hooks.c File Reference

#include "precomp.h"

Go to the source code of this file.

Defines
#define	HKF_SYSTEM   0x01
#define	HKF_TASK   0x02
#define	HKF_JOURNAL   0x04
#define	HKF_NZRET   0x08
#define	HKF_INTERSENDABLE   0x10
#define	HKF_LOWLEVEL   0x20
#define	IS_CHAR_MSG(msg)   ((msg) & 0x02)
#define	DbgValidatefsHook(phk, nFilterType, pti, fGlobal)
Functions
void	UnlinkHook (PHOOK phkFree)
BOOL	zzzJournalAttach (PTHREADINFO pti, BOOL fAttach)
void	InterQueueMsgCleanup (DWORD dwTimeFromLastRead)
void	zzzCancelJournalling (void)
PROC	zzzSetWindowsHookAW (int nFilterType, PROC pfnFilterProc, DWORD dwFlags)
PHOOK	zzzSetWindowsHookEx (HANDLE hmod, PUNICODE_STRING pstrLib, PTHREADINFO ptiThread, int nFilterType, PROC pfnFilterProc, DWORD dwFlags)
LRESULT	xxxCallNextHookEx (int nCode, WPARAM wParam, LPARAM lParam)
VOID	CheckWHFBits (PTHREADINFO pti, int nFilterType)
BOOL	zzzUnhookWindowsHook (int nFilterType, PROC pfnFilterProc)
BOOL	zzzUnhookWindowsHookEx (PHOOK phkFree)
BOOL	_CallMsgFilter (LPMSG pmsg, int nCode)
int	xxxCallHook (int nCode, WPARAM wParam, LPARAM lParam, int iHook)
LRESULT	xxxCallHook2 (PHOOK phkCall, int nCode, WPARAM wParam, LPARAM lParam, LPBOOL lpbAnsiHook)
BOOL	xxxCallMouseHook (UINT message, PMOUSEHOOKSTRUCTEX pmhs, BOOL fRemove)
void	xxxCallJournalRecordHook (PQMSG pqmsg)
DWORD	xxxCallJournalPlaybackHook (PQMSG pqmsg)
VOID	FreeHook (PHOOK phkFree)
PHOOK	PhkFirstGlobalValid (PTHREADINFO pti, int nFilterType)
PHOOK	PhkFirstValid (PTHREADINFO pti, int nFilterType)
VOID	FreeThreadsWindowHooks (VOID)
VOID	zzzRegisterSystemThread (DWORD dwFlags, DWORD dwReserved)
Variables
CONST int	ampiHookError [CWINHOOKS]
CONST BYTE	abHookFlags [CWINHOOKS]

---

Define Documentation

#define DbgValidatefsHook (  phk, nFilterType, pti, fGlobal   )

Definition at line 274 of file hooks.c. Referenced by PhkFirstGlobalValid(), and PhkFirstValid().

#define HKF_INTERSENDABLE   0x10

Definition at line 24 of file hooks.c. Referenced by xxxCallHook2(), zzzSetWindowsHookEx(), and zzzUnhookWindowsHookEx().

#define HKF_JOURNAL   0x04

Definition at line 22 of file hooks.c. Referenced by xxxCallHook2(), zzzSetWindowsHookEx(), and zzzUnhookWindowsHookEx().

#define HKF_LOWLEVEL   0x20

Definition at line 25 of file hooks.c. Referenced by xxxCallHook2().

#define HKF_NZRET   0x08

Definition at line 23 of file hooks.c. Referenced by zzzSetWindowsHookAW().

#define HKF_SYSTEM   0x01

Definition at line 20 of file hooks.c.

#define HKF_TASK   0x02

Definition at line 21 of file hooks.c. Referenced by zzzSetWindowsHookEx().

#define IS_CHAR_MSG (  msg   )     ((msg) & 0x02)

Definition at line 126 of file hooks.c. Referenced by xxxCallJournalPlaybackHook().

---

Function Documentation

BOOL _CallMsgFilter (  LPMSG  pmsg, int  nCode )

Definition at line 1210 of file hooks.c. References BOOL, FALSE, IsHooked, PtiCurrent, TRUE, WHF_MSGFILTER, WHF_SYSMSGFILTER, and xxxCallHook(). Referenced by NtUserCallMsgFilter(), xxxMNLoop(), xxxMoveSize(), xxxOldNextWindow(), xxxSBTrackLoop(), and xxxSendMenuSelect(). { PTHREADINFO pti; pti = PtiCurrent(); /* * First call WH_SYSMSGFILTER. If it returns non-zero, don't * bother calling WH_MSGFILTER, just return TRUE. Otherwise * return what WH_MSGFILTER gives us. */ if (IsHooked(pti, WHF_SYSMSGFILTER) && xxxCallHook(nCode, 0, (LPARAM)pmsg, WH_SYSMSGFILTER)) { return TRUE; } if (IsHooked(pti, WHF_MSGFILTER)) { return (BOOL)xxxCallHook(nCode, 0, (LPARAM)pmsg, WH_MSGFILTER); } return FALSE; }

VOID CheckWHFBits (  PTHREADINFO  pti, int  nFilterType )

Definition at line 986 of file hooks.c. References BOOL, FALSE, tagHOOK::flags, tagDESKTOPINFO::fsHooks, _CLIENTINFO::fsHooks, tagTHREADINFO::fsHooks, HF_GLOBAL, KeAttachProcess(), KeDetachProcess(), NULL, tagTHREADINFO::pClientInfo, tagTHREADINFO::pDeskInfo, PhkFirstGlobalValid(), PhkFirstValid(), tagTHREADINFO::ppi, PpiCurrent, TRUE, VOID(), and WHF_FROM_WH. Referenced by FreeHook(). { BOOL fClearThreadBits; BOOL fClearDesktopBits; PHOOK phook; /* * Assume we're are going to clear local(thread) and * global(desktop) bits. */ fClearThreadBits = TRUE; fClearDesktopBits = TRUE; /* * Get the first valid hook for this thread */ phook = PhkFirstValid(pti, nFilterType); if (phook != NULL) { /* * If it found a global hook, don't clear the desktop bits * (that would mean that there are no local(thread) hooks * so we fall through to clear the thread bits) */ if (phook->flags & HF_GLOBAL) { fClearDesktopBits = FALSE; } else { /* * It found a thread hook so don't clear the thread bits */ fClearThreadBits = FALSE; /* * Check for global hooks now. If there is one, don't * clear the desktop bits */ phook = PhkFirstGlobalValid(pti, nFilterType); fClearDesktopBits = (phook == NULL); } } /* if (phook != NULL) */ if (fClearThreadBits) { pti->fsHooks &= ~(WHF_FROM_WH(nFilterType)); /* * Set the flags in the thread's TEB */ if (pti->pClientInfo) { BOOL fAttached; /* * If the hooked thread is in another process, attach * to that process to access its address space. */ if (pti->ppi != PpiCurrent()) { KeAttachProcess(&pti->ppi->Process->Pcb); fAttached = TRUE; } else fAttached = FALSE; pti->pClientInfo->fsHooks = pti->fsHooks; if (fAttached) KeDetachProcess(); } } if (fClearDesktopBits) { pti->pDeskInfo->fsHooks &= ~(WHF_FROM_WH(nFilterType)); } }

VOID FreeHook (  PHOOK  phkFree  )

Definition at line 1976 of file hooks.c. References CheckWHFBits(), DbgValidateHooks, tagHOOK::flags, GETPTI, HF_DESTROYED, HF_GLOBAL, HMFreeObject(), HMMarkObjectDestroy(), tagHOOK::iHook, NULL, tagHOOK::ptiHooked, RemoveHmodDependency(), UnlinkHook(), and VOID(). Referenced by FreeThreadsWindowHooks(), xxxCallHook2(), and zzzUnhookWindowsHookEx(). { /* * Paranoia... */ UserAssert(!(phkFree->flags & HF_FREED)); /* * BUGBUG * Unless we come from zzzUnhookWindowsHook, if this was a journaling hook * we don't unattach the threads. We should reconsider this one day. * MCostea Jan 21, 99 */ /* * Clear fsHooks bits the first time around (and mark it as destroyed). */ if (!(phkFree->flags & HF_DESTROYED)) { DbgValidateHooks (phkFree, phkFree->iHook); phkFree->flags |= HF_DESTROYED; /* * This hook has been marked as destroyed so CheckWHSBits * won't take it into account when updating the fsHooks bits. * However, this means that right at this moment fsHooks is * out of sync. So we need a flag to make the assertion freaks * (i.e., me) happy. */ #if DBG phkFree->flags |= HF_INCHECKWHF; #endif UserAssert((phkFree->ptiHooked != NULL) || (phkFree->flags & HF_GLOBAL)); CheckWHFBits(phkFree->ptiHooked != NULL ? phkFree->ptiHooked : GETPTI(phkFree), phkFree->iHook); #if DBG phkFree->flags &= ~HF_INCHECKWHF; #endif } /* * Mark it for destruction. If it the object is locked it can't * be freed right now. */ if (!HMMarkObjectDestroy((PVOID)phkFree)) { return; } /* * We're going to free this hook so get it off the list. */ UnlinkHook(phkFree); /* * Now remove the hmod dependency and free the * HOOK structure. */ if (phkFree->ihmod >= 0) { RemoveHmodDependency(phkFree->ihmod); } #ifdef HOOKBATCH /* * Free the cached Events */ if (phkFree->aEventCache) { UserFreePool(phkFree->aEventCache); phkFree->aEventCache = NULL; } #endif //HOOKBATCH #if DBG phkFree->flags |= HF_FREED; #endif HMFreeObject((PVOID)phkFree); return; }

VOID FreeThreadsWindowHooks (  VOID   )

Definition at line 2227 of file hooks.c. References tagTHREADINFO::aphkStart, tagDESKTOPINFO::aphkStart, tagHOOK::flags, FreeHook(), tagTHREADINFO::fsHooks, GETPTI, HF_DESTROYED, HF_GLOBAL, NULL, tagTHREADINFO::pDeskInfo, tagHOOK::phkNext, PtiCurrent, tagHOOK::ptiHooked, tagTHREADINFO::rpdesk, tagTHREADINFO::sphkCurrent, tagTHREADINFO::TIF_flags, TIF_INCLEANUP, UnlinkHook(), Unlock, and VOID(). Referenced by xxxDestroyThreadInfo(). { int iHook; PHOOK phk, phkNext; PTHREADINFO ptiCurrent = PtiCurrent(); /* * If there is not thread info, there are not hooks to worry about */ if (ptiCurrent == NULL || ptiCurrent->rpdesk == NULL) { return; } /* * In case we have a hook locked in as the current hook unlock it * so it can be freed */ Unlock(&ptiCurrent->sphkCurrent); UserAssert(ptiCurrent->TIF_flags & TIF_INCLEANUP); // Why bother doing this? We won't be calling back to user mode again! // if (ptiCurrent->pClientInfo) { // ptiCurrent->pClientInfo->phkCurrent = NULL; // } /* * Loop through all the hook types. */ for (iHook = WH_MIN ; iHook <= WH_MAX ; ++iHook) { /* * Loop through all the hooks of this type, including the * ones already marked as destroyed (so don't call * PhkFirstValid and PhkNextValid). */ phk = ptiCurrent->aphkStart[iHook + 1]; if (phk == NULL) { phk = ptiCurrent->pDeskInfo->aphkStart[iHook + 1]; UserAssert((phk == NULL) || (phk->flags & HF_GLOBAL)); } while (phk != NULL) { /* * We might free phk below, so grab the next now * If at end of local chain, jump to the global chain */ phkNext = phk->phkNext; if ((phkNext == NULL) && !(phk->flags & HF_GLOBAL)) { phkNext = ptiCurrent->pDeskInfo->aphkStart[iHook + 1]; UserAssert((phkNext == NULL) || (phkNext->flags & HF_GLOBAL)); } /* * If this is a local(thread) hook, unlink it and mark it as * destroyed so we won't call it anymore. We want to do * this even if not calling FreeHook; also note that * FreeHook won't unlink it if locked so we do it here anyway. */ if (!(phk->flags & HF_GLOBAL)) { UserAssert(ptiCurrent == phk->ptiHooked); UnlinkHook(phk); phk->flags |= HF_DESTROYED; phk->phkNext = NULL; } /* * If this hook was created by this thread, free it */ if (GETPTI(phk) == ptiCurrent) { FreeHook(phk); } phk = phkNext; } /* * All local hooks should be unlinked */ UserAssert(ptiCurrent->aphkStart[iHook + 1] == NULL); } /* for (iHook = WH_MIN....*/ /* * Keep fsHooks in sync. */ ptiCurrent->fsHooks = 0; }

void InterQueueMsgCleanup (  DWORD  dwTimeFromLastRead  )

Definition at line 339 of file hooks.c. References CheckCritIn, FHungApp(), gpsmsList, NULL, PSMS, and ReceiverDied(). Referenced by zzzCancelJournalling(). { PSMS *ppsms; PSMS psmsNext; CheckCritIn(); /* * Walk gpsmsList */ for (ppsms = &gpsmsList; *ppsms; ) { psmsNext = (*ppsms)->psmsNext; /* * If this is an inter queue message */ if (((*ppsms)->ptiSender != NULL) && ((*ppsms)->ptiReceiver != NULL) && ((*ppsms)->ptiSender->pq != (*ppsms)->ptiReceiver->pq)) { /* * If the receiver has been hung for a while */ if (FHungApp ((*ppsms)->ptiReceiver, dwTimeFromLastRead)) { switch ((*ppsms)->message) { /* * Activation messages */ case WM_NCACTIVATE: case WM_ACTIVATEAPP: case WM_ACTIVATE: case WM_SETFOCUS: case WM_KILLFOCUS: case WM_QUERYNEWPALETTE: /* * Sent to spwndFocus, which now can be in a different queue */ case WM_INPUTLANGCHANGE: RIPMSG3 (RIP_WARNING, "InterQueueMsgCleanup: ptiSender:%#p ptiReceiver:%#p message:%#lx", (*ppsms)->ptiSender, (*ppsms)->ptiReceiver, (*ppsms)->message); ReceiverDied(*ppsms, ppsms); break; } /* switch */ } /* If hung receiver */ } /* If inter queue message */ /* * If the message was not unlinked, go to the next one. */ if (*ppsms != psmsNext) ppsms = &(*ppsms)->psmsNext; } /* for */ }

PHOOK PhkFirstGlobalValid (  PTHREADINFO  pti, int  nFilterType )

Definition at line 2151 of file hooks.c. References tagDESKTOPINFO::aphkStart, CheckCritIn, DbgValidatefsHook, DbgValidateHooks, tagHOOK::flags, HF_DESTROYED, NULL, tagTHREADINFO::pDeskInfo, PhkNextValid(), and TRUE. Referenced by CheckWHFBits(), GetJournallingQueue(), xxxCallJournalPlaybackHook(), xxxCallJournalRecordHook(), xxxGetNextSysMsg(), xxxInternalGetMessage(), xxxSkipSysMsg(), zzzCancelJournalling(), and zzzUnhookWindowsHookEx(). { PHOOK phk; CheckCritIn(); phk = pti->pDeskInfo->aphkStart[nFilterType + 1]; /* * Return the first hook that it's not destroyed (i.e, the * first valid one). */ if ((phk != NULL) && (phk->flags & HF_DESTROYED)) { phk = PhkNextValid(phk); } /* * Good place to check fsHooks. If the bits are out of sync, * someone must be adjusting them. */ DbgValidatefsHook(phk, nFilterType, pti, TRUE); DbgValidateHooks(phk, nFilterType); return phk; }

PHOOK PhkFirstValid (  PTHREADINFO  pti, int  nFilterType )

Definition at line 2183 of file hooks.c. References tagTHREADINFO::aphkStart, tagDESKTOPINFO::aphkStart, CheckCritIn, DbgValidatefsHook, DbgValidateHooks, FALSE, tagHOOK::flags, HF_DESTROYED, NULL, tagTHREADINFO::pDeskInfo, and PhkNextValid(). Referenced by CheckWHFBits(), xxxButtonEvent(), xxxCallHook(), xxxCallMouseHook(), xxxDoButtonEvent(), xxxKeyEvent(), xxxMoveEventAbsolute(), and zzzUnhookWindowsHook(). { PHOOK phk; CheckCritIn(); /* * Grab the first hook off the local hook-list * for the current queue. */ phk = pti->aphkStart[nFilterType + 1]; /* * If there aren't any local hooks, try the global hooks. */ if (phk == NULL) { phk = pti->pDeskInfo->aphkStart[nFilterType + 1]; } /* * Return the first hook that it's not destroyed (i.e, the * first valid one). */ if ((phk != NULL) && (phk->flags & HF_DESTROYED)) { phk = PhkNextValid(phk); } /* * Good place to check fsHooks. If the bits are out of sync, * someone must be adjusting them. */ DbgValidatefsHook(phk, nFilterType, pti, FALSE); DbgValidateHooks(phk, nFilterType); return phk; }

void UnlinkHook (  PHOOK  phkFree  )

Definition at line 2061 of file hooks.c. References tagDESKTOPINFO::aphkStart, tagTHREADINFO::aphkStart, CheckCritIn, tagHOOK::flags, GETPTI, gptiRit, tagHOOK::head, HF_GLOBAL, tagHOOK::iHook, NULL, tagTHREADINFO::pDeskInfo, tagDESKTOP::pDeskInfo, tagHOOK::phkNext, tagHOOK::ptiHooked, tagHOOK::rpdesk, and UnlockDesktop. Referenced by FreeHook(), and FreeThreadsWindowHooks(). { PHOOK *pphkNext; PTHREADINFO ptiT; CheckCritIn(); /* * Since we have the HOOK structure, we can tell if this a global * or local hook and start on the right list. */ if (phkFree->flags & HF_GLOBAL) { pphkNext = &GETPTI(phkFree)->pDeskInfo->aphkStart[phkFree->iHook + 1]; } else { ptiT = phkFree->ptiHooked; if (ptiT == NULL) { /* * Already unlinked (by FreeThreadsWindowHooks) */ return; } else { /* * Clear ptiHooked so we won't try to unlink it again. */ phkFree->ptiHooked = NULL; } pphkNext = &(ptiT->aphkStart[phkFree->iHook + 1]); /* * There must be at least one hook in the chain */ UserAssert(*pphkNext != NULL); } /* * Find the address of the phkNext pointing to phkFree */ while ((*pphkNext != phkFree) && (*pphkNext != NULL)) { pphkNext = &(*pphkNext)->phkNext; } /* * If we haven't found it, it must be global hook whose owner is gone or * has switched desktops. */ if (*pphkNext == NULL) { UserAssert(phkFree->flags & HF_GLOBAL); /* * if we saved a pdesk, use it. Else use the one we allocated it from */ if (phkFree->rpdesk != NULL) { UserAssert(GETPTI(phkFree) == gptiRit); UserAssert(phkFree->rpdesk != NULL); UserAssert(phkFree->rpdesk->pDeskInfo != gptiRit->pDeskInfo); pphkNext = &phkFree->rpdesk->pDeskInfo->aphkStart[phkFree->iHook + 1]; } else { UserAssert(GETPTI(phkFree)->pDeskInfo != phkFree->head.rpdesk->pDeskInfo); pphkNext = &phkFree->head.rpdesk->pDeskInfo->aphkStart[phkFree->iHook + 1]; } UserAssert(*pphkNext != NULL); while ((*pphkNext != phkFree) && (*pphkNext != NULL)) { pphkNext = &(*pphkNext)->phkNext; } } /* * We're supposed to find it */ UserAssert(*pphkNext == phkFree); /* * Unlink it */ *pphkNext = phkFree->phkNext; phkFree->phkNext = NULL; /* * If we had a desktop, unlock it */ if (phkFree->rpdesk != NULL) { UserAssert(phkFree->flags & HF_GLOBAL); UserAssert(GETPTI(phkFree) == gptiRit); UnlockDesktop(&phkFree->rpdesk, LDU_HOOK_DESK, 0); } }

int xxxCallHook (  int  nCode, WPARAM  wParam, LPARAM  lParam, int  iHook )

Definition at line 1246 of file hooks.c. References BOOL, PhkFirstValid(), PtiCurrent, and xxxCallHook2(). Referenced by _CallMsgFilter(), xxxActivateThisWindow(), xxxCallHook2(), xxxCallJournalPlaybackHook(), xxxCreateWindowEx(), xxxDefWindowProc(), xxxDestroyWindow(), xxxEndDeferWindowPosEx(), xxxFlashWindow(), xxxGetInputEvent(), xxxHandleOwnerSwitch(), xxxInternalActivateKeyboardLayout(), xxxInternalGetMessage(), xxxInternalUnloadKeyboardLayout(), xxxIsDragging(), xxxLoadKeyboardLayoutEx(), xxxMinMaximize(), xxxMoveSize(), xxxMS_TrackMove(), xxxMsgWaitForMultipleObjects(), xxxNotifyIMEStatus(), xxxProcessEventMessage(), xxxReceiveMessage(), xxxRedrawFrameAndHook(), xxxRedrawTitle(), xxxScanSysQueue(), xxxSendMessageCallback(), xxxSendMessageTimeout(), xxxSendMinRectMessages(), xxxSetFocus(), xxxSetTrayWindow(), xxxSleepTask(), xxxSleepThread(), xxxSysCommand(), and xxxSystemParametersInfo(). { BOOL bAnsiHook; return (int)xxxCallHook2(PhkFirstValid(PtiCurrent(), iHook), nCode, wParam, lParam, &bAnsiHook); }

LRESULT xxxCallHook2 (  PHOOK  phkCall, int  nCode, WPARAM  wParam, LPARAM  lParam, LPBOOL  lpbAnsiHook )

Definition at line 1288 of file hooks.c. References abHookFlags, ampiHookError, BOOL, BYTE, CheckCritIn, CMSHUNGAPPTIMEOUT, FHungApp(), tagHOOK::flags, FreeHook(), tagINTERSENDMSGEX::fuCall, tagINTERSENDMSGEX::fuSend, GETPTI, gnllHooksTimeout, gptiRit, HF_ANSI, HF_GLOBAL, HF_HOOKFAULTED, HF_WX86KNOWNDLL, HKF_INTERSENDABLE, HKF_JOURNAL, HKF_LOWLEVEL, HMIsMarkDestroy, HOOKMSGSTRUCT, tagHOOK::ihmod, tagHOOK::iHook, INTRSENDMSGEX, IsHooked, ISM_TIMEOUT, IsRestricted(), Lock, tagHOOKMSGSTRUCT::lParam, tagINTERSENDMSGEX::lpdwResult, tagPROCESSINFO::luidSession, luidSystem, tagHOOKMSGSTRUCT::nCode, NULL, tagTHREADINFO::pClientInfo, tagHOOKMSGSTRUCT::phk, _CLIENTINFO::phkCurrent, PhkNextValid(), tagTHREADINFO::ppi, PtiCurrent, tagHOOK::ptiHooked, tagTHREADINFO::rpdesk, RtlEqualLuid(), SET_TIME_LAST_READ, tagTHREADINFO::sphkCurrent, TESTHMODLOADED, ThreadLockAlwaysWithPti, ThreadLockWithPti, ThreadUnlock, TIDq, TIF_16BIT, TIF_ALLOWOTHERACCOUNTHOOK, TIF_CSRSSTHREAD, TIF_DISABLEHOOKS, TIF_DOSEMULATOR, tagTHREADINFO::TIF_flags, TIF_INCLEANUP, TIF_SYSTEMTHREAD, TIF_WOW64, UINT, tagINTERSENDMSGEX::uTimeout, WHF_DEBUG, xxxCallHook(), xxxHkCallHook(), xxxInterSendMsgEx(), and xxxLoadHmodIndex(). Referenced by xxxButtonEvent(), xxxCallHook(), xxxCallJournalPlaybackHook(), xxxCallJournalRecordHook(), xxxCallMouseHook(), xxxCallNextHookEx(), xxxDoButtonEvent(), xxxKeyEvent(), xxxMoveEventAbsolute(), and xxxReceiveMessage(). { UINT iHook; PHOOK phkSave; LONG_PTR nRet; PTHREADINFO ptiCurrent; BOOL fLoadSuccess; TL tlphkCall; TL tlphkSave; BYTE bHookFlags; BOOL fMustIntersend; CheckCritIn(); if (phkCall == NULL) { return 0; } iHook = phkCall->iHook; ptiCurrent = PtiCurrent(); /* * Only low level hooks are allowed in the RIT context * (This check used to be done in PhkFirstValid). */ if (ptiCurrent == gptiRit) { switch (iHook) { case WH_MOUSE_LL: case WH_KEYBOARD_LL: #ifdef REDIRECTION case WH_HITTEST: #endif // REDIRECTION break; default: return 0; } } /* * If this queue is in cleanup, exit: it has no business calling back * a hook proc. Also check if hooks are disabled for the thread. */ if ( ptiCurrent->TIF_flags & (TIF_INCLEANUP | TIF_DISABLEHOOKS) || ((ptiCurrent->rpdesk == NULL) && (phkCall->iHook != WH_MOUSE_LL))) { return ampiHookError[iHook + 1]; } /* * Try to call each hook in the list until one is successful or * we reach the end of the list. */ do { *lpbAnsiHook = phkCall->flags & HF_ANSI; bHookFlags = abHookFlags[phkCall->iHook + 1]; /* * Some WH_SHELL hook types can be called from console * HSHELL_APPCOMMAND added for bug 346575 DefWindowProc invokes a shell hook * for console windows if they don't handle the wm_appcommand message - we need the hook * to go through for csrss. */ if ((phkCall->iHook == WH_SHELL) && (ptiCurrent->TIF_flags & TIF_CSRSSTHREAD)) { if ((nCode == HSHELL_LANGUAGE) || (nCode == HSHELL_WINDOWACTIVATED) || (nCode == HSHELL_APPCOMMAND)) { bHookFlags |= HKF_INTERSENDABLE; } } if ((phkCall->iHook == WH_SHELL) && (ptiCurrent->TIF_flags & TIF_SYSTEMTHREAD)) { if ((nCode == HSHELL_ACCESSIBILITYSTATE) ) { bHookFlags |= HKF_INTERSENDABLE; } } fMustIntersend = (GETPTI(phkCall) != ptiCurrent) && ( /* * We always want to intersend journal hooks. * CONSIDER (adams): Why? There's a performance hit by * doing so, so if we haven't a reason, we shouldn't * do it. * * we also need to intersend low level hooks. They can be called * from the desktop thread, the raw input thread AND also from * any thread that calls CallNextHookEx. */ (bHookFlags & (HKF_JOURNAL | HKF_LOWLEVEL)) /* * We must intersend if a 16bit app hooks a 32bit app * because we can't load a 16bit dll into a 32bit process. * We must also intersend if a 16bit app hooks another 16bit app * in a different VDM, because we can't load a 16bit dll from * one VDM into a 16bit app in another VDM (because that * VDM is actually a 32bit process). */ || ( GETPTI(phkCall)->TIF_flags & TIF_16BIT && ( !(ptiCurrent->TIF_flags & TIF_16BIT) || ptiCurrent->ppi != GETPTI(phkCall)->ppi)) #if defined(_WIN64) /* * Intersend if a 64bit app hooks a 32bit app or * a 32bit app hooks a 64bit app. * This is necessary since a hook DLL can not be loaded * cross bit type. */ || ( (GETPTI(phkCall)->TIF_flags & TIF_WOW64) != (ptiCurrent->TIF_flags & TIF_WOW64) ) #endif /* defined(_WIN64) */ /* * We must intersend if a console or system thread is calling a hook * that is not in the same console or the system process. */ || ( ptiCurrent->TIF_flags & (TIF_CSRSSTHREAD | TIF_SYSTEMTHREAD) && GETPTI(phkCall)->ppi != ptiCurrent->ppi) /* * If this is a global and non-journal hook, do a security * check on the current desktop to see if we can call here. * Note that we allow processes with the SYSTEM_LUID to hook * other processes even if the other process says that it * doesn't allow other accounts to hook them. We did this * because there was a bug in NT 3.x that allowed it and some * services were written to use it. */ || ( phkCall->flags & HF_GLOBAL && !RtlEqualLuid(&GETPTI(phkCall)->ppi->luidSession, &ptiCurrent->ppi->luidSession) && !(ptiCurrent->TIF_flags & TIF_ALLOWOTHERACCOUNTHOOK) && !RtlEqualLuid(&GETPTI(phkCall)->ppi->luidSession, &luidSystem)) /* * We must intersend if the hooking thread is running in * another process and is restricted. */ || ( GETPTI(phkCall)->ppi != ptiCurrent->ppi && IsRestricted(GETPTI(phkCall)->pEThread)) ); /* * We're calling back... make sure the hook doesn't go away while * we're calling back. We've thread locked here: we must unlock before * returning or enumerating the next hook in the chain. */ ThreadLockAlwaysWithPti(ptiCurrent, phkCall, &tlphkCall); if (!fMustIntersend) { /* * Make sure the DLL for this hook, if any, has been loaded * for the current process. */ if ((phkCall->ihmod != -1) && (TESTHMODLOADED(ptiCurrent, phkCall->ihmod) == 0)) { BOOL bWx86KnownDll; /* * Try loading the library, since it isn't loaded in this processes * context. First lock this hook so it doesn't go away while we're * loading this library. */ bWx86KnownDll = (phkCall->flags & HF_WX86KNOWNDLL) != 0; fLoadSuccess = (xxxLoadHmodIndex(phkCall->ihmod, bWx86KnownDll) != NULL); /* * If the LoadLibrary() failed, skip to the next hook and try * again. */ if (!fLoadSuccess) { goto LoopAgain; } } /* * Is WH_DEBUG installed? If we're not already calling it, do so. */ if (IsHooked(ptiCurrent, WHF_DEBUG) && (phkCall->iHook != WH_DEBUG)) { DEBUGHOOKINFO debug; debug.idThread = TIDq(ptiCurrent); debug.idThreadInstaller = 0; debug.code = nCode; debug.wParam = wParam; debug.lParam = lParam; if (xxxCallHook(HC_ACTION, phkCall->iHook, (LPARAM)&debug, WH_DEBUG)) { /* * If WH_DEBUG returned non-zero, skip this hook and * try the next one. */ goto LoopAgain; } } /* * Make sure the hook is still around before we * try and call it. */ if (HMIsMarkDestroy(phkCall)) { goto LoopAgain; } /* * Time to call the hook! Lock it first so that it doesn't go away * while we're using it. Thread lock right away in case the lock frees * the previous contents. */ #if DBG if (phkCall->flags & HF_GLOBAL) { UserAssert(phkCall->ptiHooked == NULL); } else { UserAssert(phkCall->ptiHooked == ptiCurrent); } #endif phkSave = ptiCurrent->sphkCurrent; ThreadLockWithPti(ptiCurrent, phkSave, &tlphkSave); Lock(&ptiCurrent->sphkCurrent, phkCall); if (ptiCurrent->pClientInfo) ptiCurrent->pClientInfo->phkCurrent = phkCall; nRet = xxxHkCallHook(phkCall, nCode, wParam, lParam); Lock(&ptiCurrent->sphkCurrent, phkSave); if (ptiCurrent->pClientInfo) ptiCurrent->pClientInfo->phkCurrent = phkSave; ThreadUnlock(&tlphkSave); /* * This hook proc faulted, so unhook it and try the next one. */ if (phkCall->flags & HF_HOOKFAULTED) { PHOOK phkFault; phkCall = PhkNextValid(phkCall); phkFault = ThreadUnlock(&tlphkCall); if (phkFault != NULL) { FreeHook(phkFault); } continue; } /* * Lastly, we're done with this hook so it is ok to unlock it (it may * get freed here! */ ThreadUnlock(&tlphkCall); return nRet; } else if (bHookFlags & HKF_INTERSENDABLE) { /* * Receiving thread can access this structure since the * sender thread's stack is locked down during xxxInterSendMsgEx */ HOOKMSGSTRUCT hkmp; int timeout = 200; // 1/5 second !!! hkmp.lParam = lParam; hkmp.phk = phkCall; hkmp.nCode = nCode; /* * Thread lock right away in case the lock frees the previous contents */ phkSave = ptiCurrent->sphkCurrent; ThreadLockWithPti(ptiCurrent, phkSave, &tlphkSave); Lock(&ptiCurrent->sphkCurrent, phkCall); if (ptiCurrent->pClientInfo) ptiCurrent->pClientInfo->phkCurrent = phkCall; /* * Make sure we don't get hung! */ if (bHookFlags & HKF_LOWLEVEL) timeout = gnllHooksTimeout; /* * CONSIDER(adams): Why should a journaling hook be allowed to * hang the console or a system thread? Will that interfere with * the user's ability to cancel journaling through Ctrl+Esc? */ if (((bHookFlags & HKF_LOWLEVEL) == 0) && ( (bHookFlags & HKF_JOURNAL) || !(ptiCurrent->TIF_flags & (TIF_CSRSSTHREAD | TIF_SYSTEMTHREAD)))) { nRet = xxxInterSendMsgEx(NULL, WM_HOOKMSG, wParam, (LPARAM)&hkmp, ptiCurrent, GETPTI(phkCall), NULL); } else { /* * We are a server thread (console/desktop) and we aren't * journalling, so we can't allow the hookproc to hang us - * we must use a timeout. */ INTRSENDMSGEX ism; ism.fuCall = ISM_TIMEOUT; ism.fuSend = SMTO_ABORTIFHUNG | SMTO_NORMAL; ism.uTimeout = timeout; ism.lpdwResult = &nRet; /* * Don't hook DOS apps connected to the emulator - they often * grab too much CPU for the callback to the hookproc to * complete in a timely fashion, causing poor response. */ if ((ptiCurrent->TIF_flags & TIF_DOSEMULATOR) || FHungApp(GETPTI(phkCall), CMSHUNGAPPTIMEOUT) || !xxxInterSendMsgEx(NULL, WM_HOOKMSG, wParam, (LPARAM)&hkmp, ptiCurrent, GETPTI(phkCall), &ism)) { nRet = ampiHookError[iHook + 1]; } /* * If the low-level hook is eaten, the app may wake up from * MsgWaitForMultipleObjects, clear the wake mask, but not get * anything in GetMessage / PeekMessage and we will think it's * hung. This causes problems in DirectInput because then the * app may miss some hooks if FHungApp returns true, see bug * 430342 for more details on this. */ if ((bHookFlags & HKF_LOWLEVEL) && nRet) { SET_TIME_LAST_READ(GETPTI(phkCall)); } } Lock(&ptiCurrent->sphkCurrent, phkSave); if (ptiCurrent->pClientInfo) ptiCurrent->pClientInfo->phkCurrent = phkSave; ThreadUnlock(&tlphkSave); ThreadUnlock(&tlphkCall); return nRet; } // fall-through LoopAgain: phkCall = PhkNextValid(phkCall); ThreadUnlock(&tlphkCall); } while (phkCall != NULL); return ampiHookError[iHook + 1]; }

DWORD xxxCallJournalPlaybackHook (  PQMSG  pqmsg  )

Definition at line 1797 of file hooks.c. References BOOL, BYTE, dt(), DWORD, gpsi, IS_CHAR_MSG, IS_DBCS_ENABLED, IsWinEventNotifyDeferredOK, L, LOBYTE, tagQMSG::msg, NtGetTickCount(), NULL, tagHOOK::offPfn, PhkFirstGlobalValid(), tagTHREADINFO::pq, PtiCurrent, RevalidateHwnd, tagQ::spwndActive, StoreQMessage(), TestKeyStateDown, ThreadLockWithPti, ThreadUnlock, tagTHREADINFO::TIF_flags, TIF_IGNOREPLAYBACKDELAY, UINT, tagTHREADINFO::wchInjected, xxxCallHook(), xxxCallHook2(), and zzzInternalSetCursorPos(). Referenced by xxxGetNextSysMsg(). { EVENTMSG emsg; LONG dt; PWND pwnd; WPARAM wParam; LPARAM lParam; POINT pt; PTHREADINFO ptiCurrent; BOOL bAnsiHook; PHOOK phkCall; TL tlphkCall; UserAssert(IsWinEventNotifyDeferredOK()); TryNextEvent: /* * Initialized to the current time for compatibility with * <= 3.0. */ emsg.time = NtGetTickCount(); ptiCurrent = PtiCurrent(); pwnd = NULL; phkCall = PhkFirstGlobalValid(ptiCurrent, WH_JOURNALPLAYBACK); ThreadLockWithPti(ptiCurrent, phkCall, &tlphkCall); dt = (DWORD)xxxCallHook2(phkCall, HC_GETNEXT, 0, (LPARAM)&emsg, &bAnsiHook); /* * -1 means some error occured. Return -1 for error. */ if (dt == 0xFFFFFFFF) { ThreadUnlock(&tlphkCall); return dt; } /* * Update the message id. Need this if we decide to sleep. */ pqmsg->msg.message = emsg.message; if (dt > 0) { if (ptiCurrent->TIF_flags & TIF_IGNOREPLAYBACKDELAY) { /* * This flag tells us to ignore the requested delay (set in mnloop) * We clear it to indicate that we did so. */ RIPMSG1(RIP_WARNING, "Journal Playback delay ignored (%lx)", emsg.message); ptiCurrent->TIF_flags &= ~TIF_IGNOREPLAYBACKDELAY; dt = 0; } else { ThreadUnlock(&tlphkCall); return dt; } } /* * The app is ready to be asked for the next event */ if ((emsg.message >= WM_MOUSEFIRST) && (emsg.message <= WM_MOUSELAST)) { pt.x = (int)emsg.paramL; pt.y = (int)emsg.paramH; lParam = MAKELONG(LOWORD(pt.x), LOWORD(pt.y)); wParam = 0; /* * If the message has changed the mouse position, * update the cursor. */ if (pt.x != gpsi->ptCursor.x || pt.y != gpsi->ptCursor.y) { zzzInternalSetCursorPos(pt.x, pt.y); } } else if ((emsg.message >= WM_KEYFIRST) && (emsg.message <= WM_KEYLAST)) { UINT wExtraStuff = 0; if ((emsg.message == WM_KEYUP) || (emsg.message == WM_SYSKEYUP)) { wExtraStuff |= 0x8000; } if ((emsg.message == WM_SYSKEYUP) || (emsg.message == WM_SYSKEYDOWN)) { wExtraStuff |= 0x2000; } if (emsg.paramH & 0x8000) { wExtraStuff |= 0x0100; } if (TestKeyStateDown(ptiCurrent->pq, (BYTE)emsg.paramL)) { wExtraStuff |= 0x4000; } lParam = MAKELONG(1, (UINT)((emsg.paramH & 0xFF) | wExtraStuff)); if ((LOWORD(emsg.paramL) == VK_PACKET) && (LOBYTE(emsg.paramH) == 0)) { /* * We are playing back an injected Unicode char (see SendInput) * save the character for TranslateMessage to pick up. */ ptiCurrent->wchInjected = HIWORD(emsg.paramL); } else { /* * Raid# 65331 * WM_KEY* and WM_SYSKEY* messages should only contain 8bit Virtual Keys. * Some applications passes scan code in HIBYTE and could screw up * the system. E.g. Tab Keydown, paramL: 0x0f09 where 0f is scan code */ DWORD dwMask = 0xff; /* * There are old ANSI apps that only fill in the byte for when * they generate journal playback so we used to strip everything * else off. That however breaks unicode journalling; 22645 * (Yes, some apps apparently do Playback WM_*CHAR msgs!) * */ if (!bAnsiHook || IS_DBCS_ENABLED()) { if (IS_CHAR_MSG(emsg.message)) { RIPMSG1(RIP_VERBOSE, "Unusual char message(%x) passed through JournalPlayback.", emsg.message); /* * Don't mask off HIBYTE(LOWORD(paramL)) for DBCS and UNICODE. */ dwMask = 0xffff; } } wParam = emsg.paramL & dwMask; } } else if (emsg.message == WM_QUEUESYNC) { if (emsg.paramL == 0) { pwnd = ptiCurrent->pq->spwndActive; } else { if ((pwnd = RevalidateHwnd((HWND)IntToPtr( emsg.paramL ))) == NULL) pwnd = ptiCurrent->pq->spwndActive; } } else { /* * This event doesn't match up with what we're looking * for. If the hook is still valid, then skip this message * and try the next. */ if (phkCall == NULL || phkCall->offPfn == 0L) { /* Hook is nolonger valid, return -1 */ ThreadUnlock(&tlphkCall); return 0xFFFFFFFF; } RIPMSG1(RIP_WARNING, "Bad journal playback message=0x%08lx", emsg.message); xxxCallHook(HC_SKIP, 0, 0, WH_JOURNALPLAYBACK); ThreadUnlock(&tlphkCall); goto TryNextEvent; } StoreQMessage(pqmsg, pwnd, emsg.message, wParam, lParam, 0, 0, 0); ThreadUnlock(&tlphkCall); return 0; }

void xxxCallJournalRecordHook (  PQMSG  pqmsg  )

Definition at line 1695 of file hooks.c. References BOOL, BYTE, tagQMSG::dwQEvent, HIBYTE, LOBYTE, tagQMSG::msg, NULL, PBYTE, PhkFirstGlobalValid(), PtiCurrent, RevalidateHwnd, UINT, and xxxCallHook2(). Referenced by xxxSkipSysMsg(). { EVENTMSG emsg; BOOL bAnsiHook; /* * Setup the EVENTMSG structure. */ emsg.message = pqmsg->msg.message; emsg.time = pqmsg->msg.time; if (RevalidateHwnd(pqmsg->msg.hwnd)) { emsg.hwnd = pqmsg->msg.hwnd; } else { emsg.hwnd = NULL; } if ((emsg.message >= WM_MOUSEFIRST) && (emsg.message <= WM_MOUSELAST)) { emsg.paramL = (UINT)pqmsg->msg.pt.x; emsg.paramH = (UINT)pqmsg->msg.pt.y; } else if ((emsg.message >= WM_KEYFIRST) && (emsg.message <= WM_KEYLAST)) { BYTE bScanCode = LOBYTE(HIWORD(pqmsg->msg.lParam)); /* * Build up a Win 3.1 compatible journal record key * Win 3.1 ParamL 00 00 SC VK (SC=scan code VK=virtual key) * Also set ParamH 00 00 00 SC to be compatible with our Playback * * If WM_*CHAR messages ever come this way we would have a problem * because we would lose the top byte of the Unicode character. We'd * We'd get ParamL 00 00 SC CH (SC=scan code, CH = low byte of WCHAR) * */ if ((LOWORD(pqmsg->msg.wParam) == VK_PACKET) && (bScanCode == 0)) { /* * If we have an injected Unicode char (from SendInput), the * character value was cached, let's give that to them too. */ emsg.paramL = (UINT)MAKELONG(pqmsg->msg.wParam, PtiCurrent()->wchInjected); } else { emsg.paramL = MAKELONG(MAKEWORD(pqmsg->msg.wParam, bScanCode),0); } emsg.paramH = bScanCode; UserAssert((emsg.message != WM_CHAR) && (emsg.message != WM_DEADCHAR) && (emsg.message != WM_SYSCHAR) && (emsg.message != WM_SYSDEADCHAR)); /* * Set extended-key bit. */ if (pqmsg->msg.lParam & 0x01000000) { emsg.paramH |= 0x8000; } } else { RIPMSG2(RIP_WARNING, "Bad journal record message!\n" " message = 0x%08lx\n" " dwQEvent = 0x%08lx", pqmsg->msg.message, pqmsg->dwQEvent); } /* * Call the journal recording hook. */ xxxCallHook2(PhkFirstGlobalValid(PtiCurrent(), WH_JOURNALRECORD), HC_ACTION, 0, (LPARAM)&emsg, &bAnsiHook); /* * Write the MSG parameters back because the app may have modified it. * AfterDark's screen saver password actually zero's out the keydown * chars. * * If it was a mouse message patch up the mouse point. If it was a * WM_KEYxxx message convert the Win 3.1 compatible journal record key * back into a half backed WM_KEYxxx format. Only the VK and SC fields * where initialized at this point. * * wParam 00 00 00 VK lParam 00 SC 00 00 */ if ((pqmsg->msg.message >= WM_MOUSEFIRST) && (pqmsg->msg.message <= WM_MOUSELAST)) { pqmsg->msg.pt.x = emsg.paramL; pqmsg->msg.pt.y = emsg.paramH; } else if ((pqmsg->msg.message >= WM_KEYFIRST) && (pqmsg->msg.message <= WM_KEYLAST)) { (BYTE)pqmsg->msg.wParam = (BYTE)emsg.paramL; ((PBYTE)&pqmsg->msg.lParam)[2] = HIBYTE(LOWORD(emsg.paramL)); } }

BOOL xxxCallMouseHook (  UINT  message, PMOUSEHOOKSTRUCTEX  pmhs, BOOL  fRemove )

Definition at line 1666 of file hooks.c. References BOOL, DWORD, FALSE, PhkFirstValid(), PtiCurrent, TRUE, and xxxCallHook2(). Referenced by xxxScanSysQueue(). { BOOL bAnsiHook; /* * Call the mouse hook. */ if (xxxCallHook2(PhkFirstValid(PtiCurrent(), WH_MOUSE), fRemove ? HC_ACTION : HC_NOREMOVE, (DWORD)message, (LPARAM)pmhs, &bAnsiHook)) { return TRUE; } return FALSE; }

LRESULT xxxCallNextHookEx (  int  nCode, WPARAM  wParam, LPARAM  lParam )

Definition at line 961 of file hooks.c. References BOOL, NULL, PhkNextValid(), PtiCurrent, and xxxCallHook2(). Referenced by fnHkINLPCWPEXSTRUCT(), fnHkINLPCWPRETEXSTRUCT(), NtUserCallNextHookEx(), NtUserfnHkINLPCBTACTIVATESTRUCT(), NtUserfnHkINLPCBTCREATESTRUCT(), NtUserfnHkINLPDEBUGHOOKSTRUCT(), NtUserfnHkINLPKBDLLHOOKSTRUCT(), NtUserfnHkINLPMOUSEHOOKSTRUCTEX(), NtUserfnHkINLPMSG(), NtUserfnHkINLPMSLLHOOKSTRUCT(), NtUserfnHkINLPRECT(), and NtUserfnHkOPTINLPEVENTMSG(). { BOOL bAnsiHook; if (PtiCurrent()->sphkCurrent == NULL) { return 0; } return xxxCallHook2(PhkNextValid(PtiCurrent()->sphkCurrent), nCode, wParam, lParam, &bAnsiHook); }

void zzzCancelJournalling (  void   )

Definition at line 404 of file hooks.c. References _PostThreadMessage(), ClrWF, CMSWAITTOKILLTIMEOUT, DeferWinEventNotify, gppiLockSFW, gptiRit, grpdeskRitInput, gwMouseOwnerButton, tagHOOK::head, InterQueueMsgCleanup(), NULL, tagTHREADINFO::pDeskInfo, tagDESKTOP::pDeskInfo, PhkFirstGlobalValid(), PhkNextValid(), SendMsgCleanup(), tagDESKTOPINFO::spwnd, TestWF, WFDISABLED, zzzEndDeferWinEventNotify, and zzzUnhookWindowsHookEx(). Referenced by xxxDoHotKeyStuff(), and xxxSwitchDesktop(). { PTHREADINFO ptiCancelJournal; PHOOK phook; PHOOK phookNext; /* * Mouse buttons sometimes get stuck down due to hardware glitches, * usually due to input concentrator switchboxes or faulty serial * mouse COM ports, so clear the global button state here just in case, * otherwise we may not be able to change focus with the mouse. * Also do this in Alt-Tab processing. */ #if DBG if (gwMouseOwnerButton) RIPMSG1(RIP_WARNING, "gwMouseOwnerButton=%x, being cleared forcibly\n", gwMouseOwnerButton); #endif gwMouseOwnerButton = 0; /* * Remove journal hooks. This'll cause threads to associate with * different queues. * DeferWinEventNotify() so we can traverse the phook list safely */ DeferWinEventNotify(); UserAssert(gptiRit->pDeskInfo == grpdeskRitInput->pDeskInfo); phook = PhkFirstGlobalValid(gptiRit, WH_JOURNALPLAYBACK); while (phook != NULL) { ptiCancelJournal = phook->head.pti; if (ptiCancelJournal != NULL) { /* * Let the thread that set the journal hook know this is happening. */ _PostThreadMessage(ptiCancelJournal, WM_CANCELJOURNAL, 0, 0); /* * If there was an app waiting for a response back from the journal * application, cancel that request so the app can continue running * (for example, we don't want winlogon or console to wait for an * app that may be hung!) */ SendMsgCleanup(ptiCancelJournal); } phookNext = PhkNextValid(phook); zzzUnhookWindowsHookEx(phook); // May free phook memory phook = phookNext; } zzzEndDeferWinEventNotify(); /* * DeferWinEventNotify() so we can traverse the phook list safely */ DeferWinEventNotify(); UserAssert(gptiRit->pDeskInfo == grpdeskRitInput->pDeskInfo); phook = PhkFirstGlobalValid(gptiRit, WH_JOURNALRECORD); while (phook != NULL) { ptiCancelJournal = phook->head.pti; if (ptiCancelJournal != NULL) { /* * Let the thread that set the journal hook know this is happening. */ _PostThreadMessage(ptiCancelJournal, WM_CANCELJOURNAL, 0, 0); /* * If there was an app waiting for a response back from the journal * application, cancel that request so the app can continue running * (for example, we don't want winlogon or console to wait for an * app that may be hung!) */ SendMsgCleanup(ptiCancelJournal); } phookNext = PhkNextValid(phook); zzzUnhookWindowsHookEx(phook); // May free phook memory phook = phookNext; } zzzEndDeferWinEventNotify(); /* * Make sure journalling ssync mode didn't hose any one */ InterQueueMsgCleanup(CMSWAITTOKILLTIMEOUT); /* * Unlock SetForegroundWindow (if locked) */ gppiLockSFW = NULL; /* * NT5's last minute hack for evil applications, who disables the desktop window * (perhaps by accidents though) leaving the system pretty unusable. * See Raid #423704. */ if (grpdeskRitInput && grpdeskRitInput->pDeskInfo) { PWND pwndDesktop = grpdeskRitInput->pDeskInfo->spwnd; if (pwndDesktop && TestWF(pwndDesktop, WFDISABLED)) { ClrWF(pwndDesktop, WFDISABLED); } } }

BOOL zzzJournalAttach (  PTHREADINFO  pti, BOOL  fAttach )

Definition at line 285 of file hooks.c. References AllocQueue(), BOOL, tagQ::cThreads, FALSE, NULL, tagTHREADINFO::pqAttach, tagDESKTOP::PtiList, tagTHREADINFO::rpdesk, TIF_DONTJOURNALATTACH, tagTHREADINFO::TIF_flags, TIF_INCLEANUP, and zzzReattachThreads(). Referenced by zzzRegisterSystemThread(), zzzSetWindowsHookEx(), and zzzUnhookWindowsHookEx(). { PTHREADINFO ptiT; PQ pq; PLIST_ENTRY pHead, pEntry; /* * If we're attaching, calculate the pqAttach for all threads journalling. * If we're unattaching, just call zzzReattachThreads() and it will calculate * the non-journalling queues to attach to. */ if (fAttach) { if ((pq = AllocQueue(pti, NULL)) == NULL) return FALSE; pHead = &pti->rpdesk->PtiList; for (pEntry = pHead->Flink; pEntry != pHead; pEntry = pEntry->Flink) { ptiT = CONTAINING_RECORD(pEntry, THREADINFO, PtiLink); /* * This is the Q to attach to for all threads that will do * journalling. */ if (!(ptiT->TIF_flags & (TIF_DONTJOURNALATTACH | TIF_INCLEANUP))) { ptiT->pqAttach = pq; ptiT->pqAttach->cThreads++; } } } return zzzReattachThreads(fAttach); }

VOID zzzRegisterSystemThread (  DWORD  dwFlags, DWORD  dwReserved )

Definition at line 2318 of file hooks.c. References dwFlags, FALSE, FJOURNALPLAYBACK, FJOURNALRECORD, PtiCurrent, TIF_DONTATTACHQUEUE, TIF_DONTJOURNALATTACH, tagTHREADINFO::TIF_flags, TRUE, VOID(), and zzzJournalAttach(). { PTHREADINFO ptiCurrent; UserAssert(dwReserved == 0); if (dwReserved != 0) return; ptiCurrent = PtiCurrent(); if (dwFlags & RST_DONTATTACHQUEUE) ptiCurrent->TIF_flags |= TIF_DONTATTACHQUEUE; if (dwFlags & RST_DONTJOURNALATTACH) { ptiCurrent->TIF_flags |= TIF_DONTJOURNALATTACH; /* * If we are already journaling, then this queue was already * journal attached. We need to unattach and reattach journaling * so that we are removed from the journal attached queues. */ if (FJOURNALPLAYBACK() || FJOURNALRECORD()) { zzzJournalAttach(ptiCurrent, FALSE); zzzJournalAttach(ptiCurrent, TRUE); } } }

PROC zzzSetWindowsHookAW (  int  nFilterType, PROC  pfnFilterProc, DWORD  dwFlags )

Definition at line 528 of file hooks.c. References abHookFlags, dwFlags, HKF_NZRET, NULL, tagHOOK::phkNext, PtiCurrent, and zzzSetWindowsHookEx(). Referenced by NtUserSetWindowsHookAW(). { PHOOK phk; phk = zzzSetWindowsHookEx(NULL, NULL, PtiCurrent(), nFilterType, pfnFilterProc, dwFlags); /* * If we get an error from zzzSetWindowsHookEx() then we return * -1 to be compatible with older version of Windows. */ if (phk == NULL) { return (PROC)-1; } /* * Handle the backwards compatibility return value cases for * SetWindowsHook. If this was the first hook in the chain, * then return NULL, else return something non-zero. HKF_NZRET * is a special case where SetWindowsHook would always return * something because there was a default hook installed. Some * apps relied on a non-zero return value in those cases. */ if ((phk->phkNext != NULL) || (abHookFlags[nFilterType + 1] & HKF_NZRET)) { return (PROC)phk; } return NULL; }

PHOOK zzzSetWindowsHookEx (  HANDLE  hmod, PUNICODE_STRING  pstrLib, PTHREADINFO  ptiThread, int  nFilterType, PROC  pfnFilterProc, DWORD  dwFlags )

Definition at line 576 of file hooks.c. References abHookFlags, AddHmodDependency(), tagTHREADINFO::amdesk, tagTHREADINFO::aphkStart, tagDESKTOPINFO::aphkStart, BOOL, DbgValidateHooks, dwFlags, tagWINDOWSTATION::dwWSF_Flags, FALSE, tagHOOK::flags, tagTHREADINFO::fsHooks, _CLIENTINFO::fsHooks, tagDESKTOPINFO::fsHooks, GetHmodTableIndex(), gppiInputProvider, HF_ANSI, HF_GLOBAL, HF_WX86KNOWNDLL, HKF_INTERSENDABLE, HKF_JOURNAL, HKF_TASK, HMAllocObject(), HMFreeObject(), tagHOOK::ihmod, tagHOOK::iHook, KeAttachProcess(), KeDetachProcess(), KeSetPriorityThread(), tagPROCESSINFO::luidSession, NULL, tagHOOK::offPfn, tagTHREADINFO::pClientInfo, tagTHREADINFO::pDeskInfo, tagHOOK::phkNext, tagTHREADINFO::ppi, PtiCurrent, tagHOOK::ptiHooked, tagTHREADINFO::rpdesk, tagDESKTOP::rpwinstaParent, RtlAreAllAccessesGranted(), RtlEqualLuid(), THREAD_TO_PROCESS, ThreadLockAlwaysWithPti, ThreadUnlock, TIF_ALLOWOTHERACCOUNTHOOK, TIF_CSRSSTHREAD, tagTHREADINFO::TIF_flags, TIF_GLOBALHOOKER, TIF_SYSTEMTHREAD, TRUE, TYPE_HOOK, WHF_FROM_WH, WSF_NOIO, zzzJournalAttach(), zzzSetFMouseMoved(), and zzzUnhookWindowsHookEx(). Referenced by NtUserSetWindowsHookEx(), and zzzSetWindowsHookAW(). { ACCESS_MASK amDesired; PHOOK phkNew; TL tlphkNew; PHOOK *pphkStart; PTHREADINFO ptiCurrent; /* * Check to see if filter type is valid. */ if ((nFilterType < WH_MIN) || (nFilterType > WH_MAX)) { RIPERR0(ERROR_INVALID_HOOK_FILTER, RIP_VERBOSE, ""); return NULL; } /* * Check to see if filter proc is valid. */ if (pfnFilterProc == NULL) { RIPERR0(ERROR_INVALID_FILTER_PROC, RIP_VERBOSE, ""); return NULL; } ptiCurrent = PtiCurrent(); if (ptiThread == NULL) { /* * Is the app trying to set a global hook without a library? * If so return an error. */ if (hmod == NULL) { RIPERR0(ERROR_HOOK_NEEDS_HMOD, RIP_VERBOSE, ""); return NULL; } } else { /* * Is the app trying to set a local hook that is global-only? * If so return an error. */ if (!(abHookFlags[nFilterType + 1] & HKF_TASK)) { RIPERR0(ERROR_GLOBAL_ONLY_HOOK, RIP_VERBOSE, ""); return NULL; } /* * Can't hook outside our own desktop. */ if (ptiThread->rpdesk != ptiCurrent->rpdesk) { RIPERR0(ERROR_ACCESS_DENIED, RIP_WARNING, "Access denied to desktop in zzzSetWindowsHookEx - can't hook other desktops"); return NULL; } if (ptiCurrent->ppi != ptiThread->ppi) { /* * Is the app trying to set hook in another process without a library? * If so return an error. */ if (hmod == NULL) { RIPERR0(ERROR_HOOK_NEEDS_HMOD, RIP_VERBOSE, ""); return NULL; } /* * Is the app hooking another user without access? * If so return an error. Note that this check is done * for global hooks every time the hook is called. */ if ((!RtlEqualLuid(&ptiThread->ppi->luidSession, &ptiCurrent->ppi->luidSession)) && !(ptiThread->TIF_flags & TIF_ALLOWOTHERACCOUNTHOOK)) { RIPERR0(ERROR_ACCESS_DENIED, RIP_WARNING, "Access denied to other user in zzzSetWindowsHookEx"); return NULL; } if ((ptiThread->TIF_flags & (TIF_CSRSSTHREAD | TIF_SYSTEMTHREAD)) && !(abHookFlags[nFilterType + 1] & HKF_INTERSENDABLE)) { /* * Can't hook console or GUI system thread if inter-thread * calling isn't implemented for this hook type. */ RIPERR1(ERROR_HOOK_TYPE_NOT_ALLOWED, RIP_WARNING, "nFilterType (%ld) not allowed in zzzSetWindowsHookEx", nFilterType); return NULL; } } } /* * Check if this thread has access to hook its desktop. */ switch( nFilterType ) { case WH_JOURNALRECORD: amDesired = DESKTOP_JOURNALRECORD; break; case WH_JOURNALPLAYBACK: amDesired = DESKTOP_JOURNALPLAYBACK; break; default: amDesired = DESKTOP_HOOKCONTROL; break; } if (!RtlAreAllAccessesGranted(ptiCurrent->amdesk, amDesired)) { RIPERR0(ERROR_ACCESS_DENIED, RIP_WARNING, "Access denied to desktop in zzzSetWindowsHookEx"); return NULL; } if (amDesired != DESKTOP_HOOKCONTROL && (ptiCurrent->rpdesk->rpwinstaParent->dwWSF_Flags & WSF_NOIO)) { RIPERR0(ERROR_REQUIRES_INTERACTIVE_WINDOWSTATION, RIP_WARNING, "Journal hooks invalid on a desktop belonging to a non-interactive WindowStation."); return NULL; } #if 0 /* * Is this a journal hook? */ if (abHookFlags[nFilterType + 1] & HKF_JOURNAL) { /* * Is a journal hook of this type already installed? * If so it's an error. * If this code is enabled, use PhkFirstGlobalValid instead * of checking phkStart directly */ if (ptiCurrent->pDeskInfo->asphkStart[nFilterType + 1] != NULL) { RIPERR0(ERROR_JOURNAL_HOOK_SET, RIP_VERBOSE, ""); return NULL; } } #endif /* * Allocate the new HOOK structure. */ phkNew = (PHOOK)HMAllocObject(ptiCurrent, ptiCurrent->rpdesk, TYPE_HOOK, sizeof(HOOK)); if (phkNew == NULL) { return NULL; } /* * If a DLL is required for this hook, register the library with * the library management routines so we can assure it's loaded * into all the processes necessary. */ phkNew->ihmod = -1; if (hmod != NULL) { #if defined(WX86) phkNew->flags |= (dwFlags & HF_WX86KNOWNDLL); #endif phkNew->ihmod = GetHmodTableIndex(pstrLib); if (phkNew->ihmod == -1) { RIPERR0(ERROR_MOD_NOT_FOUND, RIP_VERBOSE, ""); HMFreeObject((PVOID)phkNew); return NULL; } /* * Add a dependency on this module - meaning, increment a count * that simply counts the number of hooks set into this module. */ if (phkNew->ihmod >= 0) { AddHmodDependency(phkNew->ihmod); } } /* * Depending on whether we're setting a global or local hook, * get the start of the appropriate linked-list of HOOKs. Also * set the HF_GLOBAL flag if it's a global hook. */ if (ptiThread != NULL) { pphkStart = &ptiThread->aphkStart[nFilterType + 1]; /* * Set the WHF_* in the THREADINFO so we know it's hooked. */ ptiThread->fsHooks |= WHF_FROM_WH(nFilterType); /* * Set the flags in the thread's TEB */ if (ptiThread->pClientInfo) { BOOL fAttached; /* * If the thread being hooked is in another process, attach * to that process so that we can access its ClientInfo. */ if (ptiThread->ppi != ptiCurrent->ppi) { KeAttachProcess(&ptiThread->ppi->Process->Pcb); fAttached = TRUE; } else fAttached = FALSE; ptiThread->pClientInfo->fsHooks = ptiThread->fsHooks; if (fAttached) KeDetachProcess(); } /* * Remember which thread we're hooking. */ phkNew->ptiHooked = ptiThread; } else { pphkStart = &ptiCurrent->pDeskInfo->aphkStart[nFilterType + 1]; phkNew->flags |= HF_GLOBAL; /* * Set the WHF_* in the SERVERINFO so we know it's hooked. */ ptiCurrent->pDeskInfo->fsHooks |= WHF_FROM_WH(nFilterType); phkNew->ptiHooked = NULL; } /* * Does the hook function expect ANSI or Unicode text? */ phkNew->flags |= (dwFlags & HF_ANSI); /* * Initialize the HOOK structure. Unreferenced parameters are assumed * to be initialized to zero by LocalAlloc(). */ phkNew->iHook = nFilterType; /* * Libraries are loaded at different linear addresses in different * process contexts. For this reason, we need to convert the filter * proc address into an offset while setting the hook, and then convert * it back to a real per-process function pointer when calling a * hook. Do this by subtracting the 'hmod' (which is a pointer to the * linear and contiguous .exe header) from the function index. */ phkNew->offPfn = ((ULONG_PTR)pfnFilterProc) - ((ULONG_PTR)hmod); #ifdef HOOKBATCH phkNew->cEventMessages = 0; phkNew->iCurrentEvent = 0; phkNew->CacheTimeOut = 0; phkNew->aEventCache = NULL; #endif //HOOKBATCH /* * Link this hook into the front of the hook-list. */ phkNew->phkNext = *pphkStart; *pphkStart = phkNew; /* * If this is a journal hook, setup synchronized input processing * AFTER we set the hook - so this synchronization can be cancelled * with control-esc. */ if (abHookFlags[nFilterType + 1] & HKF_JOURNAL) { /* * Attach everyone to us so journal-hook processing * will be synchronized. * No need to DeferWinEventNotify() here, since we lock phkNew. */ ThreadLockAlwaysWithPti(ptiCurrent, phkNew, &tlphkNew); if (!zzzJournalAttach(ptiCurrent, TRUE)) { RIPMSG1(RIP_WARNING, "zzzJournalAttach failed, so abort hook %#p", phkNew); if (ThreadUnlock(&tlphkNew) != NULL) { zzzUnhookWindowsHookEx(phkNew); } return NULL; } if ((phkNew = ThreadUnlock(&tlphkNew)) == NULL) { return NULL; } } UserAssert(phkNew != NULL); /* * Later 5.0 GerardoB: The old code just to check this but * I think it's some left over stuff from server side days. .* Let's assert on it for a while * Also, I added the assertions in the else's below because I reorganized * the code and want to make sure we don't change behavior */ UserAssert(ptiCurrent->pEThread && THREAD_TO_PROCESS(ptiCurrent->pEThread)); /* * Can't allow a process that has set a global hook that works * on server-side winprocs to run at background priority! Bump * up it's dynamic priority and mark it so it doesn't get reset. */ if ((phkNew->flags & HF_GLOBAL) && (abHookFlags[nFilterType + 1] & HKF_INTERSENDABLE)) { ptiCurrent->TIF_flags |= TIF_GLOBALHOOKER; KeSetPriorityThread(&ptiCurrent->pEThread->Tcb, LOW_REALTIME_PRIORITY-2); if (abHookFlags[nFilterType + 1] & HKF_JOURNAL) { ThreadLockAlwaysWithPti(ptiCurrent, phkNew, &tlphkNew); /* * If we're changing the journal hooks, jiggle the mouse. * This way the first event will always be a mouse move, which * will ensure that the cursor is set properly. */ zzzSetFMouseMoved(); phkNew = ThreadUnlock(&tlphkNew); /* * If setting a journal playback hook, this process is the input * provider. This gives it the right to call SetForegroundWindow */ if (nFilterType == WH_JOURNALPLAYBACK) { gppiInputProvider = ptiCurrent->ppi; } } else { UserAssert(nFilterType != WH_JOURNALPLAYBACK); } } else { UserAssert(!(abHookFlags[nFilterType + 1] & HKF_JOURNAL)); UserAssert(nFilterType != WH_JOURNALPLAYBACK); } /* * Return pointer to our internal hook structure so we know * which hook to call next in CallNextHookEx(). */ DbgValidateHooks(phkNew, phkNew->iHook); return phkNew; }

BOOL zzzUnhookWindowsHook (  int  nFilterType, PROC  pfnFilterProc )

Definition at line 1068 of file hooks.c. References BOOL, FALSE, GETPTI, NULL, PFNHOOK, PhkFirstValid(), PhkNextValid(), PtiCurrent, and zzzUnhookWindowsHookEx(). { PHOOK phk; PTHREADINFO ptiCurrent; if ((nFilterType < WH_MIN) || (nFilterType > WH_MAX)) { RIPERR0(ERROR_INVALID_HOOK_FILTER, RIP_VERBOSE, ""); return FALSE; } ptiCurrent = PtiCurrent(); for (phk = PhkFirstValid(ptiCurrent, nFilterType); phk != NULL; phk = PhkNextValid(phk)) { /* * Is this the hook we're looking for? */ if (PFNHOOK(phk) == pfnFilterProc) { /* * Are we on the thread that set the hook? * If not return an error. */ if (GETPTI(phk) != ptiCurrent) { RIPERR0(ERROR_ACCESS_DENIED, RIP_WARNING, "Access denied in zzzUnhookWindowsHook: " "this thread is not the same as that which set the hook"); return FALSE; } return zzzUnhookWindowsHookEx( phk ); } } /* * Didn't find the hook we were looking for so return FALSE. */ RIPERR0(ERROR_HOOK_NOT_INSTALLED, RIP_VERBOSE, ""); return FALSE; }

BOOL zzzUnhookWindowsHookEx (  PHOOK  phkFree  )

Definition at line 1126 of file hooks.c. References abHookFlags, BOOL, FALSE, tagHOOK::flags, FreeHook(), GETPTI, HF_DESTROYED, HKF_INTERSENDABLE, HKF_JOURNAL, tagHOOK::iHook, NULL, PhkFirstGlobalValid(), PhkNextValid(), tagTHREADINFO::TIF_flags, TIF_GLOBALHOOKER, TRUE, and zzzJournalAttach(). Referenced by NtUserUnhookWindowsHookEx(), zzzCancelJournalling(), zzzSetWindowsHookEx(), and zzzUnhookWindowsHook(). { PTHREADINFO pti; pti = GETPTI(phkFree); /* * If this hook is already destroyed, bail */ if (phkFree->flags & HF_DESTROYED) { RIPMSG1(RIP_WARNING, "_UnhookWindowsHookEx(%#p) already destroyed", phkFree); return FALSE; } /* * Clear the journaling flags in all the queues. */ if (abHookFlags[phkFree->iHook + 1] & HKF_JOURNAL) { zzzJournalAttach(pti, FALSE); /* * If someone got stuck because of the hook, let him go * * I want to get some performance numbers before checking this in. * MSTest hooks and unhooks all the time when running a script. * This code has never been in. 5/22/96. GerardoB */ // InterQueueMsgCleanup(3 * CMSWAITTOKILLTIMEOUT); } /* * If no one is currently calling this hook, * go ahead and free it now. */ FreeHook(phkFree); /* * If this thread has no more global hooks that are able to hook * server-side window procs, we must clear it's TIF_GLOBALHOOKER bit. */ if (pti->TIF_flags & TIF_GLOBALHOOKER) { int iHook; PHOOK phk; for (iHook = WH_MIN ; iHook <= WH_MAX ; ++iHook) { /* * Ignore those that can't hook server-side winprocs */ if (!(abHookFlags[iHook + 1] & HKF_INTERSENDABLE)) { continue; } /* * Scan the global hooks */ for (phk = PhkFirstGlobalValid(pti, iHook); phk != NULL; phk = PhkNextValid(phk)) { if (GETPTI(phk) == pti) { goto StillHasGlobalHooks; } } } pti->TIF_flags &= ~TIF_GLOBALHOOKER; } StillHasGlobalHooks: /* * Success, return TRUE. */ return TRUE; }

---

Variable Documentation

CONST BYTE abHookFlags[CWINHOOKS]

Initial value: { HKF_SYSTEM | HKF_TASK | HKF_NZRET , HKF_SYSTEM | HKF_JOURNAL | HKF_INTERSENDABLE , HKF_SYSTEM | HKF_JOURNAL | HKF_INTERSENDABLE , HKF_SYSTEM | HKF_TASK | HKF_NZRET | HKF_INTERSENDABLE , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM , HKF_SYSTEM | HKF_TASK | HKF_INTERSENDABLE , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM | HKF_TASK , HKF_SYSTEM | HKF_LOWLEVEL | HKF_INTERSENDABLE , HKF_SYSTEM | HKF_LOWLEVEL | HKF_INTERSENDABLE } Definition at line 49 of file hooks.c. Referenced by xxxCallHook2(), zzzSetWindowsHookAW(), zzzSetWindowsHookEx(), and zzzUnhookWindowsHookEx().

CONST int ampiHookError[CWINHOOKS]

Initial value: { 0, 0, -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } Definition at line 27 of file hooks.c. Referenced by xxxCallHook2().

---