how to hook API calls ?

newbie · Post by **newbie** » Wed Dec 10, 2003 6:13 pm

Hi,

i started in another thread to talk about it but i think it's better to create a new one in the beginner area.

My purpose : to monitor API calls to a particular API, let's say "GetCurrentDirectory". I want to see when the API is called, and by which process/executable.

I tried to do an API hook with "SetWindowsHookEx" but i fail to do it, may be it isn't the good way.

Anyone having a clue or better, a code sample ?

Thanks you if you can help me

regards,

newbie.

Seldon · Post by **Seldon** » Wed Dec 10, 2003 11:16 pm

I think the problem could be the hook must be inside a shared DLL and PB can't do that directly. You should modify the assembly and the .def file.

newbie · Post by **newbie** » Thu Dec 11, 2003 12:50 am

You can hook in injecting remote thread, or injecting DLL (PB can do this), but for doing a wide hook i thought it was the API i tried to use but i didn't find how.

Seldon · Post by **Seldon** » Thu Dec 11, 2003 9:40 am

Some parts of the DLL (or eventually all) should be loaded in shared memory so any process can access, that's how you can do system-wide DLLs (I did one in pure ASM to handle keyboard). On MSDN you can find a good explanation. How do you do that with PB ?

From what I know you should modify the generated asm file (/COMMENTED) and add a section that will be then declared as shared. Then you need to set a switch in Lcclnk (personally I used Link that comes with MASM32 but I think Lcclnk supports that). The problem with PB is that it calls Lcclnk directly and you cant set any switch for it.

Ehi Fred: can you enhance the compiler and let pass to it arguments for the linker ? Something like:

pbcompiler test.pb /LCCLNK:argument_for_lcclnk

Also to be able to pass to compiler additional objects or .RES files would be very welcome. I think it's very easy to do.

Danilo · Post by **Danilo** » Thu Dec 11, 2003 9:59 am

Seldon wrote:Ehi Fred: can you enhance the compiler and let pass to it
arguments for the linker ? Something like:

pbcompiler test.pb /LCCLNK:argument_for_lcclnk

Also to be able to pass to compiler additional objects or .RES
files would be very welcome. I think it's very easy to do.

That would be very nice and GPI could stop with his sh*t
to patch the compiler.

@newbie:
SetWindowsHookEx is a function to hook Windows Messages
and stuff, but its not for hooking API calls.

Post by **Fred** » Thu Dec 11, 2003 10:24 am

You can take a look to the following (very very interesting) site: http://help.madshi.net/madCodeHook.htm and you will learn how definitely hook anything on Windows.

About the /LINKER param, it sounds ok. I will add it.

newbie · Post by **newbie** » Thu Dec 11, 2003 1:59 pm

Thanks you very much for your answers and Fred for his link

Max. · Post by **Max.** » Thu Dec 11, 2003 4:43 pm

newbie wrote:Thanks you very much for your answers and Fred for his link

Keep us updated on your progress please.

newbie · Post by **newbie** » Thu Dec 11, 2003 6:08 pm

For now when i load my prog it use 100% of CPU and doesn't hook anything but i'm still investigating

dontmailme · Post by **dontmailme** » Fri Dec 12, 2003 1:24 am

newbie wrote:For now when i load my prog it use 100% of CPU and doesn't hook anything but i'm still investigating

Well, at least it must be doing something 8O

Proteus · Post by **Proteus** » Fri Dec 12, 2003 1:51 pm

It's probably doing nothing and looping...

Putting Delay(1) into the loop should help.

p2hicy · Post by **p2hicy** » Sun Dec 21, 2003 7:58 am

Any (working) results yet ?