Solved

How to use Windows' undocumented API?

Posted on 1998-06-13
Last Modified: 2013-12-03
Hi,

I've learnt of an undocumented API, AllocCStoDSAlias, from an article. It
is used to spawn a CS-to-DS segment value, so that I can use it to write to
the code memory.

I know its declaration and usage, but I just can't get it linked successfully
in VC++5, for I don't know which DLL/EXE this undocumented API comes from,
so how can I link it to my code?

Or perhaps, how can I use those undocumented APIs? What lib should I link
to? Or do they come from KERNEL/GDI/USER?

Thanks
Chengyan
checcy@public.hr.hl.cn
Question by:chengyan
15 Comments
 
LVL 7

Accepted Solution

by:
galkin earned 200 total points
ID: 1407683
You first need to locate the DLL or EXE that exports this function. If you don't know it, the only way is to examine each system DLL and EXE for an export of that function with a tool such as dumpbin, quick viewer or Dependency Walker. If this is an undocumented API it is unlikely to be included in a lib file, and its declaration is unlikely to be found in an h file, so you probably need to dynamically resolve its address with GetProcAddress and then use it via a pointer. If you know its declaration and name you can perform the appropriate cast on the pointer returned by GetProcAddress.
 
LVL 22

Expert Comment

by:nietod
ID: 1407684
This function is available only to a 16-bit program (and is documented for a 16-bit program). It cannot be used from a 32-bit program. It makes no sense in a 32-bit environment. VC 5 only produces 32-bit code, so there is no reason for you to be using it.
 
LVL 22

Expert Comment

by:nietod
ID: 1407685
You can use VirtualProtect() to perform the same sort of function in the 32-bit world.
 

Author Comment

by:chengyan
ID: 1407686
Thanks for your kind answer. However, I tried to use the VirtualProtect API, but it always returns zero (that is, failed). What kind of memory address does it work on? Any sample code?

Thanks
 
LVL 22

Expert Comment

by:nietod
ID: 1407687
You know you accepted Galkin's answer not mine.

This is not going to be too similar to the sample code you have. This is an area where the 16-bit and 32-bit designs are very different. For one thing, the 16-bit code probably allocated memory using GlobalAlloc. In 32 bits the memory has to be allocated using VirtualAlloc().
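The 32-bit pattern nietod is pointing at, as an added example rather than code from the thread: instead of a CS-to-DS alias you change the protection of the page that holds the target bytes, write, and put the protection back. The helper below wraps VirtualProtect on Windows and, so that it can also be built and run on a non-Windows machine, mprotect elsewhere; the names patch_bytes, demo_patch and page_size are this example's own. The check a practitioner wants is in the comments: the range handed to the OS has to be page-aligned and every page in it has to be committed, otherwise VirtualProtect returns zero, which is the failure chengyan reports.

```c
/* Added example, not from the original thread. Make a code page writable,
 * write into it, restore the protection. Windows: VirtualProtect; POSIX:
 * mprotect (used here only so the example runs outside Windows). */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

static size_t page_size(void)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    return si.dwPageSize;
#else
    return (size_t)sysconf(_SC_PAGESIZE);
#endif
}

/* Overwrite n bytes at target even if it lies in a read-only or execute-only
 * page. The range passed to the OS must be page-aligned and fully committed;
 * VirtualProtect returns 0 otherwise (GetLastError() says why, typically
 * ERROR_INVALID_ADDRESS for an uncommitted page). Returns 0 on success. */
int patch_bytes(void *target, const void *bytes, size_t n)
{
    size_t ps = page_size();
    uintptr_t start = (uintptr_t)target & ~(uintptr_t)(ps - 1);
    uintptr_t end = ((uintptr_t)target + n + ps - 1) & ~(uintptr_t)(ps - 1);
    size_t len = (size_t)(end - start);
#ifdef _WIN32
    DWORD old, tmp;
    if (!VirtualProtect((LPVOID)start, len, PAGE_EXECUTE_READWRITE, &old))
        return -1;
    memcpy(target, bytes, n);
    FlushInstructionCache(GetCurrentProcess(), target, n);
    VirtualProtect((LPVOID)start, len, old, &tmp);  /* restore the original protection */
#else
    /* POSIX returns no "old protection", so this assumes the target was a
     * code page (read + execute) and restores that. */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE) != 0)
        return -1;
    memcpy(target, bytes, n);
#if defined(__GNUC__)
    __builtin___clear_cache((char *)target, (char *)target + n);
#endif
    if (mprotect((void *)start, len, PROT_READ | PROT_EXEC) != 0)
        return -1;
#endif
    return 0;
}

/* Self-check: allocate a page, fill it with x86 NOPs, make it read+execute as a
 * stand-in for OS code, then plant a 5-byte JMP rel32 at offset 16. Returns 0
 * when the patch reads back and the neighbouring bytes are untouched. */
int demo_patch(void)
{
    const unsigned char jmp_rel32[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
    size_t ps = page_size();
    int rc;
#ifdef _WIN32
    DWORD old;
    unsigned char *page = VirtualAlloc(NULL, ps, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!page) return -1;
    memset(page, 0x90, ps);
    if (!VirtualProtect(page, ps, PAGE_EXECUTE_READ, &old)) return -1;
#else
    unsigned char *page = mmap(NULL, ps, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memset(page, 0x90, ps);
    if (mprotect(page, ps, PROT_READ | PROT_EXEC) != 0) return -1;
#endif
    rc = patch_bytes(page + 16, jmp_rel32, sizeof jmp_rel32);
    if (rc == 0 && memcmp(page + 16, jmp_rel32, sizeof jmp_rel32) != 0) rc = -2;
    if (rc == 0 && (page[15] != 0x90 || page[21] != 0x90)) rc = -3;
#ifdef _WIN32
    VirtualFree(page, 0, MEM_RELEASE);
#else
    munmap(page, ps);
#endif
    return rc;
}

int main(void)
{
    int rc = demo_patch();
    printf("demo_patch: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The target does not have to come from VirtualAlloc: any committed page works, including the .text of a loaded DLL, which is how a hook's JMP gets planted in practice. What fails is passing an address in reserved-but-uncommitted or unmapped memory, or a length that reaches past the region. Writing into a system DLL's code affects only the writing process's private copy-on-write copy of the page, and it remains a good way to crash that process if the bytes or the jump target are wrong.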
 
LVL 7

Expert Comment

by:galkin
ID: 1407688
nietod, I can post dummy question so you can post empty answer. I will accept it and give you points. It's Ok?
 
LVL 22

Expert Comment

by:nietod
ID: 1407689
That's alright. I just wanted chengyan to be more careful in the future.

Author Comment

by:chengyan
ID: 1407690
Hi,   galkin and nietod,

I must admit this was the first time I used this site to post questions, and I was not very familiar with the credit points stuff. In fact I indeed wanted to give both of you my points, but I don't know how to do this; when I hit the "submit" button, it said all points went to galkin. Is there a way to accept answers from more than one person?

Though your answers were very informative up to this moment, I must say that they don't help much with my problem. Maybe I posted my question too briefly. In fact, what I want to do is to capture a Windows95 API call in my program. I've seen a utility on a site which seemed very useful to me, but unfortunately it's for Mac! So I decided to make one for win95. After some tiresome investigation, I found out that the only way to achieve the function of that utility is to replace a win95 system API with one of my own. So I think maybe I can get that API's entry address and replace it with one which points to my own function, and in my own function I could do some stuff before passing back control to the original win95 system API.

I must admit I've never programmed at this low a level under win95, so I think I need help on how to do this. For instance, many applications will call the MessageBox API of win95; now how can I replace this API with one of my own functions, which could do some stuff before calling the real MessageBox API, so that whenever an application calls MessageBox, it first calls my own hook function?

I know this is possible under win31, though I am not very sure of how to do it, but I don't know whether this is possible under win95. Because the API function I wish to replace is a pure 32-bit API, am I able to do this?

Now I have only 10 points left after accepting galkin's answer, I don't know how to give you these points once you answer me.

Any of you could help me about this?

Thanks,
Chengyan
 
LVL 22

Expert Comment

by:nietod
ID: 1407691
>>So I think maybe I can get that API's entry address, and replace it with
>> one which points to my own function, and in my own function, I could  
>> do some stuff before pass back the control to the original win95
>> system api.

You can't "patch" code in windows like that. It is a protected-mode environment and will not allow you to alter code pages, especially OS code. There are extremely cumbersome ways of achieving this, however. But before we discuss that, what is the end goal you want to reach? There is probably a better way.
 

Author Comment

by:chengyan
ID: 1407692
Well, thanks again for your comments, nietod.

In fact, the real APIs that I wished to rewrite are GetOpenFileName and GetSaveFileName. I wish to replace the default Open/Save dialog boxes with ones of my own, which will add more features. I know both functions are located in COMDLG32.DLL, and I even tried to write a new DLL replacing win95's original one, but with no luck. I compiled my new DLL including commdlg.h, exporting all the functions in it, and these functions just call the original APIs in COMDLG32.DLL. So I renamed win95's COMDLG32.DLL to another name, and named my DLL COMDLG32.DLL. My test result is that the applications (such as Notepad, Wordpad, etc.) could load my new DLL all right, but when it comes to calling the functions in it, win95 just stops responding. So I think there might also be some misbehavior with parameter passing. But I am not sure. Or maybe there are some undocumented APIs hidden in COMDLG32.DLL which I don't know how to export?

I compiled the DLL using Delphi and also VC5, but the output of neither compiler worked as win95's original COMDLG32.DLL does. What is COMDLG32.DLL made in? VC or Assembler?

If I can't replace win95's API, why can some cracking tools? They can monitor win95's API calls, and certainly have no difficulty writing to code memory. How do they do it?

Any better way out?
 
LVL 22

Expert Comment

by:nietod
ID: 1407693
I doubt that has to do with "undocumented APIs hidden in COMDLG32.DLL which". You just need to make sure that you export every function that the original ComDlg32.dll exported AND you must make sure the exports are in the right order. Some applications/DLLs might import by ordinal rather than by name, so if you change the order of the exports, you will cause problems.

As to "misbehavior with parameter passing", you must make sure that the functions that you aren't implementing specially are declared with the same parameters as the originals and just call the originals with the same parameters.

>> If I can't replace win95's API, why can some cracking tools? They can monitor win95's API calls, and certainly have no difficulty writing to code memory. How do they do it?

I believe there are some debugging APIs that can give you access to the OS's code pages. But those are not intended for use in a regular application. They would allow your application to crash other programs and the system.
 

Expert Comment

by:gnif
ID: 8206986
Your idea is possible, there is a way to change the dll's proc address once the dll is loaded. I write my software in Delphi so my source isn't valid for you (I also no longer have the source), but it IS possible.
 
LVL 22

Expert Comment

by:nietod
ID: 8209617
This question is 5 years old. I don't think chengyan has been waiting all this time for an answer.
 

Expert Comment

by:gnif
ID: 8213917
Yes, but the information should be complete and correct so others can see it. I came across this page via google.
 
LVL 22

Expert Comment

by:nietod
ID: 8214334
Well, how do you do it then? The solution would have nothing to do with language (Delphi vs C++). It is purely a Windows OS issue.