|
Yeah...hook LoadLibrary 
|
|
|
|
|
Yeah Right, Any comment about that???
-----------------------------
"I Think this Will Help"
-----------------------------
Alok Gupta
visit me at http://www.thisisalok.tk
|
|
|
|
|
I m hooking Direct3dCreate8() of d3d8.dll. In some cases it is hooked succefully while in other after hooking, hooked function address is somehow replaced with original function address.
<br />
if ( HookFn )<br />
{<br />
if ( IsBadWritePtr( (PVOID)pIteratingIAT->u1.Function, 1 ) )<br />
{<br />
pIteratingIAT->u1.Function = (PDWORD)HookFn;<br />
}<br />
else if ( osvi.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS )<br />
{<br />
if ( pIteratingIAT->u1.Function > (PDWORD)0x80000000 )<br />
pIteratingIAT->u1.Function = (PDWORD)HookFn;<br />
}<br />
}<br />
Here
pIteratingIAT->u1.Function = (PDWORD)HookFn;<br /> is succesfully assigned without any exception. but at the end when i recheck the address by
GetProcAddress( GetModuleHandle("d3d8.dll"), "Direct3dCreate8" );
it gives original Function address. Does any body knows abt it?
|
|
|
|
|
this is because the hooking library is only hooking the IAT and not the dll's EAT.
in plain english this means imported function calls are hooked, but those calls using GetProcAddress are not.
a more complete solution is to modify the loaded dll's Export Address Table function pointer as well.
|
|
|
|
|
Or just hook GetProcAddress as well...
|
|
|
|
|
I want to call a function that is in the exe that does the Hook Installation, when certain functions of the windows registry are called. I don't have problems to do that, except that the callback function can't be called from the dll (Access violation writing location 0x00000000). How could I make that work? In case that I can't do it that way, how can I do that??? Thank you.
|
|
|
|
|
I cannont hijack the function
int WSAAPI connect(...)
can you tell me or send me the source code of the dll modified to hook this funciton
thank you
here is what I wrote:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shlwapi.h>
#include <ddraw.h>#include "testdll.h"
#include "..\apihijack.h"
#include <winsock2.h>
// Text buffer for sprintf
char Work[256];
HINSTANCE hDLL;
// Function pointer types.
typedef int (WSAAPI *connect_Type)
(
SOCKET s,
const struct sockaddr FAR * name,
int namelen
);
// Function prototypes.
int WSAAPI Myconnect(
SOCKET s,
const struct sockaddr FAR * name,
int namelen
);
// Hook structure.
enum
{
D3DFN_connect=0
};
SDLLHook D3DHook =
{
"Ws2_32.DLL",
false, NULL, // Default hook disabled, NULL function pointer.
{
{ "connect", Myconnect },
{ NULL, NULL }
}
};
// Hook function.
int WSAAPI Myconnect
(
SOCKET s,
const struct sockaddr FAR * name,
int namelen
)
{
MessageBeep( MB_ICONINFORMATION );
MessageBox(NULL,"safdggsd","",MB_OK|MB_APPLMODAL);
connect_Type OldFn =
(connect_Type)D3DHook.Functions[D3DFN_connect].OrigFn;
return OldFn( s, name, namelen );
}
// CBT Hook-style injection.
BOOL APIENTRY DllMain( HINSTANCE hModule, DWORD fdwReason, LPVOID lpReserved )
{
if ( fdwReason == DLL_PROCESS_ATTACH ) // When initializing....
{
hDLL = hModule;
// We don't need thread notifications for what we're doing. Thus, get
// rid of them, thereby eliminating some of the overhead of this DLL
DisableThreadLibraryCalls( hModule );
// Only hook the APIs if this is the Everquest proess.
HookAPICalls( &D3DHook );
}
return TRUE;
}
// This segment must be defined as SHARED in the .DEF
#pragma data_seg (".HookSection")
// Shared instance for all processes.
HHOOK hHook = NULL;
#pragma data_seg ()
TESTDLL_API LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
return CallNextHookEx( hHook, nCode, wParam, lParam);
}
TESTDLL_API void InstallHook()
{
OutputDebugString( "TESTDLL hook installed.\n" );
hHook = SetWindowsHookEx( WH_CBT, HookProc, hDLL, 0 );
}
TESTDLL_API void RemoveHook()
{
OutputDebugString( "TESTDLL hook removed.\n" );
UnhookWindowsHookEx( hHook );
}
gabby
|
|
|
|
|
Assuming you are using the most common technique of IAT hooking here - since I haven't read this article. You might need to call VirtualProtectEx before your code attempts to write the memory in the target (meaning the remote process/or wherever the IAT(s) you are hooking are)..
Basically what is most likely happening is that in the case which you are attempting the memory protection flags are set to disallow write access (eg: page-gaurd is set, etc.). You should use the VirtualProtect(Ex) immediately
before you perform the write.
Hopefully, that will solve your problem.
Regards,
deejay
|
|
|
|
|
APIHijack is public domain or other license ?
I modified APIHijack to compile gcc.
I will release this source code.
Is there problem ?
Please advice.
|
|
|
|
|
this article is under the "The Code Project Open License (CPOL)".
i think it let's you do with the code basically whatever you want...
read the contract to be sure.
Roey
Don't believe to what you hear on the news...
|
|
|
|
|
Hi all,
There are many programs that use delay loading, like WM player,Msn messenger. Is there anyway to hook functions in DELAY Import Address Table? I have been stuck this problem for many weeks.
Any ideas will be appreciate. 
|
|
|
|
|
Hook the loadlibrary- recognize your desired dll is being loaded , replay the desired func on the loaded dll export table with your own.
|
|
|
|
|
Why not just hook LoadLibraryA and LoadLibraryW, and respin another instance of the hook class, or am I not catching the implication of what you are trying to do?...
The aforementioned technique should enable you to successfully monitor methods in probably 99.99% of all cases - except of course in the very rare case where the caller has either rolled-their-own dll-loader or is loading by issuing calls to NtDll.dll directly...
Regards,
deejay
|
|
|
|
|
i want to hook call for com methods. any idea in this regard?
thanx in advance
imran
|
|
|
|
|
Try our tool, it's support monitor all apis and com interface.
---------------------------
Auto Debug for Windows
http://www.autodebug.com/
|
|
|
|
|
Dear,
I am in a problem while working with Keyboardhook. I want to change the characters of a message which is found after hooking. I dont know where is the option of hookproc()to post a changed message? The PostMessage() function contains parameters, but is there any parameter by which I can send message to the system after changing the hooked message? For example, pressing 'a' on keyboard I want to see 'b' or other character in display. How can it be possible? Pls help me.
Rupom
|
|
|
|
|
Hi All
I need to create a add-in toolbar for Outlook Express in C#
and Itz easy to create a toolbar for Microsoft Outlook or
Internet Explorer But The toolbar for Outlook Express is
giving me a panic.Using a VC++ file is an option and I do have a
code for that But I need to convert it to C# .
|
|
|
|
|
Hi,
You said you have a sample of creating a toolbar for Outlook Express...in VC++. Could you please send it over, as I have a big need of something like that, or at least give me a hint from where to get it. I would be deeply thankful.
Thanks in advance,
Doru K
|
|
|
|
|
do some googling , you found your self filled with tonnes of such type of application & source code
-----------------------------
"I Think this Will Help"
-----------------------------
Alok Gupta
visit me at http://www.thisisalok.tk
|
|
|
|
|
Hi
I wont be of help to you.
But i feel you will help me.
Can you please send me the source code and/or urls that would be helpfull to create the toolbar for the Outlook Express in VC++ as you said you have got some source code regardin' that in VC++.
I need that badly
Thanks.
|
|
|
|
|
How can I cature the text under mouse in RichText or HTML?
|
|
|
|
|
When I close Launcher program hooked process will crash.
because when we destroy dll handle, hooked process can not call hook
functions.
How can we unhook and restore original functions adresses for each
process
( I hooked all process not only notpad.exe because I want to capture
the word under consor for my dictionary program)
Help me,please!
Thank!
minhvc
|
|
|
|
|
We can unHook use HookAPICalls
bool UnHookAPICalls( SDLLHook* Hook )
{
if ( !Hook )
return false;
SFunctionHook* FHook = Hook->Functions;
while ( FHook->Name ){
FHook->HookFn = FHook->OrigFn;
FHook++;
}
return HookAPICalls(Hook, hModule);
}
|
|
|
|
|
From some reason this doesn't work...
Don't believe to what you hear on the news...
|
|
|
|
|
I had some problems with this code, and needed to impletment this unhook feature.
bool ResetIAT( SDLLHook* DLLHook, PIMAGE_IMPORT_DESCRIPTOR pImportDesc, PVOID pBaseLoadAddr )
{
try{
PIMAGE_THUNK_DATA pIAT; // Ptr to import address table
PIMAGE_THUNK_DATA pINT; // Ptr to import names table
PIMAGE_THUNK_DATA pIteratingIAT;
// Figure out which OS platform we're on
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize = sizeof(osvi);
GetVersionEx( &osvi );
// If no import names table, we can't redirect this, so bail
if ( pImportDesc->OriginalFirstThunk == 0 )
return false;
pIAT = MakePtr( PIMAGE_THUNK_DATA, pBaseLoadAddr, pImportDesc->FirstThunk );
pINT = MakePtr( PIMAGE_THUNK_DATA, pBaseLoadAddr, pImportDesc->OriginalFirstThunk );
// Count how many entries there are in this IAT. Array is 0 terminated
pIteratingIAT = pIAT;
unsigned cFuncs = 0;
while ( pIteratingIAT->u1.Function )
{
cFuncs++;
pIteratingIAT++;
}
if ( cFuncs == 0 ) // If no imported functions, we're done!
return false;
// These next few lines ensure that we'll be able to modify the IAT,
// which is often in a read-only section in the EXE.
DWORD flOldProtect, flNewProtect, flDontCare;
MEMORY_BASIC_INFORMATION mbi;
// Get the current protection attributes
VirtualQuery( pIAT, &mbi, sizeof(mbi) );
// remove ReadOnly and ExecuteRead attributes, add on ReadWrite flag
flNewProtect = mbi.Protect;
flNewProtect &= ~(PAGE_READONLY | PAGE_EXECUTE_READ);
flNewProtect |= (PAGE_READWRITE);
if ( !VirtualProtect( pIAT, sizeof(PVOID) * cFuncs,
flNewProtect, &flOldProtect) )
{
return false;
}
// If the Default hook is enabled, build an array of redirection stubs in the processes memory.
DLPD_IAT_STUB * pStubs = 0;
if ( DLLHook->UseDefault )
{
// Allocate memory for the redirection stubs. Make one extra stub at the
// end to be a sentinel
pStubs = new DLPD_IAT_STUB[ cFuncs + 1];
if ( !pStubs )
return false;
}
// Scan through the IAT, completing the stubs and redirecting the IAT
// entries to point to the stubs
pIteratingIAT = pIAT;
while ( pIteratingIAT->u1.Function )
{
void* HookFn = 0; // Set to either the SFunctionHook or pStubs.
if ( !IMAGE_SNAP_BY_ORDINAL( pINT->u1.Ordinal ) ) // import by name
{
PIMAGE_IMPORT_BY_NAME pImportName = MakePtr( PIMAGE_IMPORT_BY_NAME, pBaseLoadAddr, pINT->u1.AddressOfData );
// Iterate through the hook functions, searching for this import.
SFunctionHook* FHook = DLLHook->Functions;
while ( FHook->Name )
{
if ( lstrcmpi( FHook->Name, (char*)pImportName->Name ) == 0 )
{
OutputDebugString( "unhooked function: " );
OutputDebugString( (char*)pImportName->Name );
OutputDebugString( "\n" );
// Save the old function in the SFunctionHook structure and get the new one.
if (FHook->OrigFn != pIteratingIAT->u1.Function){
char szBuf[1025];
sprintf( szBuf, "FHook->OrigFn (0x%p) != (0x%p) pIteratingIAT->u1.Function in %s\n", FHook->OrigFn, pIteratingIAT->u1.Function, FHook->Name);
OutputDebugString(szBuf);
} //else
HookFn = FHook->OrigFn;// wheger
break;
}
FHook++;
}
// If the default function is enabled, store the name for the user.
if ( DLLHook->UseDefault )
pStubs->pszNameOrOrdinal = (DWORD)&pImportName->Name;
}
else
{
// If the default function is enabled, store the ordinal for the user.
if ( DLLHook->UseDefault )
pStubs->pszNameOrOrdinal = pINT->u1.Ordinal;
}
// If the default function is enabled, fill in the fields to the stub code.
if ( DLLHook->UseDefault )
{
pStubs->data_call = (DWORD)(PDWORD)DLLHook->DefaultFn
- (DWORD)(PDWORD)&pStubs->instr_JMP;
pStubs->data_JMP = *(PDWORD)pIteratingIAT - (DWORD)(PDWORD)&pStubs->count;
// If it wasn't manually hooked, use the Stub function.
if ( !HookFn )
HookFn = (void*)pStubs;
}
// Replace the IAT function pointer if we have a hook.
if ( HookFn )
{
// Cheez-o hack to see if what we're importing is code or data.
// If it's code, we shouldn't be able to write to it
if ( IsBadWritePtr( (PVOID)pIteratingIAT->u1.Function, 1 ) )
{
pIteratingIAT->u1.Function = (PDWORD)HookFn;
}
else if ( osvi.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS )
{
// Special hack for Win9X, which builds stubs for imported
// functions in system DLLs (Loaded above 2GB). These stubs are
// writeable, so we have to explicitly check for this case
if ( pIteratingIAT->u1.Function > (PDWORD)0x80000000 )
pIteratingIAT->u1.Function = (PDWORD)HookFn;
}
}
if ( DLLHook->UseDefault )
pStubs++; // Advance to next stub
pIteratingIAT++; // Advance to next IAT entry
pINT++; // Advance to next INT entry
}
if ( DLLHook->UseDefault )
pStubs->pszNameOrOrdinal = 0; // Final stub is a sentinel
// Put the page attributes back the way they were.
VirtualProtect( pIAT, sizeof(PVOID) * cFuncs, flOldProtect, &flDontCare);
} catch(...){
OutputDebugString("Exception caught in ResetIAT\n");
throw;
}
return true;
}
// need to reset the pointers back to their old values
bool UnhookAPICalls( SDLLHook* Hook, HMODULE hModule, int iDepth )
{
try{
iDepth++;
if (iDepth>100){
OutputDebugString("Stuck in infinite recursion");
return false;
}
char *fName = new char[100];
GetModuleFileName(hModule, fName, 100);
SETMODULES::iterator it = setModules.find(fName);
if (it==setModules.end())
return false;
setModules.erase( it);
OutputDebugString("unhooking=");
OutputDebugString(fName);
OutputDebugString("\n");
delete[] fName;
if ( !Hook )
return false;
PIMAGE_NT_HEADERS pExeNTHdr = PEHeaderFromHModule( hModule );
if ( !pExeNTHdr )
return false;
DWORD importRVA = pExeNTHdr->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if ( !importRVA )
return false;
// Convert imports RVA to a usable pointer
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = MakePtr( PIMAGE_IMPORT_DESCRIPTOR,
hModule, importRVA );
// Save off imports address in a global for later use
g_pFirstImportDesc = pImportDesc;
// Iterate through each import descriptor, and redirect if appropriate
while ( pImportDesc->FirstThunk )
{
PSTR pszImportModuleName = MakePtr( PSTR, hModule, pImportDesc->Name);
for (int iNameIndex=0; iNameIndex<max_dll_number; inameindex++)
="" {
="" char="" *dllname="Hook-">Name[iNameIndex];
if (!dllName)
break;
if ( lstrcmpi( pszImportModuleName, dllName ) == 0 )
{
OutputDebugString( "Restoring " );
OutputDebugString( dllName );
OutputDebugString( "...\n" );
ResetIAT( Hook, pImportDesc, (PVOID)hModule );
break;
}
}
UnhookAPICalls(Hook, GetModuleHandle(pszImportModuleName), iDepth);
pImportDesc++; // Advance to next import descriptor
}
} catch(...){
OutputDebugString("Exception caught in UnhookAPICalls\n");
throw;
}
return true;
}
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
