Method of hooking a DLL
-
I want to hook a DLL function; my method is modifying the exe's Import Table. Is there another method of hooking a DLL that does not need modification of the Import Table and Export Table? Thanks.
HOW WHAT wrote:
Is there another method of hooking a DLL that does not need modification of the Import Table and Export Table?
You can change the first bytes of the function to a far jmp that points to your code.
-
This example shows the hook of GetModuleHandleW in the target process (the process into which you injected your DLL). It works only on 32-bit Windows. If you injected your DLL into a multithreaded process you must synchronize execution of this code with the other threads, or the program may sometimes crash.
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>

#define BYTES_COUNT 0x05            // size of jmp rel32: E9 plus a 4-byte displacement

BYTE firstBytes[BYTES_COUNT];       // original prologue bytes, restored by the unhook
void *pfnGetModuleHandle;           // address of the real GetModuleHandleW
HANDLE __stdcall Handler(HANDLE hModule);

// Only hooks the running process
BOOL HookGetModuleHandle()
{
    HMODULE hKernel32;
    DWORD dwOldProtect;

    hKernel32 = LoadLibrary(_T("kernel32.dll"));
    if (hKernel32 == NULL) {
        return FALSE;
    }
    pfnGetModuleHandle = GetProcAddress(hKernel32, "GetModuleHandleW");
    if (pfnGetModuleHandle == NULL) {
        return FALSE;
    }
    // keep the original prologue so it can be restored later
    memcpy(firstBytes, pfnGetModuleHandle, BYTES_COUNT);
    // keep the page executable while it is being patched, otherwise a thread
    // running through it under DEP would fault
    if (!VirtualProtect(pfnGetModuleHandle, BYTES_COUNT, PAGE_EXECUTE_READWRITE, &dwOldProtect)) {
        return FALSE;
    }
    // write jmp rel32 to Handler; the displacement is relative to the end of the jmp
    *((BYTE*)pfnGetModuleHandle) = 0xE9;
    *((DWORD*)(((BYTE*)pfnGetModuleHandle) + 1)) = (DWORD)Handler - (DWORD)pfnGetModuleHandle - BYTES_COUNT;
    // lpflOldProtect must not be NULL or VirtualProtect fails
    if (!VirtualProtect(pfnGetModuleHandle, BYTES_COUNT, dwOldProtect, &dwOldProtect)) {
        return FALSE;
    }
    return TRUE;
}

BOOL UnhookGetModuleHandle()
{
    DWORD dwOldProtect;

    if (!VirtualProtect(pfnGetModuleHandle, BYTES_COUNT, PAGE_EXECUTE_READWRITE, &dwOldProtect)) {
        return FALSE;
    }
    memcpy(pfnGetModuleHandle, firstBytes, BYTES_COUNT);
    if (!VirtualProtect(pfnGetModuleHandle, BYTES_COUNT, dwOldProtect, &dwOldProtect)) {
        return FALSE;
    }
    return TRUE;
}

// Runs instead of GetModuleHandleW while the hook is in place
HANDLE __stdcall Handler(HANDLE hModule)
{
    HANDLE returned;

    printf("GetModuleHandleW call detected\n");
    UnhookGetModuleHandle();            // restore the original prologue
    __asm {
        push hModule
        call pfnGetModuleHandle         ; call the real function (stdcall, callee cleans the stack)
        mov returned, eax
    }
    HookGetModuleHandle();              // re-apply the hook
    return returned;                    // the posted version omitted this return
}
-
My method is better to use, because it never fails, except when the application detects and removes the hook (very, very rarely), but it creates additional problems with synchronization in multithreaded applications and it doesn't work on Windows other than 32-bit (without modification). IAT modification is also a good method, but that hook wouldn't work if the application calls functions directly (calls GetProcAddress to retrieve the address of the function...). The second method fails more often than the first. Also you can create a DLL that debugs the process into which it is injected by inserting int3 instructions into the functions you want to hook. If the number of functions to hook is <= 4 you can use hardware breakpoints; setting hardware breakpoints does not require any code modifications.
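A defender-side integrity check for the kind of patch discussed in this thread, added here as an example and not code from any poster: it compares a function's first five bytes against a clean copy, decodes an E9 jmp rel32 to its absolute target using the same displacement rule the hook above relies on, and flags an int3. The addresses and the clean prologue bytes are constructed, and the code is plain C with no Windows dependency so the decoding logic can be exercised anywhere.

```c
#include <stdint.h>
#include <string.h>

#define PROLOGUE_LEN 5   /* the span the thread's hook overwrites: E9 + rel32 */

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_INT3, HOOK_OTHER };

/* Classify the first PROLOGUE_LEN bytes of a function in a 32-bit address space.
   func_addr: the function's virtual address.
   live:      the bytes read from that address now.
   known:     the bytes recorded when the module was known to be clean.
   target:    set to the absolute destination when a jmp rel32 is present. */
enum hook_kind classify_prologue(uint32_t func_addr, const uint8_t *live,
                                 const uint8_t *known, uint32_t *target)
{
    if (memcmp(live, known, PROLOGUE_LEN) == 0)
        return HOOK_NONE;                   /* matches the clean copy */
    if (live[0] == 0xE9) {
        /* jmp rel32: destination = address after the 5-byte jmp + displacement,
           assembled byte by byte so the check does not depend on host endianness */
        uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                       ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
        *target = func_addr + PROLOGUE_LEN + rel;   /* wraps mod 2^32 like the CPU */
        return HOOK_JMP_REL32;
    }
    if (live[0] == 0xCC)
        return HOOK_INT3;                   /* software breakpoint, as in the debugger approach */
    return HOOK_OTHER;
}

/* Constructed sample: the hotpatchable prologue used by 32-bit kernel32 exports
   (mov edi,edi; push ebp; mov ebp,esp), then the same bytes after a jmp to a
   hypothetical Handler has been written over them the way the thread's hook does. */
static const uint8_t CLEAN_PROLOGUE[PROLOGUE_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

int demo(void)
{
    uint32_t func = 0x7C80B741u;       /* assumed address of GetModuleHandleW */
    uint32_t handler = 0x10001000u;    /* assumed address of the injected Handler */
    uint32_t rel = handler - func - PROLOGUE_LEN;
    uint8_t patched[PROLOGUE_LEN] = { 0xE9, (uint8_t)rel, (uint8_t)(rel >> 8),
                                      (uint8_t)(rel >> 16), (uint8_t)(rel >> 24) };
    uint32_t where = 0;
    enum hook_kind kind = classify_prologue(func, patched, CLEAN_PROLOGUE, &where);
    return kind == HOOK_JMP_REL32 && where == handler;   /* 1 when the hook is found */
}
```

A real check would read `live` from the loaded module and `known` from the on-disk image or a snapshot taken at startup; a non-zero result from `demo()` shows the decoder recovers the handler address from the patched bytes.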
-
:) 1. With your method, if some call to the hooked function happens, may some exception happen, right? 2. How do I do what you say: "Also you can create a DLL that debugs the process into which it is injected by inserting int3 instructions into the functions you want to hook. If the number of functions to hook is <= 4 you can use hardware breakpoints; setting hardware breakpoints does not require any code modifications." Some time ago I downloaded a CodeProject example about using a debug process to inject a DLL, but on Win98 all applications crash.
-
HOW WHAT wrote:
1. With your method, if some call to the hooked function happens, may some exception happen, right?
Only when the application threads are not synchronized and the context of the current thread (the one that is now hooking the function) is switched to another one that calls the hooked function.
HOW WHAT wrote:
2. How do I do what you say
There is an error in the code you just downloaded. The Armadillo protector uses the same technique and it works best on Windows 9x/Me. Give me the URL of this example or send it to my mail - sharebyte gmail com