Realization and application of hook in VB programming

Programming preface

Hooks in Windows systems are powerful enough to intercept, monitor, and process messages in almost all Windows systems. This technology can be widely used in various software, especially the software that needs monitoring, automatic recording and so on to monitor the system. This article discusses this topic, hoping that it can serve as a valuable contribution to readers ' friends.

The mechanism and type of hook

Windows applications are based on message-driven, and application operations depend on the type and content of the messages it gets. Hooks are similar to DOS interrupt interception processing mechanisms. Hooks are a platform for Windows Messaging mechanisms, where applications can set up subroutines to monitor a message for a specified window and process it before the message reaches the target window by installing a variety of hooks.

In Windows, there are two hooks, one is the system Hook (remotehook), its monitoring of the message is the entire system scope, the other is the thread hook (localhook), its blocking scope only within the process of the message. For system hooks, the hook function (hookfunction) should be implemented in the dynamic-link library (DLL) of the Windows system, and for thread hooks, the hook function can be implemented in the DLL or in the appropriate application. This is because when a developer creates a hook, Windows first creates a data structure in the system memory, which contains information about the hook, and then adds the structure to the existing hook list, and the new hook is in front of the old hook. When an event occurs, if a local hook is installed, the hook function in the current process will be invoked. If it is a remote hook, the system must insert the hook function into the address space of the other process, to do this requires the hook function must be in a dynamic link library, so if you want to use a remote hook, you must put the hook function in the dynamic link library. For the type of message that hooks are monitoring, WINDWS provides several types: as shown in table 1:

Table A, Windows message type







Message type constant identification
Value
Message type
Applicable scope

Wh_callwndproc
4
Messages sent to Windows
Thread or System

Wh_callwndprocret
12
Message returned by window
Thread or System

Wh_cbt
5
Window changes, focus settings, and other messages
Thread or System

Wh_debug
9
Whether to execute hooks for other hooks
Thread or System

Wh_foregroundidle
11
Foreground program is idle
Thread or System

Wh_getmessage
3
Messages to the Message queue
Thread or System

Wh_journalplayback
1
Playback of the recorded message
System

Wh_journalrecord
0
Monitor and record input messages
System

Wh_keyboard
2
Keyboard messages
Thread or System

Wh_mouse
7
Mouse message
Thread or System

Wh_msgfilter
-1
Menu scroll bar, dialog box message
Thread or System

Wh_shell
10
The message of the shell program
Thread or System

Wh_sysmsgfilter
6
Menu scrollbars, dialog box messages for all threads
System



Second, the realization of the hook in VB programming

(a) The format of the hook function (hooks functions). The hook function is actually a function, and if it is a system hook, the function must be placed in a dynamic-link library. The function has a certain parameter format, in VB as follows:

Private Function Hookfunc (ByVal ncode as Long,byval WParam as long,byval as long) as long



Among them, the ncode represents what situation produces the hook, with the different hooks have different groups of possible values; The parameter Wparam,lparam return value includes the message content that is being monitored, depending on the type of message being monitored by the hook and the value of the ncode. For the hook function set with VB, the general frame form is as follows:

Private Function Hookfunc (ByVal ncode as Long,byval WParam as long,byval as long) as long
Select Case of Ncode
Case Ncode<0:hookfunc=callnexthookex (Hhookfunc,ncode,wparam,lparam)
Case value 1: processing process 1:hookfunc=x1
CASE2: Handling Process 2:hookfunc=x1
......
End Select
End Function



The return value of the function, if the message to be processed, then pass 0, otherwise pass 1, eat the message.

(b) The installation and execution of hooks. Hook installation uses several API functions: You can use the API function SetWindowsHookEx () to install an application-defined hook Cheng Ann into the hook list. The SetWindowsHookEx () function declares the following:

Declare function SetWindowsHookEx Lib "user32" Alias "Setwindowshookexa" (ByVal Idhook as Long,byval LPFN as Long,byval HMO D as Long,byval dwThreadID as Long



The Idhook value is the message type it handles; Lpfn value is the address pointer of the Hook subroutine. If the dwThreadID parameter is 0 or an identity of a thread created by another process, LPFN must point to the hook thread in the DLL. In addition, LPFN can point to a hook subroutine code for the current process. The Hmod value is the handle of the application, identifying the DLL that contains the Cheng that the LPFN refers to. If dwThreadID identifies a thread created by the current process, and the subroutine code is in the current process, the Hmod must be 0. The dwThreadID value is the identifier of the thread associated with the installed hook threads relative and, if 0, the hook thread is associated with all threads. Hook installation Success Returns the handle of the hook, and the failure returns 0.

In addition, it is generally necessary to call the CallNextHookEx () function in the Hook subroutine to execute the next hook in the hook list, otherwise the application with the other hooks will not receive the hook notification, resulting in the wrong result. The CallNextHookEx () function declares the following:

Declare Function CallNextHookEx Lib "user32" Alias "CallNextHookEx" (ByVal Hhook as Long,byval ncode as Lonog, ByVal WParam As long,lparam as any) as Long



The Hhook value is the return value of SetWindowsHookEx (), and Ncode, WParam, and lparam are three parameters in the hook function. Before the program terminates, you must call the UnhookWindowsHookEx () function to release the system resources associated with the hook. The Unhookwindowsex () function is declared as follows:

Declare Function unhook windowshookex Lib "user32" Alias "Unhook Windowshookex (ByVal hhook as long) as long



Hhook is the return value when the hook is installed, that is, the handle of the hook thread.

(three) VB in the hook installation should pay attention to the problem. The LPFN parameter is a hookfunc address, and VB requires that the Hookfunc code be placed in a standard. BAS module and passed in "address of hookfunc" instead of being placed in a class module or attached to a form. For Remotehook, Hookfunc should be included in the dynamic link library, so if you use Remotehook in VB, you will also use the GetModuleHandle (), GetProcAddress () Two API functions, which are declared as follows :

Declare Function getmodulehandle Lib "kernel32" Alias "Getmodulehandlea" (ByVal Lpmodulename as String) as Long
Declare Function GetProcAddress Lib "kernel32" Alias "GetProcAddress" (ByVal hmodule as Long,byval lpprocname as String) as Long



The Hmod value is the module name handle that contains the hook process, and if it is Localhook, the value can be null (0 in VB), and if it is remotehook, you can use GetModuleHandle ("name. dll") to pass in.
Iii. example--interception of keyboard messages

In the development of the program is commonly used in the input message to monitor the keyboard hooks, for the monitoring of the message should be processed, the following on the keyboard hook parameters of the specific content of the composition of the description:

If a keyboard message (WM_KEYUP or WM_KEYDOWN) is to be processed, the system calls the keyboard hook.

Ncode is hc_action or hc_noremove, if less than 0, the handler function is required to pass the message down.

WPARAM represents a key-key-code constant that is consistent with the corresponding value ' a ' to ' Z ' of the ASCII code, such as the C key, and the wparam value is 67.

LPARAM and Wm_keydown the same, accounting for four bytes, which contains more content, the second binary structure is as follows:

0
1
......
15
16
.........
23
24
25
......
28
29
30
31



0-15-bit (key repeat count), key-code repeat times. 16-23-bit (Scan code), the key scan code. 24-bit (Extended_key flag), extension key (function key, numeric keypad key) flag, 1 is the extension key, otherwise 0. 25-28 bits are kept. 29-bit (context code), status descriptor, ALT key is pressed to 1, otherwise 0. 30-bit (Previouskey_stateflag) specifies the previous key state, 1 if the key is in the pressed state before the message is emitted, or 0 if the key is in the released state. 31-bit (Transiton_stateflag) state conversion flag, if the key is pressed with a value of 1, if the key is released with a value of 0.

The hooks in this example are used to monitor and record key information in the application. In the program, the ALT+F4 key combination is blocked. Here's a partial code:

Public Hhook as Long
Install hook when Private Sub Form_Load () program starts
Hhook=setwindowshookex (2,address of Mykbhook,0,app.threadid)
End Sub
The specific hook procedure in this case is included in the Module1
Public Function Mykbhook (ByVal ncode as Long,byval WParam as long,byval as long) as long
If Ncode>=0 Then
The Open "C:\Keyfile.txt" for Append as #1 Records the operation of the keyboard in the Keyfile.txt file
' Record the key, operation time, and date operation of the button state, with 16 in the record
Write #1, Wparam,hex (LParam), Date,time
Close #1
Mykbhook=0 ' means to process this message
' Shielded Alt+f4 key combination
If wparam=115 and (LParam and&h20000000) <>0 Then
if (LParam and &hc000000) =0 Then ' alt+f4 operation
Myhbhook=1 ' hooks to eat the news
End If
End If
End If
Call CallNextHookEx (Hhook,ncode,wparam,lparam) ' passes the message to the next hook
End Function
' Uninstall the hook when the program exits
Private Sub form_unload (Cancel as Interger)
Call Unhook Windowshookex (hhook)
End Sub



Iv. Summary

Hook processing program is Windows Advanced programming technology, general programmers use VC + + and other programming tools to achieve, this article shows that, for VB, although many people think that the design is not professional tools, but the implementation of hooks such advanced technology is also very convenient. In addition, when using hooks should be noted that the hook although the function is relatively strong, but if the use of improper will seriously affect the efficiency of the system, so try to avoid using the system hook, and in the use of hooks, the hook should be unloaded in a timely manner.