CodeSteps


Windows – Hooks – An Overview

Windows Applications are message-driven, or event-driven, applications. A Windows Procedure or an Application method executes whenever an event occurs, and Windows has a message handling mechanism to handle and process the messages.

For example, when the User presses a key on the Keyboard, the relevant message is generated and passes through the message handling mechanism. A Windows Procedure or an Application-specific Procedure then processes the message.

Windows generates different types of messages to perform particular Actions. When an Application is active, the relevant messages are routed to that active Application. What about receiving all the events that are generated? This is where Windows Hooks come into the picture.

A Hook is an entry in the message handling mechanism: it executes a procedure, called the Hook Procedure, before the relevant Windows Procedure(s) run for the particular message(s). Hook Procedures are callback functions.

Is it possible to place our own function in the message handling mechanism so that it executes whenever a particular event occurs? Yes; the sections below explain how.

Installing a Hook Procedure

The first thing our Application needs in order to receive the messages (even when the Application is inactive) is to install a Hook Procedure in the Hook Chain. A Hook Chain is simply a list of pointers to Hook Procedures, and Windows maintains a separate Hook Chain for each type of Hook.

In other words, when Applications register Hook Procedures, Windows maintains a Hook Chain so that every Application gets a chance to run its Application-specific procedure (Hook Procedure) when an event occurs.

We must tell Windows to execute our Procedure (the Hook Procedure) ahead of the Windows Procedure when an Event occurs or a Message is generated. This is done by calling the Win32 API function SetWindowsHookEx.

The SetWindowsHookEx Win32 API function registers, or installs, the Hook Procedure into the Hook Chain.

The syntax of this function is shown below:

HHOOK SetWindowsHookEx(int hook_proc_type, HOOKPROC lpfn, HINSTANCE module_handle, DWORD thread_id);

Where hook_proc_type is the type of the Hook Procedure to be installed in the Hook Chain. There are different Hook Types. For example, to monitor Keyboard messages, the WH_KEYBOARD (value 2) hook type is used; to monitor Mouse messages, it is the WH_MOUSE (value 7) hook type, and so on.

lpfn is the pointer to the Hook Procedure; this is an Application-specific callback function.

module_handle is the handle to the module that contains the Hook Procedure. The Hook Procedure can be placed in a separate DLL or in the same Application that calls this Win32 API function.

thread_id is the Thread with which the Hook Procedure is associated.

Upon success, this Win32 API function returns the handle to the Hook.

Defining Hook Procedures

The Application must implement the Hook Procedure in order to process the messages relevant to the registered Hook Types.

The syntax of the Hook Procedure is shown below. This is the callback function; Windows calls it whenever a related message is generated in the System.

LRESULT CALLBACK HookProc( int hook_code, WPARAM message_info_1, LPARAM message_info_2 );

Where hook_code is the Hook Code, which the Hook Procedure uses to determine the action to perform. The Hook Code depends on the type of the Hook.

For each Hook type, there may be some additional details to be passed, and these details are available through the rest of the arguments of the HookProc callback function. The values of these arguments depend on the message type.

As mentioned above, the Hook Procedure is installed in the Hook Chain. A Hook Chain contains the list of related Hook Procedures for each Hook Type. Once our Hook Procedure has executed, Windows does not, by default, send the hook notification to the next Hook Procedures in the Hook Chain.

Because of this, it is the Application's responsibility to call the next Hook Procedure in the Hook Chain once its own Hook Procedure has executed. How is this done? The Win32 API provides the CallNextHookEx function to pass the hook notification to the next Hook Procedure registered in the Hook Chain.

The Syntax of this function is:

LRESULT CallNextHookEx(HHOOK hook_handle, int hook_code, WPARAM message_info_1, LPARAM message_info_2);

Where hook_handle is the handle to the Hook. We can ignore this and always pass a NULL value. The other parameters are already discussed above.

It is recommended that Applications call this function in their Hook Procedures to allow other Applications to receive Hook notifications in the Hook Chain. Otherwise, other Applications that use Hooks may not work properly.
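The forwarding rule described above, as an added example that is not part of the original article: a portable C model of a single hook chain, showing that a procedure which returns without forwarding keeps the event from every procedure installed before it. It is not Win32 code; install_hook, call_next, dispatch and the three sample procedures are hypothetical stand-ins, the event values are constructed, and placing a new procedure at the front of the chain follows the documented behaviour of SetWindowsHookEx.

```c
/* Simplified model of ONE hook chain. All names are hypothetical, not Win32. */
typedef long (*hook_proc)(int code, unsigned long info1, long info2);

#define MAX_HOOKS 8
static hook_proc chain[MAX_HOOKS]; /* chain[0] = most recently installed */
static int chain_len, cursor;      /* cursor = index of the running procedure */
static int audit_seen;             /* events that reached audit_hook */

/* Models SetWindowsHookEx: a new procedure goes to the front of the chain. */
static int install_hook(hook_proc p) {
    if (chain_len == MAX_HOOKS) return 0;
    for (int i = chain_len++; i > 0; i--) chain[i] = chain[i - 1];
    chain[0] = p;
    return 1;
}

/* Models CallNextHookEx: passes the event to the next procedure, if any. */
static long call_next(int code, unsigned long info1, long info2) {
    if (cursor + 1 >= chain_len) return 0;
    long r = chain[++cursor](code, info1, info2);
    cursor--;
    return r;
}

/* System side: every event enters at the front of the chain. */
static long dispatch(int code, unsigned long info1, long info2) {
    cursor = 0;
    return chain_len ? chain[0](code, info1, info2) : 0;
}

static long audit_hook(int c, unsigned long a, long b) { audit_seen++; return call_next(c, a, b); }
static long polite_hook(int c, unsigned long a, long b) { return call_next(c, a, b); }
static long greedy_hook(int c, unsigned long a, long b) { (void)c; (void)a; (void)b; return 1; }

/* audit_hook is installed first, then `top` in front of it; returns how many
   of three constructed events reach audit_hook. */
static int events_reaching_audit(hook_proc top) {
    chain_len = audit_seen = 0;
    install_hook(audit_hook);
    install_hook(top);
    for (int i = 0; i < 3; i++) dispatch(0, 0x41, 0);
    return audit_seen;
}

int main(void) {
    return (events_reaching_audit(polite_hook) == 3 &&
            events_reaching_audit(greedy_hook) == 0) ? 0 : 1;
}
```

With polite_hook in front, all three events reach audit_hook; with greedy_hook in front, none do, which is why a monitoring hook can silently stop seeing events once another application's procedure is installed ahead of it.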

Now we know how to register our Hook Procedure in the Hook Chain and how to define the Hook Procedure. What next? Once we are done with the Hook Procedure, we need to remove it from the Hook Chain.

Unregister the Hook Procedure

To remove, or uninstall, the Hook Procedure from the Hook Chain, Win32 provides the UnhookWindowsHookEx API function.

The Syntax of this function is simple:

BOOL UnhookWindowsHookEx(HHOOK hook_handle);

Where hook_handle is the handle to the registered Hook. We get this handle from the call to SetWindowsHookEx.

After this call, the registered Hook is removed from the Hook Chain, and the function returns a nonzero (TRUE) value upon success.

This is an overview of Windows Hooks. We will discuss more, with working examples, in my next articles.

(Raju)
