Dear Naughter,
I'm a Chinese student in the Institute of Remote Sensing Applications, Chinese Academy of Sciences.
In recent days, I spent much time on programming about hooks. It was not very easy for me until I found one of your papers, HookImportFunctionByName, on The CODE PROJECT. It works well and you really did a good job.
After downloading the source code, I made some tests on it, but had some problems. Would you mind giving me some help?
I made a dialog-based MFC EXE project, adding HookImportFunction.h and HookImportFunction.cpp to the project and putting two buttons on it; just call them button1 and button2.
For button1, it uses HookImportFunctionsByName() to try to filter some particular function, for example, function1(). For button2, it will call function1(), no matter whether it was hooked or not.
For this testing program, the user is supposed to press button2 first, then press button1, and then press button2 at last.
If function1 is hooked, the later press of button2 will not behave the same way as the first one.
I first tried to filter the Beep function in KERNEL32.DLL. It did work well. After the call to HookImportFunctionsByName, the sixth parameter was set to 1, which means that one function had been changed. For the later push of button2, it just showed a dialog with the message "I'm here!".
But if I changed the params to TextOutA() in GDI32.DLL, HookImportFunctionsByName() didn't find the corresponding thunk area and the sixth parameter was set to 0, the same value as the initial value before calling HookImportFunctionsByName().
And then I tried to test GetDlgItem() in USER32.DLL, but it also didn't work.
So, could you please give me some help?
By the way, I've visited your homepage and your new house is very beautiful. I hope you'll enjoy more fun there!
Truly sorry for interrupting you and wasting much of your time.
Best regards,
Yuqi Bai
kevinbaisoft@263.net
|
You need to use the names of these functions somewhere in your code, so that they get into the import descriptor. To be sure they get in but don't get optimized out by the compiler, you could use something like this:
    // volatile stops the optimizer from proving the branch dead and
    // dropping the calls (and with them the import entries).
    volatile int k = 0;
    if ( k )
    {
      // Never executed; the arguments only need to compile.
      ::TextOutA(NULL, 0, 0, "", 0);
      ::GetDlgItem(NULL, 0);
    }
|
Could you show me how it can work in a serial port monitor?
It has puzzled me for a long time.
555555~~~~~~~~~~~
yes!
|
You would need to hook the CreateFile call and filter on the filename it opens, looking for serial port devices. You would also need to hook all the serial port functions you are interested in. Depending on what you want, you may need to arrange for the dll to be injected into the address spaces of the processes you want to monitor. As I have documented on http://www.naughter.com/hookimportfunction.html, I have not given up supporting this code and point people to the Richter implementation from the book "Programming Applications for Microsoft Windows".
|
Dear Yuqi Bai,
I'm also a Chinese student. How can I contact you?
I have some questions to ask you.
|
Through my web site at www.naughter.com
|
Hi,
Can I hook functions like BitBlt and CopyRect using the same code?
Please help me. It's very urgent.
Thanks,
Daniel
|
Yes, just hook the functions using the function as supplied. If you want to hook those calls system wide then you will need to write the hook in a dll and arrange for the dll to be injected into the address space of every exe. Jeffrey Richter's Advanced Windows book covers a number of methods on doing this.
|
It works fine for me if I use the hook in the same program as the function to hook.
But if I want to do a global hook or just hook another process, I can't make it work.
I created a loader, which returns the handle to the new process and gives this as the first parameter to HookImportFunctionByName( .. ), but this won't run.
If someone has any suggestions, please drop me a line.
thx
Naden
|
If you want to hook calls system wide then you will need to write the hook in a dll and arrange for the dll to be injected into the address space of every exe. Jeffrey Richter's Advanced Windows book covers a number of methods on doing this.
|
Sub-Subject: How can I hook hWnd->MessageBoxA???
Let's put HookImportedFunctionsByName to a test. There are two ways to call MessageBoxA: one is calling MessageBoxA(hWnd,lpText,lpCaption,uType), and the other is calling hWnd->MessageBoxA(lpText,lpCaption,uType). With HookImportedFunctionsByName, we can't hook the latter, only the former; even if we hook LoadLibrary (including LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW) and GetProcAddress, it still doesn't work. Is there any other way to hook hWnd->MessageBoxA? If so, how? Thanks for reading, and please reply and mail superrg@163.net if you know...
RG, a Chinese Engineer
|
Take a closer look at the source and you will see.
It first sets up a Windows hook so every time a program creates a window it can grab the module and modify its import table.
To modify its import table it looks for the function we are hooking in the module, e.g. "MessageBoxA", then it modifies the code to jump to our function.
If a function is dynamically loaded with "LoadLibrary" and "GetProcAddress" then it won't be in the import table. Therefore the functions will not be hooked at all.
A lot of programs, e.g. Windows regedit and just about every Delphi app on the planet, use dynamically loaded functions.
This APIHijack library will not work 90% of the time.
Rather than hooking the import table of each module, wouldn't it be better to modify the export table of the target dll?
-Rezmond
|
I guess it will also work with software using LoadLibrary() and GetProcAddress(), when you use the following workaround:
At first hook the function you would like to change (i.e. MessageBoxA). Then hook the function GetProcAddress. In your implementation of GetProcAddress you should return the address of your MessageBoxA implementation, if the caller asks for it. For each other request simply return the result of the original implementation of GetProcAddress.
I guess that way it should work (correct me if I am wrong).
Sven
|
That's exactly how you would do it. In fact I have used this piece of code on numerous occasions in commercial software to hook functions which do GetProcAddress instead of implicitly linking. Works a treat.
|
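The GetProcAddress workaround discussed in the posts above, as an added example that is not part of the original thread or of the article's code: a portable C model (no Windows headers) in which `orig_GetProcAddress`, `hook_GetProcAddress` and the `real_*`/`my_*` functions are hypothetical stand-ins and the export table is constructed. It goes one step beyond the posts by handling lookups by ordinal, where the name argument is a small integer rather than a string pointer and must not be passed to string functions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef int (*proc_t)(void);

/* Hypothetical stand-ins for two real exports and for our replacement. */
static int real_MessageBoxA(void) { return 1; }
static int real_Beep(void)        { return 2; }
static int my_MessageBoxA(void)   { return 100; }

/* As with the Win32 call, the name argument is either a string pointer or
   an ordinal: a value whose bits above the low 16 are all zero. */
static int is_ordinal(const char *name) {
    return ((uintptr_t)name >> 16) == 0;
}

/* Model of the original GetProcAddress over a constructed export table:
   ordinal 1 and the name "MessageBoxA" both resolve to real_MessageBoxA. */
static proc_t orig_GetProcAddress(const char *name) {
    if (is_ordinal(name))
        return (uintptr_t)name == 1 ? real_MessageBoxA : NULL;
    if (strcmp(name, "MessageBoxA") == 0) return real_MessageBoxA;
    if (strcmp(name, "Beep") == 0)        return real_Beep;
    return NULL;
}

/* Replacement installed in place of the GetProcAddress import. */
static proc_t hook_GetProcAddress(const char *name) {
    proc_t real = orig_GetProcAddress(name);  /* always resolve via the original */
    if (real == NULL)
        return NULL;                          /* pass lookup failures through */
    if (is_ordinal(name))                     /* an ordinal is not a string: */
        return real == real_MessageBoxA ? my_MessageBoxA : real; /* match by address */
    if (strcmp(name, "MessageBoxA") == 0)
        return my_MessageBoxA;                /* redirect the hooked function */
    return real;                              /* everything else is untouched */
}

int main(void) {
    int by_name    = hook_GetProcAddress("MessageBoxA")();
    int by_ordinal = hook_GetProcAddress((const char *)(uintptr_t)1)();
    int other      = hook_GetProcAddress("Beep")();
    return (by_name == 100 && by_ordinal == 100 && other == 2) ? 0 : 1;
}
```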
|
I want to hook several different functions from different modules, all of which are loaded dynamically using LoadLibrary and GetProcAddress. Obviously using hookImportFunctionByName won't work on those, so I decided to hook LoadLibraryA, LoadLibraryW and GetProcAddress and check whether a function I want to hook is requested. If it is, I return the address of my function, else I call the original GetProcAddress + others. Now it's in a state where it only logs what is requested. The problem is that after 3 or so requests, the program just crashes. I don't use any tricks with assembler, just simple "ret = oGetProcAddress(...); log(ret); return ret;". Where's the problem in such an approach?
|
What a cool func this is!
We could do a lot of debugging with this func.
But this is a pretty good ITEM for hackers, isn't it?
Haha.
I hope people use this func in the right way.
Thank you!!!
From Japanese Edu.
|
Almost any code in the hands of hackers can be used for evil purposes. How about DeleteFile("c:\NTLDR"), which, after that file's attributes have been changed, will render NT unbootable? Once a hacker has control of your machine (through whatever means), he has his pick of the Win32 API.
|
How about a dll to hook application-defined system messages (such as WM_WINDOWPOSCHANGING), and relay them to the calling application, so that I can know when Windows sends a window or other message?
|
You can do this with SetWindowsHookEx, which is a completely different mechanism to hooking Win32 calls.
|
Yes, I can do that in an executable, but I guess I was looking for an example in a dll for a system-wide hook, as I don't have too much experience with DLLs.
|
Not all of the readers are experts..
If you want to make your article more efficient for people,
please add more examples...
And I'm always thankful to people like you...
Have a nice day
-A Korean Engineer