Reversing Windows hook chains


BlackBerry
April 5th, 2008, 04:34
Hello,

I was doing some Windows reversing about Windows hooks that can be set thru SetWindowsHookEx.

I saw that, after a call to SetWindowsHookEx, there's a direct call through KiFastSystemCall to Win32k!NtUserSetWindowsHookEx.

Now, I'm going to reverse this but, anyway, I'd like to ask if anyone has already done it and could help me.

Every hook, global or local, is added to a hook chain, a linked list checked by Windows to make hooks work. Every new hook is added to the head of this linked list.

Has anyone already reversed the struct used by Windows for this linked list and where the function NtUserSetWindowsHookEx gets the address to the head of this linked list?

I wasn't looking for the structs used for the different kinds of hooks - those are already documented by Microsoft. I'm looking for the struct used to define the linked list where the hooks are added.

Many thanks in advance

omega_red
April 5th, 2008, 05:04
Is there any such list at all? As far as I know, hook procedures are responsible for calling previous hooks to form the chain, just like in window subclassing.

Quote:
Calling the CallNextHookEx function to chain to the next hook procedure is optional, but it is highly recommended; otherwise, other applications that have installed hooks will not receive hook notifications and may behave incorrectly as a result. You should call CallNextHookEx unless you absolutely need to prevent the notification from being seen by other applications.

BlackBerry
April 5th, 2008, 05:14
Hi, many thanks for your reply

It should be what is defined in ReactOS as:
Code:

PHOOK Hook;
PHOOKTABLE Table;


with PHOOK defined as:
Code:

typedef struct _HOOK {
    LIST_ENTRY     Chain;      /* links this hook into its chain */
    HHOOK          Self;       /* handle of this hook object */
    PETHREAD       Thread;     /* thread the hook is attached to (NULL for global) */
    int            HookId;     /* WH_* hook type */
    HOOKPROC       Proc;       /* hook procedure */
    BOOLEAN        Ansi;       /* ANSI or Unicode hook procedure */
    ULONG          Flags;
    UNICODE_STRING ModuleName; /* module that contains Proc */
} HOOK, *PHOOK;


and PHOOKTABLE as:
Code:

typedef struct _HOOKTABLE {
    LIST_ENTRY Hooks[NB_HOOKS];  /* one chain head per hook type */
    UINT       Counts[NB_HOOKS]; /* number of hooks in each chain */
} HOOKTABLE, *PHOOKTABLE;

dELTA
April 7th, 2008, 05:34
Quote:
[Originally Posted by omega_red]Is there any such list at all? As far as I know, hook procedures are responsible for calling previous hooks to form the chain, just like in window subclassing.
Yes, there should indeed be such a list. Ring 3 applications may be responsible for having the OS execute the rest of the handlers in every specific hook call instance, but it's still the OS that keeps track of the addresses of these handlers, in this list.

Kayaker
April 7th, 2008, 08:48
I seem to remember tracing SetWindowsHookEx / CallNextHookEx and finding such a table(s) referenced deep in kernel mode. Personally I never followed up on it to sort it all out.

However...

Any application-defined hook procedure on my machine?
http://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/

BlackBerry
April 7th, 2008, 19:32
Hello!

Still many thanks to everyone for your precious posts

Yes, going on with reversing I reached HMAllocObject and PHOOK structure.

The problem is still to get to aphkStart, 'cause DESKTOPINFO structure is totally undocumented.

Kayaker
April 7th, 2008, 23:34
Oh, it's surprising what you can find on this board

Code:
typedef struct _DESKTOPINFO {
    PVOID         pvDesktopBase;
    PVOID         pvDesktopLimit;
    struct WND   *spwnd;
    DWORD         fsHooks;                /* bit per hook type that has a chain installed */
    struct HOOK  *aphkStart[CWINHOOKS];   /* chain head per hook type */
    struct WND   *spwndShell;
    PPROCESSINFO  ppiShellProcess;
    struct WND   *spwndBkGnd;
    struct WND   *spwndTaskman;
    struct WND   *spwndProgman;
    int           nShellHookPwnd;
    struct WND  **papwndShellHook;
    int           cntMBox;
} DESKTOPINFO, *PDESKTOPINFO;


http://www.woodmann.com/forum/showthread.php?t=9643

Don't take the structure as currently definitive.

Perhaps you can document your findings when you are done?

Kalimako
September 10th, 2008, 13:41
Hello, I get the PHOOK pointer from the desktop struct in order to get all global hooks.

So I get this struct:

typedef struct tagHOOK {
    THRDESKHEAD     head;
    struct tagHOOK *pNext;     /* next hook in the chain for this hook type */
    int             iHook;     /* WH_* hook type */
    PVOID           pfn;       /* hook procedure */
    UINT            flags;
    int             imod;      /* module index, see below */
    PTHREADINFO     ptiHooked; /* hooked thread, NULL for a global hook */
    PDESKTOP        rpdesk;
} HOOK;

but I have no idea how to get the module where the hook function is located.
There is an "imod" member; I assume that integer is an index into a module list, but I have no idea...

any ideas please?
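To make the data structure discussed across this thread concrete (the per-desktop aphkStart[] array of chain heads indexed by hook type, each node chained through pNext, new hooks inserted at the head, fsHooks marking which slots are populated, and imod as an index into a module table), here is an added user-mode model of that layout. It is not code from the thread, from ReactOS, or from Windows: the struct layouts are constructed and match no real build, the WH_* values are the documented winuser.h constants, CWINHOOKS and HOOKID_TO_INDEX follow the ReactOS convention (an assumption), and the mod_names table that imod indexes is a hypothetical stand-in because the thread does not give the real one. The walk in report_global_hooks is the kind of enumeration a forensic tool or hook-detection check performs over such a table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hook id range from winuser.h: WH_MIN is -1 (WH_MSGFILTER), WH_MAX is 14 (WH_MOUSE_LL). */
#define WH_MIN         (-1)
#define WH_MAX         14
#define WH_KEYBOARD    2
#define WH_MOUSE       7
#define WH_KEYBOARD_LL 13
#define CWINHOOKS      (WH_MAX - WH_MIN + 1)   /* 16 slots (ReactOS convention, assumed) */
#define HOOKID_TO_INDEX(id) ((id) - WH_MIN)    /* slot = hook id shifted by WH_MIN (assumed) */

/* Constructed model of a kernel HOOK object; field layout does not match any real build. */
typedef struct tagHOOK {
    struct tagHOOK *pNext;   /* next hook in the chain for the same iHook */
    int             iHook;   /* WH_* hook type */
    void           *pfn;     /* hook procedure address */
    unsigned        flags;
    int             imod;    /* assumption: index into mod_names below */
    int             tid;     /* stand-in for ptiHooked: 0 means global hook */
} HOOK, *PHOOK;

/* Per-desktop chain heads, mirroring DESKTOPINFO.fsHooks and aphkStart[CWINHOOKS]. */
typedef struct tagDESK {
    unsigned fsHooks;               /* one bit per slot that has at least one hook */
    PHOOK    aphkStart[CWINHOOKS];
} DESK;

/* Hypothetical module table that imod indexes into (constructed for this example). */
static const char *mod_names[] = { "<none>", "user32.dll", "hookdll_a.dll", "hookdll_b.dll" };

static HOOK node_pool[8];   /* stand-in for objects returned by HMAllocObject */
static int  node_used;

static PHOOK alloc_hook(int iHook, void *pfn, int imod, int tid) {
    if (node_used >= (int)(sizeof node_pool / sizeof node_pool[0])) return NULL;
    PHOOK h = &node_pool[node_used++];
    memset(h, 0, sizeof *h);
    h->iHook = iHook; h->pfn = pfn; h->imod = imod; h->tid = tid;
    return h;
}

/* SetWindowsHookEx semantics from the thread: the new hook becomes the head of its chain. */
static int install_hook(DESK *d, PHOOK h) {
    if (h == NULL || h->iHook < WH_MIN || h->iHook > WH_MAX) return 0;  /* reject bad hook ids */
    int idx = HOOKID_TO_INDEX(h->iHook);
    h->pNext = d->aphkStart[idx];
    d->aphkStart[idx] = h;
    d->fsHooks |= 1u << idx;
    return 1;
}

/* Walk one chain the way CallNextHookEx would, counting the nodes. */
static int count_hooks(const DESK *d, int iHook) {
    int n = 0;
    for (const HOOK *h = d->aphkStart[HOOKID_TO_INDEX(iHook)]; h; h = h->pNext) n++;
    return n;
}

/* Resolve imod to a module name; an out-of-range index yields "?". */
static const char *hook_module(const HOOK *h) {
    size_t n = sizeof mod_names / sizeof mod_names[0];
    return (h->imod >= 0 && (size_t)h->imod < n) ? mod_names[h->imod] : "?";
}

/* Enumerate global hooks (tid == 0) over every populated slot into a text report. */
static int report_global_hooks(const DESK *d, char *out, size_t cap) {
    int found = 0; size_t len = 0;
    out[0] = '\0';
    for (int idx = 0; idx < CWINHOOKS; idx++) {
        if (!(d->fsHooks & (1u << idx))) continue;   /* fsHooks lets the walker skip empty slots */
        for (const HOOK *h = d->aphkStart[idx]; h; h = h->pNext) {
            if (h->tid != 0) continue;
            int w = snprintf(out + len, cap - len, "WH id %d -> %s\n", WH_MIN + idx, hook_module(h));
            if (w < 0 || (size_t)w >= cap - len) return found;  /* report buffer full */
            len += (size_t)w;
            found++;
        }
    }
    return found;
}

/* Build a constructed desktop with two global keyboard hooks and one thread-local mouse hook. */
static DESK *demo_desktop(void) {
    static DESK d;
    memset(&d, 0, sizeof d); node_used = 0;
    install_hook(&d, alloc_hook(WH_KEYBOARD, (void *)(uintptr_t)0x1000, 2, 0));     /* global */
    install_hook(&d, alloc_hook(WH_KEYBOARD, (void *)(uintptr_t)0x2000, 3, 0));     /* global, now head */
    install_hook(&d, alloc_hook(WH_MOUSE,    (void *)(uintptr_t)0x3000, 2, 1234));  /* thread-local */
    return &d;
}

int main(void) {
    char buf[256];
    DESK *d = demo_desktop();
    int n = report_global_hooks(d, buf, sizeof buf);
    printf("%d global hook(s):\n%s", n, buf);
    return 0;
}
```

Running it lists the two global WH_KEYBOARD hooks with hookdll_b.dll first, since the last hook installed sits at the head of the chain; the thread-local WH_MOUSE hook is skipped because its tid is non-zero.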

Kayaker
September 11th, 2008, 22:39
Read Zairon's blog I posted above and you'll find what imod is. Also a possible method of finding the originator of the hook.