How to hook SetWindowsHookEx() ?

Hello,

I need to control the Windows hook mechanism. For example, when
an application is trying to install some type of hook, I need to handle
this action and block or permit it depending on the predefined rules.

I know that it can be done by patching the export or import table
of a known DLL (SetWindowsHookEx() in user32.dll). But in that case
any application can make a direct call to SetWindowsHookEx() using
a predefined offset and my control system will fail to handle it.

I’d like to know: is it possible to hook SetWindowsHookEx() from
kernel mode? Are there any mirror or analogous functions (Nt or Zw)
above 2Gb? Which functions do I need to patch?

Thank you in advance.

Felix

Try to reverse-engineer the SetWindowsHookEx routine - will it call
anything named NtUserxxx?

Max

----- Original Message -----
From: “Felix K”
To: “NT Developers Interest List”
Sent: Sunday, April 06, 2003 12:49 AM
Subject: [ntdev] How to hook SetWindowsHookEx() ?

> Hello,
>
> I need to control the Windows hook mechanism. For example, when
> an application is trying to install some type of hook, I need to handle
> this action and block or permit it depending on the predefined rules.
>
> I know that it can be done by patching the export or import table
> of a known DLL (SetWindowsHookEx() in user32.dll). But in that case
> any application can make a direct call to SetWindowsHookEx() using
> a predefined offset and my control system will fail to handle it.
>
> I’d like to know: is it possible to hook SetWindowsHookEx() from
> kernel mode? Are there any mirror or analogous functions (Nt or Zw)
> above 2Gb? Which functions do I need to patch?
>
> Thank you in advance.
> —
> Felix

I don’t think you can plug something like this. The other team can
dynamically assemble code to establish the hook.