3

I want to perform a system-wide hook (using SetWindowHook) on a 64bit operating system.

I know that 64bit processes (= proc64) can load only 64bit dlls (= dll64) and 32bit processes (= proc32) can load only 32bit dlls (= dll32).

Currently I am planning to call SetWindowHook twice, once with dll32 and once with dll64, expecting that proc64s will load dll64 and proc32s will load dll32 (while dll32 for proc64s and dll64 for proc32s will fail).

Is that the correct way to do that, or is there a "more correct" way to do that?

Thanks! :-)

TCS
  • 5,790
  • 5
  • 54
  • 86

3 Answers3

1

Approach that you've described is correct and documented.

From http://msdn.microsoft.com/en-us/library/ms644990(v=vs.85).aspx:

SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application requires the use of hooks in other processes, it is required that a 32-bit application call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names.

Note the last statement that names of 32-bit and 64-bit DLLs MUST be different.

Andrey
  • 4,216
  • 1
  • 23
  • 31
0

You'll probably want to look at EasyHook to save yourself a whole bunch of trouble.

snemarch
  • 4,958
  • 26
  • 38
  • I don't want to use easyhook for that task because SetWindowHook is enough for the job... – TCS Feb 28 '11 at 09:59
-3

You should test the machine in your code to see if the word length is 32 or 64 bit. A 64 bit machine will process 32 bit instruction sets by extending the word lengths, but a 32 bit machine that is passed a 64 bit instruction set... could cause really bad things.

In the C standard library limits.h header—INT_MAX will give you maximum size, test it to see 

bool is32 = true;

if ( INT_MAX == 2^63 − 1 ) {
  is32 = false;
}

once you have your flag you will know which file to include, and you can use your flag to include it with.

david
  • 726
  • 1
  • 5
  • 10
  • If INT_MAX is unsigned you will need to test if it is equal to 2^64 − 1, dont remember if it is or not. – david Feb 28 '11 at 07:26
  • why would one have to do that, given there are separate 32-bit and 64-bit versions of DLLs? – Andrey Feb 28 '11 at 07:39
  • So that your program does not try and use a 64 bit dll on a 32 bit machine. A 32 bit machine will chop 64 bit instructions in half and process them in most cases, it is the equivalent of creating pointer in c, not nulling it out or initializing it and running a process on it... you have no idea what will happen. – david Feb 28 '11 at 07:48
  • Firstly, this question explicitly states the fact that there is 64-bit OS. Secondly, there more relevant ways to see whether the platform is AMD64 in compile-time. Third and last - 32-bit DLL will not load from 64-bit process, just like 64-bit DLL won't load from 32-bit process. So there is no chance to get the mix you describe. – Andrey Feb 28 '11 at 08:53