Solved

Can WH_DEBUG hook detect when a hook is uninstalled

Posted on 2004-03-31
5
579 Views
Last Modified: 2013-12-03
I know that WH_DEBUG can detect when a hook is installed.  Does anybody know whether it can also detect when a hook is uninstalled?  If so, can you point me to a code sample which does such detection.  Thanks...
0
Comment
Question by:DanFromBoston
  • 3
5 Comments
 
LVL 16

Expert Comment

by:nonubik
ID: 10730447
I don't think so. And I don't think it can detect when a hook is installed.
MSDN states :
"WH_DEBUG Hook
The system calls a WH_DEBUG hook procedure before calling hook procedures associated with any other hook in the system. You can use this hook to determine whether to allow the system to call hook procedures associated with other types of hooks."

So nothing about (un)installation of a hook.
0
 
LVL 16

Expert Comment

by:nonubik
ID: 10730465
http://msdn.microsoft.com/library/en-us/winui/WinUI/WindowsUserInterface/Windowing/Hooks/AboutHooks.asp?frame=true#wh_debughook
I think you were missleaded by what says the MSDN for DebugProc wParam parameter (which I'm positive it's a copy-paste of the table from SetWindowsHookEx.. :)
0
 
LVL 5

Accepted Solution

by:
drnick earned 150 total points
ID: 10830860
you can do the following:

install a normal global hook
which, of course, involves that your dll is loaded in every app
your dll then, in its initialization code, replaces the normal UnhookWindowsHookEx by a
routine of the same signature which calls the "real" unhookwindowshookex proc but
also places a notification record in a shared memory section of your dll.
this record will then be read periodically by a thread in your application.

the whole thing is a little bit complicated, but it would work, maybe.
0
 
LVL 1

Author Comment

by:DanFromBoston
ID: 10832542
That's an interesting idea.  Are you sure that when you install a global hook that it's loaded into every app on the system?  I thought it was just loaded in the context of the thread you specify.
0
 
LVL 16

Assisted Solution

by:nonubik
nonubik earned 100 total points
ID: 10832567
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/WinUI/WindowsUserInterface/Windowing/Hooks/HookReference/HookFunctions/SetWindowsHookEx.asp

dwThreadId "If this parameter is zero, the hook procedure is associated with all existing threads running in the same desktop as the calling thread."
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

If you have ever found yourself doing a repetitive action with the mouse and keyboard, and if you have even a little programming experience, there is a good chance that you can use a text editor to whip together a sort of macro to automate the proce…
Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now