Solved

About Shell hook

Posted on 2003-11-18
9
337 Views
Last Modified: 2010-04-05
Why my shell hook can only hook my process messages? I want to hook other process window create and destroy.

This is my code(DebugTrace function can out put the debug info.
function shellHookProc(iCode:Integer;wParam1:wParam;lParam1:lParam):LRESULT;stdcall;
begin
  Result:=0;
  debugtrace(inttostr(iCode));
  if iCode<0 then Result := CallNextHookEx(hHook1,iCode,wParam1,lParam1);
end;

procedure SetshellHook(hnd:HWND);
begin
  hHook1:=SetwindowsHookEx(WH_SHELL,TaskHookProc,hInstance,0);
  if hHook1 <=0 then messagebox(0,'hookError','task',16);
end;

procedure RemoveshellHook;
begin
   UnhookWindowsHookEx(hhook1);
end;
0
Comment
Question by:cookey
  • 3
  • 3
  • 2
  • +1
9 Comments
 

Author Comment

by:cookey
ID: 9776416
I want a system shell hook, not only hook my process
0
 
LVL 11

Expert Comment

by:robert_marquardt
ID: 9776510
Such a hook has to reside in a DLL.
Windows maps this DLL into all running applications.

The problem with such a DLL is that each mapped instance has its own data segment and therefore
all global variables are in fact local to the specific instance.
This affects the hHook variable which has to be shared by all instances.

The easiest way is to write the DLL in C with MS VC++ because it allows to easily set up
shared segments. I have written such a DLL myself and it works without problems.
If you want to write the DLL in Delphi then search for "Delphi WH_SHELL" on Google and
you should get enough links to satisfy you.
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9777117
Hi,

As Robert pointed out, there's a problem with system-wide hooks.

The best option is to use a Memory Mapped File for communication
among several DLL instances or just a file, which in turn has several
disadvantages.

You should look deeply into the Delphi Help File for the PROCESS_ATTACH and
PROCESS_DETATCH options on DLL loading.

HTH,

Andrew
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9778383
>The best option is to use a Memory Mapped File for communication

I don't agree whit this.
The best way is shared data segment, imho.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 6

Accepted Solution

by:
GloomyFriar earned 125 total points
ID: 9778413
cookey, here is sample for you

//#include "stdafx.h"
//#include <afxdllx.h>
//#include "HookEx.h"
#include <windows.h>
#include <stdio.h>


//Shared data among all instances
#pragma data_seg("myshare")//Shared data among all instances.
//HHOOK hook = NULL;
//static HWND h = NULL;
__declspec(allocate("myshare")) HHOOK hook = NULL;
__declspec(allocate("myshare")) HWND hWnd = NULL;
//HHOOK hook;
//HWND h;
#pragma data_seg()

#pragma comment(linker, "/SECTION:myshare,RWS")

HINSTANCE hInst = NULL;

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

#define KEYDLL3_API extern "C" __declspec(dllexport)
//static AFX_EXTENSION_MODULE HookExDLL = { NULL, NULL };

extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    // Remove this if you use lpReserved
    UNREFERENCED_PARAMETER(lpReserved);

    if (dwReason == DLL_PROCESS_ATTACH)
    {
//         TRACE0("HOOKEX.DLL Initializing!\n");
         
         // Extension DLL one-time initialization
//         if (!AfxInitExtensionModule(HookExDLL, hInstance))
//              return 0;

         // Insert this DLL into the resource chain
         // NOTE: If this Extension DLL is being implicitly linked to by
         //  an MFC Regular DLL (such as an ActiveX Control)
         //  instead of an MFC application, then you will want to
         //  remove this line from DllMain and put it in a separate
         //  function exported from this Extension DLL.  The Regular DLL
         //  that uses this Extension DLL should then explicitly call that
         //  function to initialize this Extension DLL.  Otherwise,
         //  the CDynLinkLibrary object will not be attached to the
         //  Regular DLL's resource chain, and serious problems will
         //  result.

//         new CDynLinkLibrary(HookExDLL);
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
//         TRACE0("HOOKEX.DLL Terminating!\n");
//         // Terminate the library before destructors are called
//         AfxTermExtensionModule(HookExDLL);
    }
    hInst = hInstance;
    return 1;   // ok
}


LRESULT CALLBACK hookproc( int ncode, WPARAM wparam,LPARAM lparam)
{
  if (ncode >= 0)
  {
    if (( lparam & 0x80000000 ) == 0x00000000)
    {
      //Only when it is pressed not released
      char str[256];
      sprintf(str, "hookproc: idProc = %d(%x) hWnd(%.8x) = %d(%x)",
             GetCurrentProcessId(), GetCurrentProcessId(),
             &hWnd, hWnd, hWnd);
      MessageBox(NULL, str, "hookproc", MB_OK);
    }
  }
 
  return ( CallNextHookEx(hook,ncode, wparam,lparam) );//pass control to next hook in the hook chain.
}

KEYDLL3_API void  installhook( HWND handle )
{
  hook = NULL;
  hWnd = handle;

  char str[256];
  sprintf(str, "installhook: idProc = %d(%x) hWnd(%.8x) = %d(%x)",
             GetCurrentProcessId(), GetCurrentProcessId(),
             &hWnd, hWnd, hWnd);
  MessageBox(NULL, str, "installhook", MB_OK);

    if( hInst == NULL )       MessageBox(NULL,"NULL Instance","Error!",MB_OK);
    hook = SetWindowsHookEx( WH_KEYBOARD, hookproc, GetModuleHandle("hooktest.dll"), NULL );
    if( hook == NULL )      MessageBox(NULL,"Unable to install hook","Error 101!",MB_OK);
   
}


KEYDLL3_API void removehook(void)
{
    UnhookWindowsHookEx( hook );
}
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9778415
Hi,

Using MMFs, to my knowledge, basically means using shared memory and I
fail to see where a "data segment" can be considered different from "Memory".

Cheers,

Andrew
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9778548
2 DeerBear,
Of caurse I understand what are you talking about.
But try to explain this to cookey ;-)))

And by the way
#pragma data_seg("myshare")

is rather different then somethig like the following
   SECURITY_ATTRIBUTES sa;
   memset(&sa, 0, sizeof(sa));
   HANDLE h_file = CreateFile(FileName, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, &sa, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   DWORD FileSize = GetFileSize(h_file, NULL);
   HANDLE map_file = CreateFileMapping(h_file, &sa, PAGE_READWRITE, 0, 0, NULL);
   char* Data = (char*)MapViewOfFile(map_file, FILE_MAP_ALL_ACCESS, 0, 0, 0);
   memmove(Data+Position, Data+Position+LenToClip, FileSize-Position);    
     UnmapViewOfFile(Data);
   CloseHandle(map_file);
   SetFilePointer(h_file, FileSize-LenToClip, NULL, FILE_BEGIN);
   SetEndOfFile(h_file);
   CloseHandle(h_file);


Or you can't agree?
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9778599
Eheheheheheh yeah ok, sorry ^_^

Just think I had arrived to a point where I was imagining this "data segment" as a
sort of C++ meta-instruction <g>, ya know some of those black magic C++ tricks that
make you go nuts in debugging <g>.

Andrew
0
 

Author Comment

by:cookey
ID: 9856619
I think I find out the way to solve this problem, that Delphi write system wild hook very hard, I already write it in VC++

Thanks every body give me very good advices, but it seems the scores can only give one person,  so I give the scores to GloomyFriar because of the longest code :-)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction I have seen many questions in this Delphi topic area where queries in threads are needed or suggested. I know bumped into a similar need. This article will address some of the concepts when dealing with a multithreaded delphi database…
Introduction Raise your hands if you were as upset with FireMonkey as I was when I discovered that there was no TListview.  I use TListView in almost all of my applications I've written, and I was not going to compromise by resorting to TStringGrid…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now