API call hook

Posted on 1998-07-30
Last Modified: 2013-11-19
How can I hook a call from some EXE to a function exported from one of the Windows common DLLs? I have to intercept this call and modify the parameters passed to the function. I am looking for a solution for both Windows NT and Windows 95.
Question by: galkin

Expert Comment

ID: 1319929
There is a way to have your program open up the DLL, get the function pointer, then place your own code at the function pointer location (after you have made a copy of the original code that was there). Then the code you replaced it with will receive calls destined for the DLL, and you can call the original function from your code and "manipulate" it before returning the results.

I have not had time to do this but I plan to. If anyone has done this, I would like to get the source.



Author Comment

ID: 1319930
Your comment is too general; I need a tip pointing to a solution.

Expert Comment

ID: 1319931
that was a tip dumb ass.

key word search - DLL thunking

you won't find source code on the Net to do this if that's what you're looking for


Expert Comment

ID: 1319932
If you plan to debug the application by changing the parameter values to the function, go to the watch window and change the values of the function parameters before executing it. But you can't change the type of the parameters. I think this case works only if you have a debug version of the exe. If you have the source code for the exe, please customize the DLLs exported from the Windows DLL.

Author Comment

ID: 1319933
No, this has nothing to do with debugging. I have an EXE calling an API function in one of the Windows DLLs. I want to hook this call and modify the parameters passed onto the stack.

Expert Comment

ID: 1319934
There is no general-purpose solution to trapping Win32 API calls. If I understand what you're trying to do, you're trying to build something like a DOS TSR, MacOS extension, etc. that patches a piece of the API and adds to/changes its functionality.

There's no way to do that that's simple and general in Win32. If you mention which API you want to patch, I can be more specific. But here are some hints:

There are simple solutions in some cases. Some Win32 API calls are designed so they can be hooked--that is, they call certain functions before and/or after doing their own thing. In many cases the hooks are only application-wide, meaning that you'd have to modify each app (or somehow build a wrapper application). However, there are hooks that are system-wide--any app calling a certain API will trigger any registered hook. For example, if your app catches the CBT hooks (computer-based training), it will get every app's window messages before they get sent to the relevant app. Of course you'll probably also break all MFC apps; if you decide to go this way, try it, see what breaks, and come back with more specific questions. This will work in almost any version of Windows.

The shell extension documentation is probably the first place to look. If you're trying to convince the OS that it should execute your code whenever any app tries to, e.g., open a file, or pull up a context menu for a file, or list a file within a directory, then you want to write a shell extension. This will work in NT 4.0 and up, and Win95 and 98, but I don't think it'll work in NT 3.51 or earlier.

Look in the "Platform, SDK, and DDK Documentation | Platform SDK | User Interface Services | Shell" chapter in VC5's documentation for information on shell extensions and similar things. Also, some APIs can effectively be hooked by replacing device drivers.

If this doesn't work, there is a general-purpose solution (OK, I lied when I said there wasn't one), but it's a big ugly hack. You need to replace the system DLL. Microsoft does this all the time with new releases of IE and Office, but usually nobody else dares. Still, if you can plug in your own User.dll in place of the Win95 User.dll, you can do anything, right? The easiest way to do this is to build a wrapper for the DLL containing the API you want to hook. Wrap every API with a simple stub that calls the original function, except of course for the API you want to hook. Note that this solution is OS- and version-specific. This is why IE4 has different installers for NT and 95 (although the installer shell hides this from you).

Also note that any of these solutions will have to be installed by someone with administrator access on an NT system.


Accepted Solution

kinkajou earned 200 total points
ID: 1319935
So you want to hook a Win API function that is called from an independent .EXE. Make an application that loads the API DLL using LoadLibrary(), get the address of the function you want to wrap using GetProcAddress(), save the address, go to the location of the function and exchange the address of your wrapper function for the API address (easier said than done), and voilà, your wrapper function is now taking the place of the API function. Your wrapper function will need to get the params and do whatever you want with the params and then call the API function (unless you're going to emulate the API function). Then the .EXE mentioned earlier can be executed and you change the way the API function works with that .EXE. You'll need to have the hook application replace the API function after you're done unless you just want to leave the functionality or re-boot. Setting the procedure address is the most fun because it requires some creative memory management kludges using DPMI.

Good Luck.
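Seen from the other side, the entry-point redirect described in this answer is something an integrity check can spot by comparing a function's first bytes in memory with the same bytes in the DLL file. The sketch below is an added example, not code from this thread; it assumes 32-bit x86, and the function name `classify_entry`, the addresses and the byte samples are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Entry-point states this checker reports (32-bit x86 only). */
enum hook_kind { HOOK_NONE, HOOK_MODIFIED, HOOK_JMP_REL32, HOOK_PUSH_RET };

/* Read a little-endian 32-bit value from a byte buffer. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Compare the first n bytes of a function as mapped in the process (mem)
 * with the same bytes taken from the DLL file on disk (disk). va is the
 * function's address in the process. When a known redirect pattern is
 * found, *target receives the address that execution is diverted to.
 */
enum hook_kind classify_entry(const uint8_t *mem, const uint8_t *disk,
                              size_t n, uint32_t va, uint32_t *target) {
    *target = 0;
    if (memcmp(mem, disk, n) == 0)
        return HOOK_NONE;                     /* entry bytes are pristine */
    if (n >= 5 && mem[0] == 0xE9) {           /* jmp rel32 */
        *target = va + 5 + le32(mem + 1);     /* relative to next instruction */
        return HOOK_JMP_REL32;
    }
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {   /* push imm32; ret */
        *target = le32(mem + 1);
        return HOOK_PUSH_RET;
    }
    return HOOK_MODIFIED;                     /* changed, pattern not known */
}

int main(void) {
    /* Constructed sample: mov edi,edi; push ebp; mov ebp,esp; push ecx; ... */
    const uint8_t disk[8] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x51, 0x53, 0x56};
    /* Constructed sample: the same entry overwritten with a jmp rel32. */
    const uint8_t mem[8]  = {0xE9, 0xFB, 0xFF, 0x2F, 0x98, 0x51, 0x53, 0x56};
    uint32_t target;
    enum hook_kind k = classify_entry(mem, disk, sizeof mem, 0x77D01000u, &target);
    printf("kind=%d target=0x%08X\n", (int)k, (unsigned)target);
    return 0;
}
```

A mismatch is a lead rather than a verdict: the disk bytes must come from the same file version that is mapped, and a prologue containing a relocated absolute address differs from the file without any hook being present.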

Expert Comment

ID: 7684710
Here is an implementation of a system-wide hook API SDK.

Hook Windows API SDK provides SYSTEM-WIDE hooks.
You can read about the features of the product, download a limited trial version of Hook Windows API SDK, read the manual online, and order the program if you like it and wish to use it after the evaluation period. The registered version includes the full source code.

Who says it is impossible to setup SYSTEM-WIDE hooks for Win9x/Win2000/WinNT/WinXP

The only SYSTEM-WIDE API hook available for Windows Platform

Install your own hooks to monitor program starts or terminates
Install your own hooks to monitor file access
Install your own hooks to ... use your imagination.

Question has a verified solution.
