-
Feb 2nd, 2005, 07:15 AM
#1
Hyperactive Member
Re: Hook on an API Call
Lyric8,
You need to read up on the PE file structure; you're looking for Imports.
-
Feb 2nd, 2005, 07:28 AM
#2
Re: Hook on an API Call
Some handsome, suave, intelligent and above all modest person has written an article on the PE structure you can read here
-
Feb 2nd, 2005, 08:22 AM
#3
Hyperactive Member
Re: Hook on an API Call
Merrion,
I assume you mean you wrote it.
Excellent work.
packetvb
-
Feb 2nd, 2005, 01:03 PM
#4
Thread Starter
Lively Member
Re: Hook on an API Call
If anyone else is interested, I found another article that is also good.
http://jfmasmtuts.blowsearch.ws/Ch2/pefile.htm
-
Feb 2nd, 2005, 04:15 PM
#5
Thread Starter
Lively Member
Re: Hook on an API Call
Well, now I better understand the PE file structure and how the .dll and .exe interact. I guess I am just not making the connection on the whole thing. However, I did just find a great example of API spying that has source code. The only problem is that it was coded ages ago and I can't even get the project to work now. If you're interested in this or can go through C++ pretty well, then have a look:
http://www.wheaty.net/APISPY32.zip
The only problem is that it was coded long ago, when there were only a few API .dlls. I just need to expand it to include USER32.dll and monitor the API call DrawTextA. If anyone can help, I could really use it... I am past deadline and getting desperate for anything. Thanks a lot!
-
Feb 2nd, 2005, 04:39 PM
#6
Re: Hook on an API Call
This is interesting stuff (to me anyway)
So, from reading the two documents, it looks like you have to locate the API function you want to monitor in the executable's Import Address Table. Get the pointer to the function and replace it with yours.
Unfortunately, you still have to write a C++ dll to insert your own routine since you need to be in the address space of the EXE.
The procedure is similar to the previous post you mentioned on hooking external apps (sometimes incorrectly referred to as subclassing), but instead of hooking into the message pump, you're hooking into the jump table. Subclassing hooks the Window Procedure.
I suppose now you've realized that calling API functions does not involve Windows messages but instead relies on a jump table.
You could write a few "simple" C++ functions to set the hooks and then call your VB app. This would involve sending messages back to your VB app.
One C++ function to create would be
HookAPI (APIfn as String, VBhWnd as Long)
...
-
Feb 2nd, 2005, 10:15 PM
#7
Hyperactive Member
Re: Hook on an API Call
moeur,
You're pretty much correct.
You could hook an API and maybe replace the pointer with a pointer to a function in a VB exe. But you would have to know the number of parameters and their types.
So a single function like this just wouldn't work for all APIs.
HookAPI (APIfn as Long, OutOwnfn as Long, VBhWnd as Long)
Without knowing the parameters and their types, the stack would get corrupt and you would most definitely crash both applications.
packetvb
-
Feb 3rd, 2005, 01:21 AM
#8
Thread Starter
Lively Member
Re: Hook on an API Call
Since I am just monitoring a single API call on this particular application, if I use the method mentioned by moeur, replacing the function pointer in the IAT with my function, and then point back to my VB application using CALLBACK, then I do in fact know the stack contents. I looked up my API call on MSDN:
int DrawText(
HDC hDC, // handle to DC
LPCTSTR lpString, // text to draw
int nCount, // text length
LPRECT lpRect, // formatting dimensions
UINT uFormat // text-drawing options
);
Since I am just trying to get the string, I can pop the first 3 parameters and store/use them. The first is the return address, the second is the handle to the DC, and the 3rd is the string I want. I then read out the ANSI string pointer in memory and save it in my program. Now I push the items back on the stack in reverse order so the return address is last, and then I sort of get lost (as though I can actually do most of what I said before). Do I CallNextHook in the VB app, or somehow point the next Proc to the actual location of the API call that I replaced in the IAT? The stack would be correct and the function would never even know it was intercepted. OK... fire away!
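An added example, not code from any poster in this thread or from APISPY32: a self-contained C program that does what moeur (#6) and Lyric8 (#8) describe, and sidesteps the stack problem packetvb raises in #7. It builds a constructed in-memory PE image (so it runs without Windows), walks the import directory to find the IAT slot for USER32.dll!DrawTextA, overwrites that slot with a hook that has the same prototype as DrawTextA, and then calls through the slot. Because the hook is declared with the API's own prototype, the compiler reads the arguments and forwards them to the saved original pointer; nothing is popped or pushed by hand, and the caller's stack is untouched. Assumptions, all mine: a stub stands in for the real export, the thunk width follows the host pointer size (PE32 on 32-bit, PE32+ on 64-bit), and the offsets in the sample image are arbitrary. On a real Windows process you would instead start from GetModuleHandle(NULL), declare the hook __stdcall on 32-bit, and call VirtualProtect on the IAT page before writing to it.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE constants from the PE/COFF spec, so this builds without windows.h.  Thunk width
   follows the host pointer size (PE32 / PE32+) so an IAT slot can hold a real pointer. */
#define THUNK_SZ     ((uint32_t)sizeof(void *))
#define OPT_MAGIC    (THUNK_SZ == 8 ? 0x20bu : 0x10bu)
#define DATADIR_OFF  (THUNK_SZ == 8 ? 112 : 96)   /* DataDirectory offset in the optional header */
#define DIR_IMPORT   1
#define ORDINAL_FLAG ((uintptr_t)1 << (THUNK_SZ * 8 - 1))

/* Same prototype as user32!DrawTextA; on 32-bit Windows it also needs __stdcall (WINAPI). */
typedef int (*DrawTextA_fn)(void *hdc, const char *str, int count, void *rect, unsigned fmt);

static uint32_t  rd32(const uint8_t *p)  { uint32_t v;  memcpy(&v, p, 4); return v; }
static uintptr_t rdptr(const uint8_t *p) { uintptr_t v; memcpy(&v, p, THUNK_SZ); return v; }
static void wr32(uint8_t *p, uint32_t v)   { memcpy(p, &v, 4); }
static void wrptr(uint8_t *p, uintptr_t v) { memcpy(p, &v, THUNK_SZ); }
static int ieq(const char *a, const char *b) {            /* DLL names match case-insensitively */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}

/* Walk the import directory of a mapped image (RVA == offset from base) and return
   the offset of the IAT slot that dll!func is called through, or -1 if not imported. */
static long find_iat_slot(const uint8_t *img, const char *dll, const char *func) {
    uint32_t nt = rd32(img + 0x3c);                         /* IMAGE_DOS_HEADER.e_lfanew */
    const uint8_t *opt = img + nt + 24;                     /* past "PE\0\0" + IMAGE_FILE_HEADER */
    if (memcmp(img, "MZ", 2) || memcmp(img + nt, "PE\0\0", 4) || (rd32(opt) & 0xffff) != OPT_MAGIC) return -1;
    uint32_t imp = rd32(opt + DATADIR_OFF + DIR_IMPORT * 8); if (!imp) return -1; /* import dir RVA */
    for (const uint8_t *d = img + imp; rd32(d + 12) != 0; d += 20) { /* IMAGE_IMPORT_DESCRIPTOR; Name==0 ends */
        uint32_t oft = rd32(d), ft = rd32(d + 16);          /* OriginalFirstThunk (names), FirstThunk (IAT) */
        if (!ieq((const char *)img + rd32(d + 12), dll)) continue;
        for (uint32_t i = 0; ; i++) {
            uintptr_t e = rdptr(img + oft + i * THUNK_SZ);
            if (!e) break;                                  /* zero thunk ends this DLL's list */
            if (e & ORDINAL_FLAG) continue;                 /* import by ordinal: no name to compare */
            if (!strcmp((const char *)img + e + 2, func))   /* IMAGE_IMPORT_BY_NAME: u16 Hint, then Name */
                return (long)(ft + i * THUNK_SZ);
        }
    }
    return -1;
}

/* Constructed stand-in for the real export; returns the byte count so the result is checkable. */
static int stub_DrawTextA(void *hdc, const char *str, int count, void *rect, unsigned fmt) {
    (void)hdc; (void)rect; (void)fmt; return count < 0 ? (int)strlen(str) : count;
}
static DrawTextA_fn g_original;   /* what the slot held before: where the hook forwards to */
static char g_captured[256];      /* last lpString seen by the hook */

/* Identical prototype: the compiler reads the arguments and forwarding them to the saved
   original leaves the caller's stack exactly as the real API would.  No CallNextHookEx here. */
static int hook_DrawTextA(void *hdc, const char *str, int count, void *rect, unsigned fmt) {
    size_t n = count < 0 ? strlen(str) : (size_t)count;
    if (n >= sizeof g_captured) n = sizeof g_captured - 1;
    memcpy(g_captured, str, n); g_captured[n] = '\0';
    return g_original(hdc, str, count, rect, fmt);
}

/* Swap the slot.  In a live process the IAT is normally read-only: VirtualProtect it first. */
static int install_hook(uint8_t *img, long slot) {
    uintptr_t old, hook; DrawTextA_fn h = hook_DrawTextA;
    if (slot < 0) return 0;
    old = rdptr(img + slot); memcpy(&g_original, &old, sizeof g_original);
    memcpy(&hook, &h, sizeof hook); wrptr(img + slot, hook);
    return 1;
}

/* What the hooked program's own code does: an indirect call through the IAT slot. */
static int call_via_iat(const uint8_t *img, long slot, const char *text) {
    uintptr_t v = rdptr(img + slot); DrawTextA_fn f; memcpy(&f, &v, sizeof f);
    return f(NULL, text, -1, NULL, 0);
}

/* Constructed mapped image importing USER32.dll!GetDC and DrawTextA; the IAT already
   holds resolved addresses, as it would after the loader has run.  Offsets are arbitrary. */
static uint8_t *build_sample_image(void) {
    static uint8_t img[0x600]; uint8_t *p = img;
    uintptr_t stub; DrawTextA_fn f = stub_DrawTextA;
    memset(p, 0, sizeof img);
    memcpy(p, "MZ", 2); wr32(p + 0x3c, 0x80);                             /* e_lfanew */
    memcpy(p + 0x80, "PE\0\0", 4); wr32(p + 0x98, OPT_MAGIC);             /* NT signature, optional Magic */
    wr32(p + 0x98 + DATADIR_OFF + DIR_IMPORT * 8, 0x200);                  /* import directory RVA */
    wr32(p + 0x200, 0x300); wr32(p + 0x20c, 0x400); wr32(p + 0x210, 0x340); /* descriptor: INT, Name, IAT */
    strcpy((char *)p + 0x400, "USER32.dll");
    strcpy((char *)p + 0x502, "GetDC"); strcpy((char *)p + 0x512, "DrawTextA"); /* Hint at +0, Name at +2 */
    wrptr(p + 0x300, 0x500); wrptr(p + 0x300 + THUNK_SZ, 0x510);           /* INT entries */
    memcpy(&stub, &f, sizeof stub);
    wrptr(p + 0x340, 1); wrptr(p + 0x340 + THUNK_SZ, stub);               /* IAT: GetDC placeholder, DrawTextA real */
    return p;
}

/* End to end: locate the slot, patch it, make the call; returns what the original returned. */
static int demo_hook(const char *text) {
    uint8_t *img = build_sample_image();
    long slot = find_iat_slot(img, "user32.dll", "DrawTextA");
    if (!install_hook(img, slot)) return -1;
    return call_via_iat(img, slot, text);
}

int main(void) {
    int r = demo_hook("hello from the IAT");
    printf("hook captured \"%s\", original returned %d\n", g_captured, r);
    return 0;
}
```

The answer to the "do I CallNextHook" question, as this example shows it: CallNextHookEx belongs to SetWindowsHookEx hook chains and plays no part in IAT patching; the hook simply calls the pointer it saved out of the slot before overwriting it. The same pattern (save the old slot value, write your own function of the identical prototype, forward) is what APISPY32-style tools do per function, which is why packetvb's single generic HookAPI cannot work: a hook must be compiled for one signature.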