Managed Interception of External Window Messages Using Win32 Hooks

Hello, and Happy New Year! This article is the second in a series that looks at the interception of window messages with managed code and shall be my first article in this (hopefully glorious) new year of 2024.

Whereas the first article focused on intercepting messages from windows belonging to the same process hosting our .NET code via subclassing, this article will look at a much spicier topic: viewing messages being sent to external, out-of-process windows using Win32 hooks.

This topic is extra spicy because, as you may or may not know, (the vast majority of) Win32 hooks are not supported in .NET. And by not supported, I mean they do not work. And for good reason.

So how do we get them to work and spy on those juicy external window messages? Well, read on…

Receiving Out-Of-Process Window Messages

When thinking of intercepting messages sent to arbitrary windows, the first thing that comes to mind is the Spy++ tool that gets bundled with Visual Studio.

Shows a screenshot of the Spy++ (spyxx.exe) tool.
The original window message interception program!

So, when asking myself how to intercept external window messages, what better teacher to learn from than this fabled debugging tool? I donned my research hat and did some Googling until I came across an older article written by a VC++ design engineer who worked on Spy++ that answered this very question.

As the article explains, it intercepts messages through the use of three Win32 hooks, namely:

  • WH_CALLWNDPROC (called prior to a window procedure executing)
  • WH_CALLWNDPROCRET (called after a window procedure returns)
  • WH_GETMESSAGE (called when a message is about to be returned from a message queue)

WH_CALLWNDPROC is all we need to leverage to intercept external window messages, but we will also be spending some time looking at WH_GETMESSAGE for a bit of extra credit.

But, What Are Win32 Hooks Anyway?

Microsoft documentation refers to them simply as hooks; however, I find that much too general of a designation, so I find myself having to add the additional qualifier of “Win32”.

Win32 hooks are a means to be notified of potentially system-wide events. You can find general documentation on their use on Microsoft’s website.

The use of Win32 hooks is an advanced Windows OS programming topic, where little mistakes can bring your whole system down to its knees!

That isn’t what we should be worried about, however. Rather, we should be more concerned with the fact that we’re writing managed code, something that doesn’t get along nicely with Win32 hooks.

Why Win32 Hooks Don’t Work With .NET

External hook procedures are installed via the injection of DLLs containing said procedures into a target process or processes. There are a few issues when trying to do this with .NET:

  • Managed DLL assemblies cannot export functions like native DLLs can.
  • Processes running only unmanaged code and lacking a loaded .NET runtime cannot execute managed code.

There’s really no way around it: our hook procedure for capturing external window messages cannot be written in managed code.

A Deeper Look At Hook DLL Injection

Hook procedures are installed using the SetWindowsHookEx Win32 function and can be installed either to a specific thread or system-wide (resulting in a global hook).

If either a thread not belonging to the current process (*cough* such as a thread an external window is running on) or a global hook is intended, then the hMod parameter of SetWindowsHookEx must be set to a handle to the DLL containing the hook procedure pointed to by the lpfn parameter.

The DLL pointed to by hMod is injected into the target process or processes, with the expectation that the hook procedure is a DLL export that can act as a valid, consistent function to call into.

.NET does not support DLL exports: managed DLL assemblies lack the necessary facilities that allow arbitrary processes to execute code via proffered “function pointers”. Managed code has no concept of consistent values for function pointers because marshalled function pointers are merely dynamically built proxies.

Even if .NET DLLs did have such facilities, there is as good a chance as any that our targeted processes are unmanaged and do not have a loaded .NET runtime.

Some Hooks Do Work With .NET

Hooks that always run on the same thread as the code that installed them actually do work with .NET. That’s because there is no DLL injection required. Two examples of hooks like this are the low-level keyboard and mouse hooks.

These kinds of hooks are unique in the sense that despite being global, they are run on the thread that installed them as opposed to the thread processing the hook.

A Native Hooks Library We Can Inject

If you thought you would get to spy on those juicy external window messages without having to step out of the safety of Land of the Managed Code, you were dead wrong my friend.

Shows us creating a native DLL project in Visual Studio.
Oh boy, time to wade into unmanaged waters.

We will need to write a native DLL, and we’ll be doing it using good ol’ C++ (though the code we write will be a bit more C-like as we’re not going to deal with creating any classes or the like). We’ll add the things we need it to do in order for it to intercept external window messages, and we’ll also take a look at how we can add support for other hook types.

But, to start things off just what does it need to do?

Native Hooks Library Requirements

  • Exports functions that will add/remove Win32 hooks
  • Has some type of IPC allowing it to share data with other (injected) instances of itself
  • Has some kind of mechanism allowing for the native DLL to send message data back to a managed caller
  • Has the means for a managed caller to modify hook messages that are mutable (this depends on the hook type)

Lets examine each of the requirements and how we’ll fulfill them.

Function Exports For Adding/Removing Win32 Hooks

We’ll have one function for installing the hook procedure, and one for uninstalling them.

Hooks.h – Adding/Removing Hooks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#define HOOKS_API extern "C" __declspec(dllexport)
 
/**
 * Installs a new Win32 hook procedure into the specified thread.
 * @param hookType The type of hook procedure to install.
 * @param threadId The identifier of the thread with which the hook procedure is to be associated.
 * @param destination A handle to the window that will receive messages sent to the hook procedure.
 * @return True if successful; otherwise, false.
 */
HOOKS_API bool __cdecl AddHook(HookType hookType, int threadId, HWND destination);
 
/**
 * Uninstalls a Win32 hook procedure from the specified thread.
 * @param hookType The type of hook procedure to uninstall.
 * @param threadId The identifier of the thread to remove the hook procedure from.
 * @return True if successful; otherwise, false.
 */
HOOKS_API bool __cdecl RemoveHook(HookType hookType, int threadId);

There are two exported functions for installing and uninstalling hook procedures shown above. The specific hook type installed/uninstalled when invoking them depends on the HookType enum value provided.

As one can judge by the signatures, these functions are for hooks targeting specific threads/processes, as evidenced by the threadId. We’ll add some additional functions

Hooks.h – HookType Enum
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
/**
 * Specifies a type of hook procedure.
 */
enum HookType
{  
    /**
     * Monitors \c WH_CALLWNDPROC messages before the system sends them to a destination window
     * procedure.
     */
    CallWindowProcedure,
    /**
     * Monitors \c WH_CALLWNDPROCRET messages after they have been processed by the destination
     * window procedure.
     */
    CallWindowProcedureReturn,
    /**
     * Monitors \c WH_GETMESSAGE messages posted to a message queue prior to their retrieval.
     */
    GetMessage
};

We only have three hook types specified in the above enum definition; however, this is all we’ll need for this article. CallWindowProcedure will be used to intercept external window messages, and we’ll also look at GetMessage and all the interesting things that emerge with its use.

An individual callback for each hook procedure type is used.

Hooks.h – Hook Procedures
1
2
3
4
// Installable hook procedures.
LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam);
LRESULT CALLBACK CallWndProcRet(int nCode, WPARAM wParam, LPARAM lParam);
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam);

That’s not a typo in the first parameter for GetMsgProc…for whatever reason, Microsoft kept flip-flopping between using code and nCode for their various hook procedures (I like to be at parity with Microsoft’s docs, for the most part).

We’ll go into implementations for all the above declarations later in the article; for now, let’s look at some of the other requirements our native Hooks DLL must fulfill.

Sharing Memory Between DLL Instances

Our managed code will call hook registration functions exported from our native Hooks library via P/Invoke. These registration functions will call SetWindowsHookEx and provide a handle to the DLL that contains them for the hMod parameter, causing the Hooks DLL to be injected into the targeted process.

These registration functions will also accept some configuration information, such as where or how to relay messages received by the hook procedure. However, the instance of our DLL processing the hook procedure will be in a separate process and share no memory with the instance we have configured via P/Invoke.

So, how do we get the configuration information over to the injected DLL instances? By sharing memory, of course! Memory shall be shared by means of memory-mapped files that the system paging file stores.

This is done by calling CreateFileMapping, passing INVALID_HANDLE_VALUE so the paging file is used, and then MapViewOfFile to associate the shared data with the virtual address space of the process. This will be done while inside the DllMain method.

DllMain.cpp – Shared Memory Initialization
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
BOOL APIENTRY DllMain(HINSTANCE instance, DWORD reason, LPVOID)
{
    BOOL init;
 
    switch (reason)
    {
        case DLL_PROCESS_ATTACH:       
            Instance = instance;
            FileMapping = CreateFileMapping(
                INVALID_HANDLE_VALUE,
                nullptr,
                PAGE_READWRITE,
                0,
                SharedMemorySize,
                TEXT("BadEcho.Hooks.FileMappingObject"));           
 
            if (FileMapping == nullptr)
                return FALSE;
 
            init = GetLastError() != ERROR_ALREADY_EXISTS;
 
            SharedMemory
                = MapViewOfFile(FileMapping, FILE_MAP_WRITE, 0, 0, 0);
 
            if (SharedMemory == nullptr)
                return FALSE;
 
            SharedSectionMutex
                = CreateMutex(nullptr, FALSE, TEXT("BadEcho.Hooks.MutexObject"));
 
            if (SharedSectionMutex == nullptr)
                return FALSE;
 
            if (init)
                memset(SharedMemory, '\0', SharedMemorySize);
 
            SharedData = static_cast<ThreadData*>(SharedMemory);
            break;
 
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;     
        case DLL_PROCESS_DETACH:
            UnmapViewOfFile(SharedMemory);
            CloseHandle(FileMapping);
            CloseHandle(SharedSectionMutex);
            break;
        default:
            return FALSE;
    }
 
    return TRUE;   
}

The above code will load the shared memory for every instance of the DLL being injected into a process, initializing the memory during the first DllMain invocation (typically from a P/Invoke call).

You’ll notice that the data stored in the shared memory is a pointer to a bunch of ThreadData objects. Let’s take a look at that.

Hook.h – ThreadData and HookData
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
/**
 * Represents configurations settings for a hook procedure.
 */
struct HookData
{
    /**
     * A handle to the hook procedure.
     */
    HHOOK Handle;
    /**
     * A handle to the window that hook messages will be sent to.
     */
    HWND Destination;
};
 
/**
 * Represents shared hook data specific to a thread.
 */
struct ThreadData
{
    /**
     * The thread the data is associated with.
     */
    int ThreadId;
    /**
     * The installed \c WH_CALLWNDPROC hook procedure for the thread, if one exists.
     */
    HookData CallWndProcHook;
    /**
     * The installed \c WH_CALLWNDPROCRET hook procedure for the thread, if one exists.
     */
    HookData CallWndProcRetHook;
    /**
     * The installed \c WH_GETMESSAGE hook procedure for the thread, if one exists.
     */
    HookData GetMessageHook;
};

Each thread targeted by one or more installed hooks gets allocated an associated ThreadData value. Each value contains the thread’s ID and the various HookData values for the hooks that we’ve registered.

HookData values contain the handle to the hook and where to send the message when our hook procedure is processing it — a topic we’ll cover now.

Sending Messages Back to Managed Code

One of the biggest seeming challenges here is the matter of relaying the intercepted messages from the process that is receiving them back to the one running our managed code. We need a way for unmanaged code running in one process to notify a managed component running in another.

Not the simplest of problems to solve. One potential solution would be to have our managed code run as a managed out-of-proc COM server; however, that approach is, for lack of better words a bit much

Perhaps that’s something that can be explored later; until then, a much simpler solution would be to actually reroute the messages via a call to SendMessage, with the target HWND being a message-only window running in our managed process.

This target HWND is what the Destination member of the relevant HookData will be set to, and it is provided as a parameter when calling the AddHook registration function.

We’ll take a closer look at how we receive the messages on the managed side of things during the .NET counterpart of this article.

Modifying Mutable Hook Messages From Managed Code

Some hook types have message parameters that can be modified by the hook procedure, potentially affecting the behavior of the process we’ve injected into. If we wish to engage in this practice, we must devise a way to propagate the desired changes from our managed code following a message notification back to the appropriate DLL instance.

The first thing we’ll need is another exported function that we can call from our managed code to modify the hook message’s details.

Hooks.h – Changing Message Details
1
2
3
4
5
6
7
8
9
10
/**
 * Changes the details of a hook message currently being intercepted.
 * @param message The message identifier to use.
 * @param wParam Additional information about the message to use.
 * @param lParam Additional information about the message to use.
 * @note
 * This function should only be called from window procedures that handle hook types supporting
 * mutable messages.
 */
HOOKS_API void __cdecl ChangeMessageDetails(UINT message, WPARAM wParam, LPARAM lParam);

The above function can be P/Invoked while a managed window procedure set as a destination for a hook type supporting mutable messages is executing. The supplied parameter values will overwrite the values found in the message details struct passed in by the hook procedure.

However, the DLL instance receiving this function call will be the one loaded into the managed caller’s process. How will it share these updated values with the DLL instance processing the hook message?

There are a number of ways, but let us mix it up a bit and use DLL shared data segments.

Hooks.h – Shared Data Segments
1
2
3
4
5
6
7
8
9
10
11
12
// Add a data section to our binary file for variables we want shared across all injected
// processes.
// The variables that are shared mainly deal with the number of active hooks and message
// parameters up for modification.
#pragma data_seg(".shared")
inline bool ChangeMessage = false;
inline UINT ChangedMessage = 0;
inline WPARAM ChangedWParam = 0;
inline LPARAM ChangedLParam = 0;
inline int ThreadCount = 0;
#pragma data_seg()
#pragma comment(linker, "/SECTION:.shared,RWS")

The PE format Windows uses for its EXE and DLL files defines the notion of data sections. The above code creates a new data section that will appear in our binary file and then instructs the linker that the just-created section should be marked as shared.

By default, each process using a DLL has its own instance of all the DLL’s global and static variables. However, variables declared inside a shared data segment will be shared across all processes using the DLL.

Note that the DLL instances must all originate from the exact same physical file for the shared data segment members to be shared. This will be the case for us, so we needn’t worry.

Using a memory-mapped file like we do with our ThreadData would also work here, but again, I wanted to mix it up a bit (not to mention that this approach simplifies things).

However, we will need to provide synchronization in the form of a mutex to support having the particular hook procedure installed in multiple processes.

Function Definitions

With the groundwork laid out, let’s take a look at the actual body of code for the various functions mentioned above.

DllMain.cpp – Function Definitions
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
ThreadData *GetLocalData(int threadId, bool addEntry)
{
    int index;
 
    for (index = 0; index < ThreadCount; index++)
    {
        if (SharedData[index].ThreadId == threadId)
            break;
    }
 
    // Thread not registered -- attempt to initialize data.
    if (index == ThreadCount)
    {
        if (!addEntry || ThreadCount == MaxThreads)
            return nullptr;
 
        SharedData[index].ThreadId = threadId;
 
        SharedData[index].CallWndProcHook.Handle = nullptr;
        SharedData[index].CallWndProcHook.Destination = nullptr;
        SharedData[index].CallWndProcRetHook.Handle = nullptr;
        SharedData[index].CallWndProcRetHook.Destination = nullptr;
        SharedData[index].GetMessageHook.Handle = nullptr;
        SharedData[index].GetMessageHook.Destination = nullptr;
 
        // Synchronization is required as multiple processes may be attempting to increment the
        // thread count.
        WaitForSingleObject(SharedSectionMutex, INFINITE);
        ThreadCount++;
        ReleaseMutex(SharedSectionMutex);
    }
 
    return &SharedData[index];
}
 
bool __cdecl AddHook(HookType hookType, int threadId, HWND destination)
{
    ThreadData* localData = GetLocalData(threadId, true);
 
    if (localData == nullptr)
        return false;
     
    HookData* hookData;
    int idHook;
    HOOKPROC lpfn;
 
    switch (hookType)
    {
        case CallWindowProcedure:
            hookData = &localData->CallWndProcHook;
            idHook = WH_CALLWNDPROC;
            lpfn = CallWndProc;
            break;
 
        case CallWindowProcedureReturn:
            hookData = &localData->CallWndProcRetHook;
            idHook = WH_CALLWNDPROCRET;
            lpfn = CallWndProcRet;
            break;
 
        case GetMessage:
            hookData = &localData->GetMessageHook;
            idHook = WH_GETMESSAGE;
            lpfn = GetMsgProc;
            break;
 
        default:
            return false;
    }
 
    HHOOK hook = SetWindowsHookEx(idHook, lpfn, Instance, threadId);
 
    if (hook == nullptr)
        return false;
 
    hookData->Handle = hook;
    hookData->Destination = destination;
 
    return true;
}
 
bool __cdecl RemoveHook(HookType hookType, int threadId)
{
    ThreadData* localData = GetLocalData(threadId, false);
 
    if (localData == nullptr)
        return false;
 
    HookData* hookData;
 
    switch (hookType)
    {
        case CallWindowProcedure:
            hookData = &localData->CallWndProcHook;
            break;
        case CallWindowProcedureReturn:
            hookData = &localData->CallWndProcRetHook;
            break;
        case GetMessage:
            hookData = &localData->GetMessageHook;
            break;
        default:
            return false;
    }
 
    if (hookData->Handle == nullptr)
        return false;
 
    bool result = UnhookWindowsHookEx(hookData->Handle);
 
    hookData->Handle = nullptr;
    hookData->Destination = nullptr;
 
    return result;
}
 
void __cdecl ChangeMessageDetails(UINT message, WPARAM wParam, LPARAM lParam)
{
    ChangedMessage = message;
    ChangedWParam = wParam;
    ChangedLParam = lParam;
    ChangeMessage = true;
}
 
 
LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    int threadId = static_cast<int>(GetCurrentThreadId());
 
    if (ThreadData* localData = GetLocalData(threadId, false); nCode == HC_ACTION)
    {
        HWND destination = localData->CallWndProcHook.Destination;
 
        auto messageParameters = PointTo<CWPSTRUCT>(lParam);
 
        if (destination != nullptr)
        {
            SendMessage(
                destination,
                messageParameters->message,
                messageParameters->wParam,
                messageParameters->lParam);
        }
    }
 
    return CallNextHookEx(nullptr, nCode, wParam, lParam);
}
 
LRESULT CALLBACK CallWndProcRet(int nCode, WPARAM wParam, LPARAM lParam)
{
    int threadId = static_cast<int>(GetCurrentThreadId());   
 
    if (ThreadData* localData = GetLocalData(threadId, false); nCode == HC_ACTION)
    {
        HWND destination = localData->CallWndProcRetHook.Destination;
 
        auto messageParameters = PointTo<CWPRETSTRUCT>(lParam);
 
        if (destination != nullptr)
        {
            SendMessage(
                destination,
                messageParameters->message,
                messageParameters->wParam,
                messageParameters->lParam);
        }
    }
 
    return CallNextHookEx(nullptr, nCode, wParam, lParam);
}
 
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    int threadId = static_cast<int>(GetCurrentThreadId());   
 
    if (ThreadData* localData = GetLocalData(threadId, false); code == HC_ACTION)
    {  
        if (HWND destination = localData->GetMessageHook.Destination; destination != nullptr)
        {
            // Unlike some of these other hooks, we are able to modify messages of this hook type
            // before control is returned to the system.
            auto messageParameters = PointTo<MSG>(lParam);
 
            WaitForSingleObject(SharedSectionMutex, INFINITE);
 
            __try
            {
                ChangeMessage = false;
 
                SendMessage(
                    destination,
                    messageParameters->message,
                    messageParameters->wParam,
                    messageParameters->lParam);
 
                if (ChangeMessage)
                {
                    messageParameters->message = ChangedMessage;
                    messageParameters->wParam = ChangedWParam;
                    messageParameters->lParam = ChangedLParam;
                }
            }
            __finally
            {
                ReleaseMutex(SharedSectionMutex);
            }
        }       
    }
 
    return CallNextHookEx(nullptr, code, wParam, lParam);
}

These functions are pretty straightforward and fulfill the expectations we laid out in the previous sections. You can find the complete, up-to-date source code for the BadEcho.Hooks library here.

Let us now leap out of the unmanaged universe and dive into the managed code counterpart to all of this C++ tomfoolery.

Wrapping an External Window and Its Messages

In the previous article of this series, we looked at classes concerned with wrapping a local (in-process) window’s handle and the messages it receives, with the star of the show being the LocalWindowWrapper class.

To intercept messages from out-of-proc windows, we’ll create another derivation of the WindowWrapper base class, which LocalWindowWrapper shares as an ancestor: the GlobalWindowWrapper.

How It Will Work

The GlobalWindowWrapper will be similar to the LocalWindowWrapper type in that it will take a HWND, or IntPtr if you will, to “wrap” as well as offering us the ability to add our custom hooks to the window procedure via the AddHook/RemoveHook methods.

LocalWindowWrapper used subclassing to intercept the window’s messages; however, that option is not available for GlobalWindowWrapper because the windows are in a different process. Instead of subclassing, we will be P/Invoking the various unmanaged function exports we just wrote.

To do that, we need to find the ID of the thread that the external window is running on (easy with the GetWindowThreadProcessId function), but we’ll also need to provide a destination HWND for our native DLL to use to relay an intercepted message back on.

This destination HWND must be an independent window local to our managed code’s process. There’s a good chance that (unless we happen to be a desktop application) we don’t have a spare HWND and an equally good chance that we don’t even want one.

We need a window that is not a window; no, not Schrödinger’s cat, but a message-only window.

Wrapping a Message-Only Window

A message-only window is one with the singular purpose of receiving window messages. It has no physical manifestation; no shape, size, look, or feel. There’s a good chance you have many, many message-only windows spawned on your desktop this very instant, deviously lurking in the shadows.

To create one from a .NET codebase, we’ll once again take advantage of our window wrapping object hierarchy we started in the previous article. Deriving from WindowWrapper, we have a MessageOnlyWindowWrapper type, which provides window procedure hook management for a message-only window.

Initializing a MessageOnlyWindowWrapper will create and manage a message-only window. Details about how message-only windows work and how to make them are outside this article’s scope, so please refer to the source of MessageOnlyWindowWrapper here.

Dead Wrappers

The MessageOnlyWindowWrapper type will conduct all steps required to successfully create a message-only window whose window procedure points to our managed WindowWrapper.WindowProcedure.

So, while that might seem to take care of everything, sorry, it doesn’t. In fact, if we try to use an instance of this type as the destination HWND, we’ll never see any messages appear in our managed window procedure.

Remember, all the windows we’ve been wrapping thus far have been existing windows managed by code independent of ours. This is the first time we’ve actually created our own, and we’re missing a rather essential component to the correct operation of a window, something I touched on briefly in the previous article.

That’s right; we need to man the pump: the window message pump! A window does nothing if its thread’s message queue isn’t being pumped in a loop.

But Doesn’t SendMessage Bypass the Message Queue?

Yes! Using the SendMessage function (as we’re doing here) results in the message being sent to the window procedure, skipping the message queue. However, one needs to pay careful attention to the docs:

If the specified window was created by the calling thread, the window procedure is called immediately as a subroutine. If the specified window was created by a different thread, the system switches to that thread and calls the appropriate window procedure. Messages sent between threads are processed only when the receiving thread executes message retrieval code.

The bolded portion above is the most critical part. However, what exactly is “message retrieval code”? Simply put: a call to the GetMessage function, itself part and parcel of a Win32 message loop. If this does not occur, no cross-thread message, even ones sent by SendMessage, will be processed.

With that clarified, we need an object type that can provide the requisite message retrieval code, and the MessageOnlyExecutor implementation of IThreadExecutor fits the bill quite nicely.

Executors and Happy Wrappers

The MessageOnlyExecutor, which uses a MessageOnlyWindowWrapper instance, is an involved class that will handle dispatching messages while allowing us to execute operations and receive window messages on a dedicated thread.

MessageOnlyExecutor was inspired by WPF’s Dispatcher class and is quite involved — to learn how it works, please consult its source here.

It does many things above and beyond the minimum required for dispatching window messages; you could certainly whip up a stripped-down version. Regardless of what you do, we’ll need it for our hook procedures to talk back to us.

With the final requirement of our native functions satisfied, let’s get to P/Invoking.

P/Invoke Declarations

We spent all that time writing those native DLL exports; it’d be a shame to let them go to waste, so let us toss a P/Invoke function for each one in a new Hooks class.

Hooks.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
/// <summary>
/// Provides interoperability with the Bad Echo Win32 hooks API.
/// </summary>
internal static partial class Hooks
{
    private const string LIBRARY_NAME = "BadEcho.Hooks";
     
    /// <summary>
    /// Installs a new Win32 hook procedure into the specified thread.
    /// </summary>
    /// <param name="hookType">The type of hook procedure to install.</param>
    /// <param name="threadId">
    /// The identifier of the thread with which the hook procedure is to be associated.
    /// </param>
    /// <param name="destination">
    /// A handle to the window that will receive messages sent to the hook procedure.
    /// </param>
    /// <returns>True if successful; otherwise, false.</returns>
    [LibraryImport(LIBRARY_NAME, SetLastError = true)]
    [UnmanagedCallConv(CallConvs = new[] { typeof(CallConvCdecl) })]
    [return: MarshalAs(UnmanagedType.U1)]
    [DefaultDllImportSearchPaths(DllImportSearchPath.SafeDirectories)]
    public static partial bool AddHook(HookType hookType, int threadId, WindowHandle destination);
 
    /// <summary>
    /// Uninstalls a Win32 hook procedure from the specified thread.
    /// </summary>
    /// <param name="hookType">The type of hook procedure to uninstall.</param>
    /// <param name="threadId">
    /// The identifier of the thread to remove the hook procedure from.
    /// </param>
    /// <returns>True if successful; otherwise, false.</returns>
    [LibraryImport(LIBRARY_NAME, SetLastError = true)]
    [UnmanagedCallConv(CallConvs = new[] { typeof(CallConvCdecl) })]
    [return: MarshalAs(UnmanagedType.U1)]
    [DefaultDllImportSearchPaths(DllImportSearchPath.SafeDirectories)]
    public static partial bool RemoveHook(HookType hookType, int threadId);
 
    /// <summary>
    /// Changes the details of a hook message currently being intercepted.
    /// </summary>
    /// <param name="message">The message identifier to use.</param>
    /// <param name="wParam">Additional information about the message to use.</param>
    /// <param name="lParam">Additional information about the message to use.</param>
    [LibraryImport(LIBRARY_NAME)]
    [UnmanagedCallConv(CallConvs = new [] { typeof(CallConvCdecl)})]
    [DefaultDllImportSearchPaths(DllImportSearchPath.SafeDirectories)]
    public static partial void ChangeMessageDetails(uint message, IntPtr wParam, IntPtr lParam);
}

Pretty much carbon copies of the C++ declarations, mixed with a bit of that ol’ type marshalling jazz.

Okay, time for the big boy: the GlobalWindowWrapper.

The Out-Of-Process Window Wrapper

Alright, everything is in place for us to finally create our GlobalWindowWrapper class, which is yet another derivation of WindowWrapper.

GlobalWindowWrapper.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
/// <summary>
/// Provides a wrapper around an <c>HWND</c> of a provided out-of-process window and the messages
/// it receives.
/// </summary>
/// <remarks>
/// <para>
/// Window messages intended for other applications cannot be intercepted via the usual technique
/// of subclassing, as it is not possible to subclass a window created by and running on another
/// process.
/// </para>
/// <para>
/// Instead, several global hook procedures are installed and associated with the thread owning
/// the wrapped window. This provides us with all pertinent window message traffic, even across
/// process boundaries. Registering a callback for a global hook procedure requires more than
/// just a function pointer to a managed delegate, however. Global hooks require the injection
/// of a native, standard Windows DLL containing the hook procedure into a target process.
/// </para>
/// <para>
/// Self-injection of this assembly isn't going to cut it, as a managed DLL simply cannot be
/// loaded in an unmanaged environment, which will fail to load our not-so-standard DLLs due
/// to the lack of a DllMain entry point.
/// </para>
/// <para>
/// Luckily for us, or maybe just me, we have the native BadEcho.Hooks library, written in C++
/// and super injectable! If this DLL can be located for the necessary platform invokes, the
/// necessary hooks are established and instances of said native DLL are loaded into the
/// address space of our target processes.
/// </para>
/// <para>
/// In order for our hooking DLL to be able to communicate back to our managed code, we create
/// a message-only window that is set up to receive messages from unmanaged-land.
/// So...there you go. Spy away!
/// </para>
/// </remarks>
public sealed class GlobalWindowWrapper : WindowWrapper, IDisposable
{
    private readonly MessageOnlyExecutor _hookExecutor = new();
    private readonly int _threadId;
     
    private bool _disposed;
    private bool _windowHooked;
 
    /// <summary>
    /// Initializes a new instance of the <see cref="GlobalWindowWrapper"/> class.
    /// </summary>
    /// <param name="handle">A handle to the window being wrapped.</param>
    public GlobalWindowWrapper(WindowHandle handle)
        : base(handle)
    {
        _threadId = (int) User32.GetWindowThreadProcessId(Handle, IntPtr.Zero);
 
        if (_threadId == 0)
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }
 
    /// <inheritdoc/>
    public void Dispose()
    {
        if (_disposed)
            return;
 
        CloseHook();
 
        _hookExecutor.Dispose();
         
        _disposed = true;
    }
 
    /// <inheritdoc/>
    protected override void OnHookAdded(WindowHookProc addedHook)
    {
        base.OnHookAdded(addedHook);
 
        InitializeHook();
    }
 
    /// <inheritdoc/>
    protected override void OnDestroyingWindow()
    {
        base.OnDestroyingWindow();
 
        CloseHook();
    }
 
    private async void InitializeHook()
    {
        if (_hookExecutor.Window != null)
            return;
          
        await _hookExecutor.RunAsync();
             
        if (_hookExecutor.Window == null)
            throw new InvalidOperationException(Strings.MessageQueueForHookFailed);
 
        _hookExecutor.Window.AddHook(WindowProcedure);
 
        _windowHooked = Hooks.AddHook(HookType.CallWindowProcedure,
                                      _threadId,
                                      _hookExecutor.Window.Handle);
    }
 
    private void CloseHook()
    {
        if (!_windowHooked)
            return;
 
        _windowHooked = !Hooks.RemoveHook(HookType.CallWindowProcedure, _threadId);
 
        if (_windowHooked)
            Logger.Warning(Strings.UnhookWindowFailed.InvariantFormat(_threadId));
    }
}

When the external window is about to receive a message, our hook procedure will send said message to the MessageOnlyWindowWrapper.WindowProcedure being powered by our local MessageOnlyExecutor. Because our GlobalWindowWrapper added a hook to the message-only window, it will be passed along to the GlobalWindowWrapper.WindowProcedure, which will then of course share it with its own registered hooks.

In other words, mission complete! This code will likely have some features and needed contingencies added to it, but it does the job in the tests I’ve run. You can find the up-to-date source for this class among its brethren at the ol’ Bad Echo repository.

In the final article in this series of window message interception using managed code, we’ll be taking a look at how, through another implementation of IMessageSource<T>, we can add support for the WH_GETMESSAGE hook type, which features a different hook procedure signature and supports mutable message details.