How to (gracefully) reroute GDI32.DLL API entry points?

I need to redirect certain GDI32.DLL APIs (e.g. Rectangle) to my
own procedure to spy on the call parameters. These are the hints
I got from 2 EE experts:

(A) Change the import table [Nick Repin]
(B) Stick in a JMP instruction at the
    function entry point [Nick Repin]
(C) "Extended Hooks" [AlexVirochovsky]

I'd like to avoid debug-hook type solutions as the "debugger"/
host method is inappropriate for my needs. (E.g. IWATCH.EXE by
some German fellows, previously mentioned in an EE answer.)
Writing to GDI32.DLL seems dirty...

Apparently there's not much documentation on implementing Mr. Virochovsky's Extended Hooks :(

And it appears that inserting a JMP instruction at the original
API entry point is a Very Difficult Thing in Win32. I've played
with a 16-bit program that reroutes TextOut() -- is this
impossible in pure 32-bit programming? Is that why somebody also
mentioned DLL-thunking 'coz one must ultimately resort to Win16
or DPMI tricks?

ShienShinAsked:

NickRepinCommented:
Modifying the import table "on the fly" is the best way for GDI functions, because it's unlikely that they will be reached via GetProcAddress() rather than via static linking.

In short,
1) You have to enumerate all the modules of your app (DLLs). You can skip this step if you want to install the hook on a particular module whose name is known.
2) Enumerate the import table of each module. Find the entry for the hooked function.
3) Replace the address in this entry with your hook.

It's not too complex.
I have the source code for this, but I have to cut it from my existing project.
Sorry, but 70 points is not enough. :(

Maybe, if nobody gives you the answer, I'll try to find the time to do this.
0
ShienShinAuthor Commented:
Adjusted points to 80
0
castorixCommented:
Try HookAPIFunction() from Matt Pietrek.
0
ShienShinAuthor Commented:
Castorix, I couldn't find info on
HookAPIFunction() in typical search
engines, e.g. Yahoo & Alta Vista :(
Is it in a book passage or something?

BTW, now I'm destitute in terms of
points... Please be patient as I will
try to inflate the value of this
question in small increments.
0
ShienShinAuthor Commented:
Oops I forgot something. Nick, you said modify "...(blah-blah-blah) YOUR app..."
but then I need to modify the import
table of any loaded apps, not just mine.
Is such a violation of their private
address space permissible?

0
NickRepinCommented:
Doesn't matter.
Once you've injected your DLL into the address space of another process, you can do anything.

Add step zero:

0). Load dll into address space of another process, for example, by SetWindowsHookEx.
0
ShienShinAuthor Commented:
Thanks Nick!!! I think I see some kind of big picture emerging now. Boils down to:
PE headers, '.iData' sections, RVAs,
image base, module handles, file mappings, thunks, hook abuse and
Pietrek's articles.

In the meantime I'll try to work out the nitty gritty details...

0
BabyworshipCommented:
Hi, ShienShin.
I'm doing the same as you. Would you please tell me why my .exe (a standard Windows application using user32, gdi, kernel APIs) doesn't have an .idata section but imports a lot of functions?

Thank you very much.
0
BabyworshipCommented:
>>Pietrek's articles.

Where is it? Would you please tell me?

Thank you .
0
ShienShinAuthor Commented:
Nice callsign, Babyworship :)

Go to the Microsoft website, search for
"Peering Inside the PE" and Pietrek's
article should be found. I didn't jot
down the URL. Tell me if unsuccessful.

Pietrek says that both Borland & Microsoft tools should generate .EXE files in the PE format, and you should see the .idata section if you use the right file-dumpers.

If you're using other tools, then it might be a different story...
0
NickRepinCommented:
<<Boils down to:
PE headers, '.iData' sections, RVAs,
image base, module handles, file mappings, thunks, hook abuse and
Pietrek's articles. >>

Absolutely correct.

0
NickRepinCommented:
For your points+grade A I can give you the code to find import entry by func/module name.

bool replaceImport(
    HINSTANCE hMod,     // module whose import table is to be modified
    LPCSTR    funcDll,  // DLL used by hMod
    LPCSTR    funcName, // function name located in funcDll
    PVOID     newFunc,  // new function address
    PVOID*    oldFunc   // receives the old function address
);
0
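As an added example (not code from the thread or from Nick), here is the import-table walk of steps 2 and 3 above in the shape of the replaceImport() signature. The PE32 offsets are written out by hand so it compiles without windows.h and runs against a constructed in-memory image; on Windows, base would be the HINSTANCE of a loaded module, with the IAT page made writable via VirtualProtect first. The function names and the sample image are my own assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <ctype.h>
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static int ieq(const char *a, const char *b) {      /* ASCII case-insensitive, for DLL names */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}
/* Step 2: walk the import directory of a mapped PE32 image (RVA == offset from base)
   and return the IAT slot holding the address of funcName imported from dllName. */
uint32_t *find_import_slot(uint8_t *base, const char *dllName, const char *funcName) {
    uint8_t *nt = base + rd32(base + 0x3C);                        /* e_lfanew -> "PE\0\0" */
    if (memcmp(nt, "PE\0\0", 4) != 0) return NULL;
    uint8_t *opt = nt + 4 + 20;                                    /* after Signature + FileHeader */
    if ((rd32(opt) & 0xFFFF) != 0x10b) return NULL;                /* PE32 only in this example */
    uint32_t importRva = rd32(opt + 96 + 8);                       /* DataDirectory[1] = imports */
    if (importRva == 0) return NULL;
    for (uint8_t *d = base + importRva; rd32(d + 12) != 0; d += 20) { /* IMAGE_IMPORT_DESCRIPTOR */
        if (!ieq((const char *)base + rd32(d + 12), dllName)) continue;
        uint32_t ilt = rd32(d), iat = rd32(d + 16);                /* OriginalFirstThunk, FirstThunk */
        uint8_t *names = base + (ilt ? ilt : iat);                 /* name table; IAT if no ILT */
        for (uint32_t i = 0; rd32(names + 4 * i) != 0; i++) {
            uint32_t t = rd32(names + 4 * i);
            if (t & 0x80000000u) continue;                         /* imported by ordinal: no name */
            if (strcmp((const char *)base + t + 2, funcName) == 0) /* skip the 2-byte hint */
                return (uint32_t *)(base + iat + 4 * i);
        }
    }
    return NULL;
}
/* Step 3: swap the slot, keeping the old address so the spy routine can forward the call. */
int hook_import(uint8_t *base, const char *dll, const char *func, uint32_t newFunc, uint32_t *oldFunc) {
    uint32_t *slot = find_import_slot(base, dll, func);
    if (!slot) return 0;
    if (oldFunc) *oldFunc = *slot;
    *slot = newFunc;               /* on Windows, VirtualProtect() the IAT page writable first */
    return 1;
}
/* Constructed sample image (not a real binary) at the offsets a PE32 loader expects:
   one import, GDI32.dll!Rectangle, whose IAT slot initially holds 0x11111111. */
typedef struct {
    uint8_t dos[0x3C]; uint32_t e_lfanew; uint8_t sig[4]; uint8_t fileHdr[20];        /* 0x00..0x58 */
    uint16_t magic; uint8_t optRest[0x66]; uint32_t importDir[2]; uint8_t pad1[0x38]; /* ..0x100 */
    uint32_t desc[10]; uint8_t pad2[0x18]; uint32_t ilt[4]; uint32_t iat[4];          /* ..0x160 */
    char dll[16]; uint16_t hint; char fn[14];                                         /* ..0x180 */
} DemoImage;
static DemoImage g_demo = { .e_lfanew = 0x40, .sig = "PE", .magic = 0x10b, .importDir = {0x100, 0x28},
    .desc = {0x140, 0, 0, 0x160, 0x150}, .ilt = {0x170}, .iat = {0x11111111}, .dll = "GDI32.dll", .fn = "Rectangle" };
uint8_t *demo_image(void) { return (uint8_t *)&g_demo; }
```

The routine installed as newFunc must use the same calling convention as the original entry point (WINAPI for GDI32) and call through the saved oldFunc after logging the parameters, or the hooked program stops drawing.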

NickRepinCommented:
I'd like to post the code by email.
0
BabyworshipCommented:
ShienShin, thank you very much for your response, which made me very happy :)
Thank you again.

NickRepin,
in the Windows programming section I have a question regarding injecting a .dll into another process and intercepting the API.
Please have a look. Thanx!
0
WynCommented:
Hi, ShienShin.

All you need is available at

http://anon.free.anonymizer.com/http://www.geocities.com/SiliconValley/1741/miscprog/mp_main.html

Enjoy it and Good luck.

Wyn

0
ShienShinAuthor Commented:
BabyWorship, would you consider using
hooks to inject your DLL into already-
loaded processes? It's like abusing
Windows hooks, which are not meant for
digging into people's code to patch 'em.
BTW, have you tried Borland's tdump
util on your .EXEs?

Nick Repin has his rather assertive
ways when it comes to points :) Would
anybody wanna speak up against me giving
him some points, heheh. Gimme a few
more days to decide, I'll go through
the offered solutions first.

To Nick and Wyn, thank you very much!
0
BabyworshipCommented:
>>BabyWorship, would you consider using
hooks to inject your DLL into already-
loaded processes? It's like abusing
Windows hooks, which are not meant for
digging into people's code to patch 'em.

What do you mean by abusing hooks?
I want to use a hook but don't know what kind of hook I should use. I also posted another question on this point.
Thank you, ShienShin. You are a very kind person :)

BTW: if you do experiments you can find many .exe files that don't have an .idata segment. Maybe it's merged into another segment, I don't know :)
0
ShienShinAuthor Commented:
This is for pointing out the right track
for me, Nick :)

I've followed Wyn's URL to some GNU/Free stuff thingy site. Found code
to enumerate existing module handles and intercept their API calls. Our little discussion did help me in understanding some theories behind.

Instead of trading this 80 points and Grade A for your DLL-intercepting code,
I wonder if you know what's the module
(and the APIs called) responsible for repainting menu strings, button captions, shortcut labels, etc? This
will cut the time I take in digging out
the truth. Thanks for everything! :)

0
WynCommented:
wondering
0
WynCommented:
Do you know a way, except using a Windows hook, to inject a DLL into a process under Win95/98?
0
ShienShinAuthor Commented:
Wyn: I've seen the Inject.DLL library.
I think I know how to inject DLLs
into existing processes via InjectModule(). But then if one uses hooks, Windows
will take care of the attachment and
detachment of his/her DLL that contains
the hook proc.
0
WynCommented:
I don't think Nick is following here.
0
NickRepinCommented:
Sorry, ShienShin accepted my answer and hadn't asked any more questions. That's why I didn't add any more comments here.

Or did you ask that question about other ways for ME, Wyn?
If so, what's your goal? Are you really interested in that problem, or is it just a way to offend me (sorry, it seemed so to me at some stage)?
Anyway, you can ask a *separate* question personally for me.

0
NickRepinCommented:
Madshi described all known methods of injecting under 95 in the last comment in

http://www.experts-exchange.com/jsp/qShow.jsp?ta=winprog&qid=10279583 

I can discover yet another new way for additional fee. But it will be expensive enough :)

0
WynCommented:
>>ShienShin accepted my answer and had not asked any more questions.

Ur? Sure he asks another, but you don't simply overlook it. Read back.

FYC, I quote here:

Instead of trading this 80 points and Grade A for your DLL-intercepting code,
I wonder if you know what's the module
(and the APIs called) responsible for repainting menu strings, button captions, shortcut labels, etc? This
will cut the time I take in digging out
the truth. Thanks for everything! :)
0
WynCommented:
>>Are you really interesting in that problem or is it just a way to offend me (sorry, it seemed to me at some stage

Okay, I forgive your words above because you overlooked ShienShin's last question.

All I've said is to remind you of ShienShin's last question when he valued it, but you seem to misunderstand it.
 
0
NickRepinCommented:
*******************
ShienShin, you accepted my comment as answer without leaving any comments.
I thought that the question was closed. Now I see that you accepted the comment about 80 points. Does that mean that I should post the code to you? Please contact me at nick@earthspeak.net.
I can place the code here if you wish.
*******************

<<Ur? Sure he asks another but you dont simply overlook it.Read back. >>
I accept such comments only from the AUTHOR of the question. Sorry, it's not your business.

My *comments* (but not *answer*) about 80+A mean that if ShienShin agrees, I'll send the source code to him.

<<I wonder if you know what's the module (and the APIs called) responsible for repainting menu strings, button captions, shortcut labels, etc? This will cut the time I take in digging out the truth. Thanks for everything! >>
First, I don't see any connection between that note and ShienShin's question.
If you want my answer on that, ask a separate question. I'll not answer your comments here any more.
0
NickRepinCommented:
Sorry, sorry, sorry.
I really missed that ShienShin comment.

<<I wonder if you know what's the module
(and the APIs called) responsible for repainting menu strings, button captions, shortcut labels, etc? This
will cut the time I take in digging out
the truth. Thanks for everything! :) >>

Anyway, I DID NOT ANSWER this question. If ShienShin decided to accept my comment, well, I cannot do anything.
And I didn't promise to answer anything except the import table.
0
NickRepinCommented:
ShienShin can refund his points at any time by request to EE customer support.
0
ShienShinAuthor Commented:
Hey hey guys, cut the fuss :)
Nick, what I meant in the comment is that I intend to trade those 80 points
for something related to how the Win95 shell draws menu strings, shortcut captions, button labels, etc.

Your offer of the code snippet is appreciated, but your comments and Wyn's URL have successfully guided me to figure out how to implement DLL injection and API interception. I suppose guidance isn't worth the full 80 points; after all, I didn't take the 80-point code from you.

Hopefully, my over-rewarding would cause your conscience to make you chuck me some information on the text-drawing question I raised... You would, wouldn't you Nick :)

Mark the "some" word though. I'm not asking for an exhaustive answer, OK.
0
NickRepinCommented:
You shouldn't do this in future: accept the comment <<to cause your conscience to make you chuck me some information>>. What if I have no information you want?

Also, it seems that Wyn spent some time finding the information you want.
Please ask the question at the EE support area to refund your points.

<<how Win95 shell draws menu strings, shortcut captions, button labels, etc>>
Shell (explorer.exe) uses the standard GDI/USER functions like DrawText, Rectangle, FillRect, etc etc etc.
If you create the button in your application, Windows paints that button in the button window proc using the same USER/GDI functions.
0
mite51Commented:
ShienShin,

did you ever figure out how to hook the text?
0