I am trying to write a program, that block the usage of keyloggers in Win98 and Me.
I have some questions, so I will as them in a list:

    [*]If I omit a CallNextHookEx call at the end of hook procedure, will other hooks (installed after mine) have a possibiliy to receive control?
    [*]How can I start my program to be sure it'll install its hook the first?
    [*]How I can receive all installed keyboard hooks?
    [*]What will happen, if my hook will be the last that receives windows message (I won't transfer the message to the chain)?
    [*]Can I clear the hook chain except system ones? (clear just user-installed)

    Sorry, but it is hard to find something worthable in MSDN, so I ask you. You may know this.
Posted on 2002-09-26 14:35:00 by Maestro
If I omit a CallNextHookEx call at the end of hook procedure, will other hooks (installed after mine) have a possibiliy to receive control?
MSDN:
To prevent Windows from passing the message to the rest of the hook chain or to the target window procedure, the return value must be a nonzero value.
Many types of hooks can be global and per-thread at the same time. Thread hooks are called first, then global hooks.
If you have installed global hook and some other app installs local hook of the same type, you will recieve hook event of that app second.

The new hook is always installed at the beginning of the hook chain!
So, "other hooks (installed after mine)" means those hooks already have recieved hook event.

How can I start my program to be sure it'll install its hook the first?
See above.

How I can receive all installed keyboard hooks?
What do you mean?

What will happen, if my hook will be the last that receives windows message (I won't transfer the message to the chain)?
It doesn't matter. And you never know whether your hook last or not. You have always to play by the same rule with CallNextHookEx.

Can I clear the hook chain except system ones? (clear just user-installed)
Hmm..? I'm sure there is no documented way to do that.
Posted on 2002-09-27 04:37:58 by Four-F
If I write the following code (in C++, sorry)

LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam) {
return 1L;
}

Will it be the last that receives the WH_KEYBOARD message ?
Posted on 2002-09-27 08:25:29 by Maestro
To allow Windows to pass the message to the target window procedure, bypassing the remaining procedures in the chain, the return value must be zero.

Your code above effectively blocks all keyboard messages.
It's not what you want, i guess. You have to return zero!

BTW, in description for ALL hook procedures is claimed:
If code is less than zero, the hook procedure must pass the message to the CallNextHookEx function without further processing and should return the value returned by CallNextHookEx.


Your proc should be (asm, sorry ;))

KeyboardProc proc nCode:DWORD, wParam:DWORD, lParam:DWORD


.if nCode == HC_ACTION
xor eax, eax
.else
invoke CallNextHookEx, hHook, nCode, wParam, lParam
.endif

ret

KeyProc endp
Posted on 2002-09-28 03:41:09 by Four-F
If you don't CallNextHookEx, other hooks (those installed before yours, if any) will not be executed.
Your hook procedure is the first to receive the messages. You can CallNextHookEx at the beginning of HookProc, or at the end of it. It's up to you to decide.

oh. Already answered above.:stupid:
Posted on 2002-09-28 03:43:03 by C.Z.
Originally posted by Maestro
[*]How I can receive all installed keyboard hooks?
[*]What will happen, if my hook will be the last that receives windows message (I won't transfer the message to the chain)?
[*]Can I clear the hook chain except system ones? (clear just user-installed)

Sorry, but it is hard to find something worthable in MSDN, so I ask you. You may know this.


The best way is http://www.anticracking.sk/EliCZ/export/ShowGWH.zip
However, it only runs under Win9X.
Another way is using WH_DEBUG hook and remembering all the hooks that get called.
Posted on 2002-09-30 13:45:17 by QuickeneR