We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now


How to use Windows' undocumented API?

chengyan asked
Medium Priority
Last Modified: 2013-12-03

I've learnt an undocumented API, AllocCStoDSAlias,from an article which
is used to spawn a CS to DS segment value, so as I can use it to write to
the code memory.

I know its declaration and usage, but I just can't make it linked successfully
in VC++5, for I don't know where this undocumented API comes from which
DLL/EXE, so how can I link it to my code?

Or perhaps how can I use thoese undocumented APIs? What lib should I link
to? Or are they coming from a KERNEL/GDI/USER?

Watch Question

Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

This function is available only to a 16 bit program.  (and is documented for a 16 bit program).  It cannot be used from a 32 bit program.  It makes no sense in a 32 bit environment.  VC 5 only produces 32 bit code, so there is no reason for you to be using it.

You can use VirtualProtect() to perform the same sort of function in the 32 bit world.


Thanks for your kind answer. However, I tried  to use VirtualProtect API, but it always returns zero(that is, failed). What kind of memory address does it work on? Any sample code?


You know you accepted Galkin's answer not mine.

This is not going to be too similar to the sample code you have.  This is an area where the 16 bit and 32 bit design is very different.  for one thing the 16 bit code probably alloacted memory using GlobalAlloc.  In 32 bits the memory has to be allocated using VirtualAlloc().  

nietod, I can post dummy question so you can post empty answer. I will accept it and give you points. It's Ok?

Tha's alright.  I just wanted chengyan to be more careful in the future.


Hi,   galkin and nietod,

I must admit this  was  the first time I used this site to post questions, and I was not  very familiar with the  credit points stuff.  In fact I indeed wanted to give both of your my points,  but I don't know how to do this, when I hit the "submit' button, it said all points went to galkin, is there a way to accept answers from up to one persons?

Though your answers were very informative till this moment, I must say that they don't help much with my problem. Maybe I posted my question too briefly. In fact, what  I want to do is to capture a Windows95 api call in my program. I've seen a utitlity on a site, which seemed very useful to me, but unfortunately it's for Mac!  So  I decide to make one for win95. After some tiresome  investigation, I found out that the only way to achieve the function of that utility is to replace a win95 system API with one of my own. So I think maybe I can get that API's entry address, and replace it with one which points to my own function, and in my own function, I could  do some stuff before pass back the control to the original win95 system api.

I must admit I've never program this low level  under win95, so I think i need help on how to do this. For instance, many applications will call MessageBox api of win95, now how can I replace this api with one of my own functions, which could do some stuff before calling the real messagebox api, so that whenever an application  calls MessageBox, it should first call my own hook function.

I know this is  possible under win31, though I am not very sure of how to do it, but I don't know whether this is possible under win95? Because the api function I wish to replace is pure 32bit api, am I able to do this?

Now I have only 10 points left after accepting galkin's answer, I don't know how to give you these points once you answer me.

Any of you could help me about this?


>>So I think maybe I can get that API's entry address, and replace it with
>> one which points to my own function, and in my own function, I could  
>> do some stuff before pass back the control to the original win95
>> system api.

You can't "patch" code in windows like that.  It a protected mode environment and will not allow you to alter code pages.  Especially OS code.  There are extremely cumbersome ways of achieving this however.  But before we discuss that, what is the end goal you want to reach.  There is probably a better way.


Well, thanks again for your comments, nietod.

In fact, the real APIs that I wished to rewrite are GetOpenFileName and GetSaveFileName. I wish to replace the default Open/Save dialog boxes with ones of my own, which will add more features. I know both two functions are located in COMDLG32.DLL, and I even tried to rewrite a new DLL replacing the win95's original one, but with no luck. I recompiled my new DLL via including the commdlg.h, and exporting all functions in it and these functions will just call the orginal apis in COMDLG32.DLL. So I renamed the win95's COMDLG32.DLL to another name, and named my DLL as  COMDLG32.DLL. And my test result is that the applications(such as Notepad, Wordpad,etc.) could load my new DLL all right, but when it comes to call the functions in it, the win95 just stop responding. So I think there might also be some misbehavior with parameters passing. But I am not sure. Or maybe there're any undocumented APIs hidden in COMDLG32.DLL which I don't know how to export?

I compiled the DLL using Delphi and also VC5, but none of the output of the both compilers just worked as win95's original COMDLG32.DLL does. What is COMDLG32.DLL made in? VC or Assembler?

If I can't replace the win95's api, why some of cracking tools can? They can monitor win95's api calls, and certainly have no difficulty to write to the code memory. How do they make it?

Any bettwer way out?

I doubt that has to do with "undocumented APIs hidden in COMDLG32.DLL which" You just need to make sure that you export every function that the original ComDlg32.dll exported AND you must make sure the exports are in the right order.  Some applications/DLLs might import by ordinal rather than by name, so if you change the order of the exports, you will cause problems.

As to "misbehavior with parameters passing" you must make sure that the functions that you aren't implimenting specially, are declared with the same parameters as the originals and just call the originals with the same parameters.

>> If I can't replace the win95's api, why some of cracking tools can? They can monitor win95's api calls, and certainly have no difficulty to write to the code memory. How do they make it?

I beleive there are some debugging API's that can give you access to the OS's code pages.  But those are not intended for use in a regular application.  They would allow your application to crash other programs and the system.

Your idea is possible, there is a way to change the dll's proc address once the dll is loaded. I write my software in Delphi so my source isn't valid for you (I also no longer have the source), but it IS possible.

This question is 5 years old.  I don't think chengyan has been waiting all this time for an answer.

Yes, but the information should be complete and correct so others can see it. I came across this page via google.

Well, how do you do it then?   The solution would have nothing to do with language (delphi vs C++) It is purely a windows OS issue.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.