Address: http://www.zdexe.com/program/201004/576.html
Professional technical understanding of hooks
A hook is a platform in the Windows message-processing mechanism. An application can install a subroutine (a hook procedure) on it to monitor the messages of a specified window, and the monitored window may have been created by another process. When a message arrives, the hook procedure processes it before the target window's own processing function does. The hook mechanism thus allows applications to intercept and process window messages or specific events.
Windows is built on an event-driven mechanism. Put bluntly, the entire system works by passing messages. Hooks are a very important system interface in Windows: they can intercept and process messages sent to other applications, which makes possible functions that are hard to implement in ordinary applications. Hooks can monitor the various event messages in the system or in a process, and intercept and process messages sent to a target window. In this way, we can install custom hooks to watch for specific events in the system and carry out specific functions, such as intercepting keyboard and mouse input, capturing words from the screen, and log monitoring. As you can see, hooks can be used to implement many special and useful functions.
A hook is actually a program segment that processes messages. It is attached to the system and called by the system. When a specific message is sent, the hook procedure captures it before it reaches the target window; that is, the hook function gets control of the message first. At that point the hook function can process (change) the message, pass it on without processing it, or forcibly end its transmission.
Each hook type has an associated list of pointers, called the hook chain (a linked list), which the system maintains. The pointers in this list point to the application-defined callback functions, that is, the hook procedures that handle this hook. When a message associated with a given hook type occurs, the system passes the message to the hook procedure. Some hook procedures can only monitor messages; others can modify messages or stop them from moving on to the next hook procedure or to the target window. The most recently installed hook is placed at the beginning of the chain and the earliest installed hook at the end, so the hook added last gets control first.
Windows does not require hooks to be removed in any particular order relative to the order in which they were installed. Every time a hook is removed, Windows releases the memory it occupied and updates the entire hook chain. If a program installs a hook but exits before uninstalling it, the system automatically uninstalls the hook for it.
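The chain behaviour described above, as an added model that is not code from the original page. `HookChain` and the sample procedures are hypothetical names; the dispatcher walks the chain itself, whereas on Windows each hook procedure hands the message on by calling `CallNextHookEx`.

```python
# Added model of the hook chain; HookChain and the sample procedures are
# hypothetical names, not Windows APIs.
PASS, STOP = "pass", "stop"

class HookChain:
    """One chain per hook type; index 0 is the head of the chain."""

    def __init__(self):
        self._procs = []

    def install(self, proc):
        self._procs.insert(0, proc)   # newest hook goes to the head
        return proc                   # doubles as the hook handle

    def uninstall(self, handle):
        self._procs.remove(handle)    # removal order is unconstrained

    def dispatch(self, msg, target):
        """Run msg through the chain, then deliver it to the target."""
        trace = []
        for proc in list(self._procs):
            trace.append(proc.__name__)
            action, msg = proc(msg)
            if action == STOP:        # transmission forcibly ended
                return trace, None
        return trace, target(msg)

def monitor(msg):                     # only observes the message
    return PASS, msg

def uppercase(msg):                   # changes the message, then passes it on
    return PASS, msg.upper()

def block_secret(msg):                # stops selected messages
    return (STOP, msg) if "SECRET" in msg else (PASS, msg)

def window_proc(msg):                 # stands in for the target window
    return f"window got {msg}"

def demo():
    chain = HookChain()
    chain.install(monitor)            # installed first: end of the chain
    h2 = chain.install(uppercase)
    chain.install(block_secret)       # installed last: gets control first
    first = chain.dispatch("hello", window_proc)
    blocked = chain.dispatch("SECRET", window_proc)
    chain.uninstall(h2)               # removed out of installation order
    after = chain.dispatch("hello", window_proc)
    return first, blocked, after
```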
Most people, and most online articles, hold that a global hook depends on a DLL to work properly. The question "Must a global hook be in a DLL?" is often debated at length in forums. In fact, this is a conceptual question: what exactly is the "global hook" being discussed? Understanding the scope of the hooks above answers it.
15 hooks are mentioned above. The following table lists their scopes:
| Hook | Scope |
| --- | --- |
| WH_CALLWNDPROC | Thread or global |
| WH_CALLWNDPROCRET | Thread or global |
| WH_CBT | Thread or global |
| WH_DEBUG | Thread or global |
| WH_FOREGROUNDIDLE | Thread or global |
| WH_GETMESSAGE | Thread or global |
| WH_JOURNALPLAYBACK | Global only |
| WH_JOURNALRECORD | Global only |
| WH_KEYBOARD | Thread or global |
| WH_KEYBOARD_LL | Global only |
| WH_MOUSE | Thread or global |
| WH_MOUSE_LL | Global only |
| WH_MSGFILTER | Thread or global |
| WH_SHELL | Thread or global |
| WH_SYSMSGFILTER | Global only |

Table 1: Hook scope
The five hooks WH_JOURNALPLAYBACK, WH_JOURNALRECORD, WH_KEYBOARD_LL, WH_MOUSE_LL, and WH_SYSMSGFILTER have global scope only. Whether they are written directly in the application code or placed in a DLL, they can hook messages from the whole system. The remaining 10 hooks can have either thread or global scope. When such a hook is written directly in the application code, it can only capture messages in the context of the current thread. How, then, can it capture global messages? When the hook is written in a separate DLL and referenced from the application, the system automatically maps the DLL into the address space of every process affected by the hook function, that is, it injects the DLL into those processes, and the hook can then capture global messages. By comparison, the first five hooks are global by nature and do not need to be injected.
Therefore, the answer to the preceding question is: whether to write the hook that captures global messages in a separate DLL depends on the hook type and the corresponding scope.
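The scope rules above, applied to recorded hook installations, as an added example that is not code from the original page. The call records are constructed sample data, and their field names are assumptions that mirror the `idHook`, `hMod` and `dwThreadId` parameters of `SetWindowsHookEx`.

```python
# Added triage example. The call records are constructed sample data; the
# field names mirror SetWindowsHookEx's idHook, hMod and dwThreadId.
GLOBAL_ONLY = {"WH_JOURNALPLAYBACK", "WH_JOURNALRECORD", "WH_KEYBOARD_LL",
               "WH_MOUSE_LL", "WH_SYSMSGFILTER"}
THREAD_OR_GLOBAL = {"WH_CALLWNDPROC", "WH_CALLWNDPROCRET", "WH_CBT",
                    "WH_DEBUG", "WH_FOREGROUNDIDLE", "WH_GETMESSAGE",
                    "WH_KEYBOARD", "WH_MOUSE", "WH_MSGFILTER", "WH_SHELL"}

def classify(call):
    """Return (scope, finding) for one recorded hook installation."""
    hook, h_mod, tid = call["id_hook"], call["h_mod"], call["thread_id"]
    if hook in GLOBAL_ONLY:
        if tid != 0:
            return "invalid", "this type cannot be limited to one thread"
        return "global", "system-wide by hook type"
    if hook in THREAD_OR_GLOBAL:
        if tid != 0:
            # Assumption: the thread belongs to the installing process.
            return "thread", "sees only the messages of one thread"
        if not h_mod:
            return "invalid", "global use of this type needs a DLL"
        return "global", "hook DLL is mapped into affected processes"
    return "unknown", "hook type not in Table 1"

def review_queue(calls):
    """Keep the installations that reach beyond the caller's own thread."""
    queue = []
    for call in calls:
        scope, finding = classify(call)
        if scope != "thread":
            queue.append((call["image"], call["id_hook"], scope, finding))
    return queue

# Constructed sample records (not real telemetry).
SAMPLE_CALLS = [
    {"image": "editor.exe", "id_hook": "WH_GETMESSAGE", "h_mod": 0, "thread_id": 5532},
    {"image": "helper.exe", "id_hook": "WH_KEYBOARD", "h_mod": 0x10000000, "thread_id": 0},
    {"image": "helper.exe", "id_hook": "WH_KEYBOARD_LL", "h_mod": 0x400000, "thread_id": 0},
    {"image": "tool.exe", "id_hook": "WH_CBT", "h_mod": 0, "thread_id": 0},
    {"image": "tool.exe", "id_hook": "WH_MOUSE_LL", "h_mod": 0, "thread_id": 77},
]

if __name__ == "__main__":
    for row in review_queue(SAMPLE_CALLS):
        print(*row, sep=" | ")
```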
If both a thread hook and a global hook are installed for the same event, the system automatically calls the thread hook first and then the global hook.
Hook tutorial-principle (2)