Main Menu

Related links


Visitors since 18st Feb 2009:
free counters
Free Visitor Maps at VisitorMap.org

Hook Library

I know, there are lots of hook libraries out there, but I wasn't able to found any which either isn't GPL, blowed with lots of extra functionality I don't need or is optimized for .NET. Therefore I programmed my own.

 

What can you do with this library:

- Hook any windows API function

- Hook system wide (all processes)

- New processes get automatically hooked (if started within an already hooked process)

- Unhook all processes without restarting

 

Hook DLL

To hook a function you just need to create a dll. This dll has to export an array with the functions to be hooked:

typedef int (WINAPI *MessageBoxDecl)(HWND, LPCWSTR, LPCWSTR, UINT);
MessageBoxDecl OriginalMessageBox;
 
__declspec(dllexport) TOverrideFunction OverridenFunctions[]=
{
  {L"User32.dll","MessageBoxW",(FARPROC)MyMessageBoxW,(FARPROC*)&OriginalMessageBox},
  {NULL,NULL,NULL,NULL}    // NULL to signalize that no more functions have to be hooked
};
 

 

A DLL with the previously exported OverridenFunctions variable would mean that, once called from the HookLibrary for a given process, this process would call our version of MessageBoxW (called MyMessageBoxW) instead of the original MessageBoxW. A pointer to the original function would be stored in OriginalMessageBox. So we could write our overriden version of MessageBoxW as follows:

int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
   return OriginalMessageBox(hWnd, lpText, L"Hello!", uType);
}

And this would cause all MessageBoxes displayed by the hooked application to have the title "Hello!" instead of the original one.

 

Injecting the DLL in another Application

Assuming you have named the previous DLL testdll.dll. You can hook all calls to MessageBoxW system-wide by just doing :

InjectDLLGlobal("testDll.dll");

 

Or you can hook these functions in just one process:

InjectDLL(pid,L"TestDll.dll")

 

Either one or the other way you can undo the hook by writing :

GlobalUnhook();

 

If you want to just unhook a previously hooked function, you can store the handle returned by InjectDLL or InjectDLLGlobal and use it to call EjectDll:

OVERRIDEINFO h=InjectDLL(pid,L"TestDll.dll");
MessageBoxW(0,L"Unhook?",L"TEST",0);
EjectDLL(h);

 

To get the pid of a given process name you can use the function GetProcessListByName :

std::vector<PROCESSENTRY32> ids = GetProcessListByName(L"cmd.exe");
for(UINT x = 0; x < ids.size(); ++x)
{
   ULONG id = ids[x].th32ProcessID;
   OVERRIDEINFO h=InjectDLL(id,L"TestDll.dll");
   MessageBoxW(0,L"TEST",L"TEST",0);
   EjectDLL(h);   
   break;
}

Inheritance

When an application is hooked, the function CreateProcess is automatically hooked. If a hooked application starts another application, the hooked functions are inherited by the started application. This is also true for system-wide hooks. By calling EjectDll only the originally hooked process will be unhooked, so if you need to unhook also new created processes use the function GlobalUnhook.

 

Download here.
 

Add your comment

Your name:
Subject:
Comment:
yvComment v.1.20.0