[Repost] dedal's Import Hooker v0.1a by dedal
Posted: 2008-1-19 23:20 · 2762

dedal's Import Hooker v0.1a by dedal

Description:

This is a small library written in asm that allows the user to hook any imported function, including API calls. In the current version it allows up to 4 hooks to be applied to the hook chain of each imported function, and it can be used with functions of up to 5 arguments, though these limitations are purely made to conserve memory and can easily be removed.
It was written in one long night of coding, to help me with a project I was working on, so it's probably buggy and un-optimized, but it did its job quite well, so I decided to publish it to the community in case someone would find it useful. Personally, I do not have any use for it anymore, but I will update it to fix bugs or add features if requested (my email is at the bottom). The module was not packed, nor edited in any way after assembling, so you can open it in olly to see the source code. Please read the "How to use" part before asking anything; it will save me a lot of RTFM replies :P


Legal:

The library was written to help debug programs that you created (and/or) legally own, and to help you get better insight into win32 programming. It is not my responsibility if it is used for any other (illegal) purposes.


How To Use:

(1) Of course, you need the target executable. It probably will NOT work with packed exe's because of IAT mangling; don't complain, I can't help you with that.

(2) You need your injected dll that contains hook procedures.

Note:
In the following text I assume that all three modules (exe, and both dlls) are in the same folder.

(3) Load dImpHook.dll (from your injected dll)

[c/c++ code]
#include <windows.h>
HMODULE hdImpHook = LoadLibrary("dImpHook.dll");   // returns NULL on failure; check it before GetProcAddress

(4) You need to obtain (GetProcAddress) a pointer to function "HookImport":

BOOL __stdcall HookImport (DWORD dwFunction, DWORD dwHook)

IMPORTANT! If you use C/C++, typedef the function pointer as __stdcall: HookImport cleans its own arguments off the stack, so a __cdecl prototype makes the caller pop them a second time, and the unbalanced stack WILL crash your program.

[c/c++ code]
typedef BOOL(__stdcall *SomeName)(DWORD, DWORD);   // return type matches the BOOL prototype above
//...
SomeName HookImport = (SomeName)GetProcAddress(hdImpHook, "HookImport");

(5) Making your hook: For example, you wish to hook the MessageBoxA function. Its prototype is:

DWORD MessageBoxA (HWND hWnd, char* pszText, char* pszTitle, UINT Style).

When declaring your hook procedure you should declare the same prototype, adding one reference level (pointer) to every argument, so you get:

DWORD MessageBoxA (HWND* phWnd, char** ppszText, char** ppszTitle, UINT* pStyle).

The reason for additional pointers should be obvious, but if it's not:

When you pass a value to a function, the function cannot change the original, because it only works on a local copy on the stack; any change it makes is local too. When you pass a pointer, the pointer itself is still a local copy, but the function can change the value it points to, and that is what lets a hook rewrite an argument before the original function sees it.

If you still do not understand, stop reading, this library is not for you (sorry).

(6) You hook any imported procedure by calling HookImport, providing the pointer to the function you wish to hook and a pointer to your hook procedure.

The return value is 1 if the function succeeds, or 0 otherwise. There are 3 reasons why hooking could fail:

1. The procedure you wish to hook is not imported by the target executable
2. You have reached the maximum amount of hooks allowed in the hook chain for one function
3. LocalAlloc() failed, meaning you do not have enough free memory on the heap
(if this happens, shoot yourself in the leg :P)
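The following is an added, portable model of what steps (4) to (6) set up; it is not dImpHook's code and not a Windows build. dImpHook patches the real IAT entry of the target exe in asm, whereas here a small table of named slots stands in for the IAT so the model builds and runs anywhere. It shows the three things the text describes: a per-function hook chain with the same 4-hook limit, hook procedures that receive a pointer to every argument and can rewrite it before the original runs, and a HookImport-style call that returns 0 for a function that is not in the import table or whose chain is full. Every identifier (iat, run_chain, model_HookImport, fake_MessageBoxA, tramp_N) is made up for this illustration.

```c
/* Portable model of an import-hook chain with pointer-to-argument hooks.
 * Added for this page; NOT dImpHook's code. A tiny table of named slots
 * stands in for the IAT so the model builds and runs on any platform.
 * All identifiers below are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOOKS 4   /* per-function chain limit, as in dImpHook v0.1a */

/* All model imports share MessageBoxA's 4-argument shape. */
typedef uintptr_t (*target_fn)(uintptr_t, uintptr_t, uintptr_t, uintptr_t);
/* A hook receives a pointer to each argument (step 5): writing through it
 * changes what the next hook, and finally the original, will receive. */
typedef void (*hook_fn)(uintptr_t *, uintptr_t *, uintptr_t *, uintptr_t *);

struct slot {
    const char *name;
    target_fn   original;        /* address the IAT held before hooking */
    target_fn   current;         /* what the application calls through  */
    hook_fn     hooks[MAX_HOOKS];
    int         nhooks;
};

/* Stand-ins for the imported APIs; fake_MessageBoxA records what it got. */
static char last_text[64];
static uintptr_t fake_MessageBoxA(uintptr_t hwnd, uintptr_t text,
                                  uintptr_t title, uintptr_t style)
{
    (void)hwnd; (void)title; (void)style;
    snprintf(last_text, sizeof last_text, "%s", (const char *)text);
    return 1;                    /* IDOK */
}
static uintptr_t fake_ExitProcess(uintptr_t a, uintptr_t b, uintptr_t c, uintptr_t d)
{ (void)a; (void)b; (void)c; (void)d; return 0; }

static struct slot iat[2];       /* the model import table */

static uintptr_t run_chain(struct slot *s, uintptr_t a, uintptr_t b,
                           uintptr_t c, uintptr_t d)
{
    for (int i = 0; i < s->nhooks; i++)   /* hooks run in installation order */
        s->hooks[i](&a, &b, &c, &d);
    return s->original(a, b, c, d);       /* then the real function */
}

/* One trampoline per slot; an asm library generates these at runtime. */
#define TRAMPOLINE(i) static uintptr_t tramp_##i(uintptr_t a, uintptr_t b, \
    uintptr_t c, uintptr_t d) { return run_chain(&iat[i], a, b, c, d); }
TRAMPOLINE(0)
TRAMPOLINE(1)
static const target_fn trampolines[2] = { tramp_0, tramp_1 };

static void model_init(void)
{
    iat[0] = (struct slot){ "MessageBoxA", fake_MessageBoxA, fake_MessageBoxA, {0}, 0 };
    iat[1] = (struct slot){ "ExitProcess", fake_ExitProcess, fake_ExitProcess, {0}, 0 };
    last_text[0] = '\0';
}

/* Same contract as HookImport: 1 on success, 0 if the function is not in
 * the import table or its hook chain is already full. */
static int model_HookImport(target_fn fn, hook_fn hook)
{
    for (size_t i = 0; i < sizeof iat / sizeof iat[0]; i++) {
        if (iat[i].original != fn && iat[i].current != fn)
            continue;
        if (iat[i].nhooks == MAX_HOOKS)
            return 0;                               /* chain full */
        iat[i].hooks[iat[i].nhooks++] = hook;
        iat[i].current = trampolines[i];            /* "patch the IAT" */
        return 1;
    }
    return 0;                                       /* not imported */
}

/* The application calls through the IAT slot, as compiled code would. */
static uintptr_t app_show_message(const char *text)
{ return iat[0].current(0, (uintptr_t)text, (uintptr_t)"Title", 0); }

/* Two hooks with the pointer-level prototype from step 5. */
static int hook_calls;
static void hook_count(uintptr_t *h, uintptr_t *t, uintptr_t *c, uintptr_t *s)
{ (void)h; (void)t; (void)c; (void)s; hook_calls++; }                 /* observe */
static void hook_rewrite_text(uintptr_t *h, uintptr_t *t, uintptr_t *c, uintptr_t *s)
{ (void)h; (void)c; (void)s; *t = (uintptr_t)"rewritten by hook"; }   /* modify */
static uintptr_t not_imported(uintptr_t a, uintptr_t b, uintptr_t c, uintptr_t d)
{ (void)a; (void)b; (void)c; (void)d; return 0; }   /* never in the table */

int main(void)
{
    model_init();
    printf("hook of non-import: %d\n", model_HookImport(not_imported, hook_count));
    model_HookImport(fake_MessageBoxA, hook_count);
    model_HookImport(fake_MessageBoxA, hook_rewrite_text);
    app_show_message("original text");
    printf("original received \"%s\" after %d hook call(s)\n", last_text, hook_calls);
    return 0;
}
```

The lookup in model_HookImport accepts either the pre-hook address or the trampoline, so a second hook on an already-hooked function still lands in the same chain; on Windows the real library has to do the equivalent by matching the address against the executable's IAT, which is exactly why a packed exe with a mangled IAT defeats it (step 1).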


Contact me:

If you find any bugs, or would like me to add some new features, or need help in any way to make it work, feel free to contact me:

dedalus.ba/at/gmail.com


Latest replies (1)
Nice... thanks for sharing, moderator Lin~
2008-1-20 00:08