Hooking a running process's innermost DLL's function
-
In a running process, say “ProcessOne”, a module, say “DllOne.dll”, is loaded and its exported function, say “DllOnesFunction1”, is called. “DllOnesFunction1” calls LoadLibrary and dynamically loads another module, say “DllTwo.dll”, and calls its function, say “DllTwosFunction2”. “DllTwosFunction2” calls LoadLibrary and dynamically loads another module, say “DllThree.dll”, and calls its function, say “DllTthreesFunction3”.

If so, how can I hook “DllTthreesFunction3” with “MyDllTthreesFunction3”? First, is it possible? Do I start from the IAT of “ProcessOne”? Then what? Is it the EAT of “DllTwo.dll”? ...

If possible, please tell me how I might start to find an answer, or just give a brief idea or a link to learn about it.

Expecting a valuable reply. Thanks in advance.
Regards,
Dileep S
-
Gee. I wonder what Uncle Google has to say....
http://www.google.co.uk/#sclient=psy-ab&q=hooking+a+dll+function+EAT&oq=hooking+a+dll+function+EAT&gs_l=hp.3...87293.87984.1.88216.4.4.0.0.0.0.122.384.3j1.4.0....0...1c.1.23.psy-ab..3.22.3390.ZfRfinFp2WM&pbx=1&bav=on.2,or.r_qf.&bvm=bv.50165853,d.ZWU&fp=c0503ee1f53d3498&biw=1607&bih=407
-
A module function may be imported by many other modules. I've used 2 different approaches:
1. I hooked the import table of all modules that imported the function of my interest.
2. If there were too many modules that imported the function, then I did the following: I hooked the function of my interest by writing a jump into the first few bytes of the function that jumps to my code. Of course, before the hook code jumps back to the original function, it must execute the instructions that have been overwritten by the jump; depending on the first few instructions, you may have to copy more than a few bytes.

Advantages of #1: You don't have to mess around with the instructions of the hooked function like you have to with #2.
Disadvantages of #1: You have to find and hook the import table of all modules that import the specified function.

A possible mistake in both cases: The program may unload/reload hooked DLLs, and in this case you have to be aware of this and you have to repatch after reload.

Almost forgot to mention: approach #1 is often called "API redirection". You can find good stuff by googling this.

And another thing I forgot: if it isn't obvious, this task is easiest to perform by injecting your own DLL with the hook code into the guest process. Work inside the hookable process and not from outside.
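A defender-side check for the inline patch described in approach #2, as an added example that is not part of the original answer: it decodes an unconditional jump at a function's entry and reports whether the jump leaves the module that owns the function. The `module_range` type, the function names, and the sample bytes and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t base, size; } module_range;   /* hypothetical type */
enum { ENTRY_CLEAN, ENTRY_JUMP_INSIDE, ENTRY_JUMP_OUTSIDE };

/* Decode an unconditional transfer at a function's first bytes.
   code = bytes read from the entry point, va = address of code[0].
   Assumes a little-endian host, like the x86 code being inspected. */
int decode_entry_jump(const uint8_t *code, size_t len, uint64_t va, uint64_t *target)
{
    int32_t rel;
    if (len >= 5 && code[0] == 0xE9) {                  /* jmp rel32 */
        memcpy(&rel, code + 1, 4);
        *target = va + 5 + (int64_t)rel;
        return 1;
    }
    if (len >= 2 && code[0] == 0xEB) {                  /* jmp rel8 */
        *target = va + 2 + (int64_t)(int8_t)code[1];
        return 1;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) {         /* mov rax, imm64; jmp rax */
        memcpy(target, code + 2, 8);
        return 1;
    }
    return 0;
}

/* A jump that leaves the module owning the function is the finding to review. */
int classify_entry(const uint8_t *code, size_t len, uint64_t va, module_range mod)
{
    uint64_t t;
    if (!decode_entry_jump(code, len, va, &t)) return ENTRY_CLEAN;
    return (t - mod.base < mod.size) ? ENTRY_JUMP_INSIDE : ENTRY_JUMP_OUTSIDE;
}

/* Constructed sample data: a module mapped at 0x10000000, function at +0x1000. */
static const module_range MOD = { 0x10000000u, 0x20000u };
static const uint64_t FUNC_VA = 0x10001000u;
static const uint8_t CLEAN[]  = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const uint8_t HOOKED[] = { 0xE9, 0xFB, 0xEF, 0xFF, 0x59, 0x90 };
static const uint8_t SHORTJ[] = { 0xEB, 0x10, 0x90, 0x90, 0x90, 0x90 };

int main(void) {
    printf("clean=%d hooked=%d short=%d\n", classify_entry(CLEAN, sizeof CLEAN, FUNC_VA, MOD),
           classify_entry(HOOKED, sizeof HOOKED, FUNC_VA, MOD),
           classify_entry(SHORTJ, sizeof SHORTJ, FUNC_VA, MOD));
    return 0;
}
```

An out-of-module jump is a lead rather than a verdict, since instrumentation and security products patch entry points the same way; compare the in-memory bytes with the on-disk image of the DLL before drawing conclusions.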
-
Is it possible by hooking the GetProcAddress() function? Hook GetProcAddress with my myGetProcAddress(). Now myGetProcAddress will be notified on calling GetProcAddress. You can return the address of MyDllThreeFunction on receiving a GetProcAddress() for DllThreeFunction.