Solved

How to use Windows' undocumented API?

Posted on 1998-06-13
539 Views
Last Modified: 2013-12-03
Hi,

I've learnt about an undocumented API, AllocCStoDSAlias, from an article. It
is used to spawn a DS segment value from a CS one, so that I can use it to write to
code memory.

I know its declaration and usage, but I just can't get it to link successfully
in VC++5, because I don't know which DLL/EXE this undocumented API comes from.
So how can I link it into my code?

Or perhaps, how can I use those undocumented APIs? What lib should I link
to? Or do they come from KERNEL/GDI/USER?

Thanks
Chengyan
checcy@public.hr.hl.cn
Question by:chengyan
15 Comments
 
LVL 7

Accepted Solution

by: galkin (earned 200 total points)
ID: 1407683
You first need to locate the DLL or EXE that exports this function. If you don't know it, the only way is to examine each system DLL and EXE for an exported function, with a tool such as dumpbin, quick viewer or Dependency Walker. If this is an undocumented API it is unlikely to be included in a lib file, and its declaration is unlikely to be found in an h file, so you probably need to dynamically resolve its address with GetProcAddress and then use it via a pointer. If you know its declaration and name you can perform the appropriate cast on the pointer returned by GetProcAddress.
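Galkin's advice above, resolving the export at run time and casting the returned address to the prototype you already know, as an added example (this is not code from the thread). To run on any host it wraps LoadLibraryA/GetProcAddress on Windows and the POSIX equivalents dlopen/dlsym elsewhere; the module names returned by math_library() and the choice of the C runtime's cos() as a stand-in for the export you are after are assumptions made for the demonstration. The point it makes is the one galkin's answer implies: the lookup can fail (wrong module, or a name the module does not export), so the pointer must be checked before it is called.

```c
#include <stdio.h>

#ifdef _WIN32
#  include <windows.h>
typedef HMODULE lib_handle;
#else
#  include <dlfcn.h>
typedef void *lib_handle;
#endif

/* Load a module by name: LoadLibraryA on Windows, dlopen elsewhere. */
static lib_handle lib_open(const char *name)
{
#ifdef _WIN32
    return LoadLibraryA(name);
#else
    return dlopen(name, RTLD_NOW);
#endif
}

/* Look an export up by name: GetProcAddress on Windows, dlsym elsewhere.
   Returns NULL when the module does not export that name. */
static void *lib_sym(lib_handle h, const char *symbol)
{
#ifdef _WIN32
    return (void *)GetProcAddress(h, symbol);
#else
    return dlsym(h, symbol);
#endif
}

static void lib_close(lib_handle h)
{
#ifdef _WIN32
    FreeLibrary(h);
#else
    dlclose(h);
#endif
}

/* The prototype we know for the export we want (here the C runtime's cos). */
typedef double (*cos_fn)(double);

/* Module that exports cos() on each platform (assumed names, for the demo). */
const char *math_library(void)
{
#if defined(_WIN32)
    return "msvcrt.dll";
#elif defined(__APPLE__)
    return "libSystem.B.dylib";
#else
    return "libm.so.6";
#endif
}

/* 0 = resolved, 1 = module not found, 2 = module loaded but no such export. */
int resolve_status(const char *module, const char *symbol)
{
    lib_handle h = lib_open(module);
    if (!h) return 1;
    int rc = lib_sym(h, symbol) ? 0 : 2;
    lib_close(h);
    return rc;
}

/* Resolve cos at run time, cast the address to the known prototype and call
   it; returns `fallback` if the lookup fails rather than calling a NULL pointer. */
double resolved_cos(double x, double fallback)
{
    lib_handle h = lib_open(math_library());
    if (!h) return fallback;
    cos_fn f = (cos_fn)lib_sym(h, "cos");  /* the cast galkin describes */
    double r = f ? f(x) : fallback;
    lib_close(h);
    return r;
}

int main(void)
{
    printf("cos(0) via run-time lookup = %f\n", resolved_cos(0.0, -1.0));
    printf("status of unknown export: %d\n",
           resolve_status(math_library(), "no_such_export"));
    return 0;
}
```

On older glibc builds the POSIX branch needs `-ldl` at link time; newer glibc and musl ship dlopen in libc.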
 
LVL 22

Expert Comment

by:nietod
ID: 1407684
This function is available only to a 16-bit program (and is documented for a 16-bit program). It cannot be used from a 32-bit program; it makes no sense in a 32-bit environment. VC 5 only produces 32-bit code, so there is no reason for you to be using it.
 
LVL 22

Expert Comment

by:nietod
ID: 1407685
You can use VirtualProtect() to perform the same sort of function in the 32-bit world.
 

Author Comment

by:chengyan
ID: 1407686
Thanks for your kind answer. However, I tried to use the VirtualProtect API, but it always returns zero (that is, it fails). What kind of memory address does it work on? Any sample code?

Thanks
 
LVL 22

Expert Comment

by:nietod
ID: 1407687
You know you accepted Galkin's answer not mine.

This is not going to be too similar to the sample code you have. This is an area where the 16-bit and 32-bit designs are very different. For one thing, the 16-bit code probably allocated memory using GlobalAlloc. In 32 bits the memory has to be allocated using VirtualAlloc().
 
LVL 7

Expert Comment

by:galkin
ID: 1407688
nietod, I can post a dummy question so you can post an empty answer. I will accept it and give you points. Is that OK?
 
LVL 22

Expert Comment

by:nietod
ID: 1407689
That's alright. I just wanted chengyan to be more careful in the future.
 

Author Comment

by:chengyan
ID: 1407690
Hi galkin and nietod,

I must admit this was the first time I used this site to post questions, and I was not very familiar with the credit points stuff. In fact I wanted to give both of you my points, but I didn't know how to do this; when I hit the "submit" button, it said all points went to galkin. Is there a way to accept answers from more than one person?

Though your answers were very informative up to this point, I must say that they don't help much with my problem. Maybe I posted my question too briefly. In fact, what I want to do is to capture a Windows 95 API call in my program. I've seen a utility on a site which seemed very useful to me, but unfortunately it's for Mac! So I decided to make one for Win95. After some tiresome investigation, I found out that the only way to achieve the function of that utility is to replace a Win95 system API with one of my own. So I think maybe I can get that API's entry address and replace it with one which points to my own function, and in my own function I could do some stuff before passing control back to the original Win95 system API.

I must admit I've never programmed at this low a level under Win95, so I think I need help on how to do this. For instance, many applications call the MessageBox API of Win95; now how can I replace this API with one of my own functions, which could do some stuff before calling the real MessageBox API, so that whenever an application calls MessageBox, it first calls my own hook function?

I know this is possible under Win31, though I am not very sure how to do it, but I don't know whether this is possible under Win95. Because the API function I wish to replace is a pure 32-bit API, am I able to do this?

Now I have only 10 points left after accepting galkin's answer; I don't know how to give you these points once you answer me.

Could any of you help me with this?

Thanks,
Chengyan
 
LVL 22

Expert Comment

by:nietod
ID: 1407691
>>So I think maybe I can get that API's entry address, and replace it with
>> one which points to my own function, and in my own function, I could  
>> do some stuff before pass back the control to the original win95
>> system api.

You can't "patch" code in Windows like that. It's a protected-mode environment and will not allow you to alter code pages, especially OS code. There are extremely cumbersome ways of achieving this, however. But before we discuss that, what is the end goal you want to reach? There is probably a better way.
 

Author Comment

by:chengyan
ID: 1407692
Well, thanks again for your comments, nietod.

In fact, the real APIs that I wished to rewrite are GetOpenFileName and GetSaveFileName. I wish to replace the default Open/Save dialog boxes with ones of my own, which will add more features. I know both functions are located in COMDLG32.DLL, and I even tried to write a new DLL replacing Win95's original one, but with no luck. I compiled my new DLL including commdlg.h and exporting all the functions in it, and these functions just call the original APIs in COMDLG32.DLL. Then I renamed Win95's COMDLG32.DLL to another name and named my DLL COMDLG32.DLL. My test result is that the applications (such as Notepad, Wordpad, etc.) could load my new DLL all right, but when it comes to calling the functions in it, Win95 just stops responding. So I think there might also be some misbehavior with parameter passing. But I am not sure. Or maybe there are some undocumented APIs hidden in COMDLG32.DLL which I don't know how to export?

I compiled the DLL using Delphi and also VC5, but neither compiler's output worked as Win95's original COMDLG32.DLL does. What is COMDLG32.DLL made in? VC or assembler?

If I can't replace Win95's APIs, why can some cracking tools? They can monitor Win95's API calls, and certainly have no difficulty writing to code memory. How do they do it?

Any better way out?
 
LVL 22

Expert Comment

by:nietod
ID: 1407693
I doubt that has to do with "undocumented APIs hidden in COMDLG32.DLL". You just need to make sure that you export every function that the original ComDlg32.dll exported AND you must make sure the exports are in the right order. Some applications/DLLs might import by ordinal rather than by name, so if you change the order of the exports, you will cause problems.

As to "misbehavior with parameter passing": you must make sure that the functions that you aren't implementing specially are declared with the same parameters as the originals and just call the originals with the same parameters.

>> If I can't replace Win95's APIs, why can some cracking tools? They can monitor Win95's API calls, and certainly have no difficulty writing to code memory. How do they do it?

I believe there are some debugging APIs that can give you access to the OS's code pages. But those are not intended for use in a regular application. They would allow your application to crash other programs and the system.
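The export-table point nietod makes, that importers may bind by ordinal so a replacement DLL must keep the original export order, as an added example (not code from the thread). It walks a PE export directory the way dumpbin or Dependency Walker would, resolving a function both by name and by ordinal. The image it parses is a constructed byte buffer laid out like an export section, not a real COMDLG32.DLL; the names are three real COMDLG32 exports, and the RVAs 0x1000/0x2000/0x3000 are placeholders for their code. With `reordered` set, the function table is rebuilt in a different order: name lookups still land on the right code, but an importer bound to ordinal 1 now receives a different function, which is the failure nietod describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as the PE IMAGE_EXPORT_DIRECTORY (40 bytes, little-endian). */
typedef struct {
    uint32_t characteristics, time_date_stamp;
    uint16_t major_version, minor_version;
    uint32_t name_rva, ordinal_base, number_of_functions, number_of_names;
    uint32_t address_of_functions, address_of_names, address_of_name_ordinals;
} export_directory;

/* Bounds-checked reads; an RVA is an offset from the start of the mapped image. */
static int rd32(const uint8_t *img, size_t len, uint32_t rva, uint32_t *out)
{
    if ((size_t)rva + 4 > len) return 0;
    memcpy(out, img + rva, 4);
    return 1;
}
static int rd16(const uint8_t *img, size_t len, uint32_t rva, uint16_t *out)
{
    if ((size_t)rva + 2 > len) return 0;
    memcpy(out, img + rva, 2);
    return 1;
}
static int read_dir(const uint8_t *img, size_t len, uint32_t dir_rva, export_directory *d)
{
    if ((size_t)dir_rva + sizeof *d > len) return 0;
    memcpy(d, img + dir_rva, sizeof *d);
    return 1;
}

/* Import by ordinal: index straight into AddressOfFunctions. 0 = not found. */
uint32_t export_by_ordinal(const uint8_t *img, size_t len, uint32_t dir_rva, uint32_t ordinal)
{
    export_directory d;
    uint32_t fn = 0;
    if (!read_dir(img, len, dir_rva, &d) || ordinal < d.ordinal_base) return 0;
    uint32_t idx = ordinal - d.ordinal_base;
    if (idx >= d.number_of_functions) return 0;
    return rd32(img, len, d.address_of_functions + 4 * idx, &fn) ? fn : 0;
}

/* Import by name: find the name, take the parallel AddressOfNameOrdinals entry
   (a function-table index, not an ordinal), then resolve through the function table. */
uint32_t export_by_name(const uint8_t *img, size_t len, uint32_t dir_rva, const char *name)
{
    export_directory d;
    if (!read_dir(img, len, dir_rva, &d)) return 0;
    for (uint32_t i = 0; i < d.number_of_names; i++) {
        uint32_t name_rva;
        uint16_t idx;
        if (!rd32(img, len, d.address_of_names + 4 * i, &name_rva) || name_rva >= len) return 0;
        if (!memchr(img + name_rva, 0, len - name_rva)) return 0;  /* unterminated string */
        if (strcmp((const char *)img + name_rva, name) != 0) continue;
        if (!rd16(img, len, d.address_of_name_ordinals + 2 * i, &idx)) return 0;
        return export_by_ordinal(img, len, dir_rva, d.ordinal_base + idx);
    }
    return 0;
}

/* Constructed sample image (not a real DLL). Function table: slot 0 = code of
   GetOpenFileNameA (0x1000), slot 1 = GetSaveFileNameA (0x2000), slot 2 =
   ChooseColorA (0x3000). The name table is sorted, as in a real PE, and maps to
   the function table through the ordinal table. `reordered` swaps slots 0 and 1,
   as a rebuilt DLL with a different export order would. Returns bytes used. */
size_t build_sample_image(uint8_t *img, size_t cap, int reordered)
{
    static const char *names[3] = { "ChooseColorA", "GetOpenFileNameA", "GetSaveFileNameA" };
    uint32_t fn_rvas[3] = { 0x1000, 0x2000, 0x3000 };
    uint16_t idx[3] = { 2, 0, 1 };                  /* name i -> function slot */
    uint32_t name_rvas[3], str = 70;                /* strings start after the tables */
    export_directory d;
    if (cap < 128) return 0;
    if (reordered) { fn_rvas[0] = 0x2000; fn_rvas[1] = 0x1000; idx[1] = 1; idx[2] = 0; }
    memset(img, 0, cap);
    memset(&d, 0, sizeof d);
    d.ordinal_base = 1; d.number_of_functions = 3; d.number_of_names = 3;
    d.address_of_functions = 40; d.address_of_names = 52; d.address_of_name_ordinals = 64;
    for (int i = 0; i < 3; i++) {
        size_t n = strlen(names[i]) + 1;
        name_rvas[i] = str;
        memcpy(img + str, names[i], n);
        str += (uint32_t)n;
    }
    memcpy(img, &d, sizeof d);
    memcpy(img + 40, fn_rvas, sizeof fn_rvas);
    memcpy(img + 52, name_rvas, sizeof name_rvas);
    memcpy(img + 64, idx, sizeof idx);
    return str;
}

/* Build the sample and resolve one export: by name if given, else by ordinal. */
uint32_t sample_lookup(int reordered, const char *name, uint32_t ordinal)
{
    uint8_t img[256];
    size_t len = build_sample_image(img, sizeof img, reordered);
    return name ? export_by_name(img, len, 0, name) : export_by_ordinal(img, len, 0, ordinal);
}

int main(void)
{
    printf("original : GetOpenFileNameA by name 0x%x, ordinal 1 -> 0x%x\n",
           (unsigned)sample_lookup(0, "GetOpenFileNameA", 0), (unsigned)sample_lookup(0, NULL, 1));
    printf("reordered: GetOpenFileNameA by name 0x%x, ordinal 1 -> 0x%x\n",
           (unsigned)sample_lookup(1, "GetOpenFileNameA", 0), (unsigned)sample_lookup(1, NULL, 1));
    return 0;
}
```

A real loader binary-searches the sorted name table rather than scanning it, and the RVAs would be added to the module's load address; the parsing and the bounds checks are otherwise the same, and the checks matter because a truncated or hostile image can place any of the three tables outside the mapped range.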
 

Expert Comment

by:gnif
ID: 8206986
Your idea is possible; there is a way to change the DLL's proc address once the DLL is loaded. I write my software in Delphi so my source isn't valid for you (I also no longer have the source), but it IS possible.
 
LVL 22

Expert Comment

by:nietod
ID: 8209617
This question is 5 years old. I don't think chengyan has been waiting all this time for an answer.
 

Expert Comment

by:gnif
ID: 8213917
Yes, but the information should be complete and correct so others can see it. I came across this page via Google.
 
LVL 22

Expert Comment

by:nietod
ID: 8214334
Well, how do you do it then? The solution would have nothing to do with the language (Delphi vs C++); it is purely a Windows OS issue.