Windows API Hooking, Injecting a DLL

[wraithdu]

As I said before, you need to write a DLL to inject into the process to make your data modifications. It sounds like you want to be able to write this code in AutoIt... sorry, not gonna happen.

[Grayhat]

I see... i wasn't thinkin' abt write in autoit ;]

thanks for answers.

c ya

[oceanwaves]

Thanks for your code and design, it's very helpful to me.

But I compiled them to 64bit version and running on the 64bit Windows 7, the ApiHookExample.exe is crash.

I read the code but I think the pointer size is enough for 64bit OS.

[Pipaman]

Hi,

Why don't you use <snip>

It solves all the injection staff since you can hook any Windows API (included in Platform SDK) and receive calls in you own process.

Regards,

-P

Edited January 29, 2013 by Melba23
Advert and link removed

[Melba23]

Pipaman,

Advertising is not permitted here, sorry.

M23

[zaqimon]

Thanks a lot. Really useful. But there seems to be a bug for this method.

It seems if the backup instructions happened to have relative call/jmp opcodes, the application will crash if calling back to those backup instructions. For instance, I hooked user32.dll:DdeGetData(), it crashed as soon as I tried to call the original function. It's working fine If I didn't call the original function.

Is there any idea how to solve this problem?

OK. I use some dirty method in dll to work around this problem. On each call to DdeGetData(), I modify the first 10 byte to the original instructions before calling, and after calling I modify the first 10 byte back to the HOOK instructions. Call VirtualProtect() first before modifying DdeGetData() or applicatoin get crashed. I don't know the performance penalty of this kind of run-time code patching since DdeGetData() may get called frequently.

************

below is the output log while hooking user32.dll:DdeGetData() for reference

-----------------

mnemonic: PUSH

operands: 0xc

instructions: 6a 0c

size: 2

offset: 0

-----------------

mnemonic: PUSH

operands: 0x75e4fc58

instructions: 68 58fce475

size: 5

offset: 2

-----------------

mnemonic: CALL

operands: 0xfffffffffffe6557

instructions: e8 4b65feff

size: 5

offset: 7

-------------

HookAddress: 0x75E4FBCE

HookBak: 0x6A0C6858FCE475E84B65

Bridge: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

BridgePtr: 0x01F50000

Status after get: 0

Process: 10536

-------------------

remote bridge: 0x6A0C6858FCE475E84B65FEFFFF251200F501DAFBE475000000000000000000000000000000000000000000000000000000000000000000000000000000000000

remote hook: 0xFF25D4FBE475D0105202

Edited September 3, 2014 by meltice