Untitled

Evil Steve

IT IS DONE.

I've finished my API hooking library. Source code is available Here, and an x86 binary is available Here. The binary includes a command line app which will let you list all DLL imports for a running process, hook a DLL import, and optionally wait for you to press a key before unhooking it.

Notes:

  1. Hooking a process involves loading a DLL into it, calling a function in that DLL, and unloading the DLL.

  2. The function in the DLL must exactly match the signature (argument list, return type and calling convention) of the function being hooked. If it doesn't, you're likely to get stack corruption, and probably a crash in the hooked process.

  3. No checks are done on the return values of LoadLibrary() or GetProcAddress(), so if either of these fails inside the host process you'll get an access violation reading a NULL pointer (so if you do see that, check both of those values).

  4. The new DLL will be loaded and unloaded by the hooking program first, to check that it can a) load the DLL and b) find the function you say is in there. That makes the hooking a little safer, at the expense of having the DLL loaded and unloaded an extra time. So if you see your DllMain being called from within the hook app, that's why.
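The notes above describe the mechanics; the following is an added example (written for this page, not code from Evil Steve's library) showing what an import hook actually does once the DLL is inside the target: walk the PE import directory, find the IAT slot for a named import, swap in a function with the identical prototype, call through it, and put the original pointer back. Everything here is constructed so it runs offline on any platform: the structures mirror the real IMAGE_IMPORT_DESCRIPTOR and IMAGE_IMPORT_BY_NAME layouts, the "image" is a byte buffer filled in by hand with RVAs as offsets from its base, `FakeChooseFont` and `real_choose_font` stand in for CHOOSEFONTW and comdlg32!ChooseFontW, and thunks are pointer-sized (as in PE32+; a PE32 image uses 32-bit thunks). In a live process the import directory RVA comes from OptionalHeader.DataDirectory[1] and the IAT page has to be made writable with VirtualProtect before the slot is overwritten.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_ORDINAL_FLAG ((uintptr_t)1 << (sizeof(uintptr_t) * 8 - 1))
#define IMAGE_SIZE 128
#define IMPORT_DIR_RVA 0 /* in a real image: OptionalHeader.DataDirectory[1].VirtualAddress */

typedef struct {
    uint32_t OriginalFirstThunk; /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;               /* RVA of the NUL-terminated DLL name */
    uint32_t FirstThunk;         /* RVA of the IAT, the slots the code calls through */
} ImportDescriptor;              /* 20 bytes, the IMAGE_IMPORT_DESCRIPTOR layout */

typedef struct { uint16_t Hint; char Name[1]; } ImportByName; /* IMAGE_IMPORT_BY_NAME */

#define RVA(base, rva) ((uint8_t *)(base) + (rva))

static int name_eq(const char *a, const char *b) { /* DLL names compare case-insensitively */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Print every named import as dll!func (what "list imports" does) and return the count. */
static int list_imports(void *base, uint32_t import_dir_rva) {
    int n = 0;
    for (ImportDescriptor *d = (ImportDescriptor *)RVA(base, import_dir_rva); d->Name; d++) {
        uintptr_t *names = (uintptr_t *)RVA(base, d->OriginalFirstThunk);
        for (size_t i = 0; names[i]; i++) {
            if (names[i] & IMAGE_ORDINAL_FLAG) continue; /* imported by ordinal: no name */
            printf("%s!%s\n", (char *)RVA(base, d->Name),
                   ((ImportByName *)RVA(base, (uint32_t)names[i]))->Name);
            n++;
        }
    }
    return n;
}

/* Find the IAT slot for dll!func, save the original pointer into *old_fn and
 * write new_fn over it. Returns the slot (so the caller can unhook) or NULL. */
static uintptr_t *hook_import(void *base, uint32_t import_dir_rva, const char *dll,
                              const char *func, uintptr_t new_fn, uintptr_t *old_fn) {
    for (ImportDescriptor *d = (ImportDescriptor *)RVA(base, import_dir_rva); d->Name; d++) {
        if (!name_eq((char *)RVA(base, d->Name), dll)) continue;
        uintptr_t *names = (uintptr_t *)RVA(base, d->OriginalFirstThunk);
        uintptr_t *slots = (uintptr_t *)RVA(base, d->FirstThunk);
        for (size_t i = 0; names[i]; i++) {
            if (names[i] & IMAGE_ORDINAL_FLAG) continue;
            if (strcmp(((ImportByName *)RVA(base, (uint32_t)names[i]))->Name, func) != 0) continue;
            *old_fn = slots[i];  /* in a live process: VirtualProtect this page first */
            slots[i] = new_fn;
            return &slots[i];
        }
    }
    return NULL;
}

/* Stand-ins (constructed) for comdlg32!ChooseFontW and a hook with the identical prototype. */
typedef struct { int size; int filled; } FakeChooseFont;
typedef int (*choose_font_fn)(FakeChooseFont *);
static int real_choose_font(FakeChooseFont *cf) { cf->filled = 1; return 1; }

static uintptr_t g_original; /* saved by hook_import, called through by the hook */
static int g_hook_calls;
/* Same prototype as the target (note 2): on x86 stdcall a mismatch leaves the stack
 * unbalanced. The hook must also hand back the original's return value (EDIT #2). */
static int my_choose_font(FakeChooseFont *cf) {
    g_hook_calls++;
    return ((choose_font_fn)g_original)(cf);
}

/* Lay out the constructed image: descriptors at 0, DLL name at 40, INT at 64, IAT at 80, name at 96. */
static void build_image(void *base) {
    uint8_t *b = base;
    memset(b, 0, IMAGE_SIZE);
    ImportDescriptor *d = (ImportDescriptor *)b;
    d[0].OriginalFirstThunk = 64; d[0].Name = 40; d[0].FirstThunk = 80; /* d[1] all-zero: terminator */
    memcpy(b + 40, "comdlg32.dll", 13);
    ((uintptr_t *)(b + 64))[0] = 96;                          /* INT: RVA of the ImportByName */
    ((uintptr_t *)(b + 80))[0] = (uintptr_t)real_choose_font; /* IAT: resolved address */
    memcpy(((ImportByName *)(b + 96))->Name, "ChooseFontW", 12);
}

/* Hook, call through the IAT the way the process would, unhook.
 * Returns 1 if everything behaved, 0 on a wrong result, -1 if the import was not found. */
static int demo(void) {
    static union { uintptr_t align; uint8_t bytes[IMAGE_SIZE]; } image;
    g_hook_calls = 0;
    build_image(image.bytes);
    list_imports(image.bytes, IMPORT_DIR_RVA);
    uintptr_t *slot = hook_import(image.bytes, IMPORT_DIR_RVA, "COMDLG32.dll", "ChooseFontW",
                                  (uintptr_t)my_choose_font, &g_original);
    if (!slot) return -1;
    FakeChooseFont cf = { (int)sizeof cf, 0 };
    int ret = ((choose_font_fn)*slot)(&cf); /* the same indirect call the process makes */
    *slot = g_original;                     /* unhook: restore the original pointer */
    return (ret == 1 && cf.filled && g_hook_calls == 1 &&
            *slot == (uintptr_t)real_choose_font) ? 1 : 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

The lookup goes through OriginalFirstThunk (the names) and patches the parallel FirstThunk array (the addresses) at the same index, which is why both arrays are walked together; a tool that only has FirstThunk, because the image was built without an INT, has to match on the resolved address instead of the name.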



I'd be happy to answer any questions about it, hear any bug reports, any suggestions for more command line arguments to the test app, and so on.


EDIT: To get a process ID, start task manager, go to the "Processes" tab, then go to View -> Select Columns, and check "PID (Process Identifier)".

EDIT #2: Ok, the x64 version now works great. I'm not using r10 any more, and my bug was caused by me not restoring the return value from the function, so Notepad was getting the return value from FreeLibrary() instead of MyChooseFontW(). That means when you click "Cancel", the struct isn't filled out, but Notepad was effectively being told it was. All works now, and the source code is updated.

EDIT #3: New version uploaded (links updated). This one has a function to undecorate symbol names, which is handy if you list exports from a process and at least some are decorated. It means you get a free prototype to hook. Hooray!