Api hooking
Hi, can you please help me a bit? I am trying to hook the file creation and reading APIs for PureAV, to implement a resident scanner, and the only way I can do this is with CodeNapper. But when I replace a function in kernel32.dll or any other DLL and call the hooked function from another program, the call isn't redirected to my program. So my question is how can I make a global hook, to intercept the file that is being modified? Any ideas/help greatly appreciated.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
I can't help you either, but I'd also love to know how to hook a file write op.
I've been using www.sandboxie.com for a while and would love to write my
own sandbox-type app. So, consider this post another *bump* if anyone is
able to help.
I'd still love to know how to create a global hook. Here's what works fine for
me so far, but only for my app.
I want to trap the DeleteFile API for all apps.
Original code source -> http://www.purebasic.fr/english/viewtopic.php?t=22678
; Original code by Siegfried Rings and Inf0Byt3.
Global Dim Backup.b(5) ; Holds the 6 original bytes of the hooked function so UnHook() can restore them.
Procedure HookedProcedure(a,b,c,d)
; No code here, so hooked command does nothing.
ProcedureReturn
EndProcedure
Procedure Hook(library$,function$,HookedProcAddr)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$) ; Entry point of the API in this process.
ReadProcessMemory_(GetCurrentProcess_(),dwAddr,@Backup(0),6,@readbytes) ; Save the original prologue bytes.
; Build "JMP rel32" ($E9 + 4-byte displacement) followed by RET ($C3).
; The displacement is relative to the end of the 5-byte JMP, hence the -5.
Dim a.b(6) : a(0)=$E9 : a(5)=$C3 : dwCalc=HookedProcAddr-dwAddr-5
CopyMemory(@dwCalc,@a(1),4)
WriteProcessMemory_(GetCurrentProcess_(),dwAddr,@a(0),6,@written) ; Overwrite the API entry (this process only).
EndProcedure
Procedure UnHook(library$,function$)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$)
WriteProcessMemory_(GetCurrentProcess_(),dwAddr,@Backup(0),6,@written) ; Put the saved bytes back.
EndProcedure
f$="c:\test.txt"
CreateFile(0,f$) : WriteString(0,"hi") : CloseFile(0) ; Create temp file for test.
Hook("kernel32.dll","DeleteFileA",@HookedProcedure()) ; Disable DeleteFile API.
DeleteFile_(f$) ; Try to delete the temp file, but it will now fail! Good! ;)
Debug FileSize(f$) ; Returns 2 because temp file wasn't deleted (it's 2 bytes).
UnHook("kernel32.dll","DeleteFileA") ; Enable DeleteFile API again.
DeleteFile_(f$) ; Try to delete the temp file, but now it works! :)
Debug FileSize(f$) ; Returns -1 because temp file was deleted.
You're going to need a global hook and a .dll, I do believe. I remember experimenting with this some back in version 3.94. I don't have any of the code any more that I used back then, but do a search for global hook in the forum and you'll eventually come across something. And also I seem to remember some hook code to intercept these API functions by hooking the kernel that someone made mention of or posted in the forums.
This whole API hooking stuff is really hard. I never got around to making a global API hook work perfectly...
But:
This is as close as I got to creating a working hook, with the help of KarlKox here on the forum, who has kindly translated a C++ example. In order to test this, start notepad, compile "dll_hook.pb" to "dll_hook.dll" and execute "injectdll.pb". If everything is ok, you'll see some messages that it succeeded, and if you go in that opened notepad window and select Help->About you will see the hook in action.
Attachment: Hooking.zip
Now the problem is that some processes import their function by Ordinal, not by Name like notepad. An example is explorer.exe. Just try hooking explorer and you'll see that nothing happens. So if we want to make this work flawlessly we gotta find a way to hook by ordinal as well (see the commented code in the "dll_hook.pb" file). If any of you finds a solution to this please share the code.
If you need help with this code i'll be around.
Cheers!
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
Interesting, but how to deactivate the "hook" without closing the application?
ie...can we set a flag with a button in order to Eject or Inject the new DLL on request ? do you have an example ?
Was interested by remoteAPI, but as the user didn't give any sign of life and we don't get the source code, that would be fine to replace the existing old stuff...I cannot stop the hook with remoteAPI without leaving the hooked application...not cool
very cool ! tested it with other functions (gdi32, ..), and works fine
Re: Api hooking
Just played around with the RemoteAPI.dll from Purefan - and I was able to hook a program, so I was able to make a network conversation visible -- And even when I'm not clever enough to do an "unhooking" I am very happy about my success
Because of this great moment, I started thinking, if such a hook method could work with a 16-bit program as well ?! I still have Civilization II on my notebook, but each time I'd like to start it (around 2 times a year), I quit because the CPU load goes up to 100% and the fan makes a horrible noise
I remember, that the program uses the PeekMessage() command instead of the GetMessage(), so the CPU gets a lot of things to do. Does anyone know, if something can be done here?
Thanks,
Michael
Re: Api hooking
BTW, that code above posted by PB from Siegfried Rings and Inf0Byt3 still works in Windows 7 
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
Re: Api hooking
Silly question, is it possible to hook/unhook those simple functions in other programs?
; This would be too simple, wouldn't it...?
Procedure Hook(process,library$,function$,HookedProcAddr)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$)
Debug dwAddr
ReadProcessMemory_(process,dwAddr,@Backup(0),6,@readbytes)
Dim a.b(6) : a(0)=$E9 : a(5)=$C3 : dwCalc=HookedProcAddr-dwAddr-5
CopyMemory(@dwCalc,@a(1),4)
WriteProcessMemory_(process,dwAddr,@a(0),6,@written)
EndProcedure
Procedure UnHook(process,library$,function$)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$)
WriteProcessMemory_(process,dwAddr,@Backup(0),6,@written)
EndProcedure
Re: Api hooking
sure, you just gotta find what you want to hook 
there are (or were at one point) some examples in the forum, or at least enough hints to help you on your way I think.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
Re: Api hooking
There are 2 main methods for hooking API functions: patching the pointer to the function in the import table, or patching the actual code of the function to detour it.
I can post the source code of one of my old projects as soon as I come home. It will show you how to use the code patch method. This method always works, no matter if the program calls the function without the import.
It will even show an inline hook: a hook detouring execution in the middle of a procedure.
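As an added example, not code from this thread or any of its posters: the byte arithmetic behind the 6-byte E9/C3 patch that the Hook() procedure posted by PB earlier writes (the code-patch method described in this post), together with the check a defender runs to spot such a detour, namely an export whose first instruction is a JMP rel32 aimed outside its own module. The module range, export address and hook address used are constructed sample values.

```c
/* Added example (not code from the thread): the 6-byte detour the PureBasic
 * Hook() procedure writes (E9 <rel32> C3) and a defender-side check for it.
 * Pure byte arithmetic, so it runs on any host; all addresses are constructed. */
#include <stdint.h>

#define JMP_REL32 0xE9
#define RET       0xC3
#define PATCH_LEN 6   /* JMP rel32 (5 bytes) + RET, exactly what Hook() writes */

/* Build the patch for func_addr. The displacement is relative to the end of
 * the 5-byte JMP, hence dwCalc = HookedProcAddr - dwAddr - 5 in the original;
 * unsigned wrap-around yields the two's-complement form of a backward jump. */
void build_jmp_patch(uint32_t func_addr, uint32_t hook_addr, uint8_t out[PATCH_LEN])
{
    uint32_t rel = hook_addr - func_addr - 5;
    out[0] = JMP_REL32;
    out[1] = (uint8_t)rel;          /* rel32 is stored little-endian */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    out[5] = RET;
}

/* Decode the target of a JMP rel32 sitting at func_addr; returns 0 when the
 * prologue does not start with one (e.g. the usual mov edi,edi / push ebp). */
uint32_t jmp_rel32_target(const uint8_t *prologue, uint32_t func_addr)
{
    uint32_t rel;
    if (prologue[0] != JMP_REL32)
        return 0;
    rel = (uint32_t)prologue[1] | ((uint32_t)prologue[2] << 8) |
          ((uint32_t)prologue[3] << 16) | ((uint32_t)prologue[4] << 24);
    return func_addr + 5 + rel;
}

/* Detection rule: an export whose first instruction jumps outside the module
 * that owns it has been detoured. Jumps that stay inside the module (thunks,
 * hot-patch stubs) are normal and are not flagged. Returns 1 if detoured. */
int is_detoured_outside_module(const uint8_t *prologue, uint32_t func_addr,
                               uint32_t mod_base, uint32_t mod_size)
{
    uint32_t target = jmp_rel32_target(prologue, func_addr);
    if (target == 0)
        return 0;
    return target < mod_base || target >= mod_base + mod_size;
}
```

Restoring the function is the UnHook() step from the forum code: write the saved 6 bytes back over the patch.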