
How to hook API calls?

Posted: Wed Dec 10, 2003 6:13 pm
by newbie
Hi,

I started in another thread to talk about it, but I think it's better to create a new one in the beginner area.

My purpose: to monitor API calls to a particular API, let's say "GetCurrentDirectory". I want to see when the API is called, and by which process/executable.

I tried to do an API hook with "SetWindowsHookEx" but I failed to do it; maybe it isn't the right way.

Anyone have a clue or, better, a code sample?

Thank you if you can help me :)

regards,

newbie.

Posted: Wed Dec 10, 2003 11:16 pm
by Seldon
I think the problem could be that the hook must be inside a shared DLL and PB can't do that directly. You should modify the assembly and the .def file.

Posted: Thu Dec 11, 2003 12:50 am
by newbie
You can hook by injecting a remote thread or by injecting a DLL (PB can do this), but for doing a wide hook I thought the API I tried was the one to use, and I didn't find how.

Posted: Thu Dec 11, 2003 9:40 am
by Seldon
Some parts of the DLL (or possibly all of it) should be loaded in shared memory so any process can access them; that's how you can do system-wide DLLs (I did one in pure ASM to handle the keyboard). On MSDN you can find a good explanation. How do you do that with PB?

From what I know, you should modify the generated asm file (/COMMENTED) and add a section that will then be declared as shared. Then you need to set a switch in Lcclnk (personally I used Link that comes with MASM32, but I think Lcclnk supports that). The problem with PB is that it calls Lcclnk directly and you can't set any switch for it.

Hey Fred: can you enhance the compiler and let it pass arguments to the linker? Something like:

pbcompiler test.pb /LCCLNK:argument_for_lcclnk

Also, being able to pass additional objects or .RES files to the compiler would be very welcome. I think it's very easy to do. :wink:

Posted: Thu Dec 11, 2003 9:59 am
by Danilo
Seldon wrote:
Hey Fred: can you enhance the compiler and let it pass arguments to the linker? Something like:

pbcompiler test.pb /LCCLNK:argument_for_lcclnk

Also, being able to pass additional objects or .RES files to the compiler would be very welcome. I think it's very easy to do. :wink:

That would be very nice, and GPI could stop with his sh*t to patch the compiler.

@newbie:
SetWindowsHookEx is a function to hook Windows messages and stuff, but it's not for hooking API calls.

Posted: Thu Dec 11, 2003 10:24 am
by Fred
You can take a look at the following (very, very interesting) site: http://help.madshi.net/madCodeHook.htm and you will learn how to definitively hook anything on Windows.

About the /LINKER param, it sounds OK. I will add it.

Posted: Thu Dec 11, 2003 1:59 pm
by newbie
Thank you very much for your answers, and Fred for his link :D

Posted: Thu Dec 11, 2003 4:43 pm
by Max.
newbie wrote:
Thank you very much for your answers, and Fred for his link :D
Keep us updated on your progress please. :wink:

Posted: Thu Dec 11, 2003 6:08 pm
by newbie
For now, when I load my prog it uses 100% of the CPU and doesn't hook anything, but I'm still investigating :wink:

Posted: Fri Dec 12, 2003 1:24 am
by dontmailme
newbie wrote:
For now, when I load my prog it uses 100% of the CPU and doesn't hook anything, but I'm still investigating :wink:
Well, at least it must be doing something 8O :lol:

Posted: Fri Dec 12, 2003 1:51 pm
by Proteus
It's probably doing nothing and looping...

Putting Delay(1) into the loop should help.

Posted: Sun Dec 21, 2003 7:58 am
by p2hicy
Any (working) results yet? :)