Click here to Skip to main content
11,631,212 members (77,159 online)
Click here to Skip to main content
Add your own
alternative version

API hooking revealed

, 2 Dec 2002 CPOL 1.9M 55.4K 1.2K
The article demonstrates how to build a user mode Win32 API spying system
//---------------------------------------------------------------------------
//
// HookTool.cpp
//
// SUBSYSTEM:   Hook system
//				
// MODULE:      Hook tool    
//				
// DESCRIPTION: Defines the entry point for the DLL application.
// 
//             
// AUTHOR:		Ivo Ivanov (ivopi@hotmail.com)
// DATE:		2001 December v1.00
//
//---------------------------------------------------------------------------

#include "..\Common\Common.h"
#include "..\Common\SysUtils.h"
#include "ModuleScope.h"

//---------------------------------------------------------------------------
//
// Shared by all processes variables
//
//---------------------------------------------------------------------------
#pragma data_seg(".HKT")
// The hook handle
HHOOK sg_hGetMsgHook       = NULL;
// Indicates whether the hook has been installed
BOOL  sg_bHookInstalled    = FALSE;
// We get this from the application who calls SetWindowsHookEx()'s wrapper
HWND  sg_hwndServer        = NULL; 
#pragma data_seg()


//---------------------------------------------------------------------------
//
// Global (per process) variables
//
//---------------------------------------------------------------------------
static CModuleScope* g_pModuleScope = NULL;

//---------------------------------------------------------------------------
//
// Forward declarations
//
//---------------------------------------------------------------------------
BOOL WINAPI InstallHook(
	BOOL bActivate, 
	HWND hWndServer
	);

LRESULT CALLBACK GetMsgProc(
	int code,       // hook code
	WPARAM wParam,  // removal option
	LPARAM lParam   // message
	);
//---------------------------------------------------------------------------
// DllMain
//
// Entry point
//---------------------------------------------------------------------------
BOOL APIENTRY DllMain( 
	HANDLE hModule, 
	DWORD  ul_reason_for_call, 
	LPVOID lpReserved
	)
{
	BOOL bResult = TRUE;

	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		{
			// We disable thread notifications
			// Prevent the system from calling DllMain
			// when threads are created or destroyed.
			::DisableThreadLibraryCalls( (HINSTANCE)hModule );

			g_pModuleScope = CModuleScope::GetInstance(
				&sg_hwndServer, 
				&sg_bHookInstalled,
				&sg_hGetMsgHook
				);
			g_pModuleScope->ManageModuleEnlistment();
			break;
		}
	case DLL_PROCESS_DETACH:
		{
			//
			// The DLL is being unmapped from the process's address space.
			//
			g_pModuleScope->ManageModuleDetachment();
			break;
		}
	} // switch

	return TRUE;
}

//---------------------------------------------------------------------------
// InstallHook
//
//---------------------------------------------------------------------------
BOOL WINAPI InstallHook(
	BOOL bActivate, 
	HWND hWndServer
	)
{
	return g_pModuleScope->InstallHookMethod(bActivate, hWndServer);
}

//---------------------------------------------------------------------------
// GetMsgProc
//
// Filter function for the WH_GETMESSAGE - it's just a dummy function
//---------------------------------------------------------------------------
LRESULT CALLBACK GetMsgProc(
	int code,       // hook code
	WPARAM wParam,  // removal option
	LPARAM lParam   // message
	)
{
	//
	// We must pass the all messages on to CallNextHookEx.
	//
	return ::CallNextHookEx(sg_hGetMsgHook, code, wParam, lParam);
}



//----------------------------End of the file -------------------------------

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Ivo Ivanov
Chief Technology Officer Vinsula
Australia Australia
I specialise in Malware Analysis, Application Security, Windows Kernel, x86/x64, and Reverse Engineering.
My blog: http://vinsula.com/security-blog
http://vinsula.com/
http://www.infoprocess.com.au

You may also be interested in...

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.150723.1 | Last Updated 3 Dec 2002
Article Copyright 2002 by Ivo Ivanov
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid