Part Five: Windows Hooks
1. The flow under ROS (ReactOS)
The Win2000 version has already been analyzed by someone else: http://bbs.pediy.com/showthread.php?t=135702
A message hook is an officially supported hook callback that can intercept the messages of one window or of the whole system. A message would normally go straight to the wndproc of its target window; with a hook installed it is first delivered to the message callback we registered, where our hook function can collect, intercept or filter the parameters.
HHOOK SetWindowsHookEx(int       idHook,
                       HOOKPROC  lpfn,
                       HINSTANCE hMod,
                       DWORD     dwThreadId
);
Under win2k the HHOOK object looks like this:
typedef struct tagHOOK { /* hk */
    THRDESKHEAD     head;
    struct tagHOOK *phkNext;    // hook chain (linked list)
    int             iHook;      // WH_xxx hook type
    DWORD           offPfn;
    UINT            flags;      // HF_xxx flags
    int             ihmod;
    PTHREADINFO     ptiHooked;  // Thread hooked.
    PDESKTOP        rpdesk;     // Global hook pdesk. Only used when
                                // hook is locked and owner is destroyed
} HOOK, *PHOOK;
The corresponding kernel call:
HHOOK
APIENTRY
NtUserSetWindowsHookEx(HINSTANCE       Mod,              // dll base
                       PUNICODE_STRING UnsafeModuleName,
                       DWORD           ThreadId,         // non-zero: thread-local hook for that thread
                       int             HookId,           // hook type, e.g. WH_KEYBOARD_LL
                       HOOKPROC        HookProc,         // hook function
                       BOOL            Ansi)
{
    // Parameter checks elided; add a hook object to the handle table
    Hook = UserCreateObject(gHandleTable, NULL, &Handle, otHook, sizeof(HOOK));
    Hook->ihmod   = (INT)Mod;   // Module Index from atom table, Do this for now.
    Hook->Thread  = Thread;     /* Set Thread, Null is Global. */
    Hook->HookId  = HookId;
    Hook->rpdesk  = ptiHook->rpdesk;
    Hook->phkNext = NULL;       /* Dont use as a chain! Use link lists for chaining. */
    Hook->Proc    = HookProc;
    Hook->Ansi    = Ansi;
    if (ThreadId) /* Thread-local hook */
    {
        // Insert into the thread's hook chain. threadInfo is the thread's win32 thread
        // information; ptiHook->aphkStart is the array of chains for the 15 hook types.
        InsertHeadList(&ptiHook->aphkStart[HOOKID_TO_INDEX(HookId)], &Hook->Chain);
        ptiHook->sphkCurrent = NULL;
        Hook->ptiHooked = ptiHook;
        ptiHook->fsHooks |= HOOKID_TO_FLAG(HookId);
        if (ptiHook->pClientInfo)
        {
            if (ptiHook->ppi == pti->ppi) /* current process */
            {
                ptiHook->pClientInfo->fsHooks    = ptiHook->fsHooks;
                ptiHook->pClientInfo->phkCurrent = NULL;
            }
            else
            {
                // Attach to the target process to write it there;
                // pClientInfo appears to be a structure living in user space
                KeAttachProcess(&ptiHook->ppi->peProcess->Pcb);
                ptiHook->pClientInfo->fsHooks    = ptiHook->fsHooks;
                ptiHook->pClientInfo->phkCurrent = NULL;
                KeDetachProcess();
            }
        }
    }
    else /* global hook */
    {
        // The desktop's chain
        InsertHeadList(&ptiHook->rpdesk->pDeskInfo->aphkStart[HOOKID_TO_INDEX(HookId)], &Hook->Chain);
        Hook->ptiHooked = NULL;
        ptiHook->rpdesk->pDeskInfo->fsHooks |= HOOKID_TO_FLAG(HookId);
        ptiHook->sphkCurrent = NULL;
        ptiHook->pClientInfo->phkCurrent = NULL;
    }
    /* ... remainder elided: the new hook handle is returned to the caller */
}
In short: pti->pDeskInfo->asphkStart[nFilterType + 1] is the global hook chain,
ptiThread->aphkStart[nFilterType + 1] is the chain of one particular thread,
and fsHooks is a bit field that records whether a hook of that type has been set at all.
2. How the hook function gets called
co_HOOK_CallHooks - co_IntCallHookProc - KeUserModeCallback, which is analogous to calling a wndproc.
3. Enumerating message hooks
1. Use pti->pDeskInfo->asphkStart[nFilterType + 1] to find the HHOOK structures.
2. Search (Baidu) for the gSharedInfo structure in user32. An HHOOK is also a kind of user object and lives in the handle table, so walking the handle table finds them too. For details, trace zzzSetWindowsHookEx - HMAllocObject.
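To make the structure described in section 1 and the chain walk of section 3 (item 1) concrete, here is an added, user-mode C model of win32k's hook bookkeeping. It is not ReactOS or Windows code: the HOOK, THREADINFO and DESKTOPINFO structures are simplified stand-ins, set_windows_hook() and count_hooks()/dump_global_hooks() are assumed names, and the constructed scenario (two global WH_KEYBOARD_LL hooks plus one thread-local WH_GETMESSAGE hook) is invented for the demonstration. The WH_* values and the aphkStart[nFilterType + 1] / fsHooks mapping follow the page; a defender inventorying global hooks on a desktop would walk the chains exactly the way dump_global_hooks() does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Hook type constants as in winuser.h; WH_MINHOOK/WH_MAXHOOK bound the range. */
#define WH_MINHOOK     (-1)
#define WH_MSGFILTER   (-1)
#define WH_KEYBOARD      2
#define WH_GETMESSAGE    3
#define WH_KEYBOARD_LL  13
#define WH_MOUSE_LL     14
#define WH_MAXHOOK      14
#define NB_HOOKS (WH_MAXHOOK - WH_MINHOOK + 1)

/* The chain for a type sits at aphkStart[nFilterType + 1] (as the page states);
 * fsHooks carries one bit per type so callers can skip types with no hooks. */
#define HOOKID_TO_INDEX(id) ((id) - WH_MINHOOK)
#define HOOKID_TO_FLAG(id)  (1u << ((id) + 1))

typedef void *HOOKPROC;                 /* assumed: user-mode hook procedure address */

typedef struct tagHOOK {                /* simplified model of win32k's HOOK */
    struct tagHOOK *phkNext;            /* next hook of the same type (newest first) */
    int             iHook;              /* WH_xxx type */
    HOOKPROC        Proc;
    unsigned long   ownerTid;           /* model field: thread that installed the hook */
    unsigned long   hookedTid;          /* 0 = global (ptiHooked == NULL on the page) */
} HOOK, *PHOOK;

/* Both a thread (ptiHook->aphkStart) and a desktop (pDeskInfo->aphkStart)
 * own one chain array plus the fsHooks bitmap. */
typedef struct { PHOOK aphkStart[NB_HOOKS]; unsigned fsHooks; } HOOKCHAINS;
typedef struct { HOOKCHAINS chains; unsigned long tid; } THREADINFO;
typedef struct { HOOKCHAINS chains; } DESKTOPINFO;

/* Model of the two branches of NtUserSetWindowsHookEx: a non-NULL ptiHook
 * selects the thread chain (ThreadId != 0), NULL selects the desktop chain. */
static PHOOK set_windows_hook(DESKTOPINFO *desk, THREADINFO *ptiHook,
                              unsigned long callerTid, int hookId, HOOKPROC proc)
{
    if (hookId < WH_MINHOOK || hookId > WH_MAXHOOK) return NULL;   /* bad HookId */
    PHOOK h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->iHook = hookId; h->Proc = proc; h->ownerTid = callerTid;
    HOOKCHAINS *c;
    if (ptiHook) { c = &ptiHook->chains; h->hookedTid = ptiHook->tid; }
    else         { c = &desk->chains;    h->hookedTid = 0; }
    int idx = HOOKID_TO_INDEX(hookId);
    h->phkNext = c->aphkStart[idx];         /* InsertHeadList: newest at the head */
    c->aphkStart[idx] = h;
    c->fsHooks |= HOOKID_TO_FLAG(hookId);   /* mark the type as hooked */
    return h;
}

/* Section 3, item 1: walk aphkStart[nFilterType + 1] for one type.
 * Returns -1 for an out-of-range type, 0 when fsHooks says the chain is empty. */
static int count_hooks(const HOOKCHAINS *c, int hookId)
{
    if (hookId < WH_MINHOOK || hookId > WH_MAXHOOK) return -1;
    if (!(c->fsHooks & HOOKID_TO_FLAG(hookId))) return 0;
    int n = 0;
    for (PHOOK h = c->aphkStart[HOOKID_TO_INDEX(hookId)]; h; h = h->phkNext) n++;
    return n;
}

/* Inventory every global hook on the desktop (what a detection tool would
 * report) and return the total found. */
static int dump_global_hooks(const DESKTOPINFO *desk)
{
    int total = 0;
    for (int id = WH_MINHOOK; id <= WH_MAXHOOK; id++)
        for (PHOOK h = desk->chains.aphkStart[HOOKID_TO_INDEX(id)]; h; h = h->phkNext) {
            printf("global hook type %2d proc=%p installed by tid %lu\n", id, h->Proc, h->ownerTid);
            total++;
        }
    return total;
}

static void free_chains(HOOKCHAINS *c)
{
    for (int i = 0; i < NB_HOOKS; i++) {
        for (PHOOK h = c->aphkStart[i]; h; ) { PHOOK n = h->phkNext; free(h); h = n; }
        c->aphkStart[i] = NULL;
    }
    c->fsHooks = 0;
}

/* Constructed scenario: two global WH_KEYBOARD_LL hooks from different threads
 * and one hook local to thread 1234. Returns how many installs succeeded. */
static DESKTOPINFO g_desk;
static THREADINFO  g_thread = { .tid = 1234 };

static int build_scenario(void)
{
    free_chains(&g_desk.chains); free_chains(&g_thread.chains);
    int n = 0;
    n += set_windows_hook(&g_desk, NULL,      100,  WH_KEYBOARD_LL, (HOOKPROC)(uintptr_t)0x1000) != NULL;
    n += set_windows_hook(&g_desk, NULL,      200,  WH_KEYBOARD_LL, (HOOKPROC)(uintptr_t)0x2000) != NULL;
    n += set_windows_hook(&g_desk, &g_thread, 1234, WH_GETMESSAGE,  (HOOKPROC)(uintptr_t)0x3000) != NULL;
    return n;
}

int main(void)
{
    build_scenario();
    printf("global WH_KEYBOARD_LL hooks: %d\n", count_hooks(&g_desk.chains, WH_KEYBOARD_LL));
    printf("thread-local WH_GETMESSAGE hooks: %d\n", count_hooks(&g_thread.chains, WH_GETMESSAGE));
    dump_global_hooks(&g_desk);
    return 0;
}
```

Note the fsHooks fast path in count_hooks(): it is the same shortcut win32k takes before dispatching a message, which is why an inventory tool must not trust fsHooks alone for detection and should walk each chain head regardless when it suspects tampering.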