C++

Forum

 
Starting to Learn API hooking

m0mathur (47)
I am interested in this topic, I understand most applications which have dlls have functions that enable them to work properly, I am very interested In API hooking

I just needed a brief example of a source code, so I can see what a hooking looks like, or something. The examples I see here doesn't explain it all...
knn9 (170)
Here is an example from the book Windows via C/C++. The idea is to find the API entry in the import section and replace the address with your own function. (sorry for the bad formatting)

P.S. you might want to ask on the Windows forum

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
void CAPIHook::ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller) 
{
	// Get the address of the module's import section
	ULONG ulSize;

	// An exception was triggered by Explorer (when browsing the content of
	// a folder) into imagehlp.dll. It looks like one module was unloaded...
	// Maybe some threading problem: the list of modules from Toolhelp might
	// not be accurate if FreeLibrary is called during the enumeration.
	PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
	__try {
		pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(
			hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
	}
		__except (InvalidReadExceptionFilter(GetExceptionInformation())) {
		// Nothing to do in here, thread continues to run normally
		// with NULL for pImportDesc
	}

	if (pImportDesc == NULL)
		return; // This module has no import section or is no longer loaded

	// Find the import descriptor containing references to callee's functions
	for (; pImportDesc->Name; pImportDesc++) 
	{
		PSTR pszModName = (PSTR) ((PBYTE) hmodCaller + pImportDesc->Name);

		if (lstrcmpiA(pszModName, pszCalleeModName) == 0) 
		{
			// Get caller's import address table (IAT) for the callee's functions
			PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
			((PBYTE) hmodCaller + pImportDesc->FirstThunk);

			// Replace current function address with new function address
			for (; pThunk->u1.Function; pThunk++) 
			{
				// Get the address of the function address
				PROC* ppfn = (PROC*) &pThunk->u1.Function;

				// Is this the function we're looking for?
				BOOL bFound = (*ppfn == pfnCurrent);

				if (bFound) 
				{
					if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
						sizeof(pfnNew), NULL) && (ERROR_NOACCESS == GetLastError())) 
					{
						DWORD dwOldProtect;

						if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) 
						{
							WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
								sizeof(pfnNew), NULL);
							VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect,
									&dwOldProtect);
						}
					}

					return; // We did it, get out
				}
			}
		} // Each import section is parsed until the right entry is found and patched
	}
}
m0mathur (47)
When we imply hook functions, what exactly do we mean, I have these functions, HttpSendRequestW, belonging to say wininet.dll

How do I hook this function for instance?
knn9 (170)
Sorry I can't help with this as I haven't looked into it much. I just posted an example from a book. But I can tell you as much as I know and suggest again that you ask in the Windows forum on this site.

Every EXE and DLL has a section called the import table which lists each function that needs to be imported from another DLL. If you write a program that uses HttpSendRequestW from wininet.dll, then your EXE's import table will have an wininet.dll entry with the symbol HttpSendRequestW under it.

When your EXE is loaded the system looks at its import table and loads each DLL listed there. For each DLL the system looks at ITS import table and repeats the process until all dependencies are loaded.

When your program calls an API function the system looks at the import table in memory to find the right entry and get a pointer to the function in memory. The pointer is a "relative virtual address"(RVA), which is an address relative to the base of the module(ie., where the DLL is mapped in virtual memory --- its HMODULE).

Hooking an API function is a matter of replacing its RVA in the import table in memory with a pointer to a function defined by you. The example I posted above does just this.
Last edited on
Topic archived. No new replies allowed.