majkinetor
Joined: 24 May 2006 Posts: 3615 Location: Belgrade
Posted: Mon May 21, 2007 8:24 pm
Quote: any one of the events monitored by CBT will cause the hook to be loaded,
Yes, when it happens. Not until it happens. That may be the reason why your CBT hook was loaded in half of processes...
Quote: If you are just monitoring one window, it is easier to just inject a DLL and reassign the WndProc to it using SetWindowLong, and filter the messages, than to use a hook IMO.
Yes, subclassing is a much better and easier solution for single window monitoring.

JGR
Joined: 15 Jun 2006 Posts: 52 Location: Unavailable until ~30th August
Posted: Mon May 21, 2007 8:45 pm
Quote: That may be the reason why your CBT hook was loaded in half of processes
I doubt it. I moved, activated, minimised, etc. windows and certain applications worked every time and certain applications wouldn't.
I create a notepad window, zilch.
I open my text editor: ConTEXT, hook injected immediately and working.
My API reference, never injected. The autohotkey help, and process explorer, always injected...
I suspect that certain applications pass different flags to the window perhaps?, or some registry key somewhere, you can only speculate with Windows ...
JGR

majkinetor
Joined: 24 May 2006 Posts: 3615 Location: Belgrade
Posted: Mon May 21, 2007 9:11 pm
I will try to find time to check out if I can find what causes the problems you mention above in your SetWindowsHookEx project. I also had similar bugs in my projects back in the day. I remember that I was using other hook types on some occasions just to enable some other hook. For instance, hook OBJECT CREATE just to hook OBJECT MOVING, as for some reason the 1st hook was always injected while the other one wasn't... Well, the point was to enter the process address space anyway, one way or another.

Sean
Joined: 12 Feb 2007 Posts: 1281
Posted: Tue May 22, 2007 1:33 am
JGR wrote: My API reference, never injected. The autohotkey help, and process explorer, always injected...
I was playing a little with ahkhook.dll.
Yes, it wasn't injected into explorer or notepad, but injected well into wordpad.
Although I can't tell if it's related to the cause of this or not, Process Explorer reported ahkhook.dll (and callback.dll too) as packed images.
This may have trouble with sort of legacy apps like notepad?
BTW, do you have any reason to use PostMessage instead of SendMessage with ahkhook.dll?
As the hook procedures clearly expect/depend on the return values, I became curious about using PostMessage instead.

JGR
Joined: 15 Jun 2006 Posts: 52 Location: Unavailable until ~30th August
Posted: Tue May 22, 2007 6:31 am
Process explorer thinks that anything which doesn't set up a stack frame is "packed".
As for PostMessage, I can't remember why I finally used it rather than SendMessage... I believe it was to prevent AHK deadlocking the system.
As for the hook's return value, it just calls the next hook function and returns that.
I planned at one point to call SendMessage, and only call the next hook function, if the return value was greater than 1.
I will probably implement this later today...

majkinetor
Joined: 24 May 2006 Posts: 3615 Location: Belgrade
Posted: Tue May 22, 2007 9:16 am
Quote: As for PostMessage, I can't remember why I finally used it rather than SendMessage... I believe it was to prevent AHK deadlocking the system.
But the value that can be returned by SM is important, as this value determines whether a certain action is allowed or not.

Sean
Joined: 12 Feb 2007 Posts: 1281
Posted: Tue May 22, 2007 12:12 pm
JGR wrote: I suspect that certain applications pass different flags to the window perhaps?, or some registry key somewhere, you can only speculate with Windows ...
I tried to do LoadLibrary manually via CreateRemoteThread.
As I suspected, LoadLibrary ahkhook.dll does not work with notepad, while it does work with wordpad.

Sean
Joined: 12 Feb 2007 Posts: 1281
Posted: Tue May 22, 2007 2:28 pm
Sean wrote: I tried to do LoadLibrary manually via CreateRemoteThread.
As I suspected, LoadLibrary ahkhook.dll does not work with notepad, while it does work with wordpad.
I think I found the culprit which prevents ahkhook.dll from loading into notepad:
Code: C:\WINDOWS\AppPatch\acgenral.dll
This dll exports two APIs: GetHookAPIs, NotifyShims
and is loaded into notepad when it's launched.
After renaming it to an arbitrary one, ahkhook.dll could be injected into notepad without a problem.
BTW, another hook.dll by Zippo didn't show this symptom:
http://www.autohotkey.com/forum/topic16473.html
PS. I forgot one thing, just in case. This acgenral.dll is a protected file.
So, you have to disable the Windows File Protection, or at least delete the copy in the dllcache folder first before renaming it.

JGR
Joined: 15 Jun 2006 Posts: 52 Location: Unavailable until ~30th August
Posted: Tue May 22, 2007 2:55 pm
I am going to investigate this acgenral.dll file.
I found this blog by Alex Ionescu...
http://www.alex-ionescu.com/?p=40
Good work working that out, Thanks...
JGR
Edit:
Renaming notepad.exe also works...
There is probably an entry for notepad in the system compatibility database.
I will look and try and find it.

majkinetor
Joined: 24 May 2006 Posts: 3615 Location: Belgrade
Posted: Tue May 22, 2007 3:49 pm
Great discovery guys....
I am getting ready for real hooks
In the meantime I improved docking. It was slow cuz of SetWinDelay which defaults to 100ms.
Now dock even with WinEvent hooks works fine.

JGR
Joined: 15 Jun 2006 Posts: 52 Location: Unavailable until ~30th August
Posted: Tue May 22, 2007 4:11 pm
There is an entry in C:\windows\AppPatch\sysmain.sdb for notepad, but I can't extract what it means or if we can get rid of it...
JGR

majkinetor
Joined: 24 May 2006 Posts: 3615 Location: Belgrade
Posted: Tue May 22, 2007 4:14 pm
Does it have any other problems? If not, why don't we use that one?

JGR
Joined: 15 Jun 2006 Posts: 52 Location: Unavailable until ~30th August
Posted: Tue May 22, 2007 4:28 pm
That hook dll hooks low level mouse events.
This is the same hook that autohotkey uses internally...
The hook dll is only mapped into the process which calls it, not all processes which need to be hooked.
Low level mouse events are not specific to a process...
This is useful, but not the same type of hook (although my hook dll will quite happily hook low level mouse events) as a global CBT hook.
I have recently updated the code to use send instead of post message, and to call the next hook function only if the return value is not zero or one, signaling a definite allow or block respectively.
The link will be reposted here: http://www.autohotkey.net/~JGR/cbthook.rar

Sean
Joined: 12 Feb 2007 Posts: 1281
Posted: Tue May 22, 2007 11:00 pm
JGR wrote: I have recently updated the code to use send instead of post message, and to call the next hook function only if the return value is not zero or one, signaling a definite allow or block respectively.
The link will be reposted here: http://www.autohotkey.net/~JGR/cbthook.rar
Thanks for the new version. It became even smaller!
But, the real pleasant surprise is: it's now injected into notepad and explorer without any tweak!
PS. I noticed that this new dll has no import table for kernel32.dll (:ExitProcess) while the older one has.
And, Process Explorer doesn't report the dll as a packed image any more.
Which one could be the cure of LoadLibrary trouble?
Anyway, would you do a similar modification to callback.dll?
It shows the same symptom with LoadLibrary.

JGR
Joined: 15 Jun 2006 Posts: 52 Location: Unavailable until ~30th August
Posted: Wed May 23, 2007 9:04 am
I have done the same thing to callback.dll and reuploaded the archive...
It is now 1024 bytes, and does not import ExitProcess. I could not determine whether this works any better in my five minutes of testing it, but it is only really going to be loaded into autohotkey's process anyway.
I verified that the new hook dll works properly on all processes. I suspect it has more to do with the fact that I switched linker from an OMF to a COFF one and reduced the number of sections from 5 to 2.
(I personally prefer OMF for assembly, but the linkers are a bit basic... )
JGR
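
Added example, not part of the thread and not JGR's code: the last posts compare the old and new DLL builds by section count and by whether an import table is present, and a header-only PE reader makes that comparison repeatable when diagnosing a module that fails to load. The two sample images are constructed header stubs; their section names and import directory values are made up and only stand in for a five-section build with imports and a two-section build without.

```python
import struct

def pe_summary(data: bytes) -> dict:
    """Read section names and import-directory presence from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)             # data directory array
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)      # NumberOfRvaAndSizes
    imp_rva = imp_size = 0
    if ndirs > 1:                                            # entry 1 = import table
        imp_rva, imp_size = struct.unpack_from("<II", data, dirs + 8)
    table = opt + opt_size                                   # section table start
    if len(data) < table + 40 * nsect:
        raise ValueError("section table truncated")
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsect)]
    return {"sections": names, "is_dll": bool(chars & 0x2000),
            "has_imports": imp_rva != 0 and imp_size != 0}

def build_sample(names, import_dir=(0, 0)) -> bytes:
    """Constructed PE32 DLL header stub (headers only, no section data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                      # 16 data directories
    struct.pack_into("<II", opt, 96 + 8, *import_dir)
    sections = b"".join(n.encode("ascii").ljust(40, b"\0") for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections

# Constructed samples: section names and the import RVA/size are made up.
OLD_STYLE = build_sample([".text", ".data", ".idata", ".rsrc", ".reloc"], (0x3000, 0x28))
NEW_STYLE = build_sample([".text", ".reloc"])

if __name__ == "__main__":
    for label, image in (("five sections", OLD_STYLE), ("two sections", NEW_STYLE)):
        print(label, pe_summary(image))
```

Running `pe_summary` over the bytes of a real DLL read from disk gives the same three fields, so two builds of a module can be compared side by side.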