About Shell hook

Why my shell hook can only hook my process messages? I want to hook other process window create and destroy.

This is my code(DebugTrace function can out put the debug info.
function shellHookProc(iCode:Integer;wParam1:wParam;lParam1:lParam):LRESULT;stdcall;
begin
  Result:=0;
  debugtrace(inttostr(iCode));
  if iCode<0 then Result := CallNextHookEx(hHook1,iCode,wParam1,lParam1);
end;

procedure SetshellHook(hnd:HWND);
begin
  hHook1:=SetwindowsHookEx(WH_SHELL,TaskHookProc,hInstance,0);
  if hHook1 <=0 then messagebox(0,'hookError','task',16);
end;

procedure RemoveshellHook;
begin
   UnhookWindowsHookEx(hhook1);
end;
cookeyAsked:
Who is Participating?
 
GloomyFriarConnect With a Mentor Commented:
cookey, here is sample for you

//#include "stdafx.h"
//#include <afxdllx.h>
//#include "HookEx.h"
#include <windows.h>
#include <stdio.h>


//Shared data among all instances
#pragma data_seg("myshare")//Shared data among all instances.
//HHOOK hook = NULL;
//static HWND h = NULL;
__declspec(allocate("myshare")) HHOOK hook = NULL;
__declspec(allocate("myshare")) HWND hWnd = NULL;
//HHOOK hook;
//HWND h;
#pragma data_seg()

#pragma comment(linker, "/SECTION:myshare,RWS")

HINSTANCE hInst = NULL;

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

#define KEYDLL3_API extern "C" __declspec(dllexport)
//static AFX_EXTENSION_MODULE HookExDLL = { NULL, NULL };

extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    // Remove this if you use lpReserved
    UNREFERENCED_PARAMETER(lpReserved);

    if (dwReason == DLL_PROCESS_ATTACH)
    {
//         TRACE0("HOOKEX.DLL Initializing!\n");
         
         // Extension DLL one-time initialization
//         if (!AfxInitExtensionModule(HookExDLL, hInstance))
//              return 0;

         // Insert this DLL into the resource chain
         // NOTE: If this Extension DLL is being implicitly linked to by
         //  an MFC Regular DLL (such as an ActiveX Control)
         //  instead of an MFC application, then you will want to
         //  remove this line from DllMain and put it in a separate
         //  function exported from this Extension DLL.  The Regular DLL
         //  that uses this Extension DLL should then explicitly call that
         //  function to initialize this Extension DLL.  Otherwise,
         //  the CDynLinkLibrary object will not be attached to the
         //  Regular DLL's resource chain, and serious problems will
         //  result.

//         new CDynLinkLibrary(HookExDLL);
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
//         TRACE0("HOOKEX.DLL Terminating!\n");
//         // Terminate the library before destructors are called
//         AfxTermExtensionModule(HookExDLL);
    }
    hInst = hInstance;
    return 1;   // ok
}


LRESULT CALLBACK hookproc( int ncode, WPARAM wparam,LPARAM lparam)
{
  if (ncode >= 0)
  {
    if (( lparam & 0x80000000 ) == 0x00000000)
    {
      //Only when it is pressed not released
      char str[256];
      sprintf(str, "hookproc: idProc = %d(%x) hWnd(%.8x) = %d(%x)",
             GetCurrentProcessId(), GetCurrentProcessId(),
             &hWnd, hWnd, hWnd);
      MessageBox(NULL, str, "hookproc", MB_OK);
    }
  }
 
  return ( CallNextHookEx(hook,ncode, wparam,lparam) );//pass control to next hook in the hook chain.
}

KEYDLL3_API void  installhook( HWND handle )
{
  hook = NULL;
  hWnd = handle;

  char str[256];
  sprintf(str, "installhook: idProc = %d(%x) hWnd(%.8x) = %d(%x)",
             GetCurrentProcessId(), GetCurrentProcessId(),
             &hWnd, hWnd, hWnd);
  MessageBox(NULL, str, "installhook", MB_OK);

    if( hInst == NULL )       MessageBox(NULL,"NULL Instance","Error!",MB_OK);
    hook = SetWindowsHookEx( WH_KEYBOARD, hookproc, GetModuleHandle("hooktest.dll"), NULL );
    if( hook == NULL )      MessageBox(NULL,"Unable to install hook","Error 101!",MB_OK);
   
}


KEYDLL3_API void removehook(void)
{
    UnhookWindowsHookEx( hook );
}
0
 
cookeyAuthor Commented:
I want a system shell hook, not only hook my process
0
 
robert_marquardtCommented:
Such a hook has to reside in a DLL.
Windows maps this DLL into all running applications.

The problem with such a DLL is that each mapped instance has its own data segment and therefore
all global variables are in fact local to the specific instance.
This affects the hHook variable which has to be shared by all instances.

The easiest way is to write the DLL in C with MS VC++ because it allows to easily set up
shared segments. I have written such a DLL myself and it works without problems.
If you want to write the DLL in Delphi then search for "Delphi WH_SHELL" on Google and
you should get enough links to satisfy you.
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
DeerBearCommented:
Hi,

As Robert pointed out, there's a problem with system-wide hooks.

The best option is to use a Memory Mapped File for communication
among several DLL instances or just a file, which in turn has several
disadvantages.

You should look deeply into the Delphi Help File for the PROCESS_ATTACH and
PROCESS_DETATCH options on DLL loading.

HTH,

Andrew
0
 
GloomyFriarCommented:
>The best option is to use a Memory Mapped File for communication

I don't agree whit this.
The best way is shared data segment, imho.
0
 
DeerBearCommented:
Hi,

Using MMFs, to my knowledge, basically means using shared memory and I
fail to see where a "data segment" can be considered different from "Memory".

Cheers,

Andrew
0
 
GloomyFriarCommented:
2 DeerBear,
Of caurse I understand what are you talking about.
But try to explain this to cookey ;-)))

And by the way
#pragma data_seg("myshare")

is rather different then somethig like the following
   SECURITY_ATTRIBUTES sa;
   memset(&sa, 0, sizeof(sa));
   HANDLE h_file = CreateFile(FileName, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, &sa, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   DWORD FileSize = GetFileSize(h_file, NULL);
   HANDLE map_file = CreateFileMapping(h_file, &sa, PAGE_READWRITE, 0, 0, NULL);
   char* Data = (char*)MapViewOfFile(map_file, FILE_MAP_ALL_ACCESS, 0, 0, 0);
   memmove(Data+Position, Data+Position+LenToClip, FileSize-Position);    
     UnmapViewOfFile(Data);
   CloseHandle(map_file);
   SetFilePointer(h_file, FileSize-LenToClip, NULL, FILE_BEGIN);
   SetEndOfFile(h_file);
   CloseHandle(h_file);


Or you can't agree?
0
 
DeerBearCommented:
Eheheheheheh yeah ok, sorry ^_^

Just think I had arrived to a point where I was imagining this "data segment" as a
sort of C++ meta-instruction <g>, ya know some of those black magic C++ tricks that
make you go nuts in debugging <g>.

Andrew
0
 
cookeyAuthor Commented:
I think I find out the way to solve this problem, that Delphi write system wild hook very hard, I already write it in VC++

Thanks every body give me very good advices, but it seems the scores can only give one person,  so I give the scores to GloomyFriar because of the longest code :-)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.