API call hook

Posted on 1998-07-30
Last Modified: 2013-11-19
How can I hook call from some EXE to the function exported from one of Windows common DLLs. I have to intercept this call and modify parameters passed to the function. I am looking for solution for both Windows NT and Windows 95.
Question by:galkin

Expert Comment

ID: 1319929
There is a way to have your program open up the DLL get the function pointer, then place your own code at the function pointer location (after you have made a copy of the original code that was there). Then your code you replaced will receive calls destined for the DLL, then you can call the original function from your code and "manipulate" it before returning the results.

I have not had time to do this but I plan to, If anyone has done this I would like to get the source.



Author Comment

ID: 1319930
You comment is to general, I need a tip pointing to solution.

Expert Comment

ID: 1319931
that was a tip dumb ass.

key word search - DLL thunking

you won't find source code on the Net to do this if thats what your looking for

Expert Comment

ID: 1319932
If you plan to debug the application by changing the parameter values to the funtion
go to the watch window and change the values of the funtion parameters before
executing it .But you can't change the type of parameters.I think this case works only
if you have debug version of exe only.If you have the source code for exe please customize the DLL's exported from the windows dll.
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails


Author Comment

ID: 1319933
No, there is nothing with debugging. I have EXE calling API function in one of the Windows DLL. I want to hook this call and modify parameters passed onto stack

Expert Comment

ID: 1319934
There is no general-purpose solution to trapping Win32 API calls. If I understand what you're trying to do, you're trying to build something like a DOS TSR, MacOS extension, etc. that patches a piece of the API and adds to/changes its functionality.

There's no way to do that that's simple and general in Win32. If you mention which API you want to patch, I can be more specific. But here's some hints:

There are simple solutions in some cases. Some Win32 API calls are designed so they can be hooked--that is, they call certain functions before and/or after doing their own thing. In many cases the hooks are only application-wide, meaning that you'd have to modify each app (or somehow build a wrapper application). However, there are hooks that are system-wide--any app calling a certain API will trigger any registered hook. For example, if your app catches the CBT hooks (computer-based training), it will get every app's window messages before they get sent to the relevant app. Of course you'll probably also break all MFC apps; if you decide to go this way, try it, see what breaks, and come back with more specific questions. This will work in almost any version of Windows.

The shell extension documentation is probably the first place to look. If you're trying to convince the OS that it should execute your code whenever any app tries to, e.g., open a file, or pull up a context menu for a file, or list a file within a directory, then you want to write a shell extension. This will work in NT 4.0 and up, and Win95 and 98, but I don't think it'll work in NT 3.51 or earlier.

Look in the "Platform, SDK, and DDK Documentation | Platform SDK | User Interface Services | Shell" chapter in VC5's documentation for information on shell extensions and similar things. Also, some APIs can effectively be hooked by replacing device drivers.

If this doesn't work, there is a general-purpose solution (OK, I lied when I said there wasn't one), but it's a big ugly hack. You need to replace the system DLL. Microsoft does this all the time with new releases of IE and Office, but usually nobody else dares. Still, if you can plug in your own User.dll in place of the Win95 User.dll, you can do anything, right? The easiest way to do this is to build a wrapper for the DLL containing the API you want to hook. Wrap every API with a simple stub that calls the original function, except of course for the API you want to hook. Note that this solution is OS- and version-specific. This is why IE4 has different installers for NT and 95 (although the installer shell hides this from you).

Also note that any of these solutions will have to be installed by someone with administrator access on an NT system.


Accepted Solution

kinkajou earned 200 total points
ID: 1319935
So you want to hook a Win API function that is called from an independent .EXE. Make an application that loads the API DLL using Loadlibrary(), get the address of the function you want to wrap using GetProcAddress(), save the address, go to the location of the function and exchange the address of your wrapper function for the API address (easier said than done), and wala, your wrapper function is now taking the place of the API function. Your wrapper function will need to get the params and do what ever you want with the params and then call the API function (unless you're going to emulate the API function). Then the .EXE mentioned earlier can be executed and your change the way the API function works with that .EXE. You'll need to have the hook application replace the API function after you're done unless you just want to leave the functionality or re-boot. Setting the procedure address is the most fun because it requires some creative memory management cludges using DPMI.

Good Luck.

Expert Comment

ID: 7684710
here is the implement of system-wide hook api sdk

 Hook Windows API SDK is SYSTEM-WIDE hooks.
You can read about features of the product, download a limited trial version of Hook Windows API SDK and read the manual online and order the program if you like the program and wish to use it after the evaluation period. The register version is include the full source code.

Who says it is impossible to setup SYSTEM-WIDE hooks for Win9x/Win2000/WinNT/WinXP

The only SYSTEM-WIDE API hook available for Windows Platform

Install your own hooks to monitor program starts or terminates
Install your own hooks to monitor file access
Install your own hooks to ... use your imagination.

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Handling string inputs in C/Linux 23 167
Detect CR LF to each line 12 137
mapAB Challlenge 35 85
Problem to open Excel file 15 40
Introduction: Ownerdraw of the grid button.  A singleton class implentation and usage. Continuing from the fifth article about sudoku.   Open the project in visual studio. Go to the class view – CGridButton should be visible as a class.  R…
Introduction: The undo support, implementing a stack. Continuing from the eigth article about sudoku.   We need a mechanism to keep track of the digits entered so as to implement an undo mechanism.  This should be a ‘Last In First Out’ collec…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now