可以禁用由SetWindowsHookEx运行时创建的挂钩吗? [英] Possible to disable a hook made with SetWindowsHookEx run-time?

问题描述

如果一个名为SetWindowsHookEx的应用程序(例如，在我的外部程序中，或在外部进程中)，我是否可以解开钩子?请记住，不是第一个将钩子放在第一位的人，所以我没有任何变量或指向原始钩子的指针.

If an application (mine, or in an external process, for example) called SetWindowsHookEx, would it be possible for me to unhook the hook? Remember that it wasn't me who made the hook first place, so I don't have any kind of variables or pointers to the original hooks.

推荐答案

不，没有.

在过去(新约时代之前)，您可能已经放弃了使用获得的HHOOK玩某些游戏，因为返回的 HHOOK是要调用的钩子链中的链接.即使那样，我也不确定是否有可能.

Back in the day (pre-NT era) you might have gotten away with playing some games with an HHOOK you obtained, as the returned HHOOK was a link in the chain of hooks to be called. Even then I'm not sure it was possible.

今天，Windows不会将链中下一个钩子的调用委托给您(因此，不推荐使用的参数为

Today, Windows doesn't delegate the invocation of the next hook in the chain to you (thus the deprecated parameter to CallNextHookEx) and HHOOKs don't let you reach out to hooks you didn't register anymore.

更正确地说，没有好的和受支持的方法来做到这一点.
您可以安装一个rootkit，深入研究Windows的内部结构，然后以这种方式找到钩子链.但这显然是荒谬的，而且危险的长度.

More properly, there is no good and supported way to do this.
You could install a rootkit, dig deep into Windows internals and find the hook chain that way; but that's obviously going to ridiculous - and dangerous - lengths.

挂钩(通过多种API挂钩解决方案之一，绕道而行似乎很受欢迎) SetWindowsHookEx 和 CallNextHookEx 可以为您提供大部分符合以下条件的应用程序: NT约定.要点是在调用SetWindowsHookEx之后立即取消新的钩子，将所有传递的钩子(不是您自己的钩子)解钩到CallNextHookEx.为了保证干净"的应用程序，您还必须模拟许多事件，以强制调用任何已被调用的钩子，以便将它们解钩.另外，一旦您遇到过去8年以上编写的任何将NULL传递给CallNextHookEx的应用程序，此机制都将失败.

Hooking (via one of the myriad API hooking solutions out there, Detours seems popular) SetWindowsHookEx and CallNextHookEx can get you most of the way there for applications that conform to pre-NT conventions. The gist is to immediately unhook new hooks after calls to SetWindowsHookEx, unhook any passed hooks (that aren't your own) to CallNextHookEx. To guarantee a "clean" application, you'd also have to simulate a number of events to force any already called hooks to be invoked so they can be unhooked. Also, this regime will fail as soon as you encounter any of the applications written in the last 8+ years that pass NULL to CallNextHookEx.

因此，即使(可能)从技术上(也许)取消钩子您的应用未注册，您最好还是尝试以不同的方式完成您想要的事情极其脆弱的方式.

So even though it is technically possible (maybe) to unhook HHOOKs your app didn't register, you're probably better off trying to accomplish whatever it is you're after a different, less horribly brittle way.

这篇关于可以禁用由SetWindowsHookEx运行时创建的挂钩吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！