-
April 21st, 2014, 06:39 AM
#1
How to start process without loading global hook?
Hi, everyone,
I had created a global hook by SetWindowsHookEx with WH_CALLWNDPROC. It is used to create a new toolbar button in specific window in the specific (3rd party) program (named HOOKEE.exe for example), and it works perfectly fine most of the time.
Normally HOOKEE.exe is launched by double clicking the shortcut icon on desktop. But this program could be also launched in another way (provided by the provider of HOOKEE.exe), with this new way, HOOKEE.exe is by conhost.exe (on Windows 7), and then I could see (via ProcessMonitor) my hook is loaded by conhost.exe, but not the process HOOKEE.exe.
In my understanding global hook would be loaded by whatever process, I have no idea on the exception, and what conhost.exe does to the HOOKEE.exe.
Anyone has any idea?
Thanks in advance
Stone
-
April 21st, 2014, 06:53 AM
#2
Re: How to start process without loading global hook?
Originally Posted by stoneyrh
...WH_CALLWNDPROC...
In my understanding global hook would be loaded by whatever process
Your understanding is correct, in case you talk about applications hosting message queue and creating windows.
About what?
Best regards,
Igor
-
April 21st, 2014, 07:43 AM
#3
Re: How to start process without loading global hook?
Originally Posted by Igor Vartanov
Your understanding is correct, in case you talk about applications hosting message queue and creating windows.
About what?
About why exactly the same HOOKEE.exe running in the same box, but when launched by double clicking the shortcut icon, it loads the global hook, but when launched in some other (unknown to me) way, it does not load the global hook.
Stone
-
April 21st, 2014, 09:44 AM
#4
Re: How to start process without loading global hook?
Global hook is set in scope of the same session, the same window station and the same desktop. Otherwise it is not loaded.
Best regards,
Igor
-
April 21st, 2014, 10:29 PM
#5
Re: How to start process without loading global hook?
Originally Posted by Igor Vartanov
Global hook is set in scope of the same session, the same window station and the same desktop. Otherwise it is not loaded.
As I see in the Task Manager, the HOOKEE.exe is running with the same session ID as that of the process installing the HOOK.
For the station and desktop, how can I check them?
Stone
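The scope conditions from post #4 can be checked from outside the target process. The following is an added example, not code from the thread: given a PID, it compares session IDs, tests whether the process owns a top-level window on the caller's desktop (`EnumWindows` only enumerates the calling thread's desktop, and a different window station always means a different desktop), and compares integrity levels, since from Vista on a hook is not injected into a higher-integrity process. `HookScope`, `hook_blockers` and `scope_of` are names made up for this example.

```c
/* Added example, not from the thread. Build: cl hookscope.c user32.lib advapi32.lib */
#include <stdio.h>
#include <stdlib.h>
typedef struct { unsigned long session; int on_my_desktop; unsigned long integrity; } HookScope;
enum { DIFF_SESSION = 1, DIFF_DESKTOP = 2, HIGHER_INTEGRITY = 4 };
/* Bitmask of conditions that keep a global hook installed by `me` out of `target`. */
int hook_blockers(const HookScope *me, const HookScope *target)
{
    return (me->session != target->session ? DIFF_SESSION : 0)
         | (!target->on_my_desktop ? DIFF_DESKTOP : 0)
         | (target->integrity > me->integrity ? HIGHER_INTEGRITY : 0);  /* UIPI */
}

#ifdef _WIN32
#include <windows.h>
static BOOL CALLBACK find_pid(HWND w, LPARAM p)  /* p: { wanted pid, found flag } */
{
    DWORD pid = 0, *q = (DWORD *)p;
    GetWindowThreadProcessId(w, &pid);
    if (pid == q[0]) q[1] = 1;
    return q[1] == 0;                      /* stop at the first match */
}
static HookScope scope_of(DWORD pid)
{
    HookScope s = {0};
    ULONGLONG buf[8];                      /* aligned room for TOKEN_MANDATORY_LABEL + SID */
    DWORD q[2] = { pid, 0 }, len = 0;
    HANDLE tok = NULL, p = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    ProcessIdToSessionId(pid, &s.session);
    EnumWindows(find_pid, (LPARAM)q);      /* sees only the caller's own desktop */
    s.on_my_desktop = (int)q[1];
    if (p && OpenProcessToken(p, TOKEN_QUERY, &tok) &&
        GetTokenInformation(tok, TokenIntegrityLevel, buf, sizeof buf, &len)) {
        PSID sid = ((TOKEN_MANDATORY_LABEL *)buf)->Label.Sid;
        s.integrity = *GetSidSubAuthority(sid, (DWORD)(*GetSidSubAuthorityCount(sid) - 1));
    }                                      /* stays 0 if the token cannot be read */
    if (tok) CloseHandle(tok); if (p) CloseHandle(p);
    return s;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: hookscope <pid>\n"); return 2; }
    HookScope me = scope_of(GetCurrentProcessId());
    HookScope t  = scope_of((DWORD)strtoul(argv[1], NULL, 10));
    printf("session %lu/%lu  window on my desktop: %d  integrity 0x%lx/0x%lx  blockers 0x%x\n",
           me.session, t.session, t.on_my_desktop, me.integrity, t.integrity, hook_blockers(&me, &t));
    return 0;
}
#endif
```

Run it from the same logon and desktop as the process that installs the hook, passing the PID of the HOOKEE.exe instance that did not load the DLL. The desktop test needs the target to have at least one top-level window, and an integrity of 0 means the token could not be opened.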
-
April 21st, 2014, 11:19 PM
#6
Re: How to start process without loading global hook?
Security on hooks had really been "re-enforced" since Windows Vista, so most code examples you'd see online (since XP days) no longer work. It's hard to tell in your case (without seeing the code), but I'm assuming that you know the following:
1. If you're setting the global WH_CALLWNDPROC hook, it must reside in its own DLL.
2. The "bitness" of the DLL with your hook must match the "bitness" of the process being hooked. Or, in other words, if you're hooking 64-bit process, your DLL must be also compiled as 64-bit. (The same holds true for 32-bit processes.)
3. I bet your Windows user account that you're double-clicking your hook.exe from is an administrator account that gives your hook a user token with administrative privileges by default, while running it from some other process (like, a console process, in the case of conhost.exe) gives your hook user token with less privileges. That might be your problem.
Did you see what error you're getting if hooking fails?
-
April 22nd, 2014, 12:35 AM
#7
Re: How to start process without loading global hook?
Originally Posted by dc_2000
Security on hooks had really been "re-enforced" since Windows Vista, so most code examples you'd see online (since XP days) no longer work. It's hard to tell in your case (without seeing the code), but I'm assuming that you know the following:
1. If you're setting the global WH_CALLWNDPROC hook, it must reside in its own DLL.
2. The "bitness" of the DLL with your hook must match the "bitness" of the process being hooked. Or, in other words, if you're hooking 64-bit process, your DLL must be also compiled as 64-bit. (The same holds true for 32-bit processes.)
3. I bet your Windows user account that you're double-clicking your hook.exe from is an administrator account that gives your hook a user token with administrative privileges by default, while running it from some other process (like, a console process, in the case of conhost.exe) gives your hook user token with less privileges. That might be your problem.
Did you see what error you're getting if hooking fails?
Sure, I understand both items 1 and 2, both my hook (DLL) and HOOKEE.exe are 32-bit.
The problem happens in the same logon session, which means, I launch the HOOKEE.exe by double clicking the shortcut icon, it works, and exit the HOOKEE.exe. Then (without log off) I launch HOOKEE.exe with the other way (just clicking the other icon, and via conhost.exe, I don't know the detail...), HOOKEE.exe does NOT load the DLL, but as I could see in process monitor, conhost.exe DOES load it.
The privilege might be a problem, but I have no idea on how to start a program via conhost.exe, could not get any help on it.
Stone
-
April 22nd, 2014, 01:04 AM
#8
Re: How to start process without loading global hook?
So log the error codes that you get from the APIs that fail. That will clue you in to the cause of the issue.
Last edited by dc_2000; April 22nd, 2014 at 01:50 AM.
-
April 22nd, 2014, 01:12 AM
#9
Re: How to start process without loading global hook?
Originally Posted by dc_2000
So log the error codes that you get from the APIs that fail. That will clue you in to the cause of the issue.
The problem is my hook (DLL) does NOT get loaded at all for that process, but I am sure the call to SetWindowsHookEx succeeds, because the HOOKLOADER.exe is always running there, and if I launch the program just by double clicking the shortcut icon on desktop, everything works fine.
Just in this way, I don't know why HOOKEE.exe doesn't load the hook, but conhost.exe (parent process of HOOKEE.exe) DOES so.
Stone
-
April 22nd, 2014, 03:47 AM
#10
Re: How to start process without loading global hook?
Okay, let's start from the beginning. You say the hook is WH_CALLWNDPROC, which implies a Win32 GUI application only is going to be hooked with the type, according to MSDN:
Originally Posted by MSDN
The system calls this function before calling the window procedure to process a message sent to the thread.
Then you say your application appears to be hosted by conhost.exe, with what information I understand your app is a console app, and therefore it has no window procedure.
Don't you see any contradiction here?
Best regards,
Igor
-
April 22nd, 2014, 06:54 AM
#11
Re: How to start process without loading global hook?
This behaviour is normal. conhost is the surrogate process used to load DLLs in the context for explorer without affecting explorer (DLL isolation).
Since Vista, you typically want to exclude conhost and explorer.exe from your hook DLL.
If you really need your hook to be active in explorer, then you should create a shell extension instead for that purpose.
-
April 22nd, 2014, 07:00 AM
#12
Re: How to start process without loading global hook?
Originally Posted by Igor Vartanov
Okay, let's start from the beginning. You say the hook is WH_CALLWNDPROC, which implies a Win32 GUI application only is going to be hooked with the type, according to MSDN:
Then you say your application appears to be hosted by conhost.exe, with what information I understand your app is a console app, and therefore it has no window procedure.
Don't you see any contradiction here?
Oh, I am sorry, my bad.
The HOOKEE.exe is actually a GUI application, normally it is running only by double clicking on the icon on the desktop, with this way, no conhost.exe is involved during the starting process.
But in another way, provided by the provider of HOOKEE.exe, the user could launch it by clicking the item named "Change User" in Start Menu, with this way, a logon window will be displayed for accepting username and password (this is NOT in HOOKEE.exe). Then when the user clicks OK, the logon window disappears, and you can see the conhost.exe flash and disappear, and the real HOOKEE.exe is launched.
Via this way, the user can use the software (HOOKEE.exe) in a different Windows user without needing to log off and login again.
Stone
-
April 22nd, 2014, 08:01 AM
#13
Re: How to start process without loading global hook?
Originally Posted by stoneyrh
the user could launch it by clicking the item named "Change User" in Start Menu
Change User creates a new logon session, doesn't it?
Best regards,
Igor
-
April 22nd, 2014, 09:01 AM
#14
Re: How to start process without loading global hook?
Originally Posted by Igor Vartanov
Change User creates a new logon session, doesn't it?
I thought it would create a new session, but as I checked in Task Manager, the newly created HOOKEE.exe process has the same session ID as the one installing the HOOK. Does that mean they are in the same session?
Stone