To install a hook, you call SetWindowsHookEx, which has the following syntax:
SetWindowsHookEx proto HookType:DWORD, pHookProc:DWORD, hInstance:DWORD, ThreadID:DWORD
- HookType is one of the values listed above, e.g., WH_MOUSE, WH_KEYBOARD.
- pHookProc is the address of the hook procedure that will be called to process the messages for the specified hook. If the hook is a remote one, it must reside in a DLL. If not, it must be in your process.
- hInstance is the instance handle of the DLL in which the hook procedure resides. If the hook is a local one, this value must be NULL.
- ThreadID is the ID of the thread you want to install the hook to spy on. This parameter is the one that determines whether a hook is local or remote. If this parameter is NULL, Windows will interpret the hook as a system-wide remote hook that affects all threads in the system. If you specify the thread ID of a thread in your own process, the hook is a local one. If you specify the thread ID of a thread in another process, the hook is a thread-specific remote one. There are two exceptions to this rule: WH_JOURNALRECORD and WH_JOURNALPLAYBACK are always local system-wide hooks that are not required to be in a DLL, and WH_SYSMSGFILTER is always a system-wide remote hook. Actually, it is identical to a WH_MSGFILTER hook with ThreadID==0.
If the call is successful, it returns the hook handle in eax. If not, NULL is returned. You must save the hook handle for unhooking later.
You can uninstall a hook by calling UnhookWindowsHookEx, which accepts only one parameter, the handle of the hook you want to uninstall. If the call succeeds, it returns a non-zero value in eax. Otherwise, it returns NULL.
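
The local/remote rules for HookType, hInstance and ThreadID above can be applied to recorded SetWindowsHookEx calls, for example when reviewing an API trace. The following C code is an added example, not part of the original tutorial: the hook_call record layout, the function names and the sample records are assumptions made for illustration, and the WH_* values are those from winuser.h.

```c
#include <stdio.h>

/* Hook type values as defined in winuser.h. */
enum { WH_MSGFILTER = -1, WH_JOURNALRECORD = 0, WH_JOURNALPLAYBACK = 1,
       WH_KEYBOARD = 2, WH_SYSMSGFILTER = 6, WH_MOUSE = 7 };

typedef enum { LOCAL_THREAD, LOCAL_SYSTEMWIDE, REMOTE_THREAD, REMOTE_SYSTEMWIDE } hook_scope;

/* One recorded SetWindowsHookEx call (hypothetical record layout for this example). */
typedef struct {
    int hook_type;              /* HookType argument */
    int hinstance_null;         /* 1 if hInstance was NULL */
    unsigned thread_id;         /* ThreadID argument, 0 = all threads */
    unsigned thread_owner_pid;  /* process owning thread_id; unused when thread_id is 0 */
    unsigned caller_pid;        /* process that made the call */
} hook_call;

/* Apply the ThreadID rule and its two exceptions, in the order the text gives them. */
hook_scope classify_scope(const hook_call *c) {
    if (c->hook_type == WH_JOURNALRECORD || c->hook_type == WH_JOURNALPLAYBACK)
        return LOCAL_SYSTEMWIDE;                 /* journal hooks: always local system-wide */
    if (c->hook_type == WH_SYSMSGFILTER || c->thread_id == 0)
        return REMOTE_SYSTEMWIDE;                /* affects all threads in the system */
    return c->thread_owner_pid == c->caller_pid ? LOCAL_THREAD : REMOTE_THREAD;
}

/* Return 1 when hInstance agrees with the scope: a remote hook procedure must
   live in a DLL (non-NULL hInstance), a local thread hook must pass NULL. */
int hinstance_consistent(const hook_call *c) {
    switch (classify_scope(c)) {
    case REMOTE_THREAD:
    case REMOTE_SYSTEMWIDE: return !c->hinstance_null;
    case LOCAL_THREAD:      return c->hinstance_null;
    default:                return 1;            /* journal hooks: a DLL is not required */
    }
}

int main(void) {
    static const char *names[] = { "local (thread)", "local (system-wide)",
                                   "remote (thread)", "remote (system-wide)" };
    /* Constructed sample records: hook type, hInstance NULL?, ThreadID, owner PID, caller PID. */
    hook_call calls[] = { { WH_MOUSE, 1, 1234, 100, 100 }, { WH_KEYBOARD, 0, 0, 0, 100 },
                          { WH_KEYBOARD, 1, 0, 0, 100 },   { WH_MOUSE, 0, 4321, 200, 100 } };
    for (unsigned i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("call %u: %-20s hInstance %s\n", i, names[classify_scope(&calls[i])],
               hinstance_consistent(&calls[i]) ? "consistent" : "INCONSISTENT");
    return 0;
}
```
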
Now that you know how to install/uninstall hooks, we can examine the hook procedure.
The hook procedure will be called whenever an event that is associated with the type of hook you have installed occurs. For example, if you install a WH_MOUSE hook, your hook procedure will be called when a mouse event occurs. Regardless of the type of hook you installed, the hook procedure always has the following prototype:
HookProc proto nCode:DWORD, wParam:DWORD, lParam:DWORD
- nCode specifies the hook code.
- wParam and lParam contain additional information about the event.
WH_CALLWNDPROC
- nCode can be only HC_ACTION, which means there is a message sent to a window
- wParam contains the message being sent, if it's not zero
- lParam points to a CWPSTRUCT structure
- return value: not used, return zero
WH_MOUSE
- nCode can be HC_ACTION or HC_NOREMOVE
- wParam contains the mouse message
- lParam points to a MOUSEHOOKSTRUCT structure
- return value: zero if the message should be processed. 1 if the message should be discarded.
The bottom line is: you must consult your Win32 API reference for details about the meanings of the parameters and return value of the hook you want to install.