Notes on reading the message hook chain: how to convert the HHOOK returned by NtUserSetWindowsHookEx into a PHOOK

Source: Internet  Published by: 百万公众网络考试  Editor: 程序博客网  Time: 2024/06/05 18:01

Quite a few people have asked how to convert the HHOOK returned by NtUserSetWindowsHookEx into a PHOOK, so here is an explanation.
It comes down to finding the address of the conversion function and calling it directly.

Principle:
Locate the entry of NtUserUnhookWindowsHookEx in the win32k SSDT (the shadow SSDT),
then take the address of @HMValidateHandle@8 straight from the call inside it.

Usage:

// HMValidateHandle is __fastcall (the @8 decoration): ecx = handle, dl = handle type.
// Type 5 is TYPE_HOOK, the same value NtUserUnhookWindowsHookEx loads into dl.
// win32k does not export HMValidateHandle, so g_pfnHMValidateHandle has to be
// filled in first with the address resolved from NtUserUnhookWindowsHookEx.
static void *g_pfnHMValidateHandle;

#define GetObjectFromHandle(handle, object)                  \
{                                                            \
    __asm push ecx                                           \
    __asm push edx                                           \
    __asm mov  ecx, handle                                   \
    __asm mov  dl, 5                                         \
    __asm call dword ptr [g_pfnHMValidateHandle]             \
    __asm mov  object, eax       /* eax = PHOOK, or NULL */  \
    __asm pop  edx                                           \
    __asm pop  ecx                                           \
}

/////
////////////// Code of NtUserUnhookWindowsHookEx
/////
.text:A0013B47                         ; __stdcall NtUserUnhookWindowsHookEx(x)
.text:A0013B47                         _NtUserUnhookWindowsHookEx@4 proc near  ; DATA XREF: .data:A016BD34o
.text:A0013B47
.text:A0013B47                         arg_0           = dword ptr  8
.text:A0013B47
.text:A0013B47 56                                      push    esi
.text:A0013B48 E8 3D D1 FE FF                          call    _EnterCrit@0    ; EnterCrit()
.text:A0013B4D 8B 4C 24 08                             mov     ecx, [esp+arg_0]
.text:A0013B51 B2 05                                   mov     dl, 5
.text:A0013B53 E8 48 96 FF FF                          call    @HMValidateHandle@8 ; HMValidateHandle(x,x)
.text:A0013B58 85 C0                                   test    eax, eax
.text:A0013B5A 75 04                                   jnz     short loc_A0013B60
.text:A0013B5C 33 F6                                   xor     esi, esi
.text:A0013B5E EB 08                                   jmp     short loc_A0013B68
.text:A0013B60                         ; ---------------------------------------------------------------------------
.text:A0013B60
.text:A0013B60                         loc_A0013B60:                           ; CODE XREF: NtUserUnhookWindowsHookEx(x)+13j
.text:A0013B60 50                                      push    eax
.text:A0013B61 E8 2A C8 08 00                          call    _zzzUnhookWindowsHookEx@4 ; zzzUnhookWindowsHookEx(x)
.text:A0013B66 8B F0                                   mov     esi, eax
.text:A0013B68
.text:A0013B68                         loc_A0013B68:                           ; CODE XREF: NtUserUnhookWindowsHookEx(x)+17j
.text:A0013B68 E8 E4 D0 FE FF                          call    _LeaveCrit@0    ; LeaveCrit()
.text:A0013B6D 8B C6                                   mov     eax, esi
.text:A0013B6F 5E                                      pop     esi
.text:A0013B70 C2 04 00                                retn    4
.text:A0013B70                         _NtUserUnhookWindowsHookEx@4 endp
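The step "take the address of @HMValidateHandle@8 from the call inside NtUserUnhookWindowsHookEx" can be checked offline against the listing above. The following C program is an added example, not code from the original post: it embeds the first 24 bytes of the listing (entry at 0xA0013B47, as shown), looks for the `mov dl,5` (B2 05) immediately followed by an E8 call, and resolves the rel32 target the way the CPU would (address of the next instruction plus the signed displacement). Only the byte array, the base address and the pattern come from the listing; the function name `find_hmvalidatehandle` is this example's own. Calling the resolved address is only meaningful inside a kernel driver on 32-bit win32k and is not done here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes of NtUserUnhookWindowsHookEx exactly as printed in the listing above,
 * from the entry at .text:A0013B47 through the short jmp. */
static const uint8_t kUnhookStub[] = {
    0x56,                          /* push esi                     A0013B47 */
    0xE8, 0x3D, 0xD1, 0xFE, 0xFF,  /* call _EnterCrit@0            A0013B48 */
    0x8B, 0x4C, 0x24, 0x08,        /* mov  ecx, [esp+arg_0]        A0013B4D */
    0xB2, 0x05,                    /* mov  dl, 5  (TYPE_HOOK)      A0013B51 */
    0xE8, 0x48, 0x96, 0xFF, 0xFF,  /* call @HMValidateHandle@8     A0013B53 */
    0x85, 0xC0,                    /* test eax, eax                A0013B58 */
    0x75, 0x04,                    /* jnz  short loc_A0013B60      A0013B5A */
    0x33, 0xF6,                    /* xor  esi, esi                A0013B5C */
    0xEB, 0x08,                    /* jmp  short loc_A0013B68      A0013B5E */
};
static const uint32_t kUnhookBase = 0xA0013B47u;  /* entry address from the listing */

/* Resolve the target of the E8 call that directly follows "mov dl,5" (B2 05).
 * Anchoring on the type byte skips the earlier call to _EnterCrit@0.
 * Returns 0 when the pattern is not found in the supplied bytes. */
uint32_t find_hmvalidatehandle(const uint8_t *code, size_t len, uint32_t base)
{
    for (size_t i = 0; i + 7 <= len; i++) {          /* need B2 05 E8 + rel32 */
        if (code[i] == 0xB2 && code[i + 1] == 0x05 && code[i + 2] == 0xE8) {
            size_t call_at = i + 2;
            uint32_t rel = (uint32_t)code[call_at + 1]
                         | ((uint32_t)code[call_at + 2] << 8)
                         | ((uint32_t)code[call_at + 3] << 16)
                         | ((uint32_t)code[call_at + 4] << 24);
            /* E8 rel32: target = address of the next instruction + rel32.
             * Unsigned wrap-around handles the negative displacement. */
            return base + (uint32_t)(call_at + 5) + rel;
        }
    }
    return 0;
}

int main(void)
{
    uint32_t addr = find_hmvalidatehandle(kUnhookStub, sizeof kUnhookStub, kUnhookBase);
    if (addr == 0) {
        puts("pattern mov dl,5 / call not found");
        return 1;
    }
    printf("@HMValidateHandle@8 = 0x%08X\n", addr);  /* 0xA000D1A0 for this listing */
    return 0;
}
```

For the bytes in the listing the displacement 0xFFFF9648 is -0x69B8, so the target is 0xA0013B58 - 0x69B8 = 0xA000D1A0. On a live system the same scan would be run over the bytes at the NtUserUnhookWindowsHookEx entry taken from the win32k service table, and the result should always be sanity-checked against the win32k image range before it is used, since a different build may reorder the prologue and leave the pattern unmatched.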
