Hook Function Tutorial (1): What Is a Hook

Source: Internet
Author: User

Original address: http://blog.csdn.net/g200407331/article/details/50982025


One, what is a hook

We can start with the literal meaning. What is a hook? In daily life a hook is used to catch something. A fishing hook, for example, is used for fishing: once the fish bites, the hook holds it, and however the fish swims in the water it cannot escape the hook's control. A Windows hook is likewise used to hook something, only more abstractly: it hooks Windows events or messages. The most common are mouse and keyboard hooks. With a hook on the mouse or keyboard, whenever the mouse or keyboard does anything, the hook knows what was done. It is a vivid image: once the mouse is hooked, whatever you do, you cannot escape the palm of my hook.

Technically, hooks are a very important part of the Windows message processing mechanism; after all, Windows is based on messages. Through the hook mechanism an application can intercept and process window messages or certain other specific events.

We can hang many things on the same hook. Remember the physical examination you had to take before starting a job? After registering, you go through the departments one at a time in the order given on your registration form. Each department can decide whether you continue: only if you pass can you go on to the next one, and if you do not pass, you never see the last doctor and can go straight home. If the physical examination is likened to an event, then when the event occurs, the application (the examination process) can install hook procedures (the checks in the individual departments) on the corresponding hook. Together they form a list of pointers to hook functions associated with that hook, the hook list (the checklist that determines the order you go in).

When a message that the hook is watching appears (you take the form to the physical examination), Windows (the guide) first sends it to the first hook function in the list (the first department of the examination, which is usually height and weight, hehe). According to its own function (each department examines different items), the hook function monitors the message (some doctors just take a look), modifies it (a good doctor may even help you add a few points, hehe) or controls it (some doctors are very strict). When it has finished, it passes the message to the next hook function (the next department's examination), although it can also forcibly stop the message from being passed on (some doctors will fail you on the spot and send you home, and there is no next department), until the end of the hook list is reached (the examination is over). After the hook functions hand back control, the intercepted message finally returns to the window procedure (OK, take the form and go to work). Although filtering messages through hook functions slightly affects the efficiency of the system, in many cases filtering messages through a hook can accomplish special features that are hard to achieve by other methods.

Second, a more professional technical understanding of the hook

A hook is a point in the Windows message-handling mechanism where an application can install a subroutine to monitor the messages of a specified window; the monitored window may have been created by another process. When a message arrives, the hook handles it before the target window's procedure does. The hook mechanism allows an application to intercept and process window messages or specific events.

The Windows system is built on an event-driven mechanism, which means that the entire system works through message delivery. The hook is a very important system interface in Windows: it can intercept and process messages sent to other applications, to accomplish features that are difficult for ordinary applications to implement. Hooks can monitor various event messages in the system or in a process, intercept messages destined for the target window, and process them. In this way we can install a custom hook in the system, monitor the occurrence of specific events, and carry out specific functions such as intercepting keyboard and mouse input, capturing words from the screen, log monitoring and so on. Clearly, hooks make many special and useful functions possible.

A hook is actually a program segment that handles messages, and it is hooked into the system through a system call. Whenever a particular message is sent, the hook program captures the message before it reaches the destination window, which means that the hook function gets control first. The hook function can then process (change) the message, pass it on without processing it, or forcibly stop it from being passed on.

Each hook has a list of pointers associated with it, called the hook list, which is maintained by the system. The pointers in this list point to the specified, application-defined callback functions called hook procedures, that is, the hook's handlers. When a message associated with the specified hook type occurs, the system passes the message to the hook procedure. Some hook procedures can only monitor messages; others can modify messages or stop them from passing on to the next hook procedure or the destination window. The most recently installed hook is placed at the beginning of the chain and the earliest installed hook at the end, so the hook that was added last gets control first.

Windows does not require hooks to be unloaded in the same order in which they were installed. Whenever a hook is unloaded, Windows releases the memory it occupied and updates the entire hook list. If a program installs a hook but exits before uninstalling it, the system automatically uninstalls the hook for it.

Most people and most online articles assume that global hooks depend on a DLL to work properly, and you often see people arguing at length on forums about one topic: "A global hook must be in a DLL." This is really a conceptual question of what "global hook" refers to. The answer can be found by understanding the scope of the various hooks mentioned above.

The scopes of the 15 hook types mentioned above are shown in the following table:

Hook                  Scope
--------------------  ----------------
WH_CALLWNDPROC        Thread or Global
WH_CALLWNDPROCRET     Thread or Global
WH_CBT                Thread or Global
WH_DEBUG              Thread or Global
WH_FOREGROUNDIDLE     Thread or Global
WH_GETMESSAGE         Thread or Global
WH_JOURNALPLAYBACK    Global only
WH_JOURNALRECORD      Global only
WH_KEYBOARD           Thread or Global
WH_KEYBOARD_LL        Global only
WH_MOUSE              Thread or Global
WH_MOUSE_LL           Global only
WH_MSGFILTER          Thread or Global
WH_SHELL              Thread or Global
WH_SYSMSGFILTER       Global only

Table I: Hook scopes

The 5 hook types WH_JOURNALPLAYBACK, WH_JOURNALRECORD, WH_KEYBOARD_LL, WH_MOUSE_LL and WH_SYSMSGFILTER are global in scope by nature: whether the hook is written directly in the application's code or in a DLL, it can hook the system's messages. The remaining 10 hook types can be either thread-scoped or global. When such a hook is written directly in the application's code, it can only capture messages in the context of the current thread. So how do they capture global messages? When the hook is written in a separate DLL and then referenced, the system automatically maps that DLL into the address space of every process affected by the hook function, that is, it injects the DLL into those processes, and this is how global messages are captured. In contrast, the first 5 hook types are global by nature and do not need to be injected.

Therefore, the answer to the earlier question is that whether a hook that captures global messages has to be written in a separate DLL depends on the hook's type and scope. The system must process every message, and using a hook increases the amount of processing the system has to perform for each message, so hooks slow the system down. Hooks should be installed only when necessary and unloaded as early as possible.

Third, Hook Chain (Hook list)

The system supports many different types of hooks, each of which provides access to a different aspect of the message processing mechanism. For example, an application can use the WH_MOUSE hook to monitor the delivery of mouse messages.

The system maintains a separate hook list for each type of hook. A hook list is a list of pointers to specific, application-defined callback functions called hook procedures. When a message associated with a particular type of hook occurs, the system passes the message to each hook procedure in the hook chain, one after another. The action a hook procedure can take depends on the type of hook involved: some types of hooks can only monitor the message, while others can modify the message or stop it from advancing through the hook list, which prevents it from reaching the next hook procedure or the target window.

A note on the main terms used here:

Hook chain: the hook list

Hook procedure: the program segment that runs after the message is received

If both a thread hook and a global hook are installed for the same event, the system automatically calls the thread hook first and then the global hook.
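The chain behaviour described in sections two and three (newest hook first, a hook may modify or stop a message, hooks may be removed in any order, thread hooks before global hooks) can be modelled in portable C. This is an added example, not code from the original article and not Win32 API code; every name in it (hook_chain, chain_install, dispatch and so on) is hypothetical.

```c
/* Portable model of the hook chain described above: no Win32 calls.
   All names are hypothetical and exist only for this added example. */
#include <stddef.h>

#define MAX_HOOKS 8
enum { PASS, BLOCK };                      /* verdict of one hook procedure */
typedef int (*hook_proc)(int *msg);        /* may inspect or rewrite *msg */
typedef struct { hook_proc procs[MAX_HOOKS]; size_t count; } hook_chain;

/* Install: the newest hook goes to the head of the chain. */
int chain_install(hook_chain *c, hook_proc p) {
    if (c->count == MAX_HOOKS) return -1;
    for (size_t i = c->count++; i > 0; i--) c->procs[i] = c->procs[i - 1];
    c->procs[0] = p;
    return 0;
}

/* Uninstall in any order; the chain is compacted afterwards. */
int chain_remove(hook_chain *c, hook_proc p) {
    size_t i = 0;
    while (i < c->count && c->procs[i] != p) i++;
    if (i == c->count) return -1;          /* not installed */
    for (c->count--; i < c->count; i++) c->procs[i] = c->procs[i + 1];
    return 0;
}

/* Walk one chain head to tail; stop at the first BLOCK. */
static int chain_run(const hook_chain *c, int *msg) {
    for (size_t i = 0; i < c->count; i++)
        if (c->procs[i](msg) == BLOCK) return BLOCK;
    return PASS;
}

/* Thread hooks run before global hooks; 1 = message reaches the window. */
int dispatch(const hook_chain *thread_hooks, const hook_chain *global_hooks, int *msg) {
    return chain_run(thread_hooks, msg) == PASS && chain_run(global_hooks, msg) == PASS;
}

/* Constructed sample hook procedures. */
int add_ten(int *msg)        { *msg += 10; return PASS; }
int double_it(int *msg)      { *msg *= 2;  return PASS; }
int block_negative(int *msg) { return *msg < 0 ? BLOCK : PASS; }

int main(void) {
    hook_chain t = {0}, g = {0};
    int msg = 1;
    chain_install(&g, add_ten);      /* installed first, runs last */
    chain_install(&g, double_it);    /* installed last, runs first */
    return dispatch(&t, &g, &msg) && msg == 12 ? 0 : 1;
}
```

In the real API each hook procedure forwards the message itself by calling CallNextHookEx; the loop in chain_run stands in for that.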

I have recently been learning about hooks and read a few tutorials:

1) http://blog.sina.com.cn/s/articlelist_1585708262_3_1.html

2) http://www.lellansin.com/windows-api-%E6%95%99%E7%A8%8B%EF%BC%88%E4%B8%83%EF%BC%89-hook-%E9%92%A9%E5%AD%90%E7%9b%91%e5%90%ac%ef%bc%88%e7%bc%96%e5%86%99%e4%b8%ad%ef%bc%89.html

3) http://blog.csdn.NET/camly/article/details/1752798
