Thread: API hooking

  1. #1
    Registered User
    Join Date
    Feb 2008
    Posts
    25

    API hooking

    Hi. What I'm trying to achieve here is an API hook in a single application. The application is writing several logfiles which is clogging up my harddrive, so I thought I'd reroute WriteFile to a function that does nothing.

    I was thinking of injecting a DLL and then patch the API-call. However, I'm not sure which technique I should use to reroute an API. I've tried the Microsoft Detour library but I would rather do it myself, thus I can actually learn something on the way.

    What is the easiest way, inside a process, to reroute one or several API's?

  2. #2
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    Look up hooking on CodeProject. There are several tutorials there.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  3. #3
    Registered User
    Join Date
    Feb 2008
    Posts
    25
    Thank you. I've looked through a few examples and my eye has fallen on to IAT Patching, a quite interesting technique.

    I've been writing some code but I have not gotten it to actually work. This is my code so far:

    dll.c
    Code:
    int WINAPI My_MessageBox(HWND, LPCTSTR, LPCTSTR, UINT);
    
    int * addr = (int *)MessageBoxW;
    int * myaddr = (int *)My_MessageBox;
    PDWORD pAddr = NULL;
    
    unsigned __stdcall ThreadProc(void *param)
    {
             // Hook API
             HMODULE hMod = GetModuleHandle(NULL);
             PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hMod;
             PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS)((BYTE *)hMod + pDosHeader->e_lfanew);
             PIMAGE_OPTIONAL_HEADER pOptHeader = (PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);
             
             PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)hMod + pOptHeader->DataDirectory[1].VirtualAddress);
             
             while(pImportDescriptor->FirstThunk)
             {
                   char * dllname = (char *)((BYTE *)hMod + pImportDescriptor->Name);
                   
                   PIMAGE_THUNK_DATA pThunkData = (PIMAGE_THUNK_DATA)((BYTE *)hMod + pImportDescriptor->OriginalFirstThunk);
                   
                   int no = 1;
                   while(pThunkData->u1.Function)
                   {
                         char *funname = (char *)((BYTE *)hMod + (DWORD)pThunkData->u1.AddressOfData + 2);
                         PDWORD lpAddr = (DWORD *)((BYTE *)hMod + (DWORD)pImportDescriptor->FirstThunk) + (no-1);
                         
                         if((*lpAddr) == (DWORD)addr)
                         {
                                      DWORD dwOld;
                                      MEMORY_BASIC_INFORMATION mbi;
                                      VirtualQuery(lpAddr, &mbi, sizeof(mbi));
                                      VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOld);
                                      WriteProcessMemory(GetCurrentProcess(), lpAddr, &myaddr, sizeof(DWORD), NULL);
                                      pAddr = lpAddr;
                                      break;
                         }
                         no++;
                         pThunkData++;
                   }
                   pImportDescriptor++;
             }
             
             return 0;
    }
    
    BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                           DWORD reason        /* Reason this function is being called. */ ,
                           LPVOID reserved     /* Not used. */ )
    {
                           //PDWORD OrigWriteFile;
                           //PDWORD MyWriteFile;
        switch (reason)
        {
          case DLL_PROCESS_ATTACH:
               _beginthreadex(NULL, 0, ThreadProc, NULL, NULL, NULL);
               MessageBox(NULL, "Testing", "Test", MB_OK);
            break;
    
          case DLL_PROCESS_DETACH:
            break;
    
          case DLL_THREAD_ATTACH:
            break;
    
          case DLL_THREAD_DETACH:
            break;
        }
    
        /* Returns TRUE on success, FALSE on failure */
        return TRUE;
    }
    
    int WINAPI My_MessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCation, UINT uType)
    {
        MessageBox(NULL, "Detoured Messagebox call", "Test", MB_OK);
    }
    test.c
    Code:
    #include <windows.h>
    
    int main()
    {
        Sleep(10000);
        MessageBox(NULL, "Hey", "Test", MB_OK);
        Sleep(5000);
        MessageBox(NULL, "Hey", "test2", MB_OK);
        return 0;
    }
    The DLL is injected in to test.exe's memory space and the hook is being runned. Though The MessageBox-calls simply call the original API.

    Have I misunderstood the technique? What would be the problem? SE_DEBUG_PRIVILEGES?

    Thank you

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Strange error while attempting API hooking
    By cefarix in forum Windows Programming
    Replies: 2
    Last Post: 11-10-2006, 01:29 PM
  2. FILES in WinAPI
    By Garfield in forum Windows Programming
    Replies: 46
    Last Post: 10-02-2003, 06:51 PM
  3. API hooking breakthru
    By bonkey in forum Windows Programming
    Replies: 5
    Last Post: 11-26-2002, 08:02 AM
  4. API Hooking?
    By kes103 in forum Windows Programming
    Replies: 16
    Last Post: 11-21-2002, 10:43 AM
  5. pthread api vs win32 thread api
    By Unregistered in forum Windows Programming
    Replies: 1
    Last Post: 11-20-2001, 08:55 AM

Tags for this Thread