system-wide hook for 64-bit operating systems


I want to perform a system-wide hook (using SetWindowHook) on a 64bit operating system.

I know that 64bit processes (= proc64) can load only 64bit dlls (= dll64) and 32bit processes (= proc32) can load only 32bit dlls (= dll32).

Currently I am planning to call SetWindowHook twice, once with dll32 and once with dll64, expecting that proc64s will load dll64 and proc32s will load dll32 (while dll32 for proc64s and dll64 for proc32s will fail).

Is that the correct way to do that, or is there a "more correct" way to do that?

Thanks! :-)

3

There are 3 answers

0
Andrey On BEST ANSWER

The approach that you've described is correct and documented.

From http://msdn.microsoft.com/en-us/library/ms644990(v=vs.85).aspx:

SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application requires the use of hooks in other processes, it is required that a 32-bit application call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names.

Note the last statement: the names of the 32-bit and 64-bit DLLs MUST be different.
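As an added example (not part of the original answer or the MSDN text): a pre-flight check an installer could run on each of its two hook DLLs, reading the PE header's Machine field to confirm the file matches the bitness of the processes it is meant for. The function names and the constructed sample header are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* COFF machine values from the PE format specification. */
#define PE_MACHINE_I386  0x014c  /* 32-bit x86 */
#define PE_MACHINE_AMD64 0x8664  /* 64-bit x64 */

/* Read an n-byte little-endian integer (n <= 4). */
static uint32_t rd_le(const unsigned char *p, int n) {
    uint32_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Returns the COFF Machine field of a PE image, or 0 if the buffer is not a
 * well-formed PE header. Every offset is bounds-checked before it is read. */
unsigned pe_machine(const unsigned char *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t off = rd_le(buf + 0x3c, 4);       /* e_lfanew */
    if (off > len || len - off < 6) return 0;  /* "PE\0\0" + Machine */
    if (memcmp(buf + off, "PE\0\0", 4) != 0) return 0;
    return rd_le(buf + off + 4, 2);
}

/* 1 if a DLL with this machine type can load into a process of that bitness. */
int dll_fits_process(unsigned machine, int process_is_64bit) {
    if (machine == PE_MACHINE_AMD64) return process_is_64bit != 0;
    if (machine == PE_MACHINE_I386)  return process_is_64bit == 0;
    return 0;  /* unknown or malformed: refuse */
}

/* Constructed sample: smallest header carrying the fields read above. */
size_t make_sample(unsigned char *buf, size_t cap, unsigned machine) {
    if (cap < 0x88) return 0;
    memset(buf, 0, 0x88);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x80;                          /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x84] = machine & 0xff;
    buf[0x85] = (machine >> 8) & 0xff;
    return 0x88;
}
```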

4
david On

You should test the machine in your code to see if the word length is 32 or 64 bit. A 64 bit machine will process 32 bit instruction sets by extending the word lengths, but a 32 bit machine that is passed a 64 bit instruction set... could cause really bad things.

In the C standard library's limits.h header, INT_MAX will give you the maximum size; test it to see:

#include <limits.h>   /* INT_MAX */
#include <stdbool.h>  /* bool */

bool is32 = true;

if ( INT_MAX == 9223372036854775807LL ) {  /* 2^63 - 1 */
  is32 = false;
}

Once you have your flag you will know which file to include, and you can use your flag to include it with.

1
snemarch On

You'll probably want to look at EasyHook to save yourself a whole bunch of trouble.