From: Bartjan Wattel [bartjan@ascit.com]
Sent: Friday, November 12, 1999 1:52 AM
To: ntdev@atria.com; 71774.362@compuserve.com; mpietrek@tiac.com
Cc: mike@ascit.com
Subject: [ntdev] Microsoft SPY / SetWindowsHookEx questions

At the moment we are programming an application that intercepts messages from Windows applications, like the Spy utility from Microsoft Visual C++ does. We analysed the source code of this program and read the documentation on Win32 Hooks (which can be found in the MSDN tool).

As explained in this documentation, we put the functions that intercept the messages together in one DLL. The function that calls the SetWindowsHookEx function is in an application. So, the program loads the DLL (with the functions that intercept messages). Next, the program gets the addresses of all functions that are in the DLL. The last step is installing 2 system-wide hooks (WH_GETMESSAGE and WH_CALLWNDPROC) via the function SetWindowsHookEx.

We've got some questions for you:

A. When we install a system-wide hook, the DllMain function of my DLL is called every time an application starts or ends.
   1) Does Windows create instances of my DLL?
   2) Why is this?
   3) Can we avoid this?

B. Because the DLL is reloaded for each application that starts, we cannot use "global variables" in the DLL because the data segments for the DLL are also reloaded and hence the variables are back in their "initialized" state.
   1) If Windows creates instances of my DLL, can we use shared memory (memory mapped file), so that all the instances use the same variables?
   2) Any other hints or comments on this one?

Thanks for your reply,

With kind regards,
Bartjan Wattel

-----------
--- Your security partner ---
ASCIT B.V. - ThunderStore HeadQuarters
Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
Web: http://www.thunderstore.com
-----------