Possible to disable a hook made with SetWindowsHookEx run-time?

Question

If an application (mine, or in an external process, for example) called SetWindowsHookEx, would it be possible for me to unhook the hook? Remember that it wasn't me who made the hook first place, so I don't have any kind of variables or pointers to the original hooks.

Answer 1

No, there isn't.

Back in the day (pre-NT era) you might have gotten away with playing some games with an HHOOK you obtained, as the returned HHOOK was a link in the chain of hooks to be called. Even then I'm not sure it was possible.

Today, Windows doesn't delegate the invocation of the next hook in the chain to you (thus the deprecated parameter to CallNextHookEx) and HHOOKs don't let you reach out to hooks you didn't register anymore.

---

More properly, there is no good and supported way to do this.
You could install a rootkit, dig deep into Windows internals and find the hook chain that way; but that's obviously going to ridiculous - and dangerous - lengths.

Hooking (via one of the myriad API hooking solutions out there, Detours seems popular) SetWindowsHookEx and CallNextHookEx can get you most of the way there for applications that conform to pre-NT conventions. The gist is to immediately unhook new hooks after calls to SetWindowsHookEx, unhook any passed hooks (that aren't your own) to CallNextHookEx. To guarantee a "clean" application, you'd also have to simulate a number of events to force any already called hooks to be invoked so they can be unhooked. Also, this regime will fail as soon as you encounter any of the applications written in the last 8+ years that pass NULL to CallNextHookEx.

So even though it is technically possible (maybe) to unhook HHOOKs your app didn't register, you're probably better off trying to accomplish whatever it is you're after a different, less horribly brittle way.

Answer 2

I don't think you can. You need the handle to the hook that was registered with SetWindowsHookEx() so you can unhook it with UnhookWindowsHookEx()

Hmms btw, if you somehow could create your own hook before any other hook is registered (i.e. during application start up), you could in that hook choose to not call CallNextHookEx() and thus prevent subsequent hooks to be called. Might be worth checking out. I suspect that this might not be possible for all types of hooks.

Answer 3

Actually, I think I discovered that yes, it is possible. Hooking CallNextHook will give you the hook id of the hook, which you can use to unhook.