Login | Register

APIHijack - A Library for Easy DLL Function Hooking.

Posted by Wade Brainerd on January 31st, 2001
Based on DelayLoadProfileDLL.CPP, by Matt Pietrek for MSJ February 2000. This code is intended to be included in a DLL inserted through a global Windows Hook (CBT hook for example). It will replace functions from other DLLs (e.g. DDRAW.DLL) with functions from your DLL.

Functions are hooked by passing a parameter structure to the HookAPICalls() function as follows: 

// Hook structure.
SDLLHook D3DHook = 
{
 "DDRAW.DLL",
 false, NULL, // Default hook disabled, NULL function pointer.
 {
  { "DirectDrawCreate", MyDirectDrawCreate },
  { NULL, NULL }
 }
};

BOOL APIENTRY DllMain( HINSTANCE hModule, 
                       DWORD fdwReason, 
                       LPVOID lpReserved )
{
 // When initializing....
 if ( fdwReason == DLL_PROCESS_ATTACH )  
 {
  hDLL = hModule;

  // We don't need thread notifications for what we're doing.
  // Thus, get rid of them, thereby eliminating some of the 
  // overhead of this DLL
  DisableThreadLibraryCalls( hModule );

  // Only hook the APIs if this is the Everquest process.
  GetModuleFileName( GetModuleHandle( NULL ), 
                     Work, 
                     sizeof(Work) );
  PathStripPath( Work );

  if ( stricmp( Work, "myhooktarget.exe" ) == 0 )
   HookAPICalls( &D3DHook );
 }

 return TRUE;
}

Now all that remains is to get your DLL loaded into the target process. The MSDN has a few good articles on Windows hooks, which are the preferred way to get an arbitrary DLL loaded into a process:

http://msdn.microsoft.com/library/techart/msdn_hooks32.htm

Also, the article from which this code is based shows another way to do it, which involves loading the process to be hooked as a debug target:

http://msdn.microsoft.com/library/periodic/period00/hood0200.htm

Downloads

Download source code and demo project - 102 Kb

IT Offers

Comments

  • Jordan shoes mentioned Gene to go for the variety, a margin of Nike

    Posted by TaddyGaffic on 04/24/2013 05:03pm

    In focus groups conducted at 80 community-based organizations around the country, Motivational Educational Entertainment of Philadelphia [url=http://markwarren.org.uk/goodbuy.cfm]nike free[/url] identified disturbing trends among youths ages 16 to 20. The "Just Say No" message of abstinence-only campaigns has been lost on this group of young people, who grew up during an era when the hip-hop sensibility of getting cash and clothes did not incorporate values of conscientious sexual behavior or social responsibility. Rappers who mingle [url=http://fossilsdirect.co.uk/glossarey.cfm]nike huarache free[/url] with glamorous-looking half-naked women rarely mention contraception while they're listing the number of compromising sexual situations they've been in lately. There are number of good brands in the market like Adidas, Nike, Reebok, Asics, Brooks, Puma etc. Most of these brands have shoes tailored for professional and amateur tennis players. New advanced technologies have made these shoes more player-friendly. After that, I eventually like to try to get down to the 150-160 range. I not entirely sure if that a healthy number for a gal my height or not, and I haven looked into it. But, I know that when I was 180 I still didn feel that [url=http://markwarren.org.uk/goodbuy.cfm]nike free run uk[/url] fit, so I think an extra 20 or so will help with that.. Lotto sneakers selling price are generally liable along with using the form of sneakers you choose on. Your Lotto sneakers established fact because of their style along with good quality plus the create. That they create sneakers coming from all varieties much like the loafers,Puma II Shoes, new sandals, sneakers along with task tennis shoes or anything else

    Reply

  • problem in hooking ntshrui.dll apis

    Posted by sameen_f on 07/01/2009 06:35am

    hi, i have tried this code it is working fine but when i tired to hook other apis then it showed no output...i need help in how to hook apis from ntshrui.dll....or is there any need for any kind of driver with the given source code...

    Reply

  • APIHijack for IDirect3D8::CreateDevice ????

    Posted by boonchait on 12/04/2004 03:08pm

    How can i set APIHijack for IDirect3D8::CreateDevice.

    Reply

  • can't highjack TextOut well from gdi32.dll

    Posted by Legacy on 02/12/2004 12:00am

    Originally posted by: Benjamin Gao

    when i highjack TextOut function in notepad.exe or wordpad.exe,nothing happened.
    not TextOut you wnat to TextOutA and TextOutW

    Reply

  • how can I hook Com ports in Win2000,WinXP?

    Posted by Legacy on 02/04/2004 12:00am

    Originally posted by: Gokay Gursoy

    Dear Sir/Madam
    How can I hook com ports (Com1/Com2) in Win2000/WinXP?
    I want to see data incoming and data outgoing from my com1
    and com2.I would be very pleased if you send me some delphi
    source about this.
    Best Regards
    Gokay Gursoy

    Reply

  • How do i Hook WM_CHAR in WinXP?

    Posted by Legacy on 01/30/2004 12:00am

    Originally posted by: uqtur

    Hello !
    I write a hook with VC 6.0 in Win2K and it worked .
    but in Win XP It dosn't worked functionally.
    my purpose is display some UNICODE characters in
    correctly with this HOOK.can any one help me?

    thank you .
    ////

    static LRESULT WINAPI MyApp ( int nCode, WPARAM wParam, LPARAM lParam)
    {
    ...

    pwszKLID=malloc(10);
    msg=(LPMSG)lParam;
    //
    switch (msg->message)
    {
    case WM_KEYDOWN:
    My6=msg->wParam;
    GetKeyboardState(st);
    break;
    case WM_CHAR:
    {
    if ((msg->wParam)==63) //can't display correctly ,replace with '?'
    {
    switch (My6)
    {
    case 71://g
    SendMessage(msg->hwnd,WM_CHAR,234,0);
    PostMessage(msg->hwnd,WM_KEYDOWN,8,0);
    break;
    case 73://i
    SendMessage(msg->hwnd,WM_CHAR,188,0);
    PostMessage(msg->hwnd,WM_KEYDOWN,8,0);
    break;
    ....
    }
    }
    break;
    }
    }
    //
    lResult = CallNextHookEx(g_hhook, nCode, wParam, lParam);
    return(lResult);
    }

    ////

    Reply

  • Error when compile

    Posted by Legacy on 01/28/2004 12:00am

    Originally posted by: BigWizard

    Deleting intermediate files and output files for project 'TestDLL - Win32 Debug'.
    --------------------Configuration: TestDLL - Win32 Debug--------------------
    Compiling...
    apihijack.cpp
    c:\temp\3\apihijack.cpp(158) : error C2440: '=' : cannot convert from 'unsigned long' to 'void *'
    Conversion from integral type to pointer type requires reinterpret_cast, C-style cast or function-style cast
    c:\temp\3\apihijack.cpp(196) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
    This conversion requires a reinterpret_cast, a C-style cast or function-style cast
    c:\temp\3\apihijack.cpp(203) : error C2446: '>' : no conversion from 'unsigned long *' to 'unsigned long'
    This conversion requires a reinterpret_cast, a C-style cast or function-style cast
    c:\temp\3\apihijack.cpp(203) : error C2040: '>' : 'unsigned long' differs in levels of indirection from 'unsigned long *'
    c:\temp\3\apihijack.cpp(204) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
    This conversion requires a reinterpret_cast, a C-style cast or function-style cast
    dllmain.cpp
    Error executing cl.exe.

    TestDLL.dll - 5 error(s), 0 warning(s)

    Reply

  • How do i hook a API that exported with ordinal rather than Name,certenly,I know it's protype!

    Posted by Legacy on 01/23/2004 12:00am

    Originally posted by: Hellow 

    How do i hook a API that exported with ordinal rather than Name,certenly,I know it's protype!

    Reply

  • How to hook DLL outside windows \ system32

    Posted by Legacy on 08/30/2003 12:00am

    Originally posted by: Martijn 

    I'm not succeeding in hooking a DLL which contains a path. 

    I need this because my DLL name conflicts with one that 

    exists in windows\system32 directory. i've modified the 

    struct like this:


    SDLLHook MYHook = {

    	"C:\\123\\abc\\abc.dll",

    	false, NULL,

    	{

    		{ "NormalOut", MyNormalOut },

    		{ NULL, NULL }

    	}

    };


    Is there anything else I need to do that I'm missing here?

    Reply

  • How to do dynamic LoadLibrary dlls (works for games)

    Posted by Legacy on 06/11/2003 12:00am

    Originally posted by: twinsen 

    These are the ways to do this type of thing:

    * Replace the DLL

    Problem: DLLs can contain undocumented export entries

    * Replace the process' Import Address Table - The way you did it

    Problem: fails with dynamic LoadLibrary

    * Hook into the remote DLL code

    Problem: don't always know compiler of dll, assumptions may be wrong (stack frame setup code is different)


    I prefer the 3rd method when targeting specific calls since all games I have tested do dynamic LoadLibrary. There is a good tutoiral on how to do this (with source) at http://home.worldonline.dk/viksoe/wepmetering.htm for winsock. I modified theirs to work with the directX DirectDrawCreateEx and got it to work for your bend program and the vietcong demo (a game that can run in window mode and I found to be a good testing ground). The stack frame setup code was damn annoying but eventually I worked it out by guessing numbers :). Eventually I want to intercept most of the useful directx commands and try to do things like rip out textures from memory. If anyone can think of someone who has done stuff like that please tell me.

    Reply

  • Loading, Please Wait ...

Leave a Comment
  • Your email address will not be published. All fields are required.

Go Deeper

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds