<p>See</p>
<ul>
<li><a href="http://www.ntinternals.org/source.php" rel="nofollow noreferrer">http://www.ntinternals.org/source.php</a></li>
</ul>
<hr>
<ul>
<li><a href="http://blog.airesoft.co.uk/2011/07/hookers-underneath-the-sheets/" rel="nofollow noreferrer">http://blog.airesoft.co.uk/2011/07/hookers-underneath-the-sheets/</a></li>
</ul>
<blockquote>
<p>Finding hooks</p>
<p>Compared to other operations, enumerating the installed hooks is quite easy.</p>
<p>Thread-specific hooks are recorded in a win32k per-thread data structure tagged, rather imaginatively, as THREADINFO<a href="http://www.airesoft.co.uk/files/MsgHookLister.zip" rel="nofollow noreferrer">1</a>. This is essentially an ETHREAD/TEB-like structure, but one tailored specifically for user and GDI information. One of its members (aphkStart) is a 16-element array of pointers; individually they either point to NULL or to the head of a linked list of HOOK structures. Enumerating the hooks is simply a measure of walking down those chains.</p>
<p>For convenience, and probably so that iteration isn’t required to see if any hooks are set, the THREADINFO contains another member, fsHooks, which is a bitfield. If a bit is on, the corresponding index in the hook array is valid. Instead of 33 comparisons (16 for NULL and 17 for a for-loop), telling if there are hooks requires just one. Nifty!</p>
<p>Global hooks, which are per desktop<a href="https://github.com/prekageo/winhook" rel="nofollow noreferrer">2</a>, are also stored in a per-object structure, also imaginatively named (DESKTOPINFO), and are also stored in an array with an accompanying bitfield. Bridging the two is pDeskInfo, a member of THREADINFO which points to its owning DESKTOPINFO.</p>
<p>Despite the bellyaching in the intro, working with all these undocumented structures isn’t actually too hard in practice. The Windows 7 symbols for win32k.sys include their layouts, which is nice. The symbols for the Vista/Server 2008 era don’t, though; this is where the assembly studying comes in and saves the day.</p>
<p>Knowing what these structures look like is one thing, getting at them is another…</p>
<p>Having gotten our grubby mitts on them, we find HOOK structures record most of the relevant information themselves:</p>
</blockquote>
<pre><code>struct tagHOOK {
    THRDESKHEAD      head;             // info about the creator
    struct tagHOOK*  phkNext;          // next entry in linked list
    int              iHook;            // WH_ hook type
    UINT_PTR         offPfn;           // RVA to hook function in ihmod library
    UINT             flags;            // HF_ flags (GLOBAL, ANSI)
    int              ihmod;            // library that contains the hook function (see offPfn)
    THREADINFO*      ptiHooked;        // the hooked thread
    PVOID            rpDesk;           // saved desktop pointer
    ULONG            nTimeout :7;
    ULONG            fLastHookHung :1;
};
</code></pre>
<p>You can download the <a href="http://www.airesoft.co.uk/files/MsgHookLister.zip" rel="nofollow noreferrer">software here</a>.</p>
<hr>
<ul>
<li><a href="http://shiftlock.wordpress.com/2011/06/22/windows-hooks-detector" rel="nofollow noreferrer">http://shiftlock.wordpress.com/2011/06/22/windows-hooks-detector</a></li>
</ul>
<blockquote>
<p>An overview for detecting installed global hooks follows:</p>
<ol>
<li>Call PsGetCurrentThread and get the ETHREAD structure of the current thread. ETHREAD is an opaque data structure according to the MSDN documentation.</li>
<li>Extract the THREADINFO structure by calling PsGetThreadWin32Thread. Both of them are undocumented.</li>
<li>Extract the DESKTOPINFO.</li>
<li>There you can find all the globally installed hooks. They are organized in an array. Each element is a linked list and corresponds to a specific hook (WH_*).</li>
</ol>
<p>An overview for detecting installed local hooks follows:</p>
<ol>
<li>Given a thread ID.</li>
<li>Call PsLookupThreadByThreadId and get the ETHREAD structure of the specified thread.</li>
<li>Extract the THREADINFO structure by calling PsGetThreadWin32Thread.</li>
<li>There you can find all the locally installed hooks for the specified thread. They are organized in an array. Each element is a linked list and corresponds to a specific hook (WH_*).</li>
</ol>
</blockquote>
<p>You can see the <a href="https://github.com/prekageo/winhook" rel="nofollow noreferrer">source here</a>.</p>
<hr>
<ul>
<li><a href="https://github.com/tigros/HookTools" rel="nofollow noreferrer">https://github.com/tigros/HookTools</a></li>
</ul>
<blockquote>
<p>Plugin for Process Hacker 2 (<a href="http://processhacker.sourceforge.net" rel="nofollow noreferrer">http://processhacker.sourceforge.net</a>); displays system hooks and is able to unhook them (right-click menu).</p>
<p>Grab the Process Hacker source and compile it, then add HookTools.vcxproj to Plugins.sln. VS 2013 was used. Set your library path in VC++ directories.</p>
</blockquote>
<hr>
<p>Or see the related questions with answers here:</p>
<ul>
<li><a href="https://stackoverflow.com/questions/1465135/detecting-keyboard-hooks">Detecting Keyboard Hooks</a></li>
<li><a href="https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis">https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis</a></li>
</ul>
<p>But I still haven't found a reliable way to do it.</p>
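As an added example (not code from the answer above or from the blogs it quotes), a user-mode C mock of the enumeration the quoted text describes: test the fsHooks bit for a slot, then walk that slot's HOOK chain, and cross-check the bitfield against the array so a detector does not rely on the bitfield alone. The trimmed struct layouts, the slot = iHook - WH_MIN mapping and the sample hooks are assumptions; the WH_ values are the winuser.h constants.

```c
#include <stdint.h>
#include <string.h>
#define WH_MIN (-1)                        /* WH_MSGFILTER, per winuser.h */
#define WH_MAX 14                          /* WH_MOUSE_LL */
#define HOOK_SLOTS (WH_MAX - WH_MIN + 1)   /* 16 chains, like aphkStart */
#define WH_GETMESSAGE 3
#define WH_KEYBOARD_LL 13

typedef struct tagHOOK {                   /* assumed, trimmed stand-in for tagHOOK */
    struct tagHOOK *phkNext;               /* next entry in this type's chain */
    int             iHook;                 /* WH_ hook type */
    uintptr_t       offPfn;                /* RVA of the hook proc in its module */
    unsigned        flags;                 /* HF_ flags */
} HOOK;

typedef struct {                           /* assumed stand-in for THREADINFO */
    HOOK    *aphkStart[HOOK_SLOTS];        /* chain heads; slot = iHook - WH_MIN (assumed) */
    uint32_t fsHooks;                      /* bit n set <=> aphkStart[n] is non-empty */
} THREADINFO_MOCK;

/* The enumeration from the quoted text: test fsHooks, then walk each flagged
 * chain. Returns the hook count; `found` receives iHook values in slot order. */
size_t enumerate_hooks(const THREADINFO_MOCK *ti, int *found, size_t cap) {
    size_t n = 0;
    for (int slot = 0; slot < HOOK_SLOTS; slot++) {
        if (!(ti->fsHooks & (1u << slot))) continue;   /* the one-comparison shortcut */
        for (const HOOK *h = ti->aphkStart[slot]; h; h = h->phkNext, n++)
            if (n < cap) found[n] = h->iHook;
    }
    return n;
}

/* Cross-check: compare the bitfield slot by slot against the array so a chain
 * whose bit is clear is still noticed. Returns 1 when they agree, 0 otherwise. */
int bitfield_consistent(const THREADINFO_MOCK *ti) {
    for (int slot = 0; slot < HOOK_SLOTS; slot++)
        if (((ti->fsHooks >> slot) & 1u) != (ti->aphkStart[slot] != NULL)) return 0;
    return 1;
}

/* Constructed sample thread: two WH_GETMESSAGE hooks and one WH_KEYBOARD_LL hook. */
void build_sample(THREADINFO_MOCK *ti) {
    static HOOK gm2  = { NULL, WH_GETMESSAGE,  0x1100, 0 };
    static HOOK gm1  = { &gm2, WH_GETMESSAGE,  0x2200, 0 };
    static HOOK kbll = { NULL, WH_KEYBOARD_LL, 0x3300, 0 };
    memset(ti, 0, sizeof *ti);
    ti->aphkStart[WH_GETMESSAGE - WH_MIN]  = &gm1;
    ti->aphkStart[WH_KEYBOARD_LL - WH_MIN] = &kbll;
    ti->fsHooks = (1u << (WH_GETMESSAGE - WH_MIN)) | (1u << (WH_KEYBOARD_LL - WH_MIN));
}
```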