What is the recommended way to hook Win32 APIs for a commercial application? [closed]

What is your recommendation for an API hooking library or code to be used in a commercial application?

I have looked at Microsoft Detours which seems to be very good, but definitely is out of budget for the profit I am expecting out of my application.

Is there any library that offers compatibility across WinXP and Vista (and Windows 7 if not too much to ask!)? Is there anyone with past experience in using such a library in a commercial product?

Electricity answered 6/7, 2009 at 17:13
It might be helpful if you could state what APIs you wanted to hook and why. - Visitation
Detours is an instrumentation package. Is that what you want to do, instrument your Win32 DLLs? - Modillion
First, I am really sorry for not responding in time, I was on a long vacation. Back to the topic, I want to hook CreateProcess and file handling functions of Windows. Basically I want my app to gain control before the Windows operating system could touch a file (possibly an EXE file). - Electricity

API hooking in Win32 isn't really possible in a system-wide sense. You can approximate it by injecting a DLL into each process and then patching each process from within. You can either use IAT patching (where you patch the calling binary) or a Detours-style patch (where you patch the callee).

Patching the caller (IAT patching) means that you need to enumerate every DLL that is loaded in the process and patch each one separately. You also would need to hook LoadLibrary in order to patch any new DLLs that are loaded on-the-fly.

Patching the callee (Detours) has the advantage that you only need to patch one location to have the hook apply to the entire process.

You have to do the per-process patching even if you're hooking APIs from shared system DLLs; the OS will invoke copy-on-write whereby when you patch the system DLL, the process is given a private copy to be patched.

DLL injecting gets to be a bit nasty, and again there are several techniques: AppInit_DLLs, which only works for processes that load USER32.DLL (and has several new restrictions in Vista and Windows 7), using SetWindowsHookEx, or by using CreateRemoteThread. Integrity levels in Vista and Windows 7 make it more difficult to inject into processes system-wide. Your app will need to run with administrator privileges and a high integrity level to be able to successfully pull it off.

Another technique is to hook the system services in kernel-mode. This requires writing a device driver, but it is basically the technique that Sysinternals Process Monitor uses (or at least did, once). This is a problem on 64-bit Vista and Win7 because of PatchGuard and the driver signing requirements. You can monitor some file system activity by using file system filter drivers.

Aggarwal answered 17/12, 2009 at 6:47

You could also try the NCodeHook lib (http://newgre.net/ncodehook); it is free and small.

Caution answered 12/11, 2009 at 15:21
... but not as well documented as it could/should be. Still +1. - Lap

I'd recommend MinHook. It's definitely the best free library you could find, and is not worse than Microsoft Detours.

Allopath answered 1/10, 2013 at 14:45
I've used MinHook on a number of occasions with great success. Definitely recommended. - Godmother

What are you trying to do? Is patching the import table sufficient? I've used a variation of http://jpassing.wordpress.com/2008/01/06/using-import-address-table-hooking-for-testing/ for some fun side projects at home.

Toga answered 7/7, 2009 at 3:52
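The caller-side (IAT) patching that the first answer contrasts with Detours-style callee patching, and the import-table hooking this answer links to, as an added example that is not from the original page, from any poster, or from any of the libraries mentioned: it walks a PE32+ image's import directory, finds the IAT slot through which a named import is called, and swaps the pointer, skipping ordinal imports that have no name to match. So that it builds and runs without <windows.h>, the PE structures are declared inline with the same layouts as IMAGE_DOS_HEADER, IMAGE_NT_HEADERS64 and IMAGE_IMPORT_DESCRIPTOR, and the image is a constructed in-memory buffer whose RVAs equal buffer offsets; the kernel32 targets are stand-in functions, and the names kernel32.dll/CreateProcessW/CreateFileW are taken from the question. In a real Windows process you would pass the base of each loaded module (GetModuleHandle/EnumProcessModules), make the slot writable with VirtualProtect before writing, and repeat for every module loaded later, which is why the first answer says to hook LoadLibrary as well.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PE32+ structures, declared inline so this builds without <windows.h>.
 * Layouts match IMAGE_DOS_HEADER, IMAGE_NT_HEADERS64 and IMAGE_IMPORT_DESCRIPTOR. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } pe_dos_header;
typedef struct { uint32_t signature; uint16_t machine, nsections; uint32_t ts, symtab, nsyms;
                 uint16_t size_optional, characteristics; } pe_file_header;
typedef struct { uint32_t rva, size; } pe_data_dir;
typedef struct { uint16_t magic; uint8_t other[106]; uint32_t ndirs; pe_data_dir dir[16]; } pe_optional64;
typedef struct { uint32_t orig_first_thunk, ts, fwd_chain, name_rva, first_thunk; } pe_import_desc;
#pragma pack(pop)
#define PE_DIR_IMPORT 1
#define PE_ORDINAL_FLAG64 (1ULL << 63)

static int ieq(const char *a, const char *b) {              /* ASCII case-insensitive equality */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Walk the import directory of the image mapped at `base` and return the IAT slot
 * through which `func` of `dll` is called, or NULL if the image does not import it. */
uint64_t *iat_find_slot(uint8_t *base, const char *dll, const char *func) {
    pe_dos_header *dos = (pe_dos_header *)base;
    if (dos->e_magic != 0x5A4D) return NULL;                      /* "MZ" */
    pe_file_header *fh = (pe_file_header *)(base + dos->e_lfanew);
    if (fh->signature != 0x00004550) return NULL;                 /* "PE\0\0" */
    pe_optional64 *opt = (pe_optional64 *)((uint8_t *)fh + sizeof *fh);
    if (opt->magic != 0x20B || opt->ndirs <= PE_DIR_IMPORT) return NULL;
    uint32_t imp_rva = opt->dir[PE_DIR_IMPORT].rva;
    if (imp_rva == 0) return NULL;                                /* nothing imported */
    for (pe_import_desc *d = (pe_import_desc *)(base + imp_rva); d->name_rva; d++) {
        if (!ieq((const char *)(base + d->name_rva), dll)) continue;
        /* INT (names) and IAT (resolved addresses) run in parallel; some old linkers omit the INT */
        uint32_t int_rva = d->orig_first_thunk ? d->orig_first_thunk : d->first_thunk;
        uint64_t *names = (uint64_t *)(base + int_rva), *iat = (uint64_t *)(base + d->first_thunk);
        for (; *names; names++, iat++) {
            if (*names & PE_ORDINAL_FLAG64) continue;             /* imported by ordinal: no name */
            const char *name = (const char *)(base + (uint32_t)*names + 2); /* skip 16-bit hint */
            if (strcmp(name, func) == 0) return iat;
        }
    }
    return NULL;
}

/* Redirect the slot and return the original address (0 if not imported). On Windows the
 * IAT is read-only once the loader has filled it, so bracket the write with
 * VirtualProtect(slot, sizeof *slot, PAGE_READWRITE, &old) and a restore of `old`. */
uint64_t iat_hook(uint8_t *base, const char *dll, const char *func, uint64_t replacement) {
    uint64_t *slot = iat_find_slot(base, dll, func);
    if (!slot) return 0;
    uint64_t original = *slot;
    *slot = replacement;
    return original;
}

/* ---- Constructed in-memory image (not a real binary): every RVA equals its buffer offset. ---- */
static union { uint64_t align; uint8_t bytes[4096]; } storage;   /* 8-byte aligned thunk arrays */
enum { OFF_NT = 0x40, OFF_DESC = 0x200, OFF_INT = 0x300, OFF_IAT = 0x380, OFF_NAMES = 0x400 };
int real_CreateFileW(void)      { return 1; }    /* stand-ins for the kernel32 exports */
int real_CreateProcessW(void)   { return 2; }
int hooked_CreateProcessW(void) { return 42; }   /* what the hook installs instead */

uint8_t *build_image(void) {
    uint8_t *base = storage.bytes;
    memset(&storage, 0, sizeof storage);
    ((pe_dos_header *)base)->e_magic = 0x5A4D; ((pe_dos_header *)base)->e_lfanew = OFF_NT;
    pe_file_header *fh = (pe_file_header *)(base + OFF_NT);
    fh->signature = 0x00004550; fh->machine = 0x8664; fh->size_optional = sizeof(pe_optional64);
    pe_optional64 *opt = (pe_optional64 *)(base + OFF_NT + sizeof *fh);
    opt->magic = 0x20B; opt->ndirs = 16;
    opt->dir[PE_DIR_IMPORT].rva = OFF_DESC; opt->dir[PE_DIR_IMPORT].size = 2 * sizeof(pe_import_desc);
    strcpy((char *)base + OFF_NAMES, "KERNEL32.dll");
    strcpy((char *)base + OFF_NAMES + 0x12, "CreateFileW");     /* 2-byte hint (zero) precedes it */
    strcpy((char *)base + OFF_NAMES + 0x22, "CreateProcessW");
    pe_import_desc *d = (pe_import_desc *)(base + OFF_DESC);     /* d[1] stays zero: terminator */
    d->orig_first_thunk = OFF_INT; d->name_rva = OFF_NAMES; d->first_thunk = OFF_IAT;
    uint64_t *names = (uint64_t *)(base + OFF_INT), *iat = (uint64_t *)(base + OFF_IAT);
    names[0] = OFF_NAMES + 0x10;      iat[0] = (uint64_t)(uintptr_t)real_CreateFileW;
    names[1] = PE_ORDINAL_FLAG64 | 7; iat[1] = 0xDEAD;            /* ordinal import, must be skipped */
    names[2] = OFF_NAMES + 0x20;      iat[2] = (uint64_t)(uintptr_t)real_CreateProcessW;
    return base;                                                  /* names[3] == 0 ends the list */
}

/* Call an import the way compiled code does: indirectly through its IAT slot. */
int call_import(uint8_t *base, const char *func) {
    uint64_t *slot = iat_find_slot(base, "kernel32.dll", func);
    return slot ? ((int (*)(void))(uintptr_t)*slot)() : -1;
}

int main(void) {
    uint8_t *base = build_image();
    int before = call_import(base, "CreateProcessW");
    iat_hook(base, "kernel32.dll", "CreateProcessW", (uint64_t)(uintptr_t)hooked_CreateProcessW);
    printf("CreateProcessW before=%d after=%d, CreateFileW=%d\n", before,
           call_import(base, "CreateProcessW"), call_import(base, "CreateFileW"));
    return 0;
}
```

Only calls that go through this module's IAT are redirected: code that resolves the function at runtime with GetProcAddress, or another DLL in the same process that imports it through its own IAT, is not affected, which is the limitation the first answer describes and the reason a callee-side (Detours/MinHook style) patch needs only one location per process.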

You could try EasyHook, it looks to be useful. Can't patch "system wide" though, you would need something like a Proxy DLL for that.

http://www.codeplex.com/easyhook

Unfolded answered 24/9, 2009 at 19:47
EasyHook has moved to github.com/EasyHook/EasyHook - Inconvertible

Have you tried the Deviare API Hook ...

Deviare is licensed under a commercial and open source license (GNU General Public License version 3).

Eunaeunice answered 11/10, 2015 at 14:34

© 2022 - 2024 — McMap. All rights reserved.