Win32k(4) 视窗钩子

第五部分 视窗钩子

一、ROS下的流程

 

Win2000版本有人分析过了http://bbs.pediy.com/showthread.php?t=135702

 

消息钩子是一种官方支持钩子回调，可以拦截某一个窗口或者全局的消息。消息本应直接发到对应窗口的wndproc，现在要先发送到我们设定的消息回调，由我们的hook函数进行参数的收取、截获、过滤~

 

HHOOKSetWindowsHookEx(intidHook,    HOOKPROC lpfn,    HINSTANCE hMod,    DWORD dwThreadId);HHOOKwin2k下是这样的typedefstructtagHOOK{   /* hk */    THRDESKHEAD     head;structtagHOOK  *phkNext;            hook链表intiHook;              //WH_xxx hook type    DWORD           offPfn;    UINT            flags;              //HF_xxx flagsintihmod;    PTHREADINFO     ptiHooked;          // Threadhooked.    PDESKTOP        rpdesk;             //Global hook pdesk. Only used when//  hook is lockedand owner is destroyed}HOOK, *PHOOK;

 

 

 

对应内核调用

 

HHOOKAPIENTRYNtUserSetWindowsHookEx(HINSTANCE Mod,        //dll base                        PUNICODE_STRINGUnsafeModuleName,                        DWORD ThreadId,     //非0即针对某一函数的hookintHookId,                  //hook类型比如WH_KEYBOARD_LL                        HOOKPROC HookProc, //hook函数                        BOOL Ansi){//略去参数检查，在句柄表中加入hook对象 Hook= UserCreateObject(gHandleTable, NULL, &Handle, otHook, sizeof(HOOK));     Hook->ihmod   = (INT)Mod; //Module Index from atom table, Do this for now.    Hook->Thread  = Thread; /* SetThread, Null is Global. */    Hook->HookId  =HookId;    Hook->rpdesk  =ptiHook->rpdesk;    Hook->phkNext = NULL; /* Dont use as a chain! Use link lists for chaining. */    Hook->Proc    = HookProc;    Hook->Ansi    = Ansi; if (ThreadId)  /* Thread-localhook */{//插入到线程hook链中，threadInfo是线程信息win32Thread,ptiHook->aphkStart是15种hook类型的链表InsertHeadList(&ptiHook->aphkStart[HOOKID_TO_INDEX(HookId)],&Hook->Chain);ptiHook->sphkCurrent= NULL;       Hook->ptiHooked = ptiHook;ptiHook->fsHooks|= HOOKID_TO_FLAG(HookId); if(ptiHook->pClientInfo)       {if ( ptiHook->ppi== pti->ppi) /* 当前进程 */          {ptiHook->pClientInfo->fsHooks= ptiHook->fsHooks;ptiHook->pClientInfo->phkCurrent= NULL;           }else          {                     //挂载到指定进程中去，pClientInfo貌似是一个用户空间的结构吧KeAttachProcess(&ptiHook->ppi->peProcess->Pcb);ptiHook->pClientInfo->fsHooks= ptiHook->fsHooks;ptiHook->pClientInfo->phkCurrent= NULL;KeDetachProcess();          }       }    }Else        //全局钩子{//桌面的链表InsertHeadList(&ptiHook->rpdesk->pDeskInfo->aphkStart[HOOKID_TO_INDEX(HookId)],&Hook->Chain);       Hook->ptiHooked = NULL;ptiHook->rpdesk->pDeskInfo->fsHooks|= HOOKID_TO_FLAG(HookId);ptiHook->sphkCurrent= NULL;ptiHook->pClientInfo->phkCurrent= NULL;}

 

总之，pti->pDeskInfo->asphkStart[nFilterType+ 1]是全局的钩子链表

ptiThread->aphkStart[nFilterType+ 1]是某一线程的链表

fsHooks是标志位，标志这种类型的钩子是否有设置

 

 

 

二、Hook函数的调用部分

 

co_HOOK_CallHooks- co_IntCallHookProc–KeUserModeCallback跟call wndproc是类似的

三、枚举消息钩子

 

1.可以pti->pDeskInfo->asphkStart[nFilterType+ 1]来找HHOOK结构

 

2.百度到IS找user32里面的gShareInfo结构，HHOOK也是种图形对象，在句柄表中~遍历句柄表就找到了。具体可以跟一下zzzSetWindowsHookEx - HMAllocObject