What is a hook function?

Windows hook functions can be considered as one of the main features of windows. They allow you to capture events that occur in your own processes or other processes. With "hook-up", you can give Windows a callback function to process or filter events. This function is also called "hook function". When an event you are interested in occurs, windows will call this function. There are two types of hooks: local and remote.

Local hooks only hook events of your own processes.

Remote hooks can also hook events that occur in other processes. There are two remote hooks:

Based on the thread, it will capture events of a specific thread in other processes. In short, it can be used to observe the events that will happen to a specific thread in other processes.

System-wide event messages will be captured by all processes in the system. When you create a hook, Windows will first create a data structure in the memory, which contains information about the hook, then add the struct to an existing hook linked list. The new hook is added to the front of the old one. When an event occurs, if you install a local Hook, the hook function in your process will be called. If it is a remote Hook, the system must insert the hook function into the address space of other processes. To achieve this, the hook function must be in a dynamic link library, if you want to use a remote Hook, you must put the hook function in the dynamic link library. Of course, there are two exceptions: The work Log Hook and the work log playback hook. The hook functions of these two hooks must be in the thread where the hooks are installed. The reason is: These two hooks are used to monitor relatively low-level hardware events. Since they are recorded and played back, all events are of course sequential. Therefore, if the callback function is placed in the DLL and the input events are recorded in several threads, we cannot guarantee the correct order. The solution is to put the hook function in a single thread, such as the thread for installing the hook.

There are a total of 14 types of hooks. The following are the times when they are called:

Wh_callwndproc when sendmessage is called
Wh_callwndprocret when sendmessage is returned
Wh_getmessage when getmessage or peekmessage is called
Wh_keyboard when getmessage or peekmessage is called to query wm_keyup or wm_keydown messages from the Message Queue
Wh_mouse when getmessage or peekmessage is called to query mouse event messages from the Message Queue
Wh_hardware when getmessage or peekmessage is called to query non-mouse and keyboard messages from Message Queue types
Wh_msgfilter: when a message is to be processed in a dialog box, menu, or scroll bar. This hook is local. It is designed for the control objects that have their own message processing processes.
Wh_sysmsgfilter is the same as wh_msgfilter, but it is only within the system range.
Wh_journalrecord when Windows receives messages from the hardware queue
Wh_journalplayback when an event is requested from the system's hardware Input Queue
Wh_shell when a Windows Shell event occurs, for example, a task bar needs to re-draw its button.
Wh_cbt when a computer-based training (CBT) event occurs
Wh_foregroundidle is used by windows, and is rarely used by general applications.
Wh_debug is used to debug the hook function