-m monitor mode. check for changes every n seconds (default 7).
-v verbosity. print more information (default level when enabled is 1).
-d include only these desktops: a list of desktops separated by space.
-i include only these hooks: a list of hooks separated by space.
-x exclude only these hooks: a list of hooks separated by space.
-p include only these programs: a list of programs separated by space.
-r exclude only these programs: a list of programs separated by space.
Example to monitor WH_MOUSE hooks associated with workrave.exe or PID/TID 799:
GetHooks.exe -m -i WH_MOUSE -p workrave.exe 799
For an overview: GetHooks.exe --about
For more options: GetHooks.exe --options
For more examples: GetHooks.exe --examples
gethooks --about
gethooks v1.0 - Built on Dec 5 2011 at 00:52:19The original gethooks source can be found at https://jay.github.io/gethooks
For usage use --help
-
Copyright (C) 2011 Jay Satiro <raysatiro$at$yahoo{}com>
All rights reserved. License GPLv3+: GNU GPL version 3 or later
<https://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
-
Overview
GetHooks is a program designed for the passive detection and monitoring of
hooks from a limited user account.
GetHooks lists any hook in the user handle table that is on any desktop in the
current window station, and the threads/processes associated with that hook.
A hook basically allows for intercepting certain messages before they reach
their target. To "hook" is a general term. To be more specific, GetHooks
detects all hooks handled by SetWindowsHookEx(), or in other words all hooks
of user object TYPE_HOOK.
GetHooks does not detect WinEvents, which can be hooked and are of user object
TYPE_WINEVENTHOOK. WinEvent hooks are sometimes referred to as just hooks.
GetHooks also does not detect function hooks. Functions can be hooked any
number of ways. Function hooks are sometimes referred to as just hooks.
The semantics involved might seem confusing. For a list of the hooks
recognized by this program please review the examples.
GetHooks is passive in that unlike other monitors it does not attempt to set
any hooks itself, load any drivers, need administrator privileges to find
hooks or have any type of impact on the operating system.
GetHooks is not passive in that it attempts to read at least several bytes of
each process' memory to identify the owner, origin and target thread of a
hook. If it cannot identify a thread associated with a hook the respective
thread is shown in the hook notice as "<unknown>".
After a lot of research (special thanks to alex$at$ntinternals{}org) I
designed and developed GetHooks as free software. The program's estimated
cost so far has exceeded $6000 as of October 13, 2011. If you find this
program useful and it has saved you time or money then you are welcome to
donate time or money. https://jay.github.io/gethooks/index.html#donate
Please review the options and examples for more information.
gethooks --options
gethooks v1.0 - Built on Dec 5 2011 at 00:52:19The original gethooks source can be found at https://jay.github.io/gethooks
For usage use --help
-
Copyright (C) 2011 Jay Satiro <raysatiro$at$yahoo{}com>
All rights reserved. License GPLv3+: GNU GPL version 3 or later
<https://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
-
These options are compatible with all other options unless stated otherwise.
[-t <num>] [-f] [-e] [-u] [-g] [-z <func> [param]]
-t the maximum number of threads in a snapshot
For each system snapshot this program allocates several buffers whose size is
based on the maximum number of threads in a snapshot. The default maximum
number of threads is currently 20000, resulting in each snapshot taking ~7MB.
Currently gethooks has memory allocated at any one time for 1 snapshot by
default, or 2 if in monitor mode, or maybe more if in test mode. Use this
option to specify a smaller or larger number of threads per snapshot, which
will decrease or increase, respectively, the amount of memory allocated.
-f force successful completion of NtQuerySystemInformation()
For each system snapshot this program uses a thread traversal library which
calls the API function NtQuerySystemInformation() to get a list of threads in
the system. If that call ever fails it is considered an indicator of system
instability and by default this program will terminate. However, you may
decide that the failure is indicative of something else entirely. Use this
option to silently retry on almost any failed NtQuerySystemInformation() call
every second until it succeeds.
-Note that this option is only a workaround for intermittent failures. If you
enable this option and a failure *always* occurs then the code loops endlessly.
-Note that info length mismatch (buffer too small) failures are never retried.
To remedy a small buffer increase the number of threads using option 't'.
-e show external hooks (ignore internal hooks)
You'll notice for each hook found on your desktop that the owner, origin and
target thread are often the same. That means a thread hooked itself. Example:
-
Owner/Origin/Target: notepad++.exe (PID 3408, TID 3412 @ 0xFE6ECDD8)
-
I refer to those hooks as internal hooks. External hooks are any hooks which
are not internal, and are usually more of interest. For example a thread
which has targeted some other thread with a hook or is targeting all threads
with a global hook. This program processes both external and internal hooks
by default, but you may use this option to ignore internal hooks.
-u show unknown hooks (ignore known hooks)
You'll notice for each hook found on your desktop that the owner, origin and
target thread are usually identified by their thread and process info. Example:
-
Owner/Origin: WLSync.exe (PID 148, TID 3280 @ 0xFE2A5B50)
Target: WLSync.exe (PID 148, TID 3556 @ 0xFE5E9B78)
-
I refer to those hooks as known hooks. Unknown hooks are any hooks which do
not have identifiable user or kernel mode owner, origin and/or target thread
information, and may be more of interest to you because they could not be
fully identified. This program processes both known and unknown hooks by
default, but you may use this option to ignore known hooks.
-Note that unknown hooks are often the result of insufficient permissions. To
remedy that you can run this program with administrative privileges.
-g show global hooks (ignore hooks with a target thread)
You may notice hooks on your desktop that have a target of <GLOBAL>. Example:
-
Owner/Origin: hkcmd.exe (PID 2780, TID 3456 @ 0xFF52EC00)
Target: <GLOBAL>
-
Global hooks may be of more interest to you because "the hook procedure is
associated with all existing threads running in the same desktop as the
calling thread." Popular global hooks include WH_KEYBOARD, WH_KEYBOARD_LL
and WH_MOUSE, WH_MOUSE_LL to monitor keyboard and mouse input, respectively.
This program processes both global and non-global (targeted) hooks by
default, but you may use this option to ignore targeted hooks.
-c ignore hook lock count changes
Hook objects can be locked and unlocked by the kernel. The lock count and
the frequency at which the count changes may or may not prove to be viable
diagnostic information for you when you are monitoring a hook. Not a lot is
known about the expected behavior of hook locking and unlocking. Further,
the number of lock count changes you see will largely depend on the interval
at which you are monitoring. You may use this option to ignore lock count
change notifications.
-Note that empirical testing on Win7 x86 SP1 shows that locking and unlocking
is far more frequent with a faulted hook.
-y go completely passive (do not identify owner/origin/target threads)
GetHooks was designed for passive detection of hooks but by default it is not
completely passive. The memory of each process must be read to identify which
threads are associated with which hooks. If it cannot read the memory of a
process which has a thread associated with a hook it refers to that hook's
respective thread as unknown. By using this option no threads will be
traversed and no process' memory will be read, and all hooks will have
threads that show as "<unknown>".
-z run a test mode function with an optional or required parameter.
Test mode is where I am testing functions like walking a hook chain or dumping
an individual HOOK from its kernel address.
Whether or not this option is compatible with any other options depends on the
function and its parameter. For usage and examples: GetHooks.exe -z
gethooks --examples
gethooks v1.0 - Built on Dec 5 2011 at 00:52:19The original gethooks source can be found at https://jay.github.io/gethooks
For usage use --help
-
Copyright (C) 2011 Jay Satiro <raysatiro$at$yahoo{}com>
All rights reserved. License GPLv3+: GNU GPL version 3 or later
<https://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
-
More examples:
GetHooks can filter hooks by name or id. For the sake of posterity if an id
does not have an associated name it is still accepted, though with a warning.
The recognized hook names are:
WH_MSGFILTER(-1)
WH_JOURNALRECORD(0)
WH_JOURNALPLAYBACK(1)
WH_KEYBOARD(2)
WH_GETMESSAGE(3)
WH_CALLWNDPROC(4)
WH_CBT(5)
WH_SYSMSGFILTER(6)
WH_MOUSE(7)
WH_HARDWARE(8)
WH_DEBUG(9)
WH_SHELL(10)
WH_FOREGROUNDIDLE(11)
WH_CALLWNDPROCRET(12)
WH_KEYBOARD_LL(13)
WH_MOUSE_LL(14)
You may use a hook's id instead of its name when including/excluding hooks.
For example, to monitor only WH_KEYBOARD(2) and WH_MOUSE(7) hooks:
GetHooks.exe -m -i 2 7
Show WH_KEYBOARD_LL hooks that are associated with hkcmd.exe:
GetHooks.exe -i WH_KEYBOARD_LL -p hkcmd.exe
Show WH_KEYBOARD_LL hooks that are associated with any process other than
hkcmd.exe:
GetHooks.exe -i WH_KEYBOARD_LL -r hkcmd.exe
Show hooks other than WH_KEYBOARD_LL that are associated with hkcmd.exe:
GetHooks.exe -x WH_KEYBOARD_LL -p hkcmd.exe
Show hooks other than WH_KEYBOARD_LL that are associated with any process
other than hkcmd.exe:
GetHooks.exe -x WH_KEYBOARD_LL -r hkcmd.exe
It is possible to include or exclude a thread id (TID) or a process id (PID)
instead of a process name. To do that just use the id instead of the name.
For example, to monitor hooks associated with thread id 492 or process id 148:
GetHooks.exe -m -p 148 492
If a colon is the first character in an argument to program include/exclude it
is assumed a program name follows. You may prefix a program name with a colon
so that it is not misinterpreted as an option or process id or thread id.
For example, to list hooks associated with program name -h and program name 907
GetHooks.exe -p :-h :907
By default this program attaches to all desktops in the current window station.
Instead you may specify zero or more individual desktops with the 'd' option.
If you specify 'd' without a desktop name it is assumed you want the current.
For example, to list hooks on the current desktop and "Sysinternals Desktop 1":
GetHooks.exe -d -d "Sysinternals Desktop 1"
Use the GNU 'tee' program to copy this program's output to a file.
For example, to monitor hooks and copy output to file "outfile":
GetHooks.exe -m | tee outfile
Verbosity can be enabled to aid advanced users.
When verbosity is enabled the lowest level is 1 and the highest level is 9.
The higher the verbosity level the more information that is printed.
Level 1 shows additional statistics.
Level 2 is reserved for further development.
Level 3 is reserved for further development.
Level 4 is reserved for further development.
Level 5 shows this program's global store (structures) and its descendants.
Level 6 shows the HOOK structs (Microsoft's internal hook structures).
Level 7 shows the hook structs (This program's internal hook structures).
Level >=8 is too noisy/comprehensive to be used in monitoring mode:
Level 8 shows brief information on every thread captured in a snapshot.
Level 9 enables traverse_threads() verbosity when it traverses each thread.
For example, to print Microsoft's internal HOOK struct in each HOOK notice:
GetHooks.exe -v 6
Note that gethooks prints any errors to stdout, not stderr.
If you are looking for the GetHooks homepage click here.