API hooking revealed

Ivo Ivanov

Rate me:

4.94/5 (322 votes)

2 Dec 2002CPOL38 min read

2.8M

64.1K

1.3K

The article demonstrates how to build a user mode Win32 API spying system

hooksys_code.zip
- Code
  - Common
  - HookSrv
    - ApplicationScope.cpp
    - ApplicationScope.h
    - HookSrv.cpp
    - HookSrv.dsp
    - HookSrv.h
    - HookSrv.rc
    - LimitSingleInstance.cpp
    - LimitSingleInstance.h
    - MainFrm.cpp
    - MainFrm.h
    - res
      - HookSrv.ico
      - HookSrv.rc2
      - trayicon.ico
    - Resource.h
    - StdAfx.cpp
    - StdAfx.h
    - TrayIcon.cpp
    - TrayIcon.h
  - HookSystem.dsw
  - HookTool
    - ApiHook.cpp
    - ApiHook.h
    - HookTool.cpp
    - HookTool.def
    - HookTool.dsp
    - Injector.cpp
    - Injector.h
    - Interlocked.h
    - ModuleScope.cpp
    - ModuleScope.h
    - NtDriverController.cpp
    - NtDriverController.h
    - NtInjectorThread.cpp
    - NtInjectorThread.h
    - NtProcessMonitor.cpp
    - NtProcessMonitor.h
  - NTProcDrv
    - NTProcDrv.c
    - NTProcDrv.dsp
  - TestApp
    - TestApp.cpp
    - TestApp.dsp
hooksys_demo.zip
- Output
  - HookSrv.exe
  - HookTool.dll
  - HookTool.ini
  - NTProcDrv.sys
  - TestApp.exe

//---------------------------------------------------------------------------
//
// NtInjectorThread.h
//
// SUBSYSTEM: 
//				API Hooking system
// MODULE:    
//				Implements a thread that uses an NT device driver
//              for monitoring process creation
//
// DESCRIPTION:
//
// AUTHOR:		Ivo Ivanov (ivopi@hotmail.com)
//                                                                         
//---------------------------------------------------------------------------
#if !defined(_NTINJECTORTHREAD_H_)
#define _NTINJECTORTHREAD_H_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000

//---------------------------------------------------------------------------
//
// Includes
//
//---------------------------------------------------------------------------

#include "NtProcessMonitor.h"

//---------------------------------------------------------------------------
//
// Forward declararions
//
//---------------------------------------------------------------------------

class CRemThreadInjector;

//---------------------------------------------------------------------------
//
// class CNtInjectorThread
//
//---------------------------------------------------------------------------
class CNtInjectorThread: public CNtProcessMonitor  
{
public:
	CNtInjectorThread(CRemThreadInjector* pInjector);
	virtual ~CNtInjectorThread();
private:
	virtual void OnCreateProcess(DWORD dwProcessId);
	virtual void OnTerminateProcess(DWORD dwProcessId);
	CRemThreadInjector* m_pInjector;
};

#endif // !defined(_NTINJECTORTHREAD_H_)
//----------------------------End of the file -------------------------------

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By

Ivo Ivanov

United States

I specialize in OS Internals and Reverse Engineering.
Before joining my current employer I used to run a security blog for malware analysis: http://vinsula.com/security-blog

API hooking revealed

License

Comments and Discussions