I am trying to learn hooking and want to hook only an .exe's send/recv function.
I'm building the project as a .dll and then injecting it to the .exe
Edit: solved
There are 3 ways of hooking an API call as far as I know:
Inject a DLL in the application that will rewrite the Import Address Table containing the address of the API call, so that the application calls your function instead;
Write a dummy DLL with same name of the DLL with the API call you want to hook and place it in the applications's root directory, so it will load your APIs instead of the system's;
Detour the API call by rewriting it's code with a JMP yourfunc or something with similar effect.
Method 1 is pretty popular one, it's even described in the Wikipedia page about Hooking and in various examples if you Google it, like this one, or this one.
Method 2 is a bit tricky, you have to build a DLL with the same name and exports as the one you're mimicking, and bypass all the functions you're not interested in hooking and write custom code for the one you are. I find this method very clean because you don't have to modify memory, you don't have to explicitly inject this DLL using an external program, Windows just does it for you, and with a plus, it generally fly under the radar of anti-debug and anti-hack detection. Here is an example of how to do that (32-bit).
Method 3 is Microsoft's favorite. It has a particularly good advantage: You can hook any and every function, method, or virtual calls. It doesn't depend on the function being called externally to hook it, so it's very popular to hook DirectX methods for instance. This is the method used by FRAPS, Discord Overlay, Overwolf Overlay and pretty much every other software that either places an overlay in games or records gameplay. You don't need to use Microsoft Detours specifically, there's the generic alternative aswell.
Related
I have an application developed in VB 6.0. I don't have access to its code. This application also exposes its functionality through certain API provided in its dlls. Is there a way for me to check what methods of the API the consumers of this application's API are calling across anywhere the API is deployed. I want a C# program to just sit in that target environment and intercept the calls made to that API and report it back to my service via a service. I wont be modifying the API or the code calling the API. Is this possible in C# or would I need to go with C++?
Update
Lets say for sake of simplicity, that its a simple VB application developed in VB 6 called SimpleAPP, and it has a button that displays records in a grid. It does this by calling a component CMPA.dll with a public method GetRecords(string ID) which returns an Array of records. I have another few applications called CustomerApp.exe and AnotherCustomerApp.exe which also have a reference to CMPA.dll and they both calls this same method to get the records. Now, I want to develop a program called Interceptor.exe that will actually sit in the environment where CustomerApp and AnotherCustomerApp is deployed and will log internally which of these two applications called that CMPA dll's public method GetRecords and also log what parameter it sent in and what results were retrieved.
I had to google to find the library that was on the tip of my tongue.
That googling turned up some interesting articles: a new to me 1999 Microsoft Research article called “Intercepting and Instrumenting COM Applications” and an Microsoft Systems Journal article from january 1999 that I do remember, “Building a Lightweight COM Interception Framework”.
The library you want is probably Microsoft Detours. I have only used it from C++, not from C#, and I have only used it for intercepting calls to Windows API functions, not COM methods, so I can’t guarantee that it’s well suited. But it's not exactly rocket science to interface these two languages, if needed.
If Detours doesn’t turn out to fill your needs, then look at the articles cited. Quite possibly they resulted in some framework you can use. And otherwise they have the information you need to build your own. You might then also check out if ParkPlace ever made what you want. There was once great interest in “cross concern“ functionality, and ParcPlace did some of the most interesting research, as I recall.
I am new to .Net and hitting the brick wall trying to resolve this....
Having done enough googling for the past few days I've come across nothing but some vague (at lease for me) C# related info
Basically, I am trying to set up a few global hooks to carry out certain automation process. Since the development environment is VS2008 C++ windows forms, I started by compiling a native Dll to be injected by the calling prog. The strategy being for the callback proc in native dll calling a function in .Net program (or maybe a wrapper managed dll), passing the filtered raw data (keyboard/mouse/WM_create/etc) messages for further processing.
Question: How do I pass on the handle of such function(s) to my injected dll?
Is the managed wrapper dll path an easier choice or simply have the managed & native functions residing side by side in the main application?
I'll have to do a lot of Marshalling which is yet another dark side of the matter. Is there a link to precise documentation/examples of marshalling functions?
I thank you for your help in advance.
Mark
Have a look at 'Marshal.GetFunctionPointerForDelegate'
I'd like to keep track of the ActiveX controls created by some process. To simplify the problem, I'd first like to monitor the current process only. I want to do this so that I can check whether any ActiveX control supports IOleWindow and if so, whether a given HWND belongs to that ActiveX control (so that I can map HWNDs to ActiveX controls).
Does anybody have experience with this? My first idea was to use API hooking to monitor CoCreateInstance invocations, but I read that this doesn't work in all cases. Some Google research revealed http://www.pocketsoap.com/sf/activation.html which talks about installing a custom class factory - how would this work?
You may find you can find out what you need to know using the UI Automation and Active Accessibility APIs:
http://msdn.microsoft.com/en-us/library/dd317978(VS.85).aspx
If you are sure you need to do this, be aware of the following. CoCreateInstance is essentially a convenience function, which wraps CoGetClassObject and IClassObject::CreateInstance.
If you are going to use that technique you will therefore have to hook CoGetClassObject too, as the process may use it directly.
And of course there is no law saying any library or DLL cannot provide it's own convenience functions which bypass the COM registry altogether. The registry itself is a convenience - if you know where the DLL is you can use LoadLibrary, GetProcAddress to find DllGetClassObject and retrieve the class object without involving the COM libraries, and indeed without the DLL being registered at all.
I ended up hooking CoCreateInstance and CoGetClassObject to track all COM objects being created.
I'm trying to understand event hooks in C++. I know what an event is, I've used them a lot in Java, C# and Javascript.
What I'm having trouble with is finding the documentation, and tutorials on stuff like global hooks, dll injection, global hooks without a DLL.
Lets say that I wanted to iterate through the browser tabis in FireFox .. would I need to hope that FireFox has an API for C++? Or lets say I wanted to do something when a user opens a new tab would I need to use a hook that FireFox would provide in their API?
The above is just an example so people know what I'm trying to learn/understand. Am I thinking on the right ines?
I seen a post on a forum and for the past 2 hours I've took an interest. I always say that a tricky challange, or a new challange, makes a stronger programmer.
Any resources, or any help, would be very much appreciated.
C++ itself does not have events or hooks, but a lot of C++ libraries and frameworks implement them. For an example of generic events library, see Boost.Signals.
Some of the implementations allow their events to be seen by other applications, but the API is application-specific (e.g. for Firefox, see XPCOM).
Windows has a mechanizm of hooks that allows to monitor various events in its windowing system. However, it is an OS feature, not related to C++. As it's a system mechanizm, all Windows applications are affected even if they don't do anything for it. The documentation for Windows hooks can be found here. Also, since you mentioned "global hooks without a DLL", see SetWinEventHook, which is a higher-level API than Windows hooks linked above and can be used with hook functions both implemented in DLLs or EXEs.
Look up MSDN for SetWindowsHookEx. It should be your entrance in Windows hooks. If you ar etargetting a parituclar window for mthe system then a less intrusive option is SetWindowLongPtr. For the first API you are going to need some Dll injection - which gets automatically for you by the system. Just follow these steps:
Create a Dll that exports a HOOKPROC function (actual type dependent upon the hook tpe - read in the docs)
Load that Dll in your application and retrieve a pointer to the HOOKPROC function. LoadLibrary / GetProcAddress APIs may be used for this.
From your application, make a call to SetWindowsHookEx feeding in the appropriate parameters - this will inject the dll in the target process. So, the dll is now loaded into both your app's process and in the target process. So you will need a mechanism to IPC between the two processes probably. Lots of ways here - sockets, pipes, shared segment in DLL, filesystem, windows messages, COM servers + events, etc etc.
The former API, while less powerful, does not require DLL injection.
Choose wisely & good luck!
I dont think firefox would be having a C++ aPI to find the open tabs....
If you want to find out open tabs or whenever a new tab is open , you can basically hook the firefox window and get all events happening on that window to your hook procedure.
If you open spy++ in VC++ and track firefox window , you can see a new MozillaContentWindowClass gets created every time whenever a new tab is opened. So you can basically iterate through window handles and get information about open tabs.
You can use SetWindowLongPtr to set the subclass procedure for that window.
What is API interception
When is it used
How to implement it in C++
API interception is intercepting calls to a given DLL and re-directing them through your code.
It is generally used to override some functionality provided by a DLL. An example is for adding a logo to a DirectX based game.
How to implement it? Thats a complicated one and it depends on what sort of DLL you are trying to intercept. You may want do look around here and the net about "DLL Injection" or "API hooking".
e.g 'Safe' DLL Injection
or http://www.codeproject.com/KB/system/hooksys.aspx