Here we model the Message Hooks pattern (page 76) using the MessageHistory tool [56]. It uses the window message hooking mechanism to intercept window messages. Download the tool, run either MessageHistory.exe or MessageHistory64.exe, and push its Start button. Whenever any process becomes active, either mhhooks.dll or mhhooks64.dll gets injected into that process's virtual address space. Then we run WinDbg x86 or WinDbg x64, run notepad.exe, and attach the debugger noninvasively to it:
*** wait with pending attach
Symbol search path is: srv*
Executable search path is:
WARNING: Process 2932 is not attached as a debuggee
The process can be examined but debug events will not be received
(b74.f44): Wake debugger - code 80000007 (first chance)
USER32!NtUserGetMessage+0xa:
00000000'76f9c92a c3 ret
0:000> .symfix
0:000> .reload
0:000> k
Child-SP RetAddr Call Site
00000000'0028f908 00000000'76f9c95e USER32!NtUserGetMessage+0xa
00000000'0028f910 00000000'ff511064 USER32!GetMessageW+0x34
00000000'0028f940 00000000'ff51133c notepad!WinMain+0x182
00000000'0028f9c0 00000000'76e7f56d notepad!DisplayNonGenuineDlgWorker+0x2da
00000000'0028fa80 00000000'770b3281 kernel32!BaseThreadInitThunk+0xd
00000000'0028fab0 00000000'00000000 ntdll!RtlUserThreadStart+0x1d
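As an added illustration (not from the book or the MessageHistory tool), the following Python parser reads WinDbg 'k' output of the kind shown above and reports stack frames belonging to modules outside the set expected on notepad's main thread, which is how an injected hook DLL shows up once its hook procedure runs. The sample stack, the mhhooks64 frame, its GetMsgProc symbol name and the DispatchHookW frame are constructed for this example.

```python
import re
from dataclasses import dataclass

# One frame of WinDbg 'k' output: "Child-SP RetAddr module!symbol+offset".
# WinDbg prints 64-bit addresses with a backtick separator; some copies of the
# output (like the one above) show it as an apostrophe, so both are accepted.
FRAME_RE = re.compile(
    r"^\s*([0-9a-f`']+)\s+([0-9a-f`']+)\s+([^!\s]+)!(\S+)\s*$", re.IGNORECASE)

# Modules expected on notepad's main thread in a normal message loop.
# Any other module on the stack is reported as a candidate hook DLL.
KNOWN_MODULES = {"ntdll", "kernel32", "kernelbase", "user32", "notepad"}

@dataclass(frozen=True)
class Frame:
    child_sp: int
    ret_addr: int
    module: str
    symbol: str

def _addr(text):
    return int(text.replace("`", "").replace("'", ""), 16)

def parse_k_output(text):
    """Parse the frame lines of a 'k' listing; prompts and headers are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            sp, ra, module, symbol = m.groups()
            frames.append(Frame(_addr(sp), _addr(ra), module.lower(), symbol))
    return frames

def find_hook_modules(frames, known=KNOWN_MODULES):
    """Modules on the stack that are not in the expected set, in stack order."""
    seen = []
    for f in frames:
        if f.module not in known and f.module not in seen:
            seen.append(f.module)
    return seen

# Constructed sample: the stack above with a hook procedure frame inserted
# as it would appear once the injected mhhooks64.dll runs inside GetMessageW.
# The mhhooks64 frame, its symbol name and the DispatchHookW frame are made up.
HOOKED_STACK = """\
0:000> k
Child-SP          RetAddr           Call Site
00000000`0028f7c8 00000000`76f9a1f0 mhhooks64!GetMsgProc+0x3c
00000000`0028f800 00000000`76f9c95e USER32!DispatchHookW+0x83
00000000`0028f910 00000000`ff511064 USER32!GetMessageW+0x34
00000000`0028f940 00000000`ff51133c notepad!WinMain+0x182
00000000`0028f9c0 00000000`76e7f56d notepad!DisplayNonGenuineDlgWorker+0x2da
00000000`0028fa80 00000000`770b3281 kernel32!BaseThreadInitThunk+0xd
00000000`0028fab0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
"""

if __name__ == "__main__":
    print(find_hook_modules(parse_k_output(HOOKED_STACK)))  # ['mhhooks64']
```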