Before I buy a used $300 book, do you know if that class will work to hook another process?
CAPIHook will work on other processes as easily as your own process. There are various techniques used to implement the hooking, and which one is best really depends on what your requirements are:
Win9x: Cannot hook calls above 2GB due to OS limitations
AppInit_Dlls: This technique does not work on Win9x. Also will not work on apps which do not link to user32.dll. Mapped into all GUI apps for the lifetime of each app.
SetWindowsHooksEx:
Remote Threads: Does not work on Win9x due to lack of CreateRemoteThread support.
Using a Trojan DLL: Requires that you export all the functions of the dll you are replacing and can cause problems when new versions of the dll being replaced are released.
Injecting a DLL as a Debugger: Requires machine specific assembly language + the only way to release the hook is to terminate the debuggee (unless you are using XP or greater)
Using a Memory Mapped file: Only works on Win9x, plus requires hand crafted X86 assembler.
Using CreateProcess: Can only be used if the application being hooked is a child process, the most complicated mechanism, but the most flexible plus it works on Win9x as well as NT Kernels.
If you can provide further info on what you are trying to do, then I may be able to advise you better.
Also make sure you get the fourth edition of the book as I believe the API hook section is now available in earlier copies.
I have a process that is spawning a child process with CreateProcess. I want to filter the files that it is opening. (Allow or deny access to files). So I was going to hook all the open file API calls.
The book is not available at the link you listed. Like I said, it has been out of print for some time. I can't find any resource to find this class.
If I only want to hook the functions called by my own app, I am sure that it works well. But if I want to hook functions imported from the kernel (kernel32.dll/gdi32.dll/user32.dll), which are in the protected memory block above 2G under Win9x, the function shown above will lead to a critical failure.
Any hints about patching the IAT above 2G memory under Win9x?
Thanks.
Patching the IAT above 2G on Win9x: first off, the code explicitly handles the case by disallowing this. I'd suggest you get the latest version from my web site (www.naughter.com).
Also I'd suggest you get a copy of the book "Programming Applications for Microsoft Windows" by Jeffrey Richter for further discussion on this topic.
Hey, first off, great piece of code you have done! It works really well in almost all cases I personally need.
I am at a wall though. I have my dll injected into every process on Win9x through WinXP, but alas, I cannot patch into kernel32.dll to monitor CreateFile() and CloseHandle(), for the simple reason of the 2gb barrier.
Is this possible at all? Should I drop this method and find another way? I have Jeffrey Richter's books btw. Very good books indeed.
- Jeff
Actually, I would like to add to my previous problem: I am only supporting Windows 98 and ME. I am not supporting Windows 95. I don't know if this will make it easier for me to find a way to patch kernel32.dll or not.
Thanks for your insight.
I think you will need to look into some other mechanism, as this is a deficiency of any Win9x OS.
Thank you for your help. Actually, I didn't realize I was missing Edition 4 of Jeffrey Richter's Windows book. Chapter 22 on CApiHook, will that help me?
Ya, I think so. The reason I gave up development of HookImportFunctionByName is because the CApiHook code is so much more comprehensive.
Dear Naughter,
I'm a Chinese student in the Institute of Remote Sensing Applications, Chinese Academy of Sciences.
In recent days, I took much time on programming about Hook. It was not very easy for me until I found one of your papers, HookImportFunctionByName, on The CODE PROJECT. It works well and you really did a good job.
After downloading the source code, I made some tests on it, but have some problems. Would you mind giving me some help?
I made a dialog based MFC EXE project, adding the HookImportFunction.h and HookImportFunction.cpp to the project, putting two buttons on it, just call them button1 and button2.
For button1, I use HookImportFunctionsByName() to try to filter some particular function, for example function1(). Button2 will call function1(), no matter whether it was hooked or not.
For this testing program, the user is supposed to press button2 first, then press button1, and then press button2 at last.
If function1 is hooked, the latter pressing of button2 will not behave the same way as the first one.
I first tried to filter the Beep function in KERNEL32.DLL. It did work well. After the call to HookImportFunctionsByName, the sixth parameter was set to 1, meaning that one function had been changed. For the latter push of button2, it just showed a dialog with the message "I'm here!".
But if I changed the params to TextOutA() in GDI32.DLL, HookImportFunctionsByName() didn't find the corresponding thunk area and the sixth parameter was set to 0, the same value as the initial value before calling HookImportFunctionsByName().
And then I tried to test GetDlgItem() in USER32.DLL, but it also didn't work.
So, could you please give me some help?
By the way, I've visited your homepage and your new house is very beautiful. I hope you'll enjoy more fun there!
Truly sorry for interrupting you and wasting much of your time.
Best regards,
Yuqi Bai
kevinbaisoft@263.net
You need to use the names of these functions somewhere in your code, so that they get into the import descriptor. To be sure they get in, but don't get optimized out by the compiler, you could use something like this:
// The branch is never taken, but because k is volatile the compiler cannot
// fold it away, so the calls survive and the linker records both imports.
volatile int k = 0;
if ( k )
{
    ::TextOutA(NULL, 0, 0, "", 0);   // any arguments that keep the compiler happy
    ::GetDlgItem(NULL, 0);
}
Could you show me how it can work in a serial port monitor?
It has puzzled me for a long time.
555555~~~~~~~~~~~
yes!
You would need to hook the CreateFile call and filter on the filename it opens, looking for serial port devices. You would also need to hook all the serial port functions you are interested in. Depending on what you want, you may need to arrange for the dll to be injected into the address spaces of the processes you want to monitor. As I have documented on http://www.naughter.com/hookimportfunction.html, I have now given up supporting this code and point people to the Richter implementation from the book "Programming Applications for Microsoft Windows".
Dear Yuqi Bai,
I'm also a Chinese student. How can I contact you?
I have some questions to ask you.
Through my web site at www.naughter.com
Hi,
Can I hook functions like BitBlt and CopyRect using the same code?
Please help me. It's very urgent.
Thanks,
Daniel
Yes, just hook the functions using the function as supplied. If you want to hook those calls system wide then you will need to write the hook in a dll and arrange for the dll to be injected into the address space of every exe. Jeffrey Richter's Advanced Windows book covers a number of methods on doing this.
It works fine for me if I use the hook in the same program as the function to hook.
But if I want to do a global hook or just hook another process, I can't make it work.
I created a loader which returns the handle to the new process and gives this as the first parameter to HookImportFunctionByName( .. ), but this won't run.
If someone has any suggestions, please drop me a line.
thx
Naden
If you want to hook calls system wide then you will need to write the hook in a dll and arrange for the dll to be injected into the address space of every exe. Jeffrey Richter's Advanced Windows book covers a number of methods on doing this.
Sub-Subject: How can I hook hWnd->MessageBoxA???
Let's put HookImportedFunctionsByName to a test. There are two ways to call MessageBoxA: one is calling MessageBoxA(hWnd,lpText,lpCaption,uType), and the other is calling hWnd->MessageBoxA(lpText,lpCaption,uType). With HookImportedFunctionsByName we can hook the former but not the latter; even if we hook LoadLibrary (including LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW) and GetProcAddress, it still doesn't work. Is there any other way to hook hWnd->MessageBoxA, and if so, how? Thanks for reading, and please reply and mail superrg@163.net if you know...
RG, a Chinese Engineer
Take a closer look at the source and you will see.
It first sets up a Windows hook so that every time a program creates a window it can grab the module and modify its import table.
To modify its import table it looks for the function we are hooking in the module, e.g. "MessageBoxA", then it modifies the code to jump to our function.
If a function is dynamically loaded with "LoadLibrary" and "GetProcAddress" then it won't be in the import table. Therefore those functions will not be hooked at all.
A lot of programs, e.g. Windows regedit and just about every Delphi app on the planet, use dynamically loaded functions.
This APIHijack library will not work 90% of the time.
Rather than hooking the import table of each module, wouldn't it be better to modify the export table of the target dll?
-Rezmond
I guess it will also work with software using LoadLibrary() and GetProcAddress() when you use the following workaround:
At first hook the function you would like to change (i.e. MessageBoxA). Then hook the function GetProcAddress. In your implementation of GetProcAddress you should return the address of your MessageBoxA implementation, if the caller asks for it. For each other request simply return the result of the original implementation of GetProcAddress.
I guess that way it should work (correct me if I am wrong).
Sven
That's exactly how you would do it. In fact I have used this piece of code on numerous occasions in commercial software to hook functions which do GetProcAddress instead of implicitly linking. Works a treat.
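Rezmond's explanation of why dynamically resolved functions escape an import-table patch, and Sven's GetProcAddress workaround that Naughter confirms above, can be shown in one place. The following is an added example, not code from the thread or from the HookImportFunctionByName source: a portable C model of an import table in which hook_import_by_name patches a named slot and returns the count of entries changed, and hooked_get_proc_address interposes on dynamic lookups. The table contents, API names and log strings are constructed; on Windows the same logic would operate on the real IAT and on GetProcAddress itself.

```c
#include <string.h>

/* Constructed model of a PE import table (name + the slot the loader filled with
 * the target address). Added example, not the HookImportFunctionByName source. */
typedef void (*api_fn)(const char *);
typedef struct { const char *name; api_fn slot; } import_entry;
static char g_log[256];                    /* records which code actually ran */
static void log_append(const char *s) { strncat(g_log, s, sizeof g_log - strlen(g_log) - 1); }

/* Stand-in for the real API, and the monitoring hook that forwards to it. */
static void real_MessageBoxA(const char *text) { log_append("real("); log_append(text); log_append(")"); }
static api_fn g_orig_MessageBoxA;          /* saved original so the hook can forward */
static void hook_MessageBoxA(const char *text) { log_append("hook->"); g_orig_MessageBoxA(text); }

/* Patch every entry whose name matches, saving the original once. Returns the
 * number of entries changed (the "sixth parameter" count in the thread); 0 means
 * the module does not import that name, e.g. it resolves it via GetProcAddress. */
int hook_import_by_name(import_entry *tbl, int n, const char *name, api_fn repl, api_fn *orig)
{
    int patched = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(tbl[i].name, name) != 0) continue;
        if (orig && *orig == 0) *orig = tbl[i].slot;
        tbl[i].slot = repl;
        patched++;
    }
    return patched;
}

/* Sven's workaround: a GetProcAddress interposer answers hooked names with the
 * replacement and defers every other request to the original lookup. */
static api_fn orig_get_proc_address(const char *name) { return strcmp(name, "MessageBoxA") == 0 ? real_MessageBoxA : (api_fn)0; }
api_fn hooked_get_proc_address(const char *name)
{
    if (strcmp(name, "MessageBoxA") != 0) return orig_get_proc_address(name);
    if (g_orig_MessageBoxA == 0) g_orig_MessageBoxA = real_MessageBoxA;
    return hook_MessageBoxA;
}

/* Exercise both paths: an implicit import through the patched table, then a
 * dynamic lookup that would bypass the table patch without the interposer. */
const char *run_demo(void)
{
    import_entry iat[] = { { "GetDlgItem", 0 }, { "MessageBoxA", real_MessageBoxA } };
    g_log[0] = '\0'; g_orig_MessageBoxA = 0;
    hook_import_by_name(iat, 2, "MessageBoxA", hook_MessageBoxA, &g_orig_MessageBoxA);
    iat[1].slot("static");                              /* what statically linked code calls */
    hooked_get_proc_address("MessageBoxA")("dynamic");  /* what LoadLibrary+GetProcAddress code gets */
    return g_log;
}
```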
I want to hook several different functions from different modules, all of which are loaded dynamically using LoadLibrary and GetProcAddress. Obviously using hookImportFunctionByName won't work on those, so I decided to hook LoadLibraryA, LoadLibraryW and GetProcAddress and check whether a function I want to hook is requested. If it is, I return the address of my function; else I call the original GetProcAddress + others. Now it's in a state where it only logs what is requested. The problem is that after 3 or so requests, the program just crashes. I don't use any tricks with assembler, just simple "ret = oGetProcAddress(...); log(ret); return ret;". Where's the problem in such an approach?