Thread: API Hook in PE File

  1. #1 Davros (Code Monkey, joined Jun 2002, 812 posts)

    API Hook in PE File

    Can anyone tell me where I can find further information on the following:

    I want to be able to "hook" a Windows API call from within a third-party exe.

    My reason for doing so is to provide additional functionality to the GetEnvironmentVariable call, without the need for a secondary DLL. The concept being that where the application makes a call to GetEnvironmentVariable, it would go to my own implementation instead.

    I specifically want to modify the binary executable, not replace a system DLL with my own.

    I know this can be done, but don't know where to start reading. Does anyone know where I can find out more about this subject?

    Thanks
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com

  2. #2 Code Ripper (joined Jun 2004, 30 posts)
    Davros,

    you can find this in virus-writer e-zines (29A, etc.)

    that kind of hook is often used to infect files

    jmgk

  3. #3 Davros (Code Monkey, joined Jun 2002, 812 posts)
    >that kind of hook is used often to infect files

    I guess it could. But that's not what I'm looking to do.

    Lots of legitimate products use hooking techniques.


    >you can find this in a virus writer e-zines

    Will see what I can find.

    Thanks for replying.

  4. #4 Tonto (Registered User, joined Jun 2005, New York, 1,465 posts)
    >> but don't know where to start reading

    You said it yourself, "API Hooking" is a good search term.

    >> I specifically want to modify the binary executable

    Do you mean overwriting the code or like IAT hooking?

  5. #5 anonytmouse (Yes, my avatar is stolen, joined Dec 2002, 2,544 posts)
    If you're not going to use a DLL, you will have to copy your code into the target's address space manually.

    Three Ways to Inject Your Code into Another Process
    API hooking revealed
    CreateRemoteThread sample

  6. #6 Davros (Code Monkey, joined Jun 2002, 812 posts)
    >Do you mean overwriting the code or like IAT hooking?

    Yes. I think so. I'm reading a load of stuff now, but having difficulty figuring it all out. There are so many different techniques. Specifically, I want to modify the exe file (on disc) so as to override the GetEnvironmentVariable call. I guess somewhere I need to "inject" my own code and modify the exe's IAT to point to my own. Not sure how to do this yet.

    My project would be a tool for software authors--they would use it to add a wrapper to their own applications. This way I can offer a simple API using the existing GetEnvironmentVariable call, without needing them to link with DLLs, ActiveX controls, libs, header files etc.

    I'm not writing a virus here.

    So any help would be appreciated.
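    The "modify the exe's IAT" step above first needs the file offset of the import slot the loader will fill in. The following is an added example, not code from this thread or from Davros: it walks a PE32 import directory on disk and returns where the IAT entry for a given DLL!function lives, which is the same walk a defender does to audit or verify a binary's imports. The PE it runs on is a constructed toy image (one .idata section importing two KERNEL32 names), not a real program; function and variable names are the author's own.

```python
import struct
from itertools import count

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset using the section table (vsize, va, raw_size, raw_ptr)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not in any section" % rva)

def find_iat_slot(pe, dll_name, func_name):
    """Return (file_offset, rva) of the IAT entry for dll!func, or None if absent."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew
    assert pe[pe_off:pe_off + 4] == b"PE\0\0", "not a PE image"
    nsec, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    opt = pe_off + 24                                          # optional header
    assert struct.unpack_from("<H", pe, opt)[0] == 0x10B, "PE32 only in this example"
    imp_rva, = struct.unpack_from("<I", pe, opt + 96 + 8)     # DataDirectory[1]: imports
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    desc = _rva_to_off(sections, imp_rva)
    while True:                                                # one IMAGE_IMPORT_DESCRIPTOR per DLL
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:
            return None                                        # all-zero descriptor ends the list
        name_off = _rva_to_off(sections, name_rva)
        if pe[name_off:pe.index(b"\0", name_off)].lower() == dll_name.lower().encode():
            lookup = _rva_to_off(sections, oft or ft)          # INT, or the IAT itself if no INT
            for idx in count():
                entry, = struct.unpack_from("<I", pe, lookup + 4 * idx)
                if entry == 0:
                    break                                      # end of this DLL's thunks
                if not entry & 0x80000000:                     # imported by name, not by ordinal
                    hint_off = _rva_to_off(sections, entry) + 2
                    if pe[hint_off:pe.index(b"\0", hint_off)] == func_name.encode():
                        return _rva_to_off(sections, ft + 4 * idx), ft + 4 * idx
        desc += 20

def build_sample_pe():
    """Constructed PE32 (not a real program): one .idata section importing two KERNEL32 names."""
    va, raw = 0x1000, 0x200                                    # section RVA and file offset
    thunks = struct.pack("<III", va + 80, va + 96, 0)          # INT at +40; IAT at +52 is identical on disk
    desc = struct.pack("<IIIII", va + 40, 0, 0, va + 64, va + 52) + b"\0" * 20
    body = (desc + thunks + thunks + b"KERNEL32.dll\0".ljust(16, b"\0")
            + b"\0\0ExitProcess\0".ljust(16, b"\0") + b"\0\0GetEnvironmentVariableA\0").ljust(raw, b"\0")
    opt = (struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<IIII", 0, 0, va, 40)).ljust(0xE0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".idata\0\0" + struct.pack("<IIII", len(body), va, len(body), raw) + b"\0" * 16
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(raw, b"\0") + body
```

    On the constructed image the slot for GetEnvironmentVariableA is at file offset 0x238 (RVA 0x1038); a real tool would also have to handle PE32+, bound imports and the loader-side IAT rewrite, none of which the toy image exercises.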

  7. #7 neandrake (30 Helens Agree, joined Jan 2002, 640 posts)
    Quote Originally Posted by Davros
    I specifically want to modify the binary executable, not replace a system DLL with my own.
    If you don't have anything against DLL files, I believe that you can make your own DLL file with your own function call in it. Then in the exe file load the library and make your call instead of the original. I think that would be a lot more successful than trying to put your code in the exe's memory, depending on the size of the function.

    http://www.codeguru.com/Cpp/W-P/syst...icle.php/c5667
    -look at the third injecting technique, that's the one I'm trying to describe.

    edit:
    eh, anonytmouse's second link is the same article
    Environment: OS X, GCC / G++
    Codes: Java, C#, C/C++
    AOL IM: neandrake, Email: neandrake (at) gmail (dot) com

  8. #8 Davros (Code Monkey, joined Jun 2002, 812 posts)
    >If you don't have anything against DLL files

    The problem is that if I need to provide people with a DLL, then they may as well link to it from their application. The whole point of this exercise was to avoid DLLs.

    Thanks to neandrake & anonytmouse so far. Got a feeling this is not going to be an easy task.

  9. #9 neandrake (30 Helens Agree, joined Jan 2002, 640 posts)
    Davros - I am interested in your progress. If you wouldn't mind, could you post your findings, or how you are going to go about doing this? I imagine it will be difficult, because your code has to fit in the free memory of the program you are changing, and I'm wondering how you might go about memory problems.

  10. #10 Davros (Code Monkey, joined Jun 2002, 812 posts)
    >Davros - I am interested in your progress.

    There's a lot of info out there about hooking functions at runtime. A typical application of this is monitoring & debugging. There's not a great deal out there on overwriting the PE file though, which is what I wanted to do. Also, I'm a little out of my depth here as I don't have much ASM experience.

    I think it will be a lot of effort for me to get a PE scheme working. My current thinking is to go with a DLL based API (which developers link against) rather than a "post production" PE overwrite design.