Api hooking
Posted: Tue Jun 27, 2006 10:08 am
by Inf0Byt3
Hi, can you please help me a bit? I am trying to hook the file creation and reading APIs for PureAV, to implement a resident scanner, and the only way I can do this is with CodeNapper. But when I replace a function in kernel32.dll or any other DLL and call the hooked function from another program, the call isn't redirected to my program. So my question is how can I make a global hook, to intercept the file that is being modified? Any ideas/help greatly appreciated.
Posted: Thu Jun 29, 2006 12:00 am
by Inf0Byt3
*bump*
Nobody can give me a little help with this?
Posted: Wed Jul 23, 2008 2:54 pm
by PB
I can't help you either, but I'd also love to know how to hook a file write op.
I've been using
www.sandboxie.com for a while and would love to write my
own sandbox-type app. So, consider this post another *bump* if anyone is
able to help.

Posted: Sun Aug 10, 2008 4:47 am
by PB
I'd still love to know how to create a global hook. Here's what works fine for
me so far, but only for my app.

I want to trap the DeleteFile API for all apps.
Original code source ->
http://www.purebasic.fr/english/viewtopic.php?t=22678
Code:
; Original code by Siegfried Rings and Inf0Byt3.
Global Dim Backup.b(5) ; Holds the 6 original bytes of the function so UnHook() can restore them.
Procedure HookedProcedure(a,b,c,d)
; No code here, so hooked command does nothing.
ProcedureReturn
EndProcedure
Procedure Hook(library$,function$,HookedProcAddr)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$)
ReadProcessMemory_(GetCurrentProcess_(),dwAddr,@Backup(0),6,@readbytes) ; Save the original prologue.
; Patch = E9 <rel32> C3: a 5-byte relative JMP to HookedProcAddr (rel32 = target - address - 5), followed by RET.
Dim a.b(6) : a(0)=$E9 : a(5)=$C3 : dwCalc=HookedProcAddr-dwAddr-5
CopyMemory(@dwCalc,@a(1),4)
; WriteProcessMemory_() handles the page protection itself. The DLL's code page is copy-on-write,
; so only this process sees the patch; that is why this is not a global hook.
WriteProcessMemory_(GetCurrentProcess_(),dwAddr,@a(0),6,@written)
EndProcedure
Procedure UnHook(library$,function$)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$)
WriteProcessMemory_(GetCurrentProcess_(),dwAddr,@Backup(0),6,@written) ; Put the saved bytes back.
EndProcedure
f$="c:\test.txt"
CreateFile(0,f$) : WriteString(0,"hi") : CloseFile(0) ; Create temp file for test.
Hook("kernel32.dll","DeleteFileA",@HookedProcedure()) ; Disable DeleteFile API.
DeleteFile_(f$) ; Try to delete the temp file, but it will now fail! Good! ;)
Debug FileSize(f$) ; Returns 2 because temp file wasn't deleted (it's 2 bytes).
UnHook("kernel32.dll","DeleteFileA") ; Enable DeleteFile API again.
DeleteFile_(f$) ; Try to delete the temp file, but now it works! :)
Debug FileSize(f$) ; Returns -1 because temp file was deleted.
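PB's listing works by overwriting the first bytes of an export with E9 <rel32> C3, where rel32 = HookedProcAddr - dwAddr - 5. The following C is an added example, not code from this thread or from PureBasic, and it shows the same encoding together with its inverse as a checker would use it: given the bytes currently at an export's address and a clean copy of them (what Backup() holds before the patch, or what the DLL on disk contains), it reports whether the prologue is intact, has been detoured to an address outside the module, or has been changed some other way. The addresses, module range and prologue bytes are constructed for the demonstration and do not describe any real build of kernel32.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN   5   /* E9 + rel32 */
#define PATCH_LEN 6   /* the thread's Hook() writes E9 rel32 C3 */

/* Build the same 6-byte patch the PureBasic Hook() writes:
 * E9 <rel32> C3, with rel32 = hook - func - 5 stored little-endian. */
void build_detour_patch(uint8_t patch[PATCH_LEN], uint32_t func_addr, uint32_t hook_addr)
{
    uint32_t rel = hook_addr - func_addr - JMP_LEN; /* unsigned wrap == two's complement rel32 */
    patch[0] = 0xE9;
    patch[1] = (uint8_t)(rel);
    patch[2] = (uint8_t)(rel >> 8);
    patch[3] = (uint8_t)(rel >> 16);
    patch[4] = (uint8_t)(rel >> 24);
    patch[5] = 0xC3; /* RET, as in the listing; never reached after the JMP */
}

/* Inverse: if the bytes at func_addr start with a JMP rel32, store where it
 * lands and return 1; return 0 if there is no JMP rel32 at the start. */
int decode_jmp_rel32(const uint8_t *bytes, uint32_t func_addr, uint32_t *target)
{
    if (bytes[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)bytes[1]
                 | ((uint32_t)bytes[2] << 8)
                 | ((uint32_t)bytes[3] << 16)
                 | ((uint32_t)bytes[4] << 24);
    *target = func_addr + JMP_LEN + rel; /* same wrap-around as the encoder */
    return 1;
}

enum prologue_state { PROLOGUE_CLEAN = 0, PROLOGUE_DETOURED = 1, PROLOGUE_MODIFIED = 2 };

/* Compare the live prologue of an export with a clean copy. A JMP rel32 whose
 * target lies outside [mod_base, mod_base + mod_size) is reported as a detour;
 * any other difference is reported as modified. */
int classify_prologue(const uint8_t *live, const uint8_t *clean,
                      uint32_t func_addr, uint32_t mod_base, uint32_t mod_size,
                      uint32_t *target_out)
{
    uint32_t target = 0;
    if (memcmp(live, clean, PATCH_LEN) == 0)
        return PROLOGUE_CLEAN;
    if (decode_jmp_rel32(live, func_addr, &target) &&
        (target < mod_base || target - mod_base >= mod_size)) {
        if (target_out) *target_out = target;
        return PROLOGUE_DETOURED;
    }
    return PROLOGUE_MODIFIED;
}

int main(void)
{
    /* Constructed values: a 32-bit module at 0x7C800000 with size 0xF6000,
     * an export inside it, and a hook procedure in a different module. */
    const uint32_t mod_base = 0x7C800000u, mod_size = 0x000F6000u;
    const uint32_t func_addr = 0x7C831F0Bu, hook_addr = 0x00401000u;
    const uint8_t clean[PATCH_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83}; /* constructed prologue */
    uint8_t live[PATCH_LEN];
    uint32_t target = 0;

    memcpy(live, clean, PATCH_LEN);
    printf("before patch: state=%d\n",
           classify_prologue(live, clean, func_addr, mod_base, mod_size, NULL));

    build_detour_patch(live, func_addr, hook_addr);           /* what Hook() does */
    printf("after patch:  state=%d target=0x%08X\n",
           classify_prologue(live, clean, func_addr, mod_base, mod_size, &target), target);

    memcpy(live, clean, PATCH_LEN);                           /* what UnHook() does */
    printf("after unhook: state=%d\n",
           classify_prologue(live, clean, func_addr, mod_base, mod_size, NULL));
    return 0;
}
```

The round trip through build_detour_patch() and decode_jmp_rel32() is the check to run whenever the rel32 arithmetic is touched: if the decoded target is not HookedProcAddr, the patched function will jump somewhere else entirely. The clean-copy comparison is also the simplest way to confirm that UnHook() really restored all six bytes.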
Posted: Mon Aug 11, 2008 5:14 pm
by SFSxOI
You're going to need a global hook and a .dll, I do believe. I remember experimenting with this some back in version 3.94. I don't have any of the code I used back then any more, but do a search for global hook in the forum and you'll eventually come across something. And also I seem to remember some hook code to intercept these API functions by hooking the kernel that someone made mention of or posted in the forums.
Posted: Tue Aug 12, 2008 6:11 am
by JCV
How do I effectively hook CreateFile when using WebGadget?
I want to capture the temporary files being created every time a webpage loads.
I experience a stack error.
Posted: Tue Aug 12, 2008 9:52 am
by Inf0Byt3
This whole API hooking stuff is really hard. I never got around to making a global API hook work perfectly...
But:
This is as close as I got to creating a working hook, with the help of KarlKox here on the forum, who kindly translated a C++ example. In order to test this, start Notepad, compile "dll_hook.pb" to "dll_hook.dll" and execute "injectdll.pb". If everything is OK, you'll see some messages that it succeeded, and if you go to that opened Notepad window and select Help->About you will see the hook in action.
Attachment: Hooking.zip
Now the problem is that some processes import their functions by ordinal, not by name like Notepad. An example is explorer.exe. Just try hooking explorer and you'll see that nothing happens. So if we want to make this work flawlessly we gotta find a way to hook by ordinal as well (see the commented code in the "dll_hook.pb" file). If any of you finds a solution to this please share the code.
If you need help with this code I'll be around.
Cheers!
interesting but how to
Posted: Mon Aug 18, 2008 12:45 pm
by glops
deactivate the "hook" without closing the application?
i.e. can we set a flag with a button in order to eject or inject the new DLL on request? Do you have an example?
I was interested in remoteAPI, but as the user didn't give any sign of life and we don't get the source code, it would be fine to replace the existing old stuff... I cannot stop the hook with remoteAPI without leaving the hooked application... not cool
Very cool! Tested it with other functions (gdi32, ...), and it works fine.
Posted: Mon Aug 18, 2008 7:02 pm
by superadnim
There is an API detour example in the FASM examples section (on the official website); wouldn't that help?
Posted: Tue Oct 07, 2008 11:03 am
by shu7734
Why does my Debug window show
-1
-1
Re: Api hooking
Posted: Sun Nov 08, 2009 6:19 pm
by Michael Vogel
Just played around with the RemoteAPI.dll from Purefan, and I was able to hook a program, so I was able to make a network conversation visible. And even though I'm not clever enough to do an "unhooking", I am very happy about my success.
Because of this great moment, I started thinking whether such a hook method could work with a 16-bit program as well?! I still have Civilization II on my notebook, but each time I'd like to start it (around 2 times a year), I quit because the CPU load goes up to 100% and the fan makes a horrible noise.
I remember that the program uses the PeekMessage() command instead of GetMessage(), so the CPU gets a lot of things to do. Does anyone know if something can be done here?
Thanks,
Michael
Re: Api hooking
Posted: Sun Nov 08, 2009 11:50 pm
by SFSxOI
BTW, that code above posted by PB, from Siegfried Rings and Inf0Byt3, still works in Windows 7.

Re: Api hooking
Posted: Mon Nov 09, 2009 11:11 pm
by Michael Vogel
Silly question: is it possible to hook/unhook with such simple functions in other programs?
Code:
; This would be too simple, wouldn't it...?
Global Dim Backup.b(5) ; Saved original bytes, as in the listing above.
Procedure Hook(process,library$,function$,HookedProcAddr)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$) ; Address in *this* process; only valid in the target if the DLL is loaded at the same base there.
Debug dwAddr
ReadProcessMemory_(process,dwAddr,@Backup(0),6,@readbytes)
Dim a.b(6) : a(0)=$E9 : a(5)=$C3 : dwCalc=HookedProcAddr-dwAddr-5 ; JMP rel32 to HookedProcAddr, which would also have to exist at that address inside the target process.
CopyMemory(@dwCalc,@a(1),4)
WriteProcessMemory_(process,dwAddr,@a(0),6,@written)
EndProcedure
Procedure UnHook(process,library$,function$)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$)
WriteProcessMemory_(process,dwAddr,@Backup(0),6,@written)
EndProcedure
Re: Api hooking
Posted: Mon Nov 09, 2009 11:12 pm
by SFSxOI
Sure, you just gotta find what you want to hook.
There are (or were at one point) some examples in the forum, or at least enough hints to help you on your way, I think.
Re: Api hooking
Posted: Tue Nov 10, 2009 12:12 am
by Thorium
There are 2 main methods for hooking API functions: patching the pointer to the function in the import table, or patching the actual code of the function to detour it.
I can post the source code of one of my old projects as soon as I come home. It will show you how to use the code patch method. This method always works, no matter if the program calls the function without the import.
It will even show an inline hook: a hook detouring execution in the middle of a procedure.