|
I am trying to hook a specific process with HookOneProcess2,
but I get a VirtualProtect error and the hooked process closes.
Is there any way to bypass this error?
Here is what hookapi.log writes:
X:\HookApi 1.62\HookAPI.exe:hook exe:main.exe
X:\HookApi 1.62\HookAPI.exe:GetProcessID...
X:\HookApi 1.62\HookAPI.exe:GetProcessID m_dwProcessCount=35...
X:\HookApi 1.62\HookAPI.exe:GetProcessID...
X:\HookApi 1.62\HookAPI.exe:GetProcessID m_dwProcessCount=35...
X:\HookApi 1.62\HookAPI.exe:GetProcessID...
X:\HookApi 1.62\HookAPI.exe:GetProcessID m_dwProcessCount=35...
X:\HookApi 1.62\HookAPI.exe:GetProcessID...
X:\HookApi 1.62\HookAPI.exe:GetProcessID m_dwProcessCount=35...
X:\HookApi 1.62\HookAPI.exe:GetProcessID...
X:\HookApi 1.62\HookAPI.exe:GetProcessID m_dwProcessCount=36...
X:\HookApi 1.62\HookAPI.exe:GetProcessID...
X:\HookApi 1.62\HookAPI.exe:GetProcessID m_dwProcessCount=38...
X:\HookApi 1.62\HookAPI.exe:found mod_base_name main.exe
X:\HookApi 1.62\HookAPI.exe:hook....
G:\M\main.exe:debug: Hook one api ok:hmod=71ab0000, socket-71ab3b91(e8,7a,8b,ff), start_pos:0
G:\M\main.exe:debug: Hook one api ok:hmod=71ab0000, accept-71ac1028(e8,e3,8b,ff), start_pos:0
G:\M\main.exe:debug: Hook one api ok:hmod=71ab0000, connect-71ab406a(e8,a1,8b,ff), start_pos:0
G:\M\main.exe:debug: Hook one api ok:hmod=71ab0000, recv-71ab615a(e8,b1,8b,ff), start_pos:0
G:\M\main.exe:debug: Hook one api ok:hmod=71ab0000, send-71ab428a(e8,81,8b,ff), start_pos:0
G:\M\main.exe:debug: Hook one api ok:hmod=7c800000, CreateProcessA-7c802367(e8,a4,8b,ff), start_pos:0
G:\M\main.exe:debug: Hook one api ok:hmod=7c800000, CreateProcessW-7c802332(e8,d9,8b,ff), start_pos:0
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:RemoveProtection failed! socket
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:UnhookAPIFunction ‹U‹μ RemoveProtection failed!
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:UnhookAPIFunction ‹U‹μ RemoveProtection failed!
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:UnhookAPIFunction ‹U‹μ RemoveProtection failed!
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:UnhookAPIFunction ‹U‹μ RemoveProtection failed!
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:UnhookAPIFunction ‹U‹μ RemoveProtection failed!
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:UnhookAPIFunction ‹U‹μ RemoveProtection failed!
G:\M\main.exe:Error VirtualProtect:Access is denied.
G:\M\main.exe:UnhookAPIFunction ‹U‹μ RemoveProtection failed!
X:\HookApi 1.62\HookAPI.exe:EjectLib:OpenProcess 2816 failed!
Thanks,
G X
|
|
|
|
|
Try to not hook CreateProcessA/W and test it again?
|
|
|
|
|
Sir,
I have already read your article; it is nice.
But I get an error whenever I run my program.
I have made a DLL that includes install and remove hook functions.
With that I install a WM_SHELL hook. With it I hook any
window created on the system by checking the nCode parameter of
the hook procedure against the HSHELL_WINDOWCREATED key value.
That works, but whenever any window is created an error message
is generated like this:
Microsoft Visual C++ Debug Library
Debug Error!
Program: E:\WINNT\explorer.exe
DAMAGE: after Normal block (#41) at 0x03421e60
Press Retry to debug the application
(button-->) Abort Retry Ignore
I can't understand where this error is coming from?
|
|
|
|
|
1. Did you update the bug?
There is a bug on NT/2000/XP systems in the file injlib.cpp; change it like this:
    #ifdef WINNT
    // Cache of the last address successfully resolved for LoadLibraryA.
    static PTHREAD_START_ROUTINE g_pfnRemote = NULL;

    int WINAPI InjectLib(DWORD process_id, char *lib_name)
    {
        PTHREAD_START_ROUTINE pfnRemote = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
        if (pfnRemote == NULL)
        {
            // Lookup failed: fall back to the cached address, or give up if there is none.
            if (g_pfnRemote == NULL)
                return -1;
            else
                pfnRemote = g_pfnRemote;
        }
        else
            g_pfnRemote = pfnRemote;  // Lookup succeeded: remember it for later calls.
        // (the post shows only this part of the function)
2. Also, the myxxx function must be defined as WINAPI type, or is something not correct in your mydll.cpp?
|
|
|
|
|
If there is an exception on Win9x, you should compile HookAPI9x.dll with optimizations disabled.
And do not use it in critical applications, because it can only be used for a single thread.
|
|
|
|
|
After compiling the DLL project that makes the HookAPINT.dll
(and even without making any changes) the EXE project will not run correctly.
MsgBox shows up with "HookAllProcess==NULL" message.
How can this be fixed?
Thanks,
G X
|
|
|
|
|
Did you compile it with VC++ 6.0? I did not add a project for VC++ 7.0.
I tried downloading it from here and compiling it, but I found there was no error message.
|
|
|
|
|
No, I used VC++ 7.0.
I will try compiling with VC++ 6.0.
thanks,
G X
|
|
|
|
|
|
That's easy. Coz the code sucks, and if you actually get everything to build it will cause Windows XP SP2 to blue screen, which is no small feat given that XP is fairly robust these days. I am using Visual Studio .NET 2003.
Here's what I did, in case you are interested. I might suggest that you do not repeat my efforts since, as I said earlier, it crashed my system - hard. This software should come with a large !!!WARNING!!!
I opened the project:DLL\HookAPI and basically had to add in the .CPP files and .DEF file that were missing from the build, else the build basically failed. Once this was done, I did a "dumpbin.exe /exports" to make sure that I was exporting the necessary functions, namely:
HookOneProcess
UnhookOneProcess
HookOneProcess2
UnhookOneProcess2
HookAllProcess
UnhookAllProcess
I then built the EXE\HookAPI application and then the mydll.dll that performed socket interception (or tried to, should I say). I launched the HookAPI function under the debugger and BAM! System crash.
Hence to say, the whole thing was summarily deleted from my system. Also, I checked the registry in case it had left some APPINIT settings. In fact, I eradicated every trace of this software.
I hate to write such a scathing review of someone else's efforts. I really do. But in this case I felt justified in warning others that this stuff can crash your system, and secondly, I hate code that blue screens my system.
Since the documentation was written in Chinese there is the chance that I may have misinterpreted the build sequence. But that still does not matter - it shouldn't blue screen.
Oh yes, there is one other thing: The Author says that someone else stole his software, but in fact, he basically leveraged the work of another individual, which he freely admits in the article, so how he can make that claim is beyond me. I took the effort to track down the other person's work and it was not too dissimilar to the work presented in this article.
Good luck.
-yafan.
|
|
|
|
|
Oh Jesus!
Thanks for warning!
Luca
|
|
|
|
|
Any software on Windows is based on the Win32 SDK, OK? If you cannot run it successfully, you should ask for help. Do not be pompous, so that you can learn more things.
There is a bug on NT/2000/XP systems in the file injlib.cpp; change it like this:
    #ifdef WINNT
    // Cache of the last address successfully resolved for LoadLibraryA.
    static PTHREAD_START_ROUTINE g_pfnRemote = NULL;

    int WINAPI InjectLib(DWORD process_id, char *lib_name)
    {
        PTHREAD_START_ROUTINE pfnRemote = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
        if (pfnRemote == NULL)
        {
            // Lookup failed: fall back to the cached address, or give up if there is none.
            if (g_pfnRemote == NULL)
                return -1;
            else
                pfnRemote = g_pfnRemote;
        }
        else
            g_pfnRemote = pfnRemote;  // Lookup succeeded: remember it for later calls.
        // (the post shows only this part of the function)
Because sometimes GetProcAddress will fail, but the first time it always succeeds.
|
|
|
|
|
I modified it following that, but found that it failed only the first time. Is there a better way to repair that? Thanks!!!
|
|
|
|
|
Hi all,
I am trying to use the HookFile sample and added CopyFile A/W to the array... but I can still copy and paste any file via the menu...
So my question is: which API(s) do I need to hook to prevent copying?
I select any file (1.txt) and then do Edit->Copy in Windows Explorer,
and also the right-click one.
What I am doing in mycopyfile is simply returning 0 for failure.
Any suggestions for preventing any file from being copied....pasted?
Thanks.
Jetli
conclusion means Coming to wrong Decision with confidence
|
|
|
|
|
Did you try CopyFileEx? However I doubt that Windows is using that to copy the file either. It may be SHFileOperation.
John
|
|
|
|
|
Hook GetProcAddress to check which APIs are being called.
|
|
|
|
|
I made a program with VB.NET that can edit/drop/create packets for a socket in another process (a game), but I used the proxy method (no API hooking).
Now I want to do the same thing but by hooking the Winsock API. Is it possible to use your DLL in a VB project? (Import the DLL and handle the data from mySend and myRecv with VB.)
Can you please give me an example?
Thanks,
G X
|
|
|
|
|
Of course it can be used in a VB project. You should write a mydll.dll with VB; you can refer to the two Delphi samples in the code.
|
|
|
|
|
I made a Visual Basic Windows Control Library project and started building it up according to the Delphi and C++ hook socket examples, but what am I supposed to do for the calling conventions?
How can the code
    int WINAPI mysocket(int af, int type, int protocol)
or
    function mysocket(af:integer; stype:integer; protocol:integer):integer;stdcall;
be converted to VB?
Also, what about
    MYAPIINFO *GetMyAPIInfo()
    {
        return &myapi_info[0];
    }
How can VB pass a pointer?
Thanks,
G X
|
|
|
|
|
Public Declare Function Accept Lib "wsock32.dll" _
    Alias "accept" (ByVal s As Long, nameaddr As Any, addrlen As Long) As Long
Public Declare Function Bind Lib "wsock32.dll" _
    Alias "bind" (ByVal s As Long, nameaddr As Any, ByVal namelen As Long) As Long
Public Declare Function Connect Lib "wsock32.dll" _
    Alias "connect" (ByVal s As Long, nameaddr As Any, ByVal namelen As Long) As Long
Public Declare Function recv Lib "wsock32.dll" _
    (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal Flags As Long) As Long
Public Declare Function recvfrom Lib "wsock32.dll" _
    (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal Flags As Long, addrfrom As Any, fromlen As Long) As Long
Public Declare Function send Lib "wsock32.dll" _
    (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal Flags As Long) As Long
' Alias added: without it VB looks for an export literally named "sendto_".
Public Declare Function sendto_ Lib "wsock32.dll" _
    Alias "sendto" (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal Flags As Long, addrto As Any, ByVal tolen As Long) As Long
Public Declare Function Socket Lib "wsock32.dll" _
    Alias "socket" (ByVal af As Long, ByVal sockettype As Long, ByVal Protocol As Long) As Long
-
Get the address of a var with AddressOf.
-
The myapi_info array includes:
{
    char *module_name;        // size 4
    char *api_name;           // size 4
    int param_count;          // size 4
    char *my_api_name;        // ..
    int start_pos;            // is 0 commonly
    char *friend_my_api_name; // is NULL/0 commonly
}
In the last array buf, you must set module_name=NULL.
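
The table layout described in the post above, as an added example that is not part of the original post or of the HookAPI sources: a bounded check that a MYAPIINFO table really ends with the module_name = NULL entry, so a forgotten terminator is reported instead of being read past. The helper check_api_table, the sample entries and the param_count limit of 32 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Field order as listed in the post; with 32-bit pointers every field is
   4 bytes (24 bytes per entry), the layout a VB caller has to reproduce. */
typedef struct {
    const char *module_name;        /* NULL marks the end of the table */
    const char *api_name;
    int         param_count;
    const char *my_api_name;
    int         start_pos;          /* "is 0 commonly" */
    const char *friend_my_api_name; /* "is NULL/0 commonly" */
} MYAPIINFO;

/* Constructed sample table; the names are illustrative only. */
static MYAPIINFO sample_table[] = {
    { "wsock32.dll", "socket",  3, "mysocket",  0, NULL },
    { "wsock32.dll", "connect", 3, "myconnect", 0, NULL },
    { "wsock32.dll", "send",    4, "mysend",    0, NULL },
    { NULL, NULL, 0, NULL, 0, NULL }            /* terminator entry */
};

/* Constructed failure case: the terminator entry was forgotten. */
static MYAPIINFO unterminated_table[] = {
    { "wsock32.dll", "socket", 3, "mysocket", 0, NULL },
    { "wsock32.dll", "recv",   4, "myrecv",   0, NULL }
};

/* Hypothetical helper: returns the number of entries before the terminator,
   reading at most `capacity` slots. Returns -1 if no terminator is found
   within bounds, -2 if an entry lacks a name or has an implausible
   param_count (limit of 32 is an assumption). */
int check_api_table(const MYAPIINFO *t, size_t capacity)
{
    for (size_t i = 0; i < capacity; i++) {
        if (t[i].module_name == NULL)
            return (int)i;
        if (t[i].api_name == NULL || t[i].my_api_name == NULL)
            return -2;
        if (t[i].param_count < 0 || t[i].param_count > 32)
            return -2;
    }
    return -1;
}

int main(void)
{
    printf("sample: %d\n", check_api_table(sample_table, 4));
    printf("unterminated: %d\n", check_api_table(unterminated_table, 2));
    return 0;
}
```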
|
|
|
|
|
The size of your download says 1244Kb, yet I only got 320Kb when it was completed. Then when I tried unzipping it, a message popped up saying it couldn't be unzipped.
To top it off, when I tried logging on to your homepage, a message appeared saying the homepage was empty.
Are you for real???
William
Fortes in fide et opere!
|
|
|
|
|
I uploaded it 3 times, but each time only 320KB succeeded.
You can download it from http://www.programsalon.com/dl.asp?id=2420 or http://www.pudn.com/dl.asp?id=2420
Hi!
|
|
|
|
|
Can you upload this to some other FTP? Or report it somewhere - I'm very interested in this code - but I cannot download it.
|
|
|
|
|