API Hooking
 

Hi,
I am trying my hand at API hooking. I tried making a User32.dll of myself which redirected the functions to the real user32.dll renamed as myuser.dll. I made a small program to generate the MASM Code for this. But it failed. I will try again using GoASM maybe. In the meantime, is there any other way of hooking API?

Thomas :confused:

Of course. It depends if you want global hook or hook only in your app context. There is plenty of tutorials around. Its somewhat easier to do hooking in WinNt systems. In 9x there is few problems. You can hook a procedure dynamicly and on another application.
Allocate memory in remote process with VirtualAllocEx.
Write your code and data with WriteProcessMemory.
Execute your code that will set up the hook with CreateRemoteThread.
In win9x VirtualAllocEx and CreateRemoteThread procedures dont exist.

Now on hooking. What you need to do is:
1. find start address of your api function
2. gain write access to it (VirtualProtectEx in NT, in 9x there is an undocumented way...)
3. write a jump to your code (jmp MyCode)
Thats it. Then you can restore read bytes of hooked procedure and execute it and return value you wanted...
I hope this helps...

Hi nikola
You suggest very good way for redirecting APIs.But I should say that this algorithm
will not work at any OS.In normal windows OSs,you can use this,but in some cases
(for example if you want to do this for a PDA with windows CE) this will not work.
Because in this sample,main system DLLs will run from PDA ROM directly and
will not load into RAM and this will cause that you can't use WriteProcessMemory
for changing it.

sincerely yours

uh :) well i never even seen something that runs with WinCE or held a PDA so i cant tell :) tnx for the info

Hi,
I found that I can use VirtualProtect in Win9x to change system DLLs

Thomas

Here is article which will help you in solving all your problems :P IS was By Ivo Ivanov


Just read it ..its best tut i found so fare about hooking

http://www.codeproject.com/system/hooksys.asp


Bye NeO