PART 9. Models of Software Behaviour > Message Hooks Pattern - Pg. 326

Message Hooks Pattern

Here we model the Message Hooks pattern (page 76) using the MessageHistory tool [56]. It uses the window message hooking mechanism to intercept window messages. Download the tool and run either MessageHistory.exe or MessageHistory64.exe and push its Start button. Whenever any process becomes active, either mhhooks.dll or mhhooks64.dll gets injected into the process virtual address space. Then we run WinDbg x86 or WinDbg x64, run notepad.exe and attach the debugger noninvasively to it:

*** wait with pending attach
Symbol search path is: srv*
Executable search path is:
WARNING: Process 2932 is not attached as a debuggee
         The process can be examined but debug events will not be received
(b74.f44): Wake debugger - code 80000007 (first chance)
USER32!NtUserGetMessage+0xa:
00000000`76f9c92a c3              ret

0:000> .symfix
0:000> .reload
0:000> k
Child-SP          RetAddr           Call Site
00000000`0028f908 00000000`76f9c95e USER32!NtUserGetMessage+0xa
00000000`0028f910 00000000`ff511064 USER32!GetMessageW+0x34
00000000`0028f940 00000000`ff51133c notepad!WinMain+0x182
00000000`0028f9c0 00000000`76e7f56d notepad!DisplayNonGenuineDlgWorker+0x2da
00000000`0028fa80 00000000`770b3281 kernel32!BaseThreadInitThunk+0xd
00000000`0028fab0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

If we don't select "Noninvasive" in the "Attach to Process" dialog box we need to switch from the debugger injected thread to our main notepad application thread:

0:001> .symfix
0:001> .reload
0:001> k
Child-SP          RetAddr           Call Site
00000000`024bfe18 00000000`77178638 ntdll!DbgBreakPoint
00000000`024bfe20 00000000`76e7f56d ntdll!DbgUiRemoteBreakin+0x38
00000000`024bfe50 00000000`770b3281 kernel32!BaseThreadInitThunk+0xd
00000000`024bfe80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

[56] http://support.citrix.com/article/CTX111068
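As an added example (not from the book or from the MessageHistory tool), the following Python script automates the two checks this walkthrough performs by eye: whether a "k" listing belongs to the thread WinDbg injected for an invasive attach (so the analyst must switch to the application's thread), and whether a module outside an assumed baseline for notepad.exe, such as the hook DLL, has appeared in the "lm" listing. The "lm" text, its addresses and the baseline set are constructed assumptions; the stack frames are taken from the listings above.

```python
import re

# Constructed WinDbg transcripts modelled on the two 'k' listings in the text:
# MAIN_K is the noninvasive attach (notepad's own thread), BREAKIN_K is the
# thread WinDbg injects for a normal (invasive) attach.
MAIN_K = """\
Child-SP          RetAddr           Call Site
00000000`0028f908 00000000`76f9c95e USER32!NtUserGetMessage+0xa
00000000`0028f910 00000000`ff511064 USER32!GetMessageW+0x34
00000000`0028f940 00000000`ff51133c notepad!WinMain+0x182
"""
BREAKIN_K = """\
Child-SP          RetAddr           Call Site
00000000`024bfe18 00000000`77178638 ntdll!DbgBreakPoint
00000000`024bfe20 00000000`76e7f56d ntdll!DbgUiRemoteBreakin+0x38
00000000`024bfe50 00000000`770b3281 kernel32!BaseThreadInitThunk+0xd
"""
# Constructed 'lm' listing (hypothetical addresses) for a notepad.exe into
# which the hook DLL named in the text was injected.
LM = """\
start             end                 module name
00000000`ff510000 00000000`ff550000   notepad    (deferred)
00000000`76e60000 00000000`76f80000   kernel32   (deferred)
00000000`76f80000 00000000`77080000   USER32     (deferred)
00000000`77080000 00000000`77230000   ntdll      (pdb symbols)
00000000`10000000 00000000`10030000   mhhooks64  (no symbols)
"""
# Assumed baseline of modules a clean notepad.exe loads (illustrative only).
NOTEPAD_BASELINE = {"notepad", "kernel32", "user32", "ntdll"}

# Both 'k' and 'lm' rows start with two 17-character 64-bit values followed
# by the column we care about (Call Site or module name).
THIRD_COL_RE = re.compile(r"^[0-9a-f`]{17}\s+[0-9a-f`]{17}\s+(\S+)", re.I)

def parse_k(text):
    """Return the Call Site column of a 'k' listing, top frame first."""
    return [m.group(1) for line in text.splitlines() if (m := THIRD_COL_RE.match(line))]

def parse_lm(text):
    """Return lower-cased module names from an 'lm' listing."""
    return [m.group(1).lower() for line in text.splitlines() if (m := THIRD_COL_RE.match(line))]

def is_debugger_breakin_thread(frames):
    """True when the stack is WinDbg's injected break-in thread (DbgUiRemoteBreakin):
    the analyst should switch to the application's thread, e.g. with ~0s."""
    return any(f.startswith("ntdll!DbgUiRemoteBreakin") for f in frames)

def unexpected_modules(modules, baseline):
    """Modules absent from the baseline: candidates for an injected hook DLL."""
    return sorted(set(modules) - baseline)

if __name__ == "__main__":
    for name, k in (("noninvasive", MAIN_K), ("invasive", BREAKIN_K)):
        print(name, "break-in thread:", is_debugger_breakin_thread(parse_k(k)))
    print("unexpected modules:", unexpected_modules(parse_lm(LM), NOTEPAD_BASELINE))
```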