Intercept "TextOut" API
-
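/* Hi all! Look. */

/*
 * Signature of TextOutA. The return type is spelled out here; the original
 * typedef omitted it, which only compiles under implicit-int rules.
 */
typedef BOOL (WINAPI *TextOutAType)(HDC, int, int, LPCSTR, int);

/* Value the import slot held before it was patched; 0 until the hook is installed. */
TextOutAType oldTextOutAaddr = 0;

/*
 * Our own replacement for TextOutA: shows the text in a message box, then
 * forwards the call to the saved original address.
 *
 * TextOutA receives a character count (cbString) and the text is not required
 * to be NUL-terminated, so a bounded, terminated copy is made for the message
 * box instead of handing `string` straight to an API that expects a C string.
 *
 * Returns whatever the original TextOutA returns, or FALSE when no original
 * address has been saved yet.
 */
BOOL WINAPI MyTextOutA(HDC hdc, int nXStart, int nYStart, LPCSTR string, int cbString)
{
    char text[256];
    size_t n = 0;

    if (string != NULL && cbString > 0) {
        n = (size_t)cbString;
        if (n > sizeof text - 1) {
            n = sizeof text - 1;   /* truncate for display only */
        }
        memcpy(text, string, n);
    }
    text[n] = '\0';

    /* Explicit ANSI variant: `text` is a char buffer even in UNICODE builds. */
    MessageBoxA(0, text, "aha", 0);

    if (oldTextOutAaddr == 0) {
        return FALSE;
    }
    return oldTextOutAaddr(hdc, nXStart, nYStart, string, cbString);
}

/*
 * Redirect the "TextOutA" import of one loaded module to MyTextOutA by
 * rewriting its import address table (IAT) slot.
 *
 * hModule  base address of a module mapped into the calling process.
 *
 * Returns TRUE when a "TextOutA" slot is (or already was) pointing at
 * MyTextOutA, FALSE when the headers are not a valid PE image, the module has
 * no import directory, no such import exists, or the page could not be made
 * writable.
 *
 * Scope: only the IAT of `hModule` inside the current process is changed.
 * Other modules, other processes, and callers that resolve TextOutA through
 * GetProcAddress are not affected. The import is matched by name only; the
 * exporting DLL named in the descriptor is not checked.
 *
 * Review note: an IAT slot that resolves outside the image of the DLL named in
 * its import descriptor is exactly what import-table integrity checks compare
 * against, so a patched slot like this one is visible to such tooling.
 */
BOOL HookApiTextOutA(const HMODULE hModule)
{
    /* Byte pointer arithmetic instead of (DWORD) casts, which truncate on 64-bit. */
    BYTE *base = (BYTE *)hModule;
    IMAGE_DOS_HEADER *pdos;
    IMAGE_NT_HEADERS *pnt;
    IMAGE_DATA_DIRECTORY *pSymbolTable;
    IMAGE_IMPORT_DESCRIPTOR *pimport;
    BOOL hooked = FALSE;

    if (base == NULL) {
        return FALSE;
    }

    pdos = (IMAGE_DOS_HEADER *)base;
    if (pdos->e_magic != IMAGE_DOS_SIGNATURE) {
        return FALSE;
    }

    pnt = (IMAGE_NT_HEADERS *)(base + pdos->e_lfanew);
    if (pnt->Signature != IMAGE_NT_SIGNATURE) {
        return FALSE;
    }

    pSymbolTable = &pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pSymbolTable->VirtualAddress == 0) {
        return FALSE;              /* module imports nothing */
    }
    pimport = (IMAGE_IMPORT_DESCRIPTOR *)(base + pSymbolTable->VirtualAddress);

    for (; pimport->FirstThunk; pimport++) {
        IMAGE_THUNK_DATA *pold;
        IMAGE_THUNK_DATA *pnew;

        /* Without a name table there is nothing to match against; the
         * original code would have walked the DOS header here. */
        if (pimport->OriginalFirstThunk == 0) {
            continue;
        }

        pold = (IMAGE_THUNK_DATA *)(base + pimport->OriginalFirstThunk);
        pnew = (IMAGE_THUNK_DATA *)(base + pimport->FirstThunk);

        for (; pold->u1.AddressOfData; pold++, pnew++) {
            IMAGE_IMPORT_BY_NAME *pname;
            TextOutAType current;
            DWORD oldProtect = 0;

            if (IMAGE_SNAP_BY_ORDINAL(pold->u1.Ordinal)) {
                continue;          /* imported by ordinal: no name to compare */
            }

            pname = (IMAGE_IMPORT_BY_NAME *)(base + pold->u1.AddressOfData);
            if (strcmp("TextOutA", (const char *)pname->Name) != 0) {
                continue;
            }

            /* Here is the system API "TextOutA" address currently in the slot. */
            current = (TextOutAType)pnew->u1.Function;
            if (current == MyTextOutA) {
                /* Already hooked: saving it again would make MyTextOutA call itself. */
                hooked = TRUE;
                continue;
            }

            if (!VirtualProtect(&pnew->u1.Function, sizeof pnew->u1.Function,
                                PAGE_READWRITE, &oldProtect)) {
                continue;
            }

            /* Save the original before publishing the hook so a call that
             * arrives right after the write still has a target to forward to. */
            oldTextOutAaddr = current;
            pnew->u1.Function = (ULONG_PTR)MyTextOutA;

            /* Put the page protection back the way it was found. */
            VirtualProtect(&pnew->u1.Function, sizeof pnew->u1.Function,
                           oldProtect, &oldProtect);
            hooked = TRUE;
        }
    }

    return hooked;
}

/*
 * Now, when we use TextOutA, it's using "MyTextOutA" first in fact.
 * TO: Mark Salsbery, this isn't a joke. :)
 * IcyGaze, hope make friend with you~
 */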
-
Hi all! Look. typedef (WINAPI *TextOutAType)(HDC,int,int,LPCSTR,int); TextOutAType oldTextOutAaddr=0; //here is ourself function BOOL WINAPI MyTextOutA(HDC hdc, int nXStart, int nYStart, LPCSTR string, int cbString) { MessageBox(0,string,"aha",0); return oldTextOutAaddr(hdc,nXStart,nYStart,string,cbString); } BOOL HookApiTextOutA(const HMODULE hModule) { IMAGE_DOS_HEADER *pdos; IMAGE_NT_HEADERS *pnt; IMAGE_DATA_DIRECTORY *pSymbolTable; IMAGE_IMPORT_DESCRIPTOR *pimport; pdos=(IMAGE_DOS_HEADER*)hModule; pnt=(IMAGE_NT_HEADERS*)((DWORD)pdos + pdos->e_lfanew); pSymbolTable=&pnt->OptionalHeader.DataDirectory[1]; pimport=(IMAGE_IMPORT_DESCRIPTOR*)((DWORD)pdos + pSymbolTable->VirtualAddress); while(pimport->FirstThunk){ IMAGE_THUNK_DATA *pold,*pnew; pold = (IMAGE_THUNK_DATA*)((DWORD)pdos + pimport->OriginalFirstThunk); pnew = (IMAGE_THUNK_DATA*)((DWORD)pdos + pimport->FirstThunk); while(pold->u1.Function){ if(IMAGE_ORDINAL_FLAG != (pold->u1.Ordinal & IMAGE_ORDINAL_FLAG)) { IMAGE_IMPORT_BY_NAME *pname; pname = (IMAGE_IMPORT_BY_NAME*)((DWORD)pdos + *((DWORD*)pold)); PROC *ppfn=(PROC*)(pnew->u1.Function); if(strcmp("TextOutA",(char*)pname->Name)==0) { oldTextOutAaddr=(TextOutAType)(ppfn); //here is system API "TextOutA" address DWORD addr=(DWORD)MyTextOutA; DWORD written=0; DWORD oldProtect=NULL; VirtualProtect(&pnew->u1.Function,sizeof(DWORD),PAGE_WRITECOPY,&oldProtect); WriteProcessMemory(GetCurrentProcess(),&pnew->u1.Function, &addr,sizeof(DWORD), &written); } } pold++; pnew++; } pimport++; } return TRUE; } Now,when we use TextOutA,it's using "MyTextOutA" first in fact. TO: Mark Salsbery,this isn't a joke.:) IcyGaze, hope make friend with you~
It seems you could solve your problem:)
WhiteSky
-
Hi all! Look. typedef (WINAPI *TextOutAType)(HDC,int,int,LPCSTR,int); TextOutAType oldTextOutAaddr=0; //here is ourself function BOOL WINAPI MyTextOutA(HDC hdc, int nXStart, int nYStart, LPCSTR string, int cbString) { MessageBox(0,string,"aha",0); return oldTextOutAaddr(hdc,nXStart,nYStart,string,cbString); } BOOL HookApiTextOutA(const HMODULE hModule) { IMAGE_DOS_HEADER *pdos; IMAGE_NT_HEADERS *pnt; IMAGE_DATA_DIRECTORY *pSymbolTable; IMAGE_IMPORT_DESCRIPTOR *pimport; pdos=(IMAGE_DOS_HEADER*)hModule; pnt=(IMAGE_NT_HEADERS*)((DWORD)pdos + pdos->e_lfanew); pSymbolTable=&pnt->OptionalHeader.DataDirectory[1]; pimport=(IMAGE_IMPORT_DESCRIPTOR*)((DWORD)pdos + pSymbolTable->VirtualAddress); while(pimport->FirstThunk){ IMAGE_THUNK_DATA *pold,*pnew; pold = (IMAGE_THUNK_DATA*)((DWORD)pdos + pimport->OriginalFirstThunk); pnew = (IMAGE_THUNK_DATA*)((DWORD)pdos + pimport->FirstThunk); while(pold->u1.Function){ if(IMAGE_ORDINAL_FLAG != (pold->u1.Ordinal & IMAGE_ORDINAL_FLAG)) { IMAGE_IMPORT_BY_NAME *pname; pname = (IMAGE_IMPORT_BY_NAME*)((DWORD)pdos + *((DWORD*)pold)); PROC *ppfn=(PROC*)(pnew->u1.Function); if(strcmp("TextOutA",(char*)pname->Name)==0) { oldTextOutAaddr=(TextOutAType)(ppfn); //here is system API "TextOutA" address DWORD addr=(DWORD)MyTextOutA; DWORD written=0; DWORD oldProtect=NULL; VirtualProtect(&pnew->u1.Function,sizeof(DWORD),PAGE_WRITECOPY,&oldProtect); WriteProcessMemory(GetCurrentProcess(),&pnew->u1.Function, &addr,sizeof(DWORD), &written); } } pold++; pnew++; } pimport++; } return TRUE; } Now,when we use TextOutA,it's using "MyTextOutA" first in fact. TO: Mark Salsbery,this isn't a joke.:) IcyGaze, hope make friend with you~
Haha! Cool :) So that works for other processes? Great to know there's no inter-process protection. Geez no wonder UNIX guys make fun of Windows! Nice one! :) Mark