{
	"id": "a84725d4-6d67-4622-b89a-75f0daf4bd7b",
	"created_at": "2026-04-06T00:21:21.525448Z",
	"updated_at": "2026-04-10T03:21:19.459529Z",
	"deleted_at": null,
	"sha1_hash": "7dbde18d85b72e5872fb068c8d0b5b333ab7fcdd",
	"title": "Any application-defined hook procedure on my machine?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50675,
	"plain_text": "Any application-defined hook procedure on my machine?\r\nPosted by zairon on December 6, 2006\r\nPublished: 2006-12-05 · Archived: 2026-04-05 15:57:30 UTC\r\nSome time ago my antivirus didn’t recognize a piece of malware on my machine; the malware installed a keylogger and it ran silently in the background for some hours. In general, you can discover the presence of a keylogger by looking at the net traffic log or looking for some suspicious file name in the task manager list, but sometimes an application able to find out hooks will come in handy. At first I tried to find some information browsing the net without luck. Hmm, no one has written such a program before? Is it possible or am I unable to use google??? I only got one useful hint about the problem, nothing else.\r\nWell, I decided to take a look at the problem. All my investigations are done under Windows XP/SP1.\r\nBefore starting with the analysis I want to show you the declaration of the function used to set a windows hook:\r\nHHOOK SetWindowsHookEx(\r\nint idHook, // Specifies the type of hook procedure to be installed.\r\nHOOKPROC lpfn, // Pointer to the hook procedure\r\nHINSTANCE hMod, // Handle to the DLL containing the hook procedure pointed to by the lpfn parameter\r\nDWORD dwThreadId // Specifies the identifier of the thread with which the hook procedure is to be associated\r\n);\r\nIt’s always good to know which parameters are passed to the function because you’ll have to deal with them later.\r\nOk, time to start…\r\nA possible starting point is the win32k.sys file; everything is inside it. Looking at the implementation of SetWindowsHookEx I’ve seen a call to HMAllocObject. This function is not really known, but if you have ever read the ‘Using Softice’ help file you surely read the phrase: “The routine HMAllocObject creates USER object types…”. Interesting; setting a bpx over the function I got the following information:\r\n.text:BF853AAB push 34h ; nBytes\r\n.text:BF853AAD push 5 ; TYPE_HOOK\r\n.text:BF853AAF push dword ptr [edi+3Ch] ; PTHREADINFO.rpdesk\r\n.text:BF853AB2 push edi ; PTHREADINFO\r\n.text:BF853AB3 call _HMAllocObject@16 ; HMAllocObject(x,x,x,x)\r\nThe function takes four parameters and the 3rd parameter is related to the type of object that is created. In this specific case I’m dealing with hooks, so the type is TYPE_HOOK, and HMAllocObject returns a pointer to a structure named HOOK; it contains general information about the new object and it looks like:\r\ntypedef struct _HOOK {\r\nULONG hHook;\r\nULONG cLockObj;\r\nPTHREADINFO pti;\r\nULONG rpdesk;\r\nULONG pSelf;\r\nstruct _HOOK *phkNext;\r\nint iHook;\r\nULONG offPfn;\r\nunsigned int flags;\r\nint ihmod;\r\nPTHREADINFO ptiHooked;\r\nPDESKTOP rpdesk;\r\n} HOOK, *PHOOK;\r\nFields:\r\n– hHook\r\nHandle to the hook procedure; it’s the value returned by SetWindowsHookEx and it comes from HMAllocObject\r\n– cLockObj\r\n!?!\r\n– pti\r\nPointer to the THREADINFO structure of the process which sets the hook\r\n– rpdesk\r\n!?!\r\n– pSelf\r\nPointer to this HOOK structure\r\n– phkNext\r\nNext structure in the hook chain\r\n– iHook\r\nHook type (i.e. WH_MOUSE or WH_KEYBOARD). This is the first parameter passed to SetWindowsHookEx\r\n– offPfn\r\nOffset of the filter procedure; it is obtained by a simple subtraction between the address of the hook procedure and the initial address of the dll\r\n– flags\r\nHF_xxx flags (HF_GLOBAL, HF_LOCAL, HF_DESTROYED…)\r\n– ihmod\r\nNumber of hooks set into the module\r\n– ptiHooked\r\nPointer to the THREADINFO structure of the hooked thread. If HF_GLOBAL is set the pointer is set to NULL because the hook works for every running thread\r\n– rpdesk\r\n!?!\r\nAs you can see the fields are not all explained; I’ll try to gain more information.\r\nSome of the fields are filled by HMAllocObject itself and they are not TYPE_HOOK related fields; I mean, the HOOK structure contains information about the hook you want to install (i.e. the hook type, the offset of the filter procedure) and information not so strictly related to the hook (i.e. phkNext, pSelf). Since all of the work is done trying to understand if there are global hooks installed on the system, I’m only interested in TYPE_HOOK related fields and these are:\r\n1. pti\r\npti is really useful because it gives me the possibility to access the process that has installed the hook. The first dword of the THREADINFO structure is the pointer to the ETHREAD structure, which contains a pointer to the EPROCESS structure. Once you have EPROCESS you can read the image file name (ImageFileName field) and the pid (UniqueProcessId) of the process that has set the hook. At this point you can also read which dlls are loaded by the process or get any other useful information about it, especially which dll has the filter procedure inside. If you are not totally confident with undocumented structures you can even retrieve the information using functions from the Psapi library (i.e. EnumProcessModules/GetModuleFileNameEx to obtain a loaded dll…).\r\n2. iHook\r\nWithout it you won’t be able to know which hook was installed.\r\n3. offPfn\r\nOnly necessary if you want to know where the filter procedure is located.\r\nStarting from the HOOK structure I can retrieve all the needed information about the HOOK, but I need a fundamental piece of information, maybe the most important one. Where can I find the HOOK structure? As I said before I only got a hint about the problem; it comes from an old thread at the sysinternals forum (http://forum.sysinternals.com/); I don’t remember the name of the user, thanks to him btw. The hint sounds like: “look at aphkStart”, nothing else. aphkStart is defined as:\r\nPHOOK aphkStart[CWINHOOKS];\r\nIt’s an array of pointers to HOOK structures, one for each possible WH_xxx hook; the pointer at index ‘i’ is NULL if you are not under that hook. As far as I have seen there are two aphkStart arrays, one for local hooks (inside the THREADINFO structure) and one for global hooks (inside the DESKTOPINFO structure). To find out if a global hook has been installed you only have to scan the entire aphkStart array (the one inside DESKTOPINFO) looking for a non-NULL entry; if you find one you are under a global hook.\r\nThe picture below is a little sum-up. You start from the TEB of the current process, the process that checks the installed hooks. When you have the TEB you can pass through some structures:\r\n1. From TEB.Win32ThreadInfo you get the THREADINFO structure\r\n2. From THREADINFO.pDeskInfo you get the DESKTOPINFO structure\r\n3. If DESKTOPINFO.aphkStart[i] is not NULL you get the HOOK structure of the WH_i hook; otherwise the WH_i hook is not installed and you can check the next one, WH_i+1\r\n4. From HOOK.pti you get the THREADINFO structure of the process that has set the hook\r\n5. From THREADINFO.pEthread you get the ETHREAD structure\r\n6. From ETHREAD.ThreadsProcess you get the EPROCESS structure\r\nInside EPROCESS there is a lot of information about the process; just read the necessary parts.\r\n[Figure: Way to installed WH_xxx hook]\r\nSource: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/"
	],
	"report_names": [
		"any-application-defined-hook-procedure-on-my-machine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dbde18d85b72e5872fb068c8d0b5b333ab7fcdd.pdf",
		"text": "https://archive.orkl.eu/7dbde18d85b72e5872fb068c8d0b5b333ab7fcdd.txt",
		"img": "https://archive.orkl.eu/7dbde18d85b72e5872fb068c8d0b5b333ab7fcdd.jpg"
	}
}