The document describes a method for intercepting API calls in Windows by using a proxy DLL. It provides code examples to create a sample DLL that exports a function, a client that calls this function, and a proxy DLL that can intercept and modify the behavior of the exported function.
The document describes a method for intercepting API calls in Windows by using a proxy DLL. It provides code examples to create a sample DLL that exports a function, a client that calls this function, and a proxy DLL that can intercept and modify the behavior of the exported function.
The document describes a method for intercepting API calls in Windows by using a proxy DLL. It provides code examples to create a sample DLL that exports a function, a client that calls this function, and a proxy DLL that can intercept and modify the behavior of the exported function.
The document describes a method for intercepting API calls in Windows by using a proxy DLL. It provides code examples to create a sample DLL that exports a function, a client that calls this function, and a proxy DLL that can intercept and modify the behavior of the exported function.
Disclaimer ......................................................................................................................3 About this guide.............................................................................................................3 Pre-exquisite ..................................................................................................................3 Intercepting API calls ....................................................................................................3 Method I – Proxy DLL ..............................................................................................3 Step 1 Create a Win32 DLL (MyDLL.dll) that exports a function. ......................4 Step 2 Create a client or any windows application. ...............................................6 Step 3 Create the Proxy DLL.................................................................................6
2 Copyright: http://kk-wuti.blogspot.com
Disclaimer THIS INFORMATION IS PROVIDED BY ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS INFORMATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
About this guide
There are tones of information available regarding windows hooking. As such, this guide will not go into details of what is Windows Hooking or what it can do for you. This guide will instead directly jump into the many ways of Windows Hooking and for each method; a working source codes example with a step by step guide is given. While the author will paint a picture on where and how a particular method could be used, it is entirely up to the reader to assess and make his or her own judgment on how a particular method presented here could best be used with regard to the actual needs.
Pre-exquisite Familiar with Ms Visual C++ 6.0 tools
Intercepting API calls
Method I – Proxy DLL
This is an easy method where the proxy DLL will directly replace an existing DLL that contains the function or functions you want to be intercepted.
Assuming you want to intercept an API in a DLL called MyDLL.
To demonstrate, follow the steps described below.
3 Copyright: http://kk-wuti.blogspot.com
Step 1 Create a Win32 DLL (MyDLL.dll) that exports a function.
CODE:
4 Copyright: http://kk-wuti.blogspot.com
Header file definition
// The following ifdef block is the standard way of creating macros which make exporting // from a DLL simpler. All files within this DLL are compiled with the MYDLL_EXPORTS // symbol defined on the command line. this symbol should not be defined on any project // that uses this DLL. This way any other project whose source files include this file see // MYDLL_API functions as being imported from a DLL, wheras this DLL sees symbols // defined with this macro as being exported.
{ switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }
That’s it. You have a DLL, exporting a function called MyDLL_func(). Since this function is exported by MyDLL, any other application that import this DLL into its process space will be able to invoke the function MyDLL_func().
5 Copyright: http://kk-wuti.blogspot.com
Step 2 Create a client or any windows application.
To invoke the exported DLL function, follow the steps describe below.
• Include the header file created from Step 1. Use the correct path where you have created the header file in Step 1. • Construct the exported class object and invoke the exported function as show below.
CODE:
//Include the path to where MyDLL header file is located
#include "..\\MyDLL\MyDll.h"
//construct the exported class’s object
CMyDLL dll;
//invoke the exported function.
dll.MyDLL_func();
Step 3 Create the Proxy DLL
This is the actual part of the API intercepting.
This DLL will be renamed to MyDLL.dll and MyDLL.dll will in turn be renamed to another name that you like, for instance Realmydll.dll.
1. To create the proxy DLL, first create a normal DLL, no function export is needed here.
Header files definition:
CODE:
// The following ifdef block is the standard way of creating macros which make exporting // from a DLL simpler. All files within this DLL are compiled with the MYDLL_EXPORTS // symbol defined on the command line. this symbol should not be defined on any project // that uses this DLL. This way any other project whose source files include this file see // MYDLL_API functions as being imported from a DLL, wheras this DLL sees symbols // defined with this macro as being exported.
• Declare a WINAPI function pointer of the function you want to intercept.
• Implement the intercepting or hooked function. This function will get called instead when the client invoke MyDLL_func as shown in step 2 earlier. • Update the DllMain function
CODE:
//Declare the function pointer
static void (WINAPI *RealMyDLL_func)();
//Implement the intercepting function
extern "C" void WINAPI HookedMyDLL_func(
) { //Do whatever you wanrt here //You can call the real MyDLL_func here if you want
//You can call the real MyDLL_func here if you want
2. Use the “dumpbin” utility provided by Ms VC++ and run it on MyDLL.dll to get all the exported symbols. We would need this information later. You should be getting something similar like this: -
7 Copyright: http://kk-wuti.blogspot.com
Caution: Since we are using C++, there is C++ name decoration (symbols such as “?”, “$” etc included in the name) in the names of the functions and members exported from the C++ class. You can find more information on C++ Name Decoration from the Internet. Another way of creating export functions is to use definition file. In this case, no name decoration is applied and the names of the exported functions are exactly the same as the name of the functions specified in the definition file.
3. Use #pragma comment(…) to tell the compiler that you are forwarding functions call from your DLL. For example: -
??0CMyDLL@@QAE@XZ is the name of the exported function/member from
the original dll (MyDLL.dll).
So this statement means reference to “??0CMyDLL@@QAE@XZ” is now
forwarded to “??0CMyDLL@@QAE@XZ” in Realmydll. Note the prefix of “Realmydll.”
8 Copyright: http://kk-wuti.blogspot.com
You need to repeat doing the above for all the exported functions shown in the “dumpbin /export” inside MyDLL.dll, except for the function or functions you want to intercept, since you want to handle this yourself inside your proxy DLL.
A good way is to create a new header file (ex. Mydll_fwd.h) in your Proxy DLL project and add the above into it.
4. Update the DllMain function in your proxy DLL project.
CODE: BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { HMODULE hRealDLL; switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { hRealDLL = LoadLibrary( "RealmyDLL" ); if( !hRealDLL ) { return FALSE; } // Store the real function address for hooked function to call. *(void **)&RealMyDLL_func = (void *)GetProcAddress( hRealDLL, "MyDLL_func" ); }
case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH:
FreeLibrary( hRealDLL );
case DLL_PROCESS_DETACH: break; } return TRUE; }
5. To test, rebuild all your 3 projects and copy the DLL files to the same destination directory. Rename MyDLL.dll to Realmydll.dll and ProxyDll.dll to MyDll.dll. Run
9 Copyright: http://kk-wuti.blogspot.com
your test application. The hooked function inside the Proxy DLL (which you have renamed to MyDLL.dll) should get invoked instead of the function in Realmydll.dll.
