How can I get the INSTANCE handle from a HHOOK?


Post by Kevin Le » Tue, 13 Sep 2005 16:01:05


How to get the INSTANCE handle of the HOOK dll through a given HHOOK handle?
Any comments will be appreciated! Thanks in advance!

regards,
Kevin

Post by Gary Chans » Tue, 13 Sep 2005 19:25:35


You can't get it from the hook handle. It's the first parameter passed to
your dllmain for the DLL_PROCESS_ATTACH event. You should only need it for
the call to SetWindowsHookEx. If you need it later, you can save it or call
GetModuleHandle with the name of your DLL.

--

- Gary Chanson (Windows SDK MVP)
- Abolish Public Schools


Post by Kevin Le » Wed, 14 Sep 2005 10:44:33

Hi, Gary Chanson,
You know, I have been working on a project that will remove some predefined
system hooks.

I have already hooked the API CallNextHookEx; when a target's installed hook
calls this function, I will receive a hook handle. If I can get the DLL's
instance handle from the HOOK handle, I can do some extra work, for example
extract the whole DLL from memory to a disk file, etc.

So, that's my purpose. Any help will be appreciated.

Kevin

Post by Mike » Wed, 14 Sep 2005 11:32:18


Have a look at the article
http://www.yqcomputer.com/
can use any of it. You can use VirtualQuery to locate the image base that
you are running in..... Which is your Instance handle.

Mike P

Post by Gary Chans » Wed, 14 Sep 2005 12:14:45


I think the only sure way to get it is to hook SetWindowsHookEx and grab
it from that function's parameters.

--

- Gary Chanson (Windows SDK MVP)
- Abolish Public Schools

Post by Gary Chans » Wed, 14 Sep 2005 12:14:52


Inside of CallNextHookEx, he can't be sure that the instance of the DLL
executing wasn't relocated (unless what the OP really wants is the current
instance instead of the original instance). It will usually be loaded at the
same address as in the instance which set the hook, but it's not guaranteed.

--

- Gary Chanson (Windows SDK MVP)
- Abolish Public Schools

Post by Kevin Le » Wed, 14 Sep 2005 16:24:34

But I must ensure that I hook SetWindowsHookEx before it is called.

I think that an HHOOK must be a pointer to a HOOK struct, and through
this struct I can find the hinstance handle of that DLL.
Is it possible?

Post by Scherbina » Wed, 14 Sep 2005 16:36:39

You may use NtQueryInformationProcess to retrieve information about all
modules loaded into the process.

NTSTATUS NtQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

Put the ProcessBasicInformation value in the ProcessInformationClass parameter
and you will get, in the ProcessInformation parameter, a pointer to a
PROCESS_BASIC_INFORMATION:

typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;
    KAFFINITY AffinityMask;
    KPRIORITY BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

PebBaseAddress+0x28h is the address of InInitializationOrderModuleList;
here is part of this structure:

typedef struct _IN_INITIALIZATION_ORDER_MODULE_LIST {
    PVOID Next;
    PVOID Prev;
    DWORD ImageBase;
    DWORD ImageEntry;
    DWORD ImageSize;
    ...
};

I guess you're interested in ImageBase.

Hope this helps.

--
Scherbina Vladimir

Post by Gary Chans » Wed, 14 Sep 2005 23:44:37


I don't know. My strong policy is to not poke around inside of
undocumented structures because they're too prone to change. What are you
trying to do? Maybe there's another way of doing it.

--

- Gary Chanson (Windows SDK MVP)
- Abolish Public Schools