DLL Question


Guidosoft
March 22nd, 2006, 11:47 AM
I have some questions:

1. When a DLL is loaded, is the reason PROCESS_ATTACH or THREAD_ATTACH?

2. When a process uses SetWindowsHookEx with a DLL, how does it get the function pointer to pass to SetWindowsHookEx, GetProcAddress? If it does, how does it know the new address when the DLL is remapped?

3. When I hook a dll, and when it maps, does it free the DLL from the current process?

4. Could someone provide an example here of a DLL Injection via Windows Hooks? One that I need not download.

NoHero
March 22nd, 2006, 12:21 PM
1. When a DLL is loaded, is the reason PROCESS_ATTACH or THREAD_ATTACH?

PROCESS_ATTACH. And if the current process creates a new thread, THREAD_ATTACH is called. Read this (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dllmain.asp) for in-depth information ;)

2. When a process uses SetWindowsHookEx with a DLL, how does it get the function pointer to pass to SetWindowsHookEx, GetProcAddress? If it does, how does it know the new address when the DLL is remapped?

Yes, GetProcAddress(). The hook is instancing the DLL, so the DLL won't be remapped or unloaded. AFAIK there are very rare circumstances when a process/thread/DLL gets remapped at all.

3. When I hook a dll, and when it maps, does it free the DLL from the current process?

The DLL must be loaded before the hook is installed. And while loading, the DLL is mapped. It is mapped only once; if another process, for example, loads the DLL, the DLL is only "included" within the new process' address space.

4. Could someone provide an example here of a DLL Injection via Windows Hooks? One that I need not download.

http://www.codeguru.com/cpp/w-p/system/misc/article.php/c5685/
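
Not part of the thread: an added example showing how the mapping described above looks from the defender's side. A DLL installed as a system-wide hook ends up mapped into many processes, so this PowerShell inventory lists DLLs loaded from outside the Windows and Program Files directories in several processes, with their signature status. The threshold and the trusted directory list are assumptions to tune per host.

```powershell
# Added example: inventory DLLs mapped into several processes from outside
# the Windows / Program Files directories. A DLL-based system-wide hook shows
# up this way, because the same module appears in many unrelated processes.
# Run elevated to see the modules of processes owned by other users.

$minProcesses = 3   # assumed threshold; tune for the host
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Map: module path -> set of "name:pid" for every process that has it loaded
$seen = @{}
foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # access denied or exited
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path -or $path -notlike '*.dll') { continue }
        if (Test-UnderTrustedRoot $path) { continue }
        if (-not $seen.ContainsKey($path)) {
            $seen[$path] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$seen[$path].Add("$($proc.ProcessName):$($proc.Id)")
    }
}

$seen.GetEnumerator() |
    Where-Object { $_.Value.Count -ge $minProcesses } |
    Sort-Object { $_.Value.Count } -Descending |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.Key
        [pscustomobject]@{
            Module    = $_.Key
            Processes = $_.Value.Count
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            LoadedIn  = ($_.Value | Sort-Object) -join ', '
        }
    } |
    Format-List
```

Legitimate software (input method editors, accessibility tools, some security products) also appears in this list, so treat the output as a starting point for review rather than a verdict.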