9 comments on “Any application-defined hook procedure on my machine?

  1. Where can I find information relating to the various structs you refer to?

    e.g. THREADINFO, DESKTOPINFO

    Thanks

  2. I usually use WinDbg or .h file I have on my machine, but the net is a good alternative way. I don’t remember where I got the information about the structure you mentioned, and I don’t have on my hard disk anymore (it’s dead…).
    If you want to know something more about these specific structures you can use Windbg starting from _TEB (which is visible from Windbg for sure).
    In case I’ll find the structure’s definitions I’ll tell you.

  3. Hello Zairon,
    Great article! Is there any way you could please post a source code example that you can share to list these hooks on Windows XP? I’m finding that these structures are rather confusing because most of the struct member names are very similar.

  4. Hello Zairon, stumbled over this old article of yours and I’m trying to construct a HookExplorer but keep finding my self in the deep end of the pool…. might be in over my head…
    You couldn’t by any chance post a complete example or mail me some source?

    Regards

  5. I finally get the HOOK struct, I’m interested on global hooks only.

    I get all information about my machine’s global hooks, but I have no idea how to get the module of the hook procedure, I mean, in the hook struct

    typedef struct tagHOOK { /* hk */
    THRDESKHEAD head;
    struct tagHOOK* pNext;
    int iHook;
    PVOID pfn;
    UINT flags;
    int imod;
    PTHREADINFO ptiHooked;
    PDESKTOP rpdesk;
    } HOOK;

    pfn -> is the offset of the procedure in the module…
    imod -> I assume that points to a module, but I have no idea how to translate that to a real dll path.

    help!

  6. Hello, great article and great info! I’m not sure what I’m doing wrong. Or maybe I’m missing something. I have gotten all the code to compile, and (using kernel debugger) am able to look at the structure for THREADINFO. The address all look good (refCount of_W32THREAD, pETHREAD, etc… However, my THREADINFO.pDeskInfo has an address of:0xbc640650. At which point, when i try to look at that memory address, i get a bunch of ????. Any clues as to what I could be doing wrong?

  7. THANKS! You have saved the day!! I have an app that depends heavily on a thread-specific hook in a listview control in a native C++ app. The OS(XP SP3) was arbitrarily dumping my HookProc and I had no way of easily detecting when the problem occurred. I used the methods in your code to build a DLL that allows me to monitor the status of my HookProc and reset it when necessary.
    Thanks again…

    TF

  8. TBFisher, could you PLEASE share sourcecode of the function that checks status of the hook?

    I have the same problem…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s