This graph shows which files directly or indirectly include this file:

Classes
struct	tagEVENTHOOK

struct	tagEVENTTABLE

struct	_NOTIFYEVENT

Macros
#define	HOOK_THREAD_REFERENCED (0x1)

#define	HOOKID_TO_INDEX(HookId) (HookId - WH_MINHOOK)

#define	HOOKID_TO_FLAG(HookId) (1 << ((HookId) + 1))

#define	ISITHOOKED(HookId) (((PTHREADINFO)PsGetCurrentThreadWin32Thread())->fsHooks & HOOKID_TO_FLAG(HookId))

#define	WH_APIHOOK WH_MAX + 1

Typedefs
typedef struct tagEVENTHOOK	EVENTHOOK

typedef struct tagEVENTHOOK *	PEVENTHOOK

typedef struct tagEVENTTABLE	EVENTTABLE

typedef struct tagEVENTTABLE *	PEVENTTABLE

typedef struct _NOTIFYEVENT	NOTIFYEVENT

typedef struct _NOTIFYEVENT *	PNOTIFYEVENT

Functions
LRESULT APIENTRY	co_CallHook (INT HookId, INT Code, WPARAM wParam, LPARAM lParam)

LRESULT APIENTRY	co_HOOK_CallHooks (INT HookId, INT Code, WPARAM wParam, LPARAM lParam)

LRESULT APIENTRY	co_EVENT_CallEvents (DWORD, HWND, UINT_PTR, LONG_PTR)

PHOOK FASTCALL	IntGetHookObject (HHOOK)

PHOOK FASTCALL	IntGetNextHook (PHOOK Hook)

LRESULT APIENTRY	UserCallNextHookEx (PHOOK pHook, int Code, WPARAM wParam, LPARAM lParam, BOOL Ansi)

BOOL FASTCALL	IntUnhookWindowsHook (int, HOOKPROC)

BOOLEAN	IntRemoveHook (PVOID Object)

BOOLEAN	IntRemoveEvent (PVOID Object)

BOOL FASTCALL	UserLoadApiHook (VOID)

BOOL	IntLoadHookModule (int iHookID, HHOOK hHook, BOOL Unload)

BOOL FASTCALL	UserUnregisterUserApiHook (VOID)

Variables
PPROCESSINFO	ppiUahServer

Macro Definition Documentation

◆ HOOK_THREAD_REFERENCED

#define HOOK_THREAD_REFERENCED (0x1)

Definition at line 3 of file hook.h.

◆ HOOKID_TO_FLAG

#define HOOKID_TO_FLAG ( HookId ) (1 << ((HookId) + 1))

Definition at line 5 of file hook.h.

◆ HOOKID_TO_INDEX

#define HOOKID_TO_INDEX ( HookId ) (HookId - WH_MINHOOK)

Definition at line 4 of file hook.h.

◆ ISITHOOKED

#define ISITHOOKED ( HookId ) (((PTHREADINFO)PsGetCurrentThreadWin32Thread())->fsHooks & HOOKID_TO_FLAG(HookId))

Definition at line 6 of file hook.h.

◆ WH_APIHOOK

#define WH_APIHOOK WH_MAX + 1

Definition at line 12 of file hook.h.

Typedef Documentation

◆ EVENTHOOK

typedef struct tagEVENTHOOK EVENTHOOK

◆ EVENTTABLE

typedef struct tagEVENTTABLE EVENTTABLE

◆ NOTIFYEVENT

typedef struct _NOTIFYEVENT NOTIFYEVENT

◆ PEVENTHOOK

typedef struct tagEVENTHOOK * PEVENTHOOK

◆ PEVENTTABLE

typedef struct tagEVENTTABLE * PEVENTTABLE

◆ PNOTIFYEVENT

typedef struct _NOTIFYEVENT * PNOTIFYEVENT

Function Documentation

◆ co_CallHook()

LRESULT APIENTRY co_CallHook	(	INT	HookId,
		INT	Code,
		WPARAM	wParam,
		LPARAM	lParam
	)

Definition at line 321 of file hook.c.

{
    LRESULT Result = 0;
    PHOOK phk;
    PHOOKPACK pHP = (PHOOKPACK)lParam;
 
    phk = pHP->pHk;
    lParam = pHP->lParam;
 
    switch(HookId)
    {
       case WH_JOURNALPLAYBACK:
       case WH_JOURNALRECORD:
       case WH_KEYBOARD_LL:
       case WH_MOUSE_LL:
       case WH_MOUSE:
          lParam = (LPARAM)pHP->pHookStructs;
       case WH_KEYBOARD:
          break;
    }
 
    if (!UserObjectInDestroy(UserHMGetHandle(phk))) 
    {
    /* The odds are high for this to be a Global call. */
    Result = co_IntCallHookProc( HookId,
                                 Code,
                                 wParam,
                                 lParam,
                                 phk->Proc,
                                 phk->ihmod,
                                 phk->offPfn,
                                 phk->Ansi,
                                &phk->ModuleName);
    }
    /* The odds so high, no one is waiting for the results. */
    if (pHP->pHookStructs) ExFreePoolWithTag(pHP->pHookStructs, TAG_HOOK);
    ExFreePoolWithTag(pHP, TAG_HOOK);
    return Result;
}

Referenced by co_MsqDispatchOneSentMessage().

◆ co_EVENT_CallEvents()

LRESULT APIENTRY co_EVENT_CallEvents	(	DWORD	event,
		HWND	hwnd,
		UINT_PTR	idObject,
		LONG_PTR	idChild
	)

Definition at line 150 of file event.c.

{
   PEVENTHOOK pEH;
   LRESULT Result;
   PEVENTPACK pEP = (PEVENTPACK)idChild;
 
   pEH = pEP->pEH;
   TRACE("Dispatch Event 0x%lx, idObject %uI hwnd %p\n", event, idObject, hwnd);
   Result = co_IntCallEventProc( UserHMGetHandle(pEH),
                                 event,
                                 hwnd,
                                 pEP->idObject,
                                 pEP->idChild,
                                 pEP->idThread,
                                 EngGetTickCount32(),
                                 pEH->Proc,
                                 pEH->ihmod,
                                 pEH->offPfn);
 
   ExFreePoolWithTag(pEP, TAG_HOOK);
   return Result;
}

Referenced by handle_internal_events().

◆ co_HOOK_CallHooks()

LRESULT APIENTRY co_HOOK_CallHooks	(	INT	HookId,
		INT	Code,
		WPARAM	wParam,
		LPARAM	lParam
	)

Definition at line 1102 of file hook.c.

{
    PHOOK Hook, SaveHook;
    PTHREADINFO pti;
    PCLIENTINFO ClientInfo;
    PLIST_ENTRY pLastHead;
    PDESKTOP pdo;
    BOOL Local = FALSE, Global = FALSE;
    LRESULT Result = 0;
    USER_REFERENCE_ENTRY Ref;
 
    ASSERT(WH_MINHOOK <= HookId && HookId <= WH_MAXHOOK);
 
    pti = PsGetCurrentThreadWin32Thread();
    if (!pti || !pti->rpdesk || !pti->rpdesk->pDeskInfo)
    {
       pdo = IntGetActiveDesktop();
    /* If KeyboardThread|MouseThread|(RawInputThread or RIT) aka system threads,
       pti->fsHooks most likely, is zero. So process KbT & MsT to "send" the message.
     */
       if ( !pti || !pdo || (!(HookId == WH_KEYBOARD_LL) && !(HookId == WH_MOUSE_LL)) )
       {
          TRACE("No PDO %d\n", HookId);
          goto Exit;
       }
    }
    else
    {
       pdo = pti->rpdesk;
    }
 
    if ( pti->TIF_flags & (TIF_INCLEANUP|TIF_DISABLEHOOKS))
    {
       TRACE("Hook Thread dead %d\n", HookId);
       goto Exit;
    }
 
    if ( ISITHOOKED(HookId) )
    {
       TRACE("Local Hooker %d\n", HookId);
       Local = TRUE;
    }
 
    if ( pdo->pDeskInfo->fsHooks & HOOKID_TO_FLAG(HookId) )
    {
       TRACE("Global Hooker %d\n", HookId);
       Global = TRUE;
    }
 
    if ( !Local && !Global ) goto Exit; // No work!
 
    Hook = NULL;
 
    /* SetWindowHookEx sorts out the Thread issue by placing the Hook to
       the correct Thread if not NULL.
     */
    if ( Local )
    {
       pLastHead = &pti->aphkStart[HOOKID_TO_INDEX(HookId)];
       if (IsListEmpty(pLastHead))
       {
          ERR("No Local Hook Found!\n");
          goto Exit;
       }
 
       Hook = CONTAINING_RECORD(pLastHead->Flink, HOOK, Chain);
       ObReferenceObject(pti->pEThread);
       IntReferenceThreadInfo(pti);
       UserRefObjectCo(Hook, &Ref);
 
       ClientInfo = pti->pClientInfo;
       SaveHook = pti->sphkCurrent;
       /* Note: Setting pti->sphkCurrent will also lock the next hook to this
        *       hook ID. So, the CallNextHookEx will only call to that hook ID
        *       chain anyway. For Thread Hooks....
        */
 
       /* Load it for the next call. */
       pti->sphkCurrent = Hook;
       Hook->phkNext = IntGetNextHook(Hook);
       if (ClientInfo)
       {
          _SEH2_TRY
          {
             ClientInfo->phkCurrent = Hook;
          }
          _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
          {
             ClientInfo = NULL; // Don't bother next run.
          }
          _SEH2_END;
       }
       Result = co_IntCallHookProc( HookId,
                                    Code,
                                    wParam,
                                    lParam,
                                    Hook->Proc,
                                    Hook->ihmod,
                                    Hook->offPfn,
                                    Hook->Ansi,
                                   &Hook->ModuleName);
       if (ClientInfo)
       {
          _SEH2_TRY
          {
             ClientInfo->phkCurrent = SaveHook;
          }
          _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
          {
              /* Do nothing */
              (void)0;
          }
          _SEH2_END;
       }
       pti->sphkCurrent = SaveHook;
       Hook->phkNext = NULL;
       UserDerefObjectCo(Hook);
       IntDereferenceThreadInfo(pti);
       ObDereferenceObject(pti->pEThread);
    }
 
    if ( Global )
    {
       PTHREADINFO ptiHook;
       HHOOK *pHookHandles;
       unsigned i;
 
       /* Keep hooks in array because hooks can be destroyed in user world */
       pHookHandles = IntGetGlobalHookHandles(pdo, HookId);
       if(!pHookHandles)
          goto Exit;
 
      /* Performance goes down the drain. If more hooks are associated to this
       * hook ID, this will have to post to each of the thread message queues
       * or make a direct call.
       */
       for(i = 0; pHookHandles[i]; ++i)
       {
          Hook = (PHOOK)UserGetObject(gHandleTable, pHookHandles[i], TYPE_HOOK);
          if(!Hook)
          {
              ERR("Invalid hook!\n");
              continue;
          }
 
         /* Hook->Thread is null, we hax around this with Hook->head.pti. */
          ptiHook = Hook->head.pti;
 
          if ( (pti->TIF_flags & TIF_DISABLEHOOKS) || (ptiHook->TIF_flags & TIF_INCLEANUP))
          {
             TRACE("Next Hook %p, %p\n", ptiHook->rpdesk, pdo);
             continue;
          }
          UserRefObjectCo(Hook, &Ref);
 
          if (ptiHook != pti )
          {
                                                  // Block | TimeOut
             if ( HookId == WH_JOURNALPLAYBACK || //   1   |    0
                  HookId == WH_JOURNALRECORD   || //   1   |    0
                  HookId == WH_KEYBOARD        || //   1   |   200
                  HookId == WH_MOUSE           || //   1   |   200
                  HookId == WH_KEYBOARD_LL     || //   0   |   300
                  HookId == WH_MOUSE_LL )         //   0   |   300
             {
                TRACE("\nGlobal Hook posting to another Thread! %d\n",HookId );
                Result = co_IntCallLowLevelHook(Hook, Code, wParam, lParam);
             }
             else if (ptiHook->ppi == pti->ppi)
             {
                TRACE("\nGlobal Hook calling to another Thread! %d\n",HookId );
                ObReferenceObject(ptiHook->pEThread);
                IntReferenceThreadInfo(ptiHook);
                Result = co_IntCallHookProc( HookId,
                                             Code,
                                             wParam,
                                             lParam,
                                             Hook->Proc,
                                             Hook->ihmod,
                                             Hook->offPfn,
                                             Hook->Ansi,
                                            &Hook->ModuleName);
                IntDereferenceThreadInfo(ptiHook);
                ObDereferenceObject(ptiHook->pEThread);
             }
          }
          else
          { /* Make the direct call. */
             TRACE("Global going Local Hook calling to Thread! %d\n",HookId );
             ObReferenceObject(pti->pEThread);
             IntReferenceThreadInfo(pti);
             Result = co_IntCallHookProc( HookId,
                                          Code,
                                          wParam,
                                          lParam,
                                          Hook->Proc,
                                          Hook->ihmod,
                                          Hook->offPfn,
                                          Hook->Ansi,
                                         &Hook->ModuleName);
             IntDereferenceThreadInfo(pti);
             ObDereferenceObject(pti->pEThread);
          }
          UserDerefObjectCo(Hook);
       }
       ExFreePoolWithTag(pHookHandles, TAG_HOOK);
       TRACE("Ret: Global HookId %d Result 0x%x\n", HookId,Result);
    }
Exit:
    return Result;
}

Referenced by co_CallLowLevelKeyboardHook(), co_IntGetPeekMessage(), co_IntProcessKeyboardMessage(), co_IntProcessMouseMessage(), co_IntSetActiveWindow(), co_IntShellHookNotify(), co_MsqInsertMouseMessage(), co_UserCreateWindowEx(), co_UserDestroyWindow(), co_UserSetFocus(), co_WinPosMinMaximize(), DefWndDoSizeMove(), DefWndHandleSysCommand(), IdlePing(), IntCallMsgFilter(), IntCallWndProc(), IntCallWndProcRet(), IntDefWindowProc(), NtUserCallMsgFilter(), NtUserDragDetect(), and NtUserNotifyIMEStatus().

◆ IntGetHookObject()

PHOOK FASTCALL IntGetHookObject ( HHOOK hHook )

Definition at line 937 of file hook.c.

{
    PHOOK Hook;
 
    if (!hHook)
    {
       EngSetLastError(ERROR_INVALID_HOOK_HANDLE);
       return NULL;
    }
 
    Hook = (PHOOK)UserGetObject(gHandleTable, hHook, TYPE_HOOK);
    if (!Hook)
    {
       EngSetLastError(ERROR_INVALID_HOOK_HANDLE);
       return NULL;
    }
 
    UserReferenceObject(Hook);
 
    return Hook;
}

Referenced by NtUserUnhookWindowsHookEx().

◆ IntGetNextHook()

PHOOK FASTCALL IntGetNextHook ( PHOOK Hook )

Definition at line 995 of file hook.c.

{
    int HookId = Hook->HookId;
    PLIST_ENTRY pLastHead, pElem;
    PTHREADINFO pti;
 
    if (Hook->ptiHooked)
    {
       pti = Hook->ptiHooked;
       pLastHead = &pti->aphkStart[HOOKID_TO_INDEX(HookId)];
    }
    else
    {
       pti = PsGetCurrentThreadWin32Thread();
       pLastHead = &pti->rpdesk->pDeskInfo->aphkStart[HOOKID_TO_INDEX(HookId)];
    }
 
    pElem = Hook->Chain.Flink;
    if (pElem != pLastHead)
       return CONTAINING_RECORD(pElem, HOOK, Chain);
    return NULL;
}

Referenced by co_HOOK_CallHooks(), NtUserCallNextHookEx(), and NtUserMessageCall().

◆ IntLoadHookModule()

BOOL IntLoadHookModule	(	int	iHookID,
		HHOOK	hHook,
		BOOL	Unload
	)

Definition at line 30 of file hook.c.

{
   PPROCESSINFO ppi;
   BOOL bResult;
 
   ppi = PsGetCurrentProcessWin32Process();
 
   TRACE("IntLoadHookModule. Client PID: %p\n", PsGetProcessId(ppi->peProcess));
 
    /* Check if this is the api hook */
    if(iHookID == WH_APIHOOK)
    {
        if(!Unload && !(ppi->W32PF_flags & W32PF_APIHOOKLOADED))
        {
            /* A callback in user mode can trigger UserLoadApiHook to be called and
               as a result IntLoadHookModule will be called recursively.
               To solve this we set the flag that means that the application has
               loaded the api hook before the callback and in case of error we remove it */
            ppi->W32PF_flags |= W32PF_APIHOOKLOADED;
 
            /* Call ClientLoadLibrary in user32 */
            bResult = co_IntClientLoadLibrary(&strUahModule, &strUahInitFunc, Unload, TRUE);
            TRACE("co_IntClientLoadLibrary returned %d\n", bResult );
            if (!bResult)
            {
                /* Remove the flag we set before */
                ppi->W32PF_flags &= ~W32PF_APIHOOKLOADED;
            }
            return bResult;
        }
        else if(Unload && (ppi->W32PF_flags & W32PF_APIHOOKLOADED))
        {
            /* Call ClientLoadLibrary in user32 */
            bResult = co_IntClientLoadLibrary(NULL, NULL, Unload, TRUE);
            if (bResult)
            {
                ppi->W32PF_flags &= ~W32PF_APIHOOKLOADED;
            }
            return bResult;
        }
 
        return TRUE;
    }
 
    STUB;
 
    return FALSE;
}

Referenced by co_MsqDispatchOneSentMessage(), and UserLoadApiHook().

◆ IntRemoveEvent()

BOOLEAN IntRemoveEvent ( PVOID Object )

Definition at line 126 of file event.c.

{
   PEVENTHOOK pEH = Object;
   if (pEH)
   {
      TRACE("IntRemoveEvent pEH %p\n", pEH);
      KeEnterCriticalRegion();
      RemoveEntryList(&pEH->Chain);
      GlobalEvents->Counts--;
      if (!GlobalEvents->Counts) gpsi->dwInstalledEventHooks = 0;
      UserDeleteObject(UserHMGetHandle(pEH), TYPE_WINEVENTHOOK);
      KeLeaveCriticalRegion();
      return TRUE;
   }
   return FALSE;
}

Referenced by NtUserUnhookWinEvent().

◆ IntRemoveHook()

BOOLEAN IntRemoveHook ( PVOID Object )

Definition at line 1036 of file hook.c.

{
    INT HookId;
    PTHREADINFO ptiHook, pti;
    PDESKTOP pdo;
    PHOOK Hook = Object;
 
    NT_ASSERT(UserIsEnteredExclusive());
 
    HookId = Hook->HookId;
    pti = PsGetCurrentThreadWin32Thread();
 
    if (Hook->ptiHooked) // Local
    {
        ptiHook = Hook->ptiHooked;
 
        IntFreeHook(Hook);
 
        if (IsListEmpty(&ptiHook->aphkStart[HOOKID_TO_INDEX(HookId)]))
        {
            BOOL bOtherProcess;
            KAPC_STATE ApcState;
 
            ptiHook->fsHooks &= ~HOOKID_TO_FLAG(HookId);
            bOtherProcess = (ptiHook->ppi != pti->ppi);
 
            if (bOtherProcess)
                KeStackAttachProcess(&ptiHook->ppi->peProcess->Pcb, &ApcState);
 
            _SEH2_TRY
            {
                ptiHook->pClientInfo->fsHooks = ptiHook->fsHooks;
            }
            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
            {
                /* Do nothing */
                (void)0;
            }
            _SEH2_END;
 
            if (bOtherProcess)
                KeUnstackDetachProcess(&ApcState);
       }
    }
    else // Global
    {
        IntFreeHook(Hook);
 
        pdo = IntGetActiveDesktop();
 
        if (pdo &&
             pdo->pDeskInfo &&
             IsListEmpty(&pdo->pDeskInfo->aphkStart[HOOKID_TO_INDEX(HookId)]))
        {
            pdo->pDeskInfo->fsHooks &= ~HOOKID_TO_FLAG(HookId);
        }
    }
 
    return TRUE;
}

Referenced by IntUnhookWindowsHook(), NtUserSetWindowsHookEx(), and NtUserUnhookWindowsHookEx().

◆ IntUnhookWindowsHook()

BOOL FASTCALL IntUnhookWindowsHook	(	int	HookId,
		HOOKPROC	pfnFilterProc
	)

Definition at line 1319 of file hook.c.

{
    PHOOK Hook;
    PLIST_ENTRY pLastHead, pElement;
    PTHREADINFO pti = PsGetCurrentThreadWin32Thread();
 
    if (HookId < WH_MINHOOK || WH_MAXHOOK < HookId )
    {
       EngSetLastError(ERROR_INVALID_HOOK_FILTER);
       return FALSE;
    }
 
    if (pti->fsHooks)
    {
       pLastHead = &pti->aphkStart[HOOKID_TO_INDEX(HookId)];
 
       pElement = pLastHead->Flink;
       while (pElement != pLastHead)
       {
          Hook = CONTAINING_RECORD(pElement, HOOK, Chain);
 
          /* Get the next element now, we might free the hook in what follows */
          pElement = Hook->Chain.Flink;
 
          if (Hook->Proc == pfnFilterProc)
          {
             if (Hook->head.pti == pti)
             {
                IntRemoveHook(Hook);
                return TRUE;
             }
             else
             {
                EngSetLastError(ERROR_ACCESS_DENIED);
                return FALSE;
             }
          }
       }
    }
    return FALSE;
}

Referenced by NtUserCallTwoParam().

◆ UserCallNextHookEx()

LRESULT APIENTRY UserCallNextHookEx	(	PHOOK	pHook,
		int	Code,
		WPARAM	wParam,
		LPARAM	lParam,
		BOOL	Ansi
	)

◆ UserLoadApiHook()

BOOL FASTCALL UserLoadApiHook ( VOID )

Definition at line 131 of file hook.c.

{
    return IntLoadHookModule(WH_APIHOOK, 0, FALSE);
}

Referenced by NtUserCallNoParam().

◆ UserUnregisterUserApiHook()

BOOL FASTCALL UserUnregisterUserApiHook ( VOID )

Definition at line 206 of file hook.c.

{
    PTHREADINFO pti;
 
    pti = PsGetCurrentThreadWin32Thread();
 
    /* Fail if the api hook is not registered */
    if(!(gpsi->dwSRVIFlags & SRVINFO_APIHOOK))
    {
        return FALSE;
    }
 
    /* Only the process that registered the api hook can uregister it */
    if(ppiUahServer != PsGetCurrentProcessWin32Process())
    {
        return FALSE;
    }
 
    TRACE("UserUnregisterUserApiHook. Server PID: %p\n", PsGetProcessId(pti->ppi->peProcess));
 
    /* Unregister the api hook */
    gpsi->dwSRVIFlags &= ~SRVINFO_APIHOOK;
    ppiUahServer = NULL;
    ReleaseCapturedUnicodeString(&strUahModule, UserMode);
    ReleaseCapturedUnicodeString(&strUahInitFunc, UserMode);
 
    /* Notify all applications that the api hook module must be unloaded */
    return IntHookModuleUnloaded(pti->rpdesk, WH_APIHOOK, 0);
}

Referenced by ExitThreadCallback(), and NtUserUnregisterUserApiHook().

Variable Documentation

◆ ppiUahServer

PPROCESSINFO ppiUahServer

extern

Definition at line 24 of file hook.c.

Referenced by ExitThreadCallback(), UserRegisterUserApiHook(), and UserUnregisterUserApiHook().

Classes

Macros

Typedefs

Functions

Variables