[Tigzy]

Hello

Does anybody have an idea about how I could get a list of HOOKS set with this function? http://msdn.microsoft.com/en-us/library ... 85%29.aspx
And why not get a handle on all of them in order to close them...

[Tigzy]

I just found something interesting: http://zairon.wordpress.com/2006/12/06/ ... y-machine/

You start from the TEB of the current process, the process that check the installed hooks. When you have the TEB you can pass through some structures:
1. From TEB.Win32ThreadInfo you get THREADINFO structure
2. From THREADINFO.pDeskInfo you get DESKTOPINFO structure
3. If DESKTOPINFO.aphkStart is not NULL you get HOOK structure of WH_i hook otherwise WH_i hook is not installed and you can check the next one, WH_i+1
4. From HOOK.pti you get THREADINFO structure of the process that has setted the hook
5. From THREADINFO.pEthread you get ETHREAD structure
6. From ETHREAD.ThreadsProcess you get EPROCESS structure
Inside EPROCESS there are many informations about the process, just read the necessary ones.

Will try to see if it can be done.

[Tigzy]

Hello EP_X0FF

Not defending myself, only monitor which processes have registered hook callbacks

EDIT: Found maybe something: http://www.ntinternals.org/other/EnumWindowsHooks.zip

[EP_X0FF]

Dll injection prevention discussion moved to separate topic

[Edi]

Hi,

I have tryed the same thing some days ago, the only problem is that it won't work in windows 7 x64 :/. The handle table pointer in sharedinfo structure is zero on windows 7. I wasn't able to find a way from userland to get that handle table list. Maybe anybody has an idea?

[Vrtule]

Hello,

You can look for Windows 2000 source code (it can still be found somewhere on torrents I think). It contains also part of win32k.sys sources. There is also code managing Windows Hooks (installation and execution). Windows 7 win32k.sys is different but my experience tells that the difference is not too signifficant. If you look to W2K source and than check Windows 7 win32k.sys (with IDA, for example), you should get an idea, how Windows Hooks internally work.