  • Status: Solved

Hooks Urgent Problem.

I am trying to install a system hook that catches WM_CREATE messages in the system, doesn't let any application start running, and allows only one specific application to start running. For some reason all applications are not started, meaning I have some problem with the strcmp statement that is in the CBTProc() function. What is the problem? I have even tried to put message dialogs within the code in order to debug this code, because I didn't find any other way to debug this code.

///////////////////////////////////////////////////////////////////filestart/
//
// FILE: HOOKPROC.CPP
//
// DESCRIPTION:
//
// REVISION:
//
// DATE       AUTHOR                 CHANGE DESCRIPTION
// 8/5/98    Ilan Moshe        Creation
//
// NOTES:
//
/////////////////////////////////////////////////////////////////////fileend/


#include <windows.h>
#include <stdio.h>
#include <process.h>
#include <fstream.h>

#pragma data_seg("shared")
HHOOK hhook = 0;

#pragma data_seg()
#pragma comment(linker,"/section:shared,rws")

extern HINSTANCE hinstDLL = 0;

///////////////////////////////////////////////////////////////functionstart/
//
// DESCRIPTION:
//
// WARNINGS:
//
// ERRORS:
//
/////////////////////////////////////////////////////////////////functionend/




LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{  

      switch(nCode)
      {
      case HCBT_CREATEWND:
            {
                  // Returning 0 lets the window be created; non-zero vetoes it.
                  LPCREATESTRUCT pCs = ((LPCBT_CREATEWND)lParam)->lpcs;
                  if (!lstrcmpi(pCs->lpszName,"OpenWin"))
                  {
                        return 0;
                  }
                  else
                        return 1;
            }
            break;
      default:
            {
            return CallNextHookEx(hhook,nCode,wParam,lParam);
            }
      }
}


///////////////////////////////////////////////////////////////functionstart/
//
// DESCRIPTION:
//
// WARNINGS:
//
// ERRORS:
//
/////////////////////////////////////////////////////////////////functionend/


void SetHook(void)
{
            int local = 0;

            hhook = SetWindowsHookEx( WH_CBT, CBTProc , hinstDLL , 0 );
            local =  GetLastError();
            printf("%d",local);
            //            return (hhook != NULL );
}


///////////////////////////////////////////////////////////////functionstart/
//
// DESCRIPTION:
//
// WARNINGS:
//
// ERRORS:
//
/////////////////////////////////////////////////////////////////functionend/


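void UnSetHook(void)
{
      // UnhookWindowsHookEx releases the hook. An HHOOK is not a kernel
      // object handle, so it is not passed to CloseHandle.
      UnhookWindowsHookEx(hhook);
}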


///////////////////////////////////////////////////////////////functionstart/
//
// DESCRIPTION:
//
// WARNINGS:
//
// ERRORS:
//
/////////////////////////////////////////////////////////////////functionend/
void SetMod(HINSTANCE hMod)
{
      hinstDLL = hMod;
}



/////////////////////////////////////////////////////////////////functionend/
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
//
// DESCRIPTION: DllMain - Windows DLL entry and exit point.Initialize and shut down
//              UTL_Error so that the error strings are available immediately
//              an error occurs.
//
// WARNINGS:
//
// ERRORS:
//
/////////////////////////////////////////////////////////////////functionend/
{

    switch(dwReason)
      {
            case DLL_PROCESS_ATTACH:
            {
                  SetMod(hinstDLL);
                  DisableThreadLibraryCalls(hinstDLL);
                  break;
            }
      }
      return TRUE;  
}


And the program that sets the hook and checks this program is :

#include <windows.h>
#include <conio.h>
#include <stdlib.h>

__declspec( dllimport ) LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam);
__declspec( dllimport ) void SetHook(void);
__declspec( dllimport ) void UnSetHook(void);

void main()
{
      HINSTANCE hinstDLL;
      int ch;
      DWORD errorNumber;

      hinstDLL = LoadLibrary((LPCTSTR)"HookDll.dll");
      if ( hinstDLL == NULL )
      {
            errorNumber = GetLastError();
      }

      SetHook();
      // Wait for a key press, then remove the hook and exit.
      if (ch = _getch())
      {
            UnSetHook();
            exit(0);
      }
}


I really need a fast answer on this problem.

Asked by: sector

1 Solution

nietod Commented:
First I would check to see if the problem really is in testing the window name or if the problem is somewhere else in your hook.  In the HCBT_CREATEWND case, make the code always return 0, thus the hook should allow windows to open.  Does it?  If so, the problem is in the strcmp(); if not, the problem is elsewhere.


sector (Author) Commented:
I have already checked this. If I write return 0; the windows will open as if there was no hook. So I know there is a problem with the strcmp. What can be the problem???

sector (Author) Commented:
Edited text of question
 
sector (Author) Commented:
I have a great problem with debugging this DLL, so I try sending information with the MessageBox function, but of course this is a problem because this also is a WM_CREATE message.

sector (Author) Commented:
When I print values of pCs->lpszName with the MessageBox function and change the return value to 0 for the windows to appear, I see some values that don't make sense, like kernel32 etc...

Is this the right way to do this ????

nietod Commented:
Those names, like Kernel32, might be the names of windows created by the operating system.  Preventing the creation of those windows could have drastic negative side effects.  That could be the cause of this problem, or it could cause other problems you haven't even encountered yet.

jkr Commented:
Debugging system wide hooks is not easy, but it works if you manually issue a breakpoint in the app that set the hook, e.g.
#pragma data_seg("shared")
HHOOK hhook = 0;
DWORD g_dwPID2Break = 0;
#pragma data_seg()

void SetHook(void)
{
 g_dwPID2Break = GetCurrentProcessId();
//...
}

LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{  

 if ( g_dwPID2Break == GetCurrentProcessId())
 {
   // issue a hard breakpoint if this is the app that set the hook
   __asm { int 3};
 }
 //...
 return CallNextHookEx(hhook, nCode, wParam, lParam);
}

Hope you got the idea. At least, this works for me ;-)

alexo Commented:
Using duplicate accounts is against the EE customer agreement, ilanmoshe.

Cov Commented:
Your hook is keeping necessary OS windows from opening.  The OS has to open up a few windows just to start... figure out which ones they are, or maybe instead just deny the creation of any application after your app opens...
Cov
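
An added example, not code from any poster in this thread: a portable C model of the hook's allow/deny decision, contrasting the question's title test with a test on the process that creates the window, which is the failure the replies above point to. The `create_event` struct, the function names, the allow list and the sample events are assumptions constructed for illustration; in a hook DLL the image path could be read with GetModuleFileName(NULL, ...) in the process where the hook procedure runs.

```c
#include <ctype.h>
#include <stddef.h>

/* Constructed model of one HCBT_CREATEWND event (not a Windows type). */
typedef struct {
    const char *title;    /* stands in for CREATESTRUCT.lpszName; may be NULL */
    const char *exe_path; /* image path of the process creating the window */
} create_event;

/* Case-insensitive equality; a NULL string never matches. */
static int equal_nocase(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* File-name part of a path written with '\\' or '/'. */
static const char *base_name(const char *path)
{
    const char *base = path;
    for (; path && *path; path++)
        if (*path == '\\' || *path == '/') base = path + 1;
    return base;
}

/* The question's rule: 0 (allow) only for a window titled "OpenWin". */
int decide_by_title(const create_event *ev)
{
    return equal_nocase(ev->title, "OpenWin") ? 0 : 1;
}

/* Per-process rule: 0 (allow) for every window of an allow-listed image. */
int decide_by_process(const create_event *ev, const char *const *allow, size_t n)
{
    const char *exe = base_name(ev->exe_path);
    for (size_t i = 0; i < n; i++)
        if (equal_nocase(exe, allow[i])) return 0;
    return 1; /* non-zero from the hook vetoes the window */
}

/* Constructed allow list and events, for illustration only. */
const char *const ALLOW[] = { "OpenWin.exe", "explorer.exe" };
const create_event SAMPLE[] = {
    { "OpenWin",            "C:\\Apps\\OpenWin.exe" },     /* main window    */
    { NULL,                 "C:\\Apps\\OpenWin.exe" },     /* untitled child */
    { "kernel32",           "C:\\WINDOWS\\EXPLORER.EXE" }, /* shell window   */
    { "Untitled - Notepad", "C:\\WINDOWS\\NOTEPAD.EXE" },  /* other app      */
};
```

The title rule vetoes the allowed application's own untitled child window and the shell window, while the per-process rule vetoes only the window created by the image that is not on the list.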