Today I want to concentrate on a topic called hooking. This will be an introduction to the following articles on a more specific subject, API hooking. In programming, hooking refers to a technique that uses so-called hooks to build a chain of procedures, much like an event handler that processes the inputs a program receives. When the hooked event occurs, control flow follows that chain in a definite order.
A new hook registers its own address as the handler for the event and is expected to call the handler it replaced at some point, usually at the end. Bear in mind that each hook has to pass execution on to the previous handler, so that execution finally arrives at the default one; otherwise the chain is broken and every hook installed earlier, as well as the original handler, no longer sees the event. Unregistering a hook means setting the procedure it replaced back as the event handler.
Note that hooking is used for many legitimate reasons, such as debugging and extending original functionality; security products use the same mechanism to intercept suspicious API calls. Apart from that, it can also be misused to inject (potentially malicious) code into the event handler – for instance, rootkits attempt to make themselves invisible by faking the output of API calls that would otherwise reveal their existence.
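To make the chain discipline concrete, here is a small C model of it. This is an added example, not code from the original article or from any Windows API: the names event_handler_t, install_hook, hook_a and hook_b_broken are invented for the illustration. It shows a well-behaved hook that passes execution to the handler it replaced and a broken one that does not, and what each does to the rest of the chain.

```c
#include <stdio.h>

/* Added example, not from the original article: a plain-C model of a hook
 * chain. One global "event handler" slot holds the head of the chain;
 * installing a hook saves the previous head and becomes the new one; a hook
 * must call the handler it saved; unregistering puts that saved handler back.
 * All names here (event_handler_t, install_hook, hook_a, ...) are invented. */

typedef int (*event_handler_t)(int event_code);

/* The default handler at the end of every chain: doubles the event code so
 * a caller can tell whether the event actually reached it. */
static int default_handler(int event_code) {
    return event_code * 2;
}

/* Head of the chain. Dispatch always goes through this slot. */
static event_handler_t current_handler = default_handler;

/* Register h as the new head and hand back the handler it replaced. */
static event_handler_t install_hook(event_handler_t h) {
    event_handler_t prev = current_handler;
    current_handler = h;
    return prev;
}

/* Unregister by restoring the handler the hook saved at install time. */
static void uninstall_hook(event_handler_t saved_prev) {
    current_handler = saved_prev;
}

/* Hook A is well behaved: it observes the event, then passes it on. */
static event_handler_t hook_a_prev;
static int hook_a_calls;
static int hook_a(int event_code) {
    hook_a_calls++;
    return hook_a_prev(event_code);   /* continue the chain */
}

/* Hook B is broken: it never calls its predecessor, so nothing installed
 * before it (including the default handler) sees the event. */
static event_handler_t hook_b_prev;
static int hook_b_calls;
static int hook_b_broken(int event_code) {
    (void)event_code;
    hook_b_calls++;
    return -1;                        /* chain stops here */
}

/* Small public surface so the behaviour can be checked from outside. */
int  dispatch_event(int event_code) { return current_handler(event_code); }
void install_hook_a(void)    { hook_a_prev = install_hook(hook_a); }
void install_hook_b(void)    { hook_b_prev = install_hook(hook_b_broken); }
void uninstall_hook_a(void)  { uninstall_hook(hook_a_prev); }
void uninstall_hook_b(void)  { uninstall_hook(hook_b_prev); }
int  hook_a_call_count(void) { return hook_a_calls; }
int  hook_b_call_count(void) { return hook_b_calls; }

int main(void) {
    printf("no hooks:      %d\n", dispatch_event(21));  /* 42 */
    install_hook_a();
    printf("hook A:        %d\n", dispatch_event(21));  /* 42, A saw it */
    install_hook_b();
    printf("hook B over A: %d\n", dispatch_event(21));  /* -1, A did not */
    uninstall_hook_b();                                  /* reverse order */
    uninstall_hook_a();
    printf("unhooked:      %d\n", dispatch_event(21));  /* 42 */
    return 0;
}
```

Because each hook restores exactly the handler it saved, hooks in this kind of chain have to be removed in the reverse order of installation; unhooking A while B is still on top would reinstall the default handler and silently drop B. The Windows hook chain is managed by the system, so this ordering concern applies mainly to hand-rolled hooks of the kind the later API hooking articles deal with.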
Windows hooks that monitor the message traffic of a thread are classified by scope into:
- Local hooks, which monitor the message traffic of a thread belonging to your own process.
- Remote hooks, which can be:
  - Thread-specific, monitoring the message traffic of a thread belonging to another process;
  - System-wide, monitoring the message traffic of all threads running on the system (strictly, all threads on the same desktop as the installing thread).
Going deeper, the same scopes appear under another set of names:
- A system hook, which lets you insert a callback function that intercepts certain Windows messages (e.g., mouse-related messages).
- A local system hook, which is a system hook that is called only when the specified messages are processed by a single thread.
- A global system hook, which is a system hook that is called when the specified messages are processed by any application on the entire system.
Which of these you get is decided when the hook is installed, not by the hook procedure itself: the thread id passed to SetWindowsHookEx selects a single thread, and a thread id of 0 selects every thread on the desktop. Keep in mind that a hook procedure that has to run inside another process must live in a DLL, because the system maps that DLL into each hooked process.
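The C program below is an added example, not code from the original article, that encodes how the three scopes map onto the arguments of SetWindowsHookEx(idHook, lpfn, hMod, dwThreadId) and, when built on Windows, installs and then removes a local WH_KEYBOARD hook on its own thread. hook_scope_t, scope_thread_id, scope_requires_dll and run_local_hook_demo are names made up for this illustration; SetWindowsHookEx, CallNextHookEx, UnhookWindowsHookEx, GetCurrentThreadId, WH_KEYBOARD and HC_ACTION are the real Win32 names. On a non-Windows build only the scope-mapping helpers are compiled.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Added example, not from the original article. idHook selects the message
 * class, dwThreadId selects the scope, and hMod must be a DLL whenever the
 * hook procedure has to run inside another process. The enum and helper
 * names below are invented; the Win32 calls are real. */

typedef enum {
    HOOK_LOCAL,          /* one thread of our own process       */
    HOOK_REMOTE_THREAD,  /* one thread of another process       */
    HOOK_SYSTEM_WIDE     /* every thread on the same desktop    */
} hook_scope_t;

/* Value to pass as dwThreadId: our own thread id for a local hook, the
 * foreign thread id for a thread-specific remote hook, 0 for system-wide. */
unsigned long scope_thread_id(hook_scope_t scope,
                              unsigned long own_tid,
                              unsigned long target_tid) {
    switch (scope) {
    case HOOK_LOCAL:         return own_tid;
    case HOOK_REMOTE_THREAD: return target_tid;
    case HOOK_SYSTEM_WIDE:   return 0;
    }
    return 0;
}

/* Does the hook procedure have to live in a DLL? A local hook can point at
 * code in the current process (hMod = NULL). Any hook that must execute in
 * another process needs a DLL that the system maps into that process. The
 * one exception is the low-level pair WH_KEYBOARD_LL / WH_MOUSE_LL: those
 * are always system-wide but are called back in the installing thread, so
 * they need no DLL. (Low-level hooks cannot be made thread-specific.) */
int scope_requires_dll(hook_scope_t scope, int low_level_hook) {
    if (scope == HOOK_LOCAL) return 0;
    if (scope == HOOK_SYSTEM_WIDE && low_level_hook) return 0;
    return 1;
}

#ifdef _WIN32
static int g_seen = 0;

/* WH_KEYBOARD procedure: count the message, then ALWAYS pass it on.
 * Returning a nonzero value instead of calling CallNextHookEx prevents
 * the message from reaching the rest of the chain and the target window. */
static LRESULT CALLBACK keyboard_proc(int code, WPARAM wParam, LPARAM lParam) {
    if (code == HC_ACTION) g_seen++;
    return CallNextHookEx(NULL, code, wParam, lParam);
}

/* Install a local WH_KEYBOARD hook on the calling thread. hMod is NULL
 * because the procedure is in our own process. The hook only fires when this
 * thread retrieves WM_KEYDOWN/WM_KEYUP via GetMessage/PeekMessage, so a real
 * program would pump messages between install and unhook. */
int run_local_hook_demo(void) {
    DWORD tid = (DWORD)scope_thread_id(HOOK_LOCAL, GetCurrentThreadId(), 0);
    HHOOK h = SetWindowsHookEx(WH_KEYBOARD, keyboard_proc, NULL, tid);
    if (h == NULL) return -1;                 /* GetLastError() has the reason */
    /* ... message loop would go here ... */
    UnhookWindowsHookEx(h);                   /* give the chain back */
    return 0;
}
#else
int run_local_hook_demo(void) { return -2; }  /* not a Windows build */
#endif

int main(void) {
    printf("system-wide hook passes dwThreadId=%lu\n",
           scope_thread_id(HOOK_SYSTEM_WIDE, 1, 2));
    printf("remote thread hook needs a DLL: %d\n",
           scope_requires_dll(HOOK_REMOTE_THREAD, 0));
    int rc = run_local_hook_demo();
    printf("local hook demo: %s\n",
           rc == 0 ? "installed and removed"
                   : rc == -1 ? "SetWindowsHookEx failed" : "skipped, not Windows");
    return 0;
}
```

Build it with any C compiler (on Windows link against user32, e.g. with MinGW: gcc hooks.c -luser32). The point to take away is that the procedure in keyboard_proc is the same whether the hook is local, thread-specific or global; only the dwThreadId and hMod arguments change, and for the remote cases the procedure has to be compiled into a DLL rather than into the installing executable.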