Problem with DLL injection and API hooking

    vtorri wrote:

    Hi,

    My purpose is to help the author of mpatrol to make that program as easy to use as valgrind on Windows. So I tried to look at DLL injection and API hooking. I have written a program (named valgrind :p) and a DLL to test those 2 techniques. More precisely, I have:

    • valgrind.exe : the program that will inject the DLL below
    • valgrind.dll : the DLL that will be injected in an executable and that will do API hooking
    • valgrind_test.exe : an executable that calls a function overloaded in valgrind.dll

    I have taken some bits of code here and there on CodeProject. For the DLL injection, I used the VirtualAllocEx() / CreateRemoteThread() technique. For the API hooking, I enumerate all the modules and use ImageDirectoryEntryToData(). Here are the different pieces of code:

    valgrind.c

    #include <stdio.h>
    #include <string.h>

    #include <windows.h>

    #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_SUSPEND_RESUME | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

    typedef HMODULE (*_load_library) (const char *);
    typedef BOOL (*_free_library) (HMODULE);

    typedef struct _Vg Vg;

    struct _Vg
    {
        _load_library ll;
        _free_library fl;

        char *dll_fullname;
        int dll_length;

        struct {
            HANDLE process1;
            HANDLE thread;
            HANDLE process2;
        } child;

        DWORD exit_code; /* actually the base address of the mapped DLL */
    };

    /* Resolve the address of 'symbol' exported by 'module'. */
    FARPROC
    _vg_symbol_get (const char *module, const char *symbol)
    {
        HMODULE mod;
        FARPROC proc;

        printf (" * loading library %s... ", module);
        mod = LoadLibrary(module);
        if (!mod)
        {
            printf("failed\n");
            return NULL;
        }
        printf ("done\n");

        printf (" * retrieving symbol %s... ", symbol);
        proc = GetProcAddress(mod, symbol);
        if (!proc)
        {
            printf("failed\n");
            goto free_library;
        }

        printf ("done\n");

        /* The returned address stays valid only while the module */
        /* remains loaded by other means (true for kernel32.dll). */
        FreeLibrary(mod);

        return proc;

    free_library:
        FreeLibrary(mod);

        return NULL;
    }

    Vg *
    vg_new()
    {
        char buf[MAX_PATH];
        Vg *vg;
        HMODULE kernel32;
        DWORD length;

        /* Check if CreateRemoteThread() is available. */
        /* MSDN suggests to check the availability of a */
        /* function instead of checking the Windows version. */

        kernel32 = LoadLibrary("kernel32.dll");
        if (!kernel32)
        {
            printf("no kernel32.dll found\n");
            return 0;

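
Added example, not part of vtorri's post or the mpatrol code: a portable, bounds-checked lookup of the import data directory, the table an import-based API hook works on and that an integrity check has to locate before it can compare entries. It assumes the directory requested from ImageDirectoryEntryToData() is IMAGE_DIRECTORY_ENTRY_IMPORT (index 1); `pe_import_dir` and `build_sample` are hypothetical names, and the sample image is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers that avoid unaligned access. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Find data directory 1 (imports) of a PE image held in buf[0..len).
 * Returns 0 and fills rva/size, or -1 for a malformed or truncated header. */
int pe_import_dir(const uint8_t *buf, size_t len, uint32_t *rva, uint32_t *size)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);                        /* e_lfanew */
    if (pe > len || len - pe < 26 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    size_t opt = (size_t)pe + 24;                          /* optional header */
    uint16_t opt_size = rd16(buf + pe + 20), magic = rd16(buf + opt);
    size_t dirs = magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0; /* PE32 / PE32+ */
    if (dirs == 0 || opt_size < dirs + 16 || len - opt < dirs + 16) return -1;
    if (rd32(buf + opt + dirs - 4) < 2) return -1;         /* NumberOfRvaAndSizes */
    *rva  = rd32(buf + opt + dirs + 8);                    /* entry 1: VirtualAddress */
    *size = rd32(buf + opt + dirs + 12);                   /* entry 1: Size */
    return 0;
}

/* Constructed sample: a header-only PE32 image whose import directory is
 * set to RVA 0x2000, size 0x28 (values chosen for this example). */
size_t build_sample(uint8_t *buf, size_t cap)
{
    size_t pe = 0x80, opt = pe + 24, total = opt + 224;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "MZ", 2); buf[0x3C] = (uint8_t)pe;
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 20] = 224;                    /* SizeOfOptionalHeader for PE32 */
    buf[opt] = 0x0B; buf[opt + 1] = 0x01;  /* magic 0x10B */
    buf[opt + 92] = 16;                    /* NumberOfRvaAndSizes */
    buf[opt + 96 + 8 + 1] = 0x20;          /* import RVA  = 0x2000 */
    buf[opt + 96 + 12] = 0x28;             /* import size = 0x28 */
    return total;
}

int main(void)
{
    uint8_t img[512];
    uint32_t rva = 0, size = 0;
    int rc = pe_import_dir(img, build_sample(img, sizeof img), &rva, &size);
    printf("rc=%d rva=0x%X size=0x%X\n", rc, (unsigned)rva, (unsigned)size);
    return rc;
}
```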