|
Is there a way to intercept calls made by imported DLLs of an APP?
That would be great.
Example:
Test.exe -> Loads -> Test.dll
|.....................|
|.....................|
|.....................V
|............. No intercepted calls
v
intercepted calls
Any help is appreciated =)
|
|
|
|
|
hook LoadLibrary and then hook any dll loaded via LoadLibrary.
|
|
|
|
|
HMODULE WINAPI myLoadLibraryA(LPCSTR lpLibFileName)
{
LoadLibraryA_Type OldFn =
(LoadLibraryA_Type)D3DHook.Functions[my_LoadLibraryA].OrigFn;
strcpy(lib,lpLibFileName);
return OldFn(lpLibFileName);
}
Ok, how should I modify the function above? ![Rose | [Rose]](https://www.codeproject.com/script/Forums/Images/rose.gif)
|
|
|
|
|
Hello !
I was reading this and it seems i have the same problem !
Did you got any answer ?
Thanks !
|
|
|
|
|
OK, I get a pointer to a DD class, but how do I use it to intercept let's say calls to DDS-> Flip()? Or if I have a pointer for DirectInput how do I use it to intercept GetDeviceData()?
Thanx in advance, Sasha. 
|
|
|
|
|
Ah, didn't read very first message in thread, sorry.
|
|
|
|
|
Hi,
does a DLL exist for intercept all the modifications that occur in the system like addition of lines and voices in the register of system? Thank you. 
|
|
|
|
|
Hi,
I'm tring to hook Direct3D samples in Directx8 SDK(billboard.exe). However, ApiHijack does not work. It's strange because it works with DirectX7 for 6 samples.(hooking ddraw.dll)
Using process viewer, I know the TestDll.dll is loaded into the target process. However, it just bypasses MyCreateDirect3d8(intercepted version of Direct3DCreate8).
I found that d3d8.dll is not in Shared memory.(while ddraw.dll is in it). Is this a problem? Here is the code for hooking Direct3DCreate8. Please help me.
// Function pointer types.
typedef IDirect3D8* (WINAPI *Direct3DCreate8_Type)( UINT SDKVersion );
// Function prototypes.
IDirect3D8* WINAPI MyDirect3DCreate8( UINT SDKVersion );
SDLLHook D3D8Hook =
{
"D3D8.DLL",
false, NULL, // Default hook disabled, NULL function pointer.
{
{ "Direct3DCreate8", MyDirect3DCreate8 },
{ NULL, NULL }
}
};
// Hook function.
IDirect3D8* WINAPI MyDirect3DCreate8( UINT SDKVersion )
{
// Let the world know we're working.
MessageBeep( MB_ICONINFORMATION );
Direct3DCreate8_Type OldFn =
(Direct3DCreate8_Type)D3D8Hook.Functions[0].OrigFn;
return OldFn( SDKVersion );
}
|
|
|
|
|
Is it possible to list the text content of some other apps
with your technic?
I determine the handle of the window with a windowFromPoint
ans the try to post LVM_GETITEM| TVM_GETITEM that leads in system fail.
althought GetSize, GetRoot works it seems that trying to fill LVITEM
| TVITEM is a major pb due to boundary adress reason in process... >;
Am i wrong or is there a way to overcome this pity lack off?
thanks
|
|
|
|
|
merci benoit
(&bonne chance pour ton site)
oliv-m
http://zz1.freesurf.fr
|
|
|
|
|
Thanks Wade - APIHijack is a very useful example no doubt! 
However there is a slight flaw in that it doesn't seem to allow me to intercept an API call if it has been called by an importend DLL or a different thread.
I am trying to trap Kernel32's CreateFile - if I write a simple MFC app which calls CreateFile, APIHijack is able to intercept it. However, if I go into modem control panel and click on the diagnostics button (which invariably opens up the modem com port using CreateFile) the call is not intercepted (I believe rundll32.exe is the process I am supposed to be watching out for). It turns out that APIHijack rarely traps CreateFile, I'm not sure whether this is because it can't handle calls made from another thread, or because the calls are made from a DLL which the process is using... whatever the reason, it really does limit the usefullness in this particular scenario 
Any insight you could throw on the subject would be really appreciated.
Matthew
|
|
|
|
|
Hi,
Is it possible to hook GetProcAddress from Kernel32 ???
Let's say that if a programm calls GetProcAddress("somefunction"), I want to return address of my function instead of the original function.
Is that possible?
Thanks
Robert
|
|
|
|
|
Hey,
I haven't tried hooking KERNEL32.DLL, I don't know why it wouldn't be possible. Hooking functions using APIHijack will cause GetProcAddress to return a pointer to your function instead of the original function, however, which is what you want.
-Wade
|
|
|
|
|
I just hooked IsDebuggerPresent() to make it always return 0x00000000, and that's in KERNEL32.DLL, so it looks like APIHijack works for KERNEL32, too!
Great program, by the way!
|
|
|
|
|
is it possible to to hook a system wide event , to show a message box every time if a programm is executed ??? (with this tool???)
|
|
|
|
|
Yes, a DLL written using ApiHijack gets loaded into the address space of every program executed after the Hook is installed, and gets its DllMain function called. You could put a test in DllMain to see if the program is the correct one (see the example code I think) and put up your message box.
-Wade
|
|
|
|
|
Hi, I am trying to hijack the TextOutA without success. According to OutputDebugString, it found the DLL and the function is changed in the IAT table. But MyTextOutA function is never called. Any ideas?
All I did is include your "apihijack.cpp/.h" to my project and changed the hook function name (TextOutA) and dll name (GDI32.DLL) When I ran my app. no beeps.
The main difference between my code and your demo is that I'm not using the Hook stuff. My DLL (a plugin for my app) is already loaded by my application, so I don't see why I need to do the "hook and inject" thingy so that the DLL gets into the process space of my target app.
Bobby
|
|
|
|
|
I have the same problem i tried to hook the CreateProcess API;((
|
|
|
|
|
I am trying to use this code to create an effect
similar to the ICopyHook shell interface, but one
which will also hook files, not just directories.
I have successfully hooked the CopyFileA and
CopyFileW api's. However, when I use 'copy' from
a command line, or from the shell, this api does
not seem to be used. Does anyone know which api
is used in that situation?
ti�
|
|
|
|
|
Does this hook calls internal to the DLL, as well as external calls?
It sounds like the hook is implemented by overwriting object code at the function's location in the DLL - in which case, the answer would be yes.
If so, does the change only appear in one processes' copy of the DLL. Or, since only one copy of the DLL actually exists, does this change affect it in all processes?
Tom�
|
|
|
|
|
It only hooks functions that are exported by the DLL, since without debug information there is no way to know the name, location or parameters for internal functions..
What it changes is the Import Address Table (IAT), not the object code itself.
-Wad�
|
|
|
|
|
Is there a way to extend the RedirectIAT routine to be able
to hook based on an ordinal number (as opposed to an API
name)?
�
|
|
|
|
|
One of the users has done this, so I'm sure it's possible, however I haven't looked into it myself�
|
|
|
|
|
I had to figure this out, too, because the DirectX example
DSSTREAM imports DirectSoundCreate by ordinal.
You need to modify APIHIJACK.CPP and DLLMAIN.CPP
I made the following changes to APIHIJACK.CPP:
if ( !IMAGE_SNAP_BY_ORDINAL( pINT->u1.Ordinal ) ) // import by name
{
...
}
else // added comparison for ordinal
{
SFunctionHook* FHook = DLLHook->Functions;
while ( FHook->Name )
{
if ( (DWORD)FHook->Name == pINT->u1.Ordinal )
{
// Save the old function in the SFunctionHook structure and get the new one.
FHook->OrigFn = pIteratingIAT->u1.Function;
HookFn = FHook->HookFn;
break;
}
FHook++;
}
// If the default function is enabled, store the ordinal for the user.
if ( DLLHook->UseDefault )
pStubs->pszNameOrOrdinal = pINT->u1.Ordinal;
}
and, using DirectSoundCreate() as an example, change DLLMAIN.CPP:
SDLLHook DSHook =
{
"DSOUND.DLL",
false, NULL, // Default hook disabled, NULL function pointer.
{
{ (char*)(0x80000001), MyDirectSoundCreate }, // DirectSoundCreate is ordinal 1
{ NULL, NULL }
}
};
Note that the ordinal 1 should be given as 0x80000001 and not as 0x1.
Hope this helps. -Daniel
|
|
|
|
|
The program works fine, but I have another
problem: I need to store strings as part
of my hook procedure of one of my hooked
api's. However, this does not seem to work.
Is there a limitation of variables in the
global shared area that does not permit
strings, i.e. something like
char buf[100];
?
�
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
