Jun 29, 2018

HOOKs are divided into three types: LOCAL HOOK, REMOTE HOOK, and SYSTEM-WIDE LOCAL HOOK. A LOCAL HOOK is one where the program hooks a thread in its own process. A REMOTE HOOK comes in two forms: one targets a specific thread in another program; the other targets the entire system. The SYSTEM-WIDE LOCAL HOOK is a special case: it has the reach of a REMOTE HOOK but can be written in the form of a LOCAL HOOK. In practice this means the two hooks WH_JOURNALRECORD and WH_JOURNALPLAYBACK. A REMOTE HOOK must be encapsulated in a DLL: because it targets the entire system or threads in other processes, the HOOK must be packaged into a DLL before it can be implanted into those processes for monitoring. The SYSTEM-WIDE LOCAL HOOK uses another

In this architecture, if a thread in the system requests or obtains a hardware message, the system calls the thread that installed the HOOK and executes its FILTER FUNCTION, then returns to the thread that requested the hardware message. One disadvantage of this architecture is that if the HOOK FILTER FUNCTION enters an infinite loop, the entire system stays in that loop and cannot switch to other threads. To deal with this defect, Windows provides the CTRL + ESC key combination: if the user presses CTRL + ESC, the system sends a WM_CANCELJOURNAL message to the thread that installed the JOURNAL series HOOK above
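The taxonomy above can be applied when reviewing recorded SetWindowsHookEx calls to see which ones reach beyond the caller's own process. The following is an added example, not code from the original post; the trace format, process names and function names are constructed for illustration, and it goes one step beyond the page's three types by also recognizing the low-level input hooks.

```python
# Hook IDs as defined in winuser.h
WH_JOURNALRECORD, WH_JOURNALPLAYBACK, WH_KEYBOARD = 0, 1, 2
WH_KEYBOARD_LL, WH_MOUSE_LL = 13, 14
JOURNAL = {WH_JOURNALRECORD, WH_JOURNALPLAYBACK}
LOW_LEVEL = {WH_KEYBOARD_LL, WH_MOUSE_LL}

def classify(id_hook, h_mod, thread_id, own_threads):
    """Return (hook type, finding) for one SetWindowsHookEx call.

    id_hook, h_mod, thread_id mirror the API's idHook, hMod, dwThreadId;
    own_threads is the set of thread IDs owned by the calling process.
    """
    if id_hook in JOURNAL:
        # System-wide effect, but the filter runs in the installing thread.
        return "system-wide local", "journal hook: sees all hardware input"
    if id_hook in LOW_LEVEL:
        # Not one of the page's three types: global, no DLL injected.
        return "low-level", "global input hook, callback in installer"
    if thread_id != 0 and thread_id in own_threads:
        return "local", "scoped to caller's own thread"
    # Remote: another process's thread, or thread_id 0 = entire system.
    scope = "entire system" if thread_id == 0 else f"foreign thread {thread_id}"
    if h_mod == 0:
        return "remote", f"{scope}: no module handle, DLL requirement unmet"
    return "remote", f"{scope}: DLL will be loaded into other processes"

# Constructed sample: (process, its thread IDs, idHook, hMod, dwThreadId)
TRACE = [
    ("editor.exe", {4100, 4104}, WH_KEYBOARD, 0, 4100),
    ("helper.exe", {5200}, WH_KEYBOARD, 0x10000000, 0),
    ("macro.exe", {6300}, WH_JOURNALRECORD, 0, 0),
    ("tool.exe", {7400}, WH_KEYBOARD, 0x10000000, 4100),
]

def triage(trace):
    """Return the calls that reach beyond the caller's own process."""
    out = []
    for proc, threads, id_hook, h_mod, tid in trace:
        kind, finding = classify(id_hook, h_mod, tid, threads)
        if kind != "local":
            out.append((proc, kind, finding))
    return out

if __name__ == "__main__":
    for row in triage(TRACE):
        print(*row, sep=" | ")
```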

