Vous êtes sur la page 1sur 10

Practical Guides on Win32 Hacking and

Windows Hooking – Part I

Originally from:

http://www.kk-wuti.blogspot.com/

http://kk-wuti.blogspot.com/2007/10/windows-
hooking-and-hacking1.html
Copyright: http://kk-wuti.blogspot.com

TABLE OF CONTENTS

Disclaimer ......................................................................................................................3
About this guide.............................................................................................................3
Pre-exquisite ..................................................................................................................3
Intercepting API calls ....................................................................................................3
Method I – Proxy DLL ..............................................................................................3
Step 1 Create a Win32 DLL (MyDLL.dll) that exports a function. ......................4
Step 2 Create a client or any windows application. ...............................................6
Step 3 Create the Proxy DLL.................................................................................6

2
Copyright: http://kk-wuti.blogspot.com

Disclaimer
THIS INFORMATION IS PROVIDED BY ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS INFORMATION, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

About this guide


There are tones of information available regarding windows hooking. As such, this
guide will not go into details of what is Windows Hooking or what it can do for you.
This guide will instead directly jump into the many ways of Windows Hooking and
for each method; a working source codes example with a step by step guide is given.
While the author will paint a picture on where and how a particular method could be
used, it is entirely up to the reader to assess and make his or her own judgment on
how a particular method presented here could best be used with regard to the actual
needs.

Pre-exquisite
Familiar with Ms Visual C++ 6.0 tools

Intercepting API calls

Method I – Proxy DLL

This is an easy method where the proxy DLL will directly replace an existing DLL
that contains the function or functions you want to be intercepted.

Assuming you want to intercept an API in a DLL called MyDLL.

To demonstrate, follow the steps described below.

3
Copyright: http://kk-wuti.blogspot.com

Step 1 Create a Win32 DLL (MyDLL.dll) that exports a function.

CODE:

4
Copyright: http://kk-wuti.blogspot.com

Header file definition

// The following ifdef block is the standard way of creating macros which make exporting
// from a DLL simpler. All files within this DLL are compiled with the MYDLL_EXPORTS
// symbol defined on the command line. this symbol should not be defined on any project
// that uses this DLL. This way any other project whose source files include this file see
// MYDLL_API functions as being imported from a DLL, wheras this DLL sees symbols
// defined with this macro as being exported.

#ifdef MYDLL_EXPORTS
#define MYDLL_API __declspec(dllexport)
#else
#define MYDLL_API __declspec(dllimport)
#endif

// This class is exported from the MyDLL.dll


class MYDLL_API CMyDLL {
public:
CMyDLL(void);
// TODO: add your methods here.
void MyDLL_func(){

MessageBox(0,"Hello from my dll", "Test", MB_OK);

}
};

CPP file

#include "stdafx.h"
#include "MyDLL.h"

BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)


{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

That’s it. You have a DLL, exporting a function called MyDLL_func(). Since this
function is exported by MyDLL, any other application that import this DLL into its
process space will be able to invoke the function MyDLL_func().

5
Copyright: http://kk-wuti.blogspot.com

Step 2 Create a client or any windows application.

To invoke the exported DLL function, follow the steps describe below.

• Include the header file created from Step 1. Use the correct path where you
have created the header file in Step 1.
• Construct the exported class object and invoke the exported function as show
below.

CODE:

//Include the path to where MyDLL header file is located


#include "..\\MyDLL\MyDll.h"

//construct the exported class’s object


CMyDLL dll;

//invoke the exported function.


dll.MyDLL_func();

Step 3 Create the Proxy DLL

This is the actual part of the API intercepting.


This DLL will be renamed to MyDLL.dll and MyDLL.dll will in turn be renamed to
another name that you like, for instance Realmydll.dll.

1. To create the proxy DLL, first create a normal DLL, no function export is needed
here.

Header files definition:

CODE:

// The following ifdef block is the standard way of creating macros which make exporting
// from a DLL simpler. All files within this DLL are compiled with the MYDLL_EXPORTS
// symbol defined on the command line. this symbol should not be defined on any project
// that uses this DLL. This way any other project whose source files include this file see
// MYDLL_API functions as being imported from a DLL, wheras this DLL sees symbols
// defined with this macro as being exported.

#ifdef FAKE_MYDLL_EXPORTS
#define FAKE_MYDLL_API __declspec(dllexport)
#else
#define FAKE_MYDLL_API __declspec(dllimport)
#endif

CPP file

Inside the main CPP file, add the followings: -

6
Copyright: http://kk-wuti.blogspot.com

• Declare a WINAPI function pointer of the function you want to intercept.


• Implement the intercepting or hooked function. This function will get
called instead when the client invoke MyDLL_func as shown in step 2
earlier.
• Update the DllMain function

CODE:

//Declare the function pointer


static void (WINAPI *RealMyDLL_func)();

//Implement the intercepting function


extern "C" void WINAPI HookedMyDLL_func(

)
{
//Do whatever you wanrt here
//You can call the real MyDLL_func here if you want

//Do something extra


TCHAR strTitle[250]={0x00};
GetModuleFileName(0,strTitle,250);
MessageBox(0,strTitle, "Test",MB_OK);

//You can call the real MyDLL_func here if you want

2. Use the “dumpbin” utility provided by Ms VC++ and run it on MyDLL.dll to get
all the exported symbols. We would need this information later. You should be
getting something similar like this: -

7
Copyright: http://kk-wuti.blogspot.com

Caution: Since we are using C++, there is C++ name decoration (symbols such as
“?”, “$” etc included in the name) in the names of the functions and members
exported from the C++ class. You can find more information on C++ Name
Decoration from the Internet. Another way of creating export functions is to use
definition file. In this case, no name decoration is applied and the names of the
exported functions are exactly the same as the name of the functions specified in the
definition file.

3. Use #pragma comment(…) to tell the compiler that you are forwarding functions
call from your DLL. For example: -

#pragma comment(linker,
"/export:??0CMyDLL@@QAE@XZ=Realmydll.??0CMyDLL@@QAE@XZ")

??0CMyDLL@@QAE@XZ is the name of the exported function/member from


the original dll (MyDLL.dll).

So this statement means reference to “??0CMyDLL@@QAE@XZ” is now


forwarded to “??0CMyDLL@@QAE@XZ” in Realmydll. Note the prefix of
“Realmydll.”

8
Copyright: http://kk-wuti.blogspot.com

You need to repeat doing the above for all the exported functions shown in the
“dumpbin /export” inside MyDLL.dll, except for the function or functions you
want to intercept, since you want to handle this yourself inside your proxy DLL.

An example is given as below: -

CODE:

#pragma comment(linker, "/export:??0CMyDLL@@QAE@XZ=Realmydll.??0CMyDLL@@QAE@XZ")


#pragma comment(linker,
"/export:??4CMyDLL@@QAEAAV0@ABV0@@Z=Realmydll.??4CMyDLL@@QAEAAV0@ABV0@@
Z")
#pragma comment(linker,
"/export:??_C@_04JDHC@Test?$AA@=Realmydll.??_C@_04JDHC@Test?$AA@")
#pragma comment(linker,
"/export:??_C@_0BC@HKHC@Hello?5from?5my?5dll?$AA@=Realmydll.??_C@_0BC@HKHC@Hello?
5from?5my?5dll?$AA@")
#pragma comment(linker, "/export:?MyDLL_func@CMyDLL@@QAEXXZ=_HookedMyDLL_func@0")

A good way is to create a new header file (ex. Mydll_fwd.h) in your Proxy DLL
project and add the above into it.

4. Update the DllMain function in your proxy DLL project.

CODE:
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved)
{
HMODULE hRealDLL;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
hRealDLL = LoadLibrary( "RealmyDLL" );
if( !hRealDLL )
{
return FALSE;
}
// Store the real function address for hooked function to call.
*(void **)&RealMyDLL_func = (void *)GetProcAddress( hRealDLL, "MyDLL_func" );
}

case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:

FreeLibrary( hRealDLL );

case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

5. To test, rebuild all your 3 projects and copy the DLL files to the same destination
directory. Rename MyDLL.dll to Realmydll.dll and ProxyDll.dll to MyDll.dll. Run

9
Copyright: http://kk-wuti.blogspot.com

your test application. The hooked function inside the Proxy DLL (which you have
renamed to MyDLL.dll) should get invoked instead of the function in Realmydll.dll.

10