CreateFile API Hook [modified]

Hey guys, I'm having some issues with an import function hook. Basically when I inject my DLL into the address space of a certain process, and a hook is performed on CreateFile, the process ends up crashing. I am using Daniel Cavalcanti's DLL injection and API Hooking source found on: http://www.planet-source-code.com/vb...=7528&lngWId=3 I think many are familiar with this. The DLL injector works fine. Its properly attached to the process. However, when the program runs, it hooks onto CreateFile, and as you can see in the source below, it writes to a file the value of lpFileName then returns the handle of CreateFile. The filename is written to the text file and is correct, however I get an unhandled exception error after it is returned. You can also see that in Daniel Cavalcanti's API hooking source, he has a parameter for the HookImportedFunction where you have to supply the ordinal of the function. I didnt know what the ordinal of CreateFileA is so I removed that. I know these may be some stupid questions, but I've googled for hours to find some answers or a solution to my problem. 1) Is CreateFileA an import or export function of the Kernel32.dll Module? If its exported then I may have to change the code around a bit. 2) What is it that I could be doing wrong thats causing my program to crash? 3) What would be the ordinal of CreateFileA in Kernel32.dll? I included the source of my DLL for your perusal and hopefully someone can help me out because I have no idea how to fix this. Thanks in advance, Robbie #include <windows.h> #include <Dbghelp.h> #include <fstream> HANDLE hCreateFile(LPCTSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE); HANDLE htstCreateFile(LPCTSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE); PVOID HookImportedFunction(const char *Dll, const char *FuncName, void *Function); DWORD HookGeneralFunction(const char *Dll, const char *FuncName, void *Function, unsigned char *backup); void NumOut(char *format, ...); DWORD createFileAddr=0; BYTE backup[6]; ofstream fout("C:\\dll.txt"); BOOL APIENTRY DllMain( HMODULE hModule, DWORD fwReason, LPVOID lpReserved) { switch (fwReason) { case DLL_PROCESS_ATTACH: { DisableThreadLibraryCalls(hModule); //keeps it from being re-called fout << "In DLL process Attach" << endl; //HookImportedFunction("Kernel32.dll", "Creat

Hi guys, I posted before but looks like that post is long gone. I also didnt describe the problem very well so here i will go at another attempt. I am using DLL Injection to do a system-wide WriteProcessMemory Hook using Microsoft Detours. My hook works, because I get the desired change in the function but there is one problem that I do not understand why it is occuring. Everytime I initiate the hook, explorer.exe seems to crash. That is the only program that crashes and I do not know why. Would anyone know why it would crash? I want to try a different method. Specifically on hooking the export. Would anyone know how I would do a hook on the WriteProcessMemory Export in kernel32? Any help to my two questions would be appreciated. I'll post some code if you need it. Thanks, Robbie

Hi guys, I was wondering, when I do a system-wide WriteProcessMemory Hook it manages to crash Explorer on windows XP. The Hook works the way it supposed to but when the hook is initiated it crashes explorer. Would anyone know the reason why it does that? I'm using the SetWindowsHookEx to do the hook. It works on all my other export functions, but for some reason explorer crashes when I initiate this particular hook. Any help is appreciated. Thanks, Robbie

Thanks Viorel, I'll use that! How do you know so much? ;)

Hi guys, I was wondering how someone would find the Ordinal of an imported function? I am using an API hook function which is below:

PVOID HookImportedFunction(const char *Dll, const char *FuncName, int Ordinal, void *Function)
{
    DWORD oldProtect;
	void *PrevValue=0;

    DWORD image_base = (DWORD)GetModuleHandle(NULL);
    IMAGE_DOS_HEADER *idh = (IMAGE_DOS_HEADER *)image_base;
    IMAGE_FILE_HEADER *ifh = (IMAGE_FILE_HEADER *)(image_base +
        idh->e_lfanew + sizeof(DWORD));
    IMAGE_OPTIONAL_HEADER *ioh = (IMAGE_OPTIONAL_HEADER *)((DWORD)(ifh) +
        sizeof(IMAGE_FILE_HEADER));
    IMAGE_IMPORT_DESCRIPTOR *iid = (IMAGE_IMPORT_DESCRIPTOR *)(image_base +
        ioh->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    VirtualProtect((LPVOID)(image_base +
        ioh->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress),
        ioh->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size, PAGE_READWRITE,
        &oldProtect);

    while(iid->Name)
    {
        if(stricmp(Dll, (char *)(image_base + iid->Name)) == 0)
        {
            //trace_printf("Found descriptor: %s\n", dhook->name);
            IMAGE_THUNK_DATA * pThunk = (IMAGE_THUNK_DATA *)
                ((DWORD)iid->OriginalFirstThunk + image_base);
            IMAGE_THUNK_DATA * pThunk2 = (IMAGE_THUNK_DATA *)
                ((DWORD)iid->FirstThunk + image_base);
            while(pThunk->u1.AddressOfData)
            {
                char * name = 0;
                int ordinal;
                // Imported by ordinal only:
                if(pThunk->u1.Ordinal & 0x80000000)
                    ordinal = pThunk->u1.Ordinal & 0xffff;
                else    // Imported by name, with ordinal hint
                {
                    IMAGE_IMPORT_BY_NAME * pname = (IMAGE_IMPORT_BY_NAME *)
                        ((DWORD)pThunk->u1.AddressOfData + image_base);
                    ordinal = pname->Hint;
                    name = (char *)pname->Name;
                }

                if(name != 0 && FuncName && strcmp(name, FuncName) == 0)
                {
                    //trace_printf("Found entry name: %s\n", ehook->name);
					PrevValue = (void*)pThunk2->u1.Function;
#if _MFC_VER == 0x0600
                    pThunk2->u1.Function = (DWORD*)Function;
#else
                    pThunk2->u1.Function = (DWORD)Function;
#endif
                }
                else if(ordinal == Ordinal)
                {
                    //trace_printf("Found entry

Nice, that fixed it. Thanks for input guys!

Not sure what data you would want to send, but you can use pipes to exchange data. Otherwise if its globally stored data in variables you can update the variables then you can have your own user defined windows messages and send messages to and from each tab window as shown below.

#define UWM_TABPAGE1 WM_APP+1

...


SendMessage(tab1_hwnd, UWM_TABPAGE1, NULL, NULL);

Oh its a DLL Injector. It injects a DLL into an Open process. Here is a piece of the code for the DLL Injector. If there are some functions that appear unfamiliar like GetProcessThreads its because they are ones that creator defined.

bool DLLInject(DWORD pid, const char *path)
{
	//this will go through all TIDs of a process
	//and get one we can use
    DWORD tid[20];
	int inbytes = 20;
	GetProcessThreads(pid, &tid[0], &inbytes);

	if(pid == GetCurrentProcessId())
	{
        NumOut("Process will suspend itself and lock");
		return 0;
	}

	DWORD tiduse=0;
	for(int i=0; i 0x400000)
			{
				tiduse = tid[i];
				break; //one thread is good, break the loop
			}
			//NumOut("%d %X", tid[i], ctx.Eip);
		}
	}

	//do we have a good tid?
	if(!tiduse)
	{
		NumOut("No usable tid found");
		return 0;
	}

	//found a good tid already, now patch
	//excelent patching method

	HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	if(!proc)
		proc = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, pid);

	HANDLE thread = OpenThread(THREAD_ALL_ACCESS, FALSE, tiduse);

	bool ret = WriteMemPatch(proc, thread, path);
	CloseHandle(proc);
	CloseHandle(thread);
	return ret;
}

Hey guys, I'm trying to use OpenThread however I get errors that its an undeclared identifier. I have included windows.h. I know OpenThread is defined in winbase.h however when looking within the header file I can see that the only close resembelence to this is OpenThreadToken which is not what I need. I am also using VC++ 6.0 btw. Does that mean I would have to update my header files? If thats the case would anyone know where the most recent version If I dont have to update my files, would anyone know a way to implement a function similar to OpenThread? Thanks, Robbie -- modified at 0:50 Monday 3rd July, 2006

I've skewed the meaning of "lol" so much that I end up including it in almost every post even if I have a straight face, but if I had to literally have a chuckle at your answer then it would have to be corniest joke I would have ever laughed at ;)

lol I just saw and used that from the MSDN and it worked. Thanks for confirming thats the right one to use!

Hi guys, I am trying to use openprocess however I am running into a few problems. Specifically for the last parameter of the function OpenProcess, I am wondering how would I retreive the process id using hwnd retrieved from FindWindow? I have tried GetProcessId however that doesnt seem to work. I get a compiler error saying that its an undeclared identifier. However I have included windows.h so there should not be any problems. Would anyone know how to get the process id of a window handle? Thanks, Robbie

Yeah I saw that one. I saw all the ones in the code project. I guess the ones I am looking for are using hooks on Windows functions, like hooking OpenProcess, or even Winsock functions like send/recv. Would you know any in that area?

Hey guys, I was wondering if anyone has any good tutorials on Windows Hooks using C++ (non-MFC)? Specifically dealing with remote hooks using DLL injection. I looked on google and the MSDN, but cant find something specific to hooks in purely win32. MSDN has some good tuts but theres a lot of jargon associated with it that I hate reading. If anyone has some I'd love to see it. Thanks, Robbie -- modified at 4:57 Thursday 29th June, 2006

Hey Guys, Using the Win32 API, how do I change the text and color in a button once it is clicked? I have tried looking on MSDN and on google, but the process appears to be more complicated than I believe it seems. I can change the text using SetDlgItemTxt but when using SetTextColor it does not change the color of the text (my guess is that the button is not being redrawn with the new COLORREF parameter). All I picked up from MSDN is that I have to create a new brush, destroy the dialog control, re-create it with the new text in a different color and then destroy the brush. I dont think its that complicated and hopefully someone can steer me on the right path. Thanks, Robbie

SaRath C wrote:

there's might have entries in the DoDataExchange function of deleted resources!

Hey Sarath, Do have any good tuts on how to use it, because msdn doesnt provide a good reference and I tried googling it, and the usage of it is vague. I'm not using MFC, so if there is an alternate way of retreiving the desired output from this function would you know how?

SaRath C wrote:

check for missing resources.

What do you mean? Resources in the preprocesser directives? The debuggers resources? Or somewhere else?

DavidCrow wrote:

Is that F5 or Ctrl+F5?

With F5 I get an access violation. CTRL+F5 produces no run-time error and the program is executed.

DavidCrow wrote:

How can a program run fine but not output the correct results?

It does not fail at run-time, meaning there are no run-time errors, but the results it outputs, say to console, is not whats expected.

Hey guys, When I'm running my debugger, I am getting a strange problem that keeps occuring. If I click run, the debugger follow throughs the whole source code and gives me an access violation of 0xC0000005. If I do a run to cursor, then I am forced by the debugger to provide the location of CRT0.C. The program runs fine without the debugger, just doesnt output the correct results. Would anyone know the reason for that? Thanks Robbie

Hey guys, Thanks for the input. I have a few question though: 1) How would I turn off the pre-compiled headers? Is it just as good as cleaning out the the intermediate and precompiled headers before a build or do I still need to turn them off? 2) I tried including iostream.h and string.h however that doesnt seem to work either. I still receive the same error. 3) As for the unhandled exception, its an access violation with error code: 0xC0000005, but I'm not sure how I would get the call stack. I can see it but windows does not export the log file for it, and I cant copy it from the error report window.