Win32k(4) 视窗钩子

第五部分 视窗钩子

一、ROS下的流程

 

Win2000版本有人分析过了http://bbs.pediy.com/showthread.php?t=135702

 

消息钩子是一种官方支持钩子回调，可以拦截某一个窗口或者全局的消息。消息本应直接发到对应窗口的wndproc，现在要先发送到我们设定的消息回调，由我们的hook函数进行参数的收取、截获、过滤~

 

HHOOKSetWindowsHookEx(intidHook,

    HOOKPROC lpfn,

    HINSTANCE hMod,

    DWORD dwThreadId

);

HHOOKwin2k下是这样的

typedefstructtagHOOK{   /* hk */

    THRDESKHEAD     head;

structtagHOOK  *phkNext;            hook链表

intiHook;              //WH_xxx hook type

    DWORD           offPfn;

    UINT            flags;              //HF_xxx flags

intihmod;

    PTHREADINFO     ptiHooked;          // Threadhooked.

    PDESKTOP        rpdesk;             //Global hook pdesk. Only used when

//  hook is lockedand owner is destroyed

}HOOK, *PHOOK;

 

 

 

对应内核调用

 

HHOOK

APIENTRY

NtUserSetWindowsHookEx(HINSTANCE Mod,        //dll base

                        PUNICODE_STRINGUnsafeModuleName,

                        DWORD ThreadId,     //非0即针对某一函数的hook

intHookId,                  //hook类型比如WH_KEYBOARD_LL

                        HOOKPROC HookProc, //hook函数

                        BOOL Ansi)

{

//略去参数检查，在句柄表中加入hook对象

 

Hook= UserCreateObject(gHandleTable, NULL, &Handle, otHook, sizeof(HOOK));

 

    Hook->ihmod   = (INT)Mod; //Module Index from atom table, Do this for now.

    Hook->Thread  = Thread; /* SetThread, Null is Global. */

    Hook->HookId  =HookId;

    Hook->rpdesk  =ptiHook->rpdesk;

    Hook->phkNext = NULL; /* Dont use as a chain! Use link lists for chaining. */

    Hook->Proc    = HookProc;

    Hook->Ansi    = Ansi;

 

if (ThreadId)  /* Thread-localhook */

{

//插入到线程hook链中，threadInfo是线程信息win32Thread,

ptiHook->aphkStart是15种hook类型的链表

InsertHeadList(&ptiHook->aphkStart[HOOKID_TO_INDEX(HookId)],&Hook->Chain);

ptiHook->sphkCurrent= NULL;

       Hook->ptiHooked = ptiHook;

ptiHook->fsHooks|= HOOKID_TO_FLAG(HookId);

 

if(ptiHook->pClientInfo)

       {

if ( ptiHook->ppi== pti->ppi) /* 当前进程 */

          {

ptiHook->pClientInfo->fsHooks= ptiHook->fsHooks;

ptiHook->pClientInfo->phkCurrent= NULL;

 

          }

else

          {

                     //挂载到指定进程中去，pClientInfo貌似是一个用户空间的结构吧

KeAttachProcess(&ptiHook->ppi->peProcess->Pcb);

ptiHook->pClientInfo->fsHooks= ptiHook->fsHooks;

ptiHook->pClientInfo->phkCurrent= NULL;

KeDetachProcess();

          }

       }

    }

Else        //全局钩子

{

//桌面的链表

InsertHeadList(&ptiHook->rpdesk->pDeskInfo->aphkStart[HOOKID_TO_INDEX(HookId)],&Hook->Chain);

       Hook->ptiHooked = NULL;

ptiHook->rpdesk->pDeskInfo->fsHooks|= HOOKID_TO_FLAG(HookId);

ptiHook->sphkCurrent= NULL;

ptiHook->pClientInfo->phkCurrent= NULL;

}

 

总之，pti->pDeskInfo->asphkStart[nFilterType+ 1]是全局的钩子链表

ptiThread->aphkStart[nFilterType+ 1]是某一线程的链表

fsHooks是标志位，标志这种类型的钩子是否有设置

 

 

 

二、Hook函数的调用部分

 

co_HOOK_CallHooks- co_IntCallHookProc–KeUserModeCallback跟call wndproc是类似的

三、枚举消息钩子

 

1.可以pti->pDeskInfo->asphkStart[nFilterType+ 1]来找HHOOK结构

 

2.百度到IS找user32里面的gShareInfo结构，HHOOK也是种图形对象，在句柄表中~遍历句柄表就找到了。具体可以跟一下zzzSetWindowsHookEx - HMAllocObject

阅读全文
类别：内核 查看评论