1

I need to get the list of functions in the global hook chain in Windows and get their corresponding application if it's possible. I don't know how to retrieve information from the global hook chain, however.

As far as I know there is no Windows API for doing this, so I think I have to find them by parsing the hook chain linked list. The problem is that I don't know the data structure of this linked list and its beginning address.

Does anyone know how Windows manages its global hook chain?

Kheldar
Roozbeh
  • As far as I can tell, there is no real _global_ hook chain. Furthermore, even the hook chains on a desktop are not associated with an application. They call DLL functions, in an injected DLL. – MSalters Sep 20 '10 at 07:38
  • Take a look at Hans's link. It seems there exists a real global hook chain in Windows. – Roozbeh Sep 21 '10 at 18:22
  • There is no documented way of doing this. If you start digging into undocumented stuff, then you may stop working in a future version of Windows. (You will also give the Windows compatibility team nightmares.) Why do you need to know this, anyway? – Raymond Chen Sep 05 '11 at 15:16

2 Answers

3

One approach I've seen is shown in this blog post. It was referenced by this code (beware of slow server). Crazy stuff of course, no idea how well this will port between different Windows versions.

Hans Passant
  • Thanks for your help. I've seen the blog and it gave me an overview, but I think the code may be more useful. Now I'm trying to read the assembly code and build it under Win7. – Roozbeh Sep 21 '10 at 18:07
0

Instead of trying to walk an internal Windows structure, you know that all Window hooks must have a loaded module associated with them that has been injected into the target process; if you're trying to ensure that your own application isn't being hooked, enumerate the loaded module list and look for modules that shouldn't be there.

Ana Betts
  • How would this help you and how are you supposed to determine what is 'supposed' to be there? If I interpreted his question correctly, he wants the function pointers themselves – Mike Kwan Sep 05 '11 at 16:06
  • Run the app, make a list of modules on your machine, then those are the ones that are supposed to be there. – Ana Betts Sep 05 '11 at 18:06
  • There is no way to know what is 'supposed' to be there. There are plenty of apps which inject DLLs globally that aren't performing window hooks. – Mike Kwan Sep 05 '11 at 22:27
  • @Mike We don't know why the OP is looking only for hooks rather than looking for anything that can alter program behavior. If they are looking for anything that can alter program behavior, then injected DLLs are just as unwanted as hooks. – Raymond Chen Sep 12 '11 at 03:32
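
The baseline comparison described in the second answer and its comments, as an added example that is not code from any poster in this thread: it lists the modules loaded in the current process through the documented `EnumProcessModules` and `GetModuleFileNameExW` calls and reports any whose full path is missing from a recorded baseline. The sample paths (`MyApp`, `hookhelper.dll`) are constructed, and a reported module is only "not in the baseline", not necessarily a window hook.

```python
import ctypes
import ntpath
import sys


def normalize(path):
    # Windows paths are case-insensitive and may mix separators.
    return ntpath.normcase(ntpath.normpath(path))


def unexpected_modules(current, baseline):
    """Return modules in `current` whose full path is absent from `baseline`."""
    known = {normalize(p) for p in baseline}
    return sorted({normalize(p) for p in current} - known)


def loaded_modules():
    """Full paths of the modules mapped into this process (Windows only)."""
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.GetCurrentProcess.restype = wintypes.HANDLE
    psapi.EnumProcessModules.argtypes = [
        wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
        wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    psapi.GetModuleFileNameExW.argtypes = [
        wintypes.HANDLE, wintypes.HMODULE, wintypes.LPWSTR, wintypes.DWORD]
    proc = k32.GetCurrentProcess()
    handles = (wintypes.HMODULE * 1024)()
    needed = wintypes.DWORD()
    if not psapi.EnumProcessModules(proc, handles, ctypes.sizeof(handles),
                                    ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    count = min(needed.value // ctypes.sizeof(wintypes.HMODULE), len(handles))
    buf = ctypes.create_unicode_buffer(32768)
    # The filter fills buf for each handle before buf.value is read.
    return [buf.value for h in handles[:count]
            if psapi.GetModuleFileNameExW(proc, h, buf, len(buf))]


# Constructed sample data so the comparison also runs off Windows.
# On a real machine, record the baseline from a known-clean run of the app.
SAMPLE_BASELINE = [r"C:\Windows\System32\ntdll.dll",
                   r"C:\Windows\System32\USER32.dll",
                   r"C:\Program Files\MyApp\myapp.exe"]
SAMPLE_CURRENT = SAMPLE_BASELINE[2:] + [
    r"C:\WINDOWS\system32\ntdll.dll", r"C:/Windows/System32/user32.dll",
    r"C:\Users\Public\user32.dll", r"C:\Program Files\SomeTool\hookhelper.dll"]

if __name__ == "__main__":
    current = loaded_modules() if sys.platform == "win32" else SAMPLE_CURRENT
    for path in unexpected_modules(current, SAMPLE_BASELINE):
        print("not in baseline:", path)
```

Comparing full paths rather than file names is what flags the second `user32.dll` in the sample, which has a trusted name but loads from a different directory.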