API call hook

Posted on 1998-07-30
Last Modified: 2013-11-19
How can I hook a call from some EXE to a function exported from one of the Windows common DLLs? I have to intercept this call and modify the parameters passed to the function. I am looking for a solution for both Windows NT and Windows 95.
Question by:galkin

Expert Comment

ID: 1319929
There is a way to have your program open up the DLL, get the function pointer, then place your own code at the function pointer location (after you have made a copy of the original code that was there). Then your code you replaced will receive calls destined for the DLL, then you can call the original function from your code and "manipulate" it before returning the results.

I have not had time to do this but I plan to. If anyone has done this I would like to get the source.



Author Comment

ID: 1319930
Your comment is too general, I need a tip pointing to a solution.

Expert Comment

ID: 1319931
that was a tip dumb ass.

key word search - DLL thunking

you won't find source code on the Net to do this if that's what you're looking for

Expert Comment

ID: 1319932
If you plan to debug the application by changing the parameter values to the function, go to the watch window and change the values of the function parameters before executing it. But you can't change the type of the parameters. I think this case works only if you have a debug version of the exe. If you have the source code for the exe, please customize the DLL's exported from the windows dll.

Author Comment

ID: 1319933
No, there is nothing with debugging. I have an EXE calling an API function in one of the Windows DLLs. I want to hook this call and modify the parameters passed on the stack.

Expert Comment

ID: 1319934
There is no general-purpose solution to trapping Win32 API calls. If I understand what you're trying to do, you're trying to build something like a DOS TSR, MacOS extension, etc. that patches a piece of the API and adds to/changes its functionality.

There's no way to do that that's simple and general in Win32. If you mention which API you want to patch, I can be more specific. But here's some hints:

There are simple solutions in some cases. Some Win32 API calls are designed so they can be hooked--that is, they call certain functions before and/or after doing their own thing. In many cases the hooks are only application-wide, meaning that you'd have to modify each app (or somehow build a wrapper application). However, there are hooks that are system-wide--any app calling a certain API will trigger any registered hook. For example, if your app catches the CBT hooks (computer-based training), it will get every app's window messages before they get sent to the relevant app. Of course you'll probably also break all MFC apps; if you decide to go this way, try it, see what breaks, and come back with more specific questions. This will work in almost any version of Windows.

The shell extension documentation is probably the first place to look. If you're trying to convince the OS that it should execute your code whenever any app tries to, e.g., open a file, or pull up a context menu for a file, or list a file within a directory, then you want to write a shell extension. This will work in NT 4.0 and up, and Win95 and 98, but I don't think it'll work in NT 3.51 or earlier.

Look in the "Platform, SDK, and DDK Documentation | Platform SDK | User Interface Services | Shell" chapter in VC5's documentation for information on shell extensions and similar things. Also, some APIs can effectively be hooked by replacing device drivers.

If this doesn't work, there is a general-purpose solution (OK, I lied when I said there wasn't one), but it's a big ugly hack. You need to replace the system DLL. Microsoft does this all the time with new releases of IE and Office, but usually nobody else dares. Still, if you can plug in your own User.dll in place of the Win95 User.dll, you can do anything, right? The easiest way to do this is to build a wrapper for the DLL containing the API you want to hook. Wrap every API with a simple stub that calls the original function, except of course for the API you want to hook. Note that this solution is OS- and version-specific. This is why IE4 has different installers for NT and 95 (although the installer shell hides this from you).

Also note that any of these solutions will have to be installed by someone with administrator access on an NT system.


Accepted Solution

kinkajou earned 200 total points
ID: 1319935
So you want to hook a Win API function that is called from an independent .EXE. Make an application that loads the API DLL using LoadLibrary(), get the address of the function you want to wrap using GetProcAddress(), save the address, go to the location of the function and exchange the address of your wrapper function for the API address (easier said than done), and voilà, your wrapper function is now taking the place of the API function. Your wrapper function will need to get the params and do whatever you want with the params and then call the API function (unless you're going to emulate the API function). Then the .EXE mentioned earlier can be executed and you change the way the API function works with that .EXE. You'll need to have the hook application replace the API function after you're done unless you just want to leave the functionality or re-boot. Setting the procedure address is the most fun because it requires some creative memory management kludges using DPMI.

Good Luck.
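
Seen from the other side, the entry-point patching described in comment 1319929 and in the accepted answer leaves a trace that can be checked: the first bytes of the export in memory no longer match the DLL file on disk, and they decode to a jump that leaves the DLL. The following is an added example, not code from any poster in this thread; the type and function names, the addresses and the byte arrays are constructed for illustration, and it assumes 32-bit x86 code with the DLL loaded at its preferred base.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { ENTRY_CLEAN, ENTRY_MODIFIED, ENTRY_REDIRECTED };
struct module_range { uint32_t base, size; };   /* hypothetical: range the DLL occupies */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the two classic entry patches: JMP rel32 (E9 ..) and
 * PUSH imm32 / RET (68 .. C3). Returns 1 and sets *target on a match. */
static int decode_redirect(const uint8_t *code, size_t len, uint32_t va, uint32_t *target) {
    if (len >= 5 && code[0] == 0xE9) {
        *target = va + 5 + le32(code + 1);      /* relative to the next instruction */
        return 1;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        *target = le32(code + 1);
        return 1;
    }
    return 0;
}

/* Compare an export's in-memory entry bytes with the same bytes read from the
 * DLL file. *target is written only when the verdict is ENTRY_REDIRECTED. */
enum verdict check_entry(const uint8_t *mem, const uint8_t *disk, size_t len,
                         uint32_t va, struct module_range mod, uint32_t *target) {
    uint32_t t;
    if (memcmp(mem, disk, len) == 0) return ENTRY_CLEAN;
    if (decode_redirect(mem, len, va, &t) && t - mod.base >= mod.size) {
        *target = t;                            /* control leaves the owning DLL */
        return ENTRY_REDIRECTED;
    }
    return ENTRY_MODIFIED;                      /* changed, but still inside the DLL */
}

/* Constructed sample: an export at 0x77E01000 in a DLL mapped at 0x77E00000. */
static const struct module_range MOD = { 0x77E00000u, 0x00060000u };
static const uint8_t DISK[6]     = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const uint8_t JMP_OUT[6]  = { 0xE9, 0xFB, 0xFF, 0x1F, 0x98, 0x10 };
static const uint8_t PUSH_RET[6] = { 0x68, 0x00, 0x10, 0x00, 0x10, 0xC3 };
static const uint8_t JMP_IN[6]   = { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x90 };

int main(void) {
    const uint8_t *samples[] = { DISK, JMP_OUT, PUSH_RET, JMP_IN };
    for (size_t i = 0; i < 4; i++) {
        uint32_t target = 0;
        enum verdict v = check_entry(samples[i], DISK, 6, 0x77E01000u, MOD, &target);
        printf("sample %u: verdict=%d target=0x%08X\n", (unsigned)i, (int)v, (unsigned)target);
    }
    return 0;
}
```

A mismatch alone is not proof of a hook: relocated images and vendor hot patches also change entry bytes, which is why the jump target is checked against the module range.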

Expert Comment

ID: 7684710
Here is an implementation of a system-wide hook API SDK.

Hook Windows API SDK is SYSTEM-WIDE hooks.
You can read about the features of the product, download a limited trial version of Hook Windows API SDK, read the manual online, and order the program if you like it and wish to use it after the evaluation period. The registered version includes the full source code.

Who says it is impossible to setup SYSTEM-WIDE hooks for Win9x/Win2000/WinNT/WinXP

The only SYSTEM-WIDE API hook available for Windows Platform

Install your own hooks to monitor program starts or terminates
Install your own hooks to monitor file access
Install your own hooks to ... use your imagination.

Question has a verified solution.