process-wide API hooking

lliang
Posts: 4
Joined: Fri Mar 24, 2006 9:50 pm

Post by lliang »

Hi, the company I work for let me evaluate madCodeHook.dll, so I downloaded the demo code and the non-commercial madCollection. I wrote a very simple program to hook the DeleteFile API by following the demo code; my callback function was not executed. But the WinExec hook used in the demo did work. Below is my code. Did I do something wrong? Can someone shed some light on this? Thanks.

#include <windows.h>
#include "madCHook.h"

// Pointer to the original (next-hook) function, filled in by HookAPI.
BOOL (WINAPI *DeleteFileNextHook) (LPCTSTR lpFileName);

// Callback that replaces DeleteFile: ask the user, then either call through
// to the original function or fail with ERROR_ACCESS_DENIED.
BOOL WINAPI DeleteFileCallback(LPCTSTR lpFileName)
{
	if (MessageBox(0, lpFileName, "Delete File......", MB_ICONQUESTION | MB_YESNO | MB_TOPMOST) == IDYES)
	{
		return DeleteFileNextHook(lpFileName);
	}
	else
	{
		SetLastError(ERROR_ACCESS_DENIED);
		return FALSE;
	}
}

int WINAPI WinMain(HINSTANCE hInstance,
                   HINSTANCE hPrevInstance,
                   LPSTR     lpCmdLine,
                   int       nCmdShow)
{
	InitializeMadCHook();
	// Hook target name as originally posted ("DeleteFile").
	if (HookAPI("kernel32.dll", "DeleteFile", DeleteFileCallback, (PVOID*) &DeleteFileNextHook))
	{
		DeleteFile("C:\\cfdll.dll");   // expected to trigger the callback
		UnhookAPI((PVOID*) &DeleteFileNextHook);
	}
	FinalizeMadCHook();
	return 0;
}
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

There's no "DeleteFile" API. There are "DeleteFileA" and "DeleteFileW" APIs, though.
XanSama
Posts: 15
Joined: Sat Mar 04, 2006 11:19 am

Post by XanSama »

DeleteFileA being the one that sometimes gets aliased to DeleteFile.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

DeleteFileA being the one that sometimes gets aliased to DeleteFile.
DeleteFile being the one that always gets aliased to DeleteFileA. :wink:

--Iconic
XanSama
Posts: 15
Joined: Sat Mar 04, 2006 11:19 am

Post by XanSama »

iconic wrote:
DeleteFileA being the one that sometimes gets aliased to DeleteFile.
DeleteFile being the one that always gets aliased to DeleteFileA. :wink:

--Iconic
:P yes, however you'd like to say it.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Spreading of misinformation is a disease!!! Just kidding...
Just giving you a hard time XanSama, I knew what you meant of course :crazy:

--Iconic
lliang
Posts: 4
Joined: Fri Mar 24, 2006 9:50 pm

Post by lliang »

Thank you, madshi. It works now after using DeleteFileA.

Would it be better if HookAPI returned FALSE if the user passed a wrong parameter like DeleteFile?

Thank you all for your replies.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

lliang wrote:Would it be better if HookAPI returned FALSE if the user passed a wrong parameter like DeleteFile?
Yes, it would. What did it return?
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA
Contact:

Post by dcsoft »

madshi wrote:
lliang wrote:Would it be better if HookAPI returned FALSE if the user passed a wrong parameter like DeleteFile?
Yes, it would. What did it return?
But if the DLL you're hooking is not loaded, how does MadCodeHook know which functions it exports, without loading the DLL? I don't see how it could know DeleteFile() is not exported without loading the DLL first, which I thought you said did not happen, as the API is hooked only when the process first loads the DLL.

Unless you read the PE format of the DLL without actually loading it?

Thanks,
David
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

dcsoft wrote:But if the DLL you're hooking is not loaded, how does MadCodeHook know which functions it exports, without loading the DLL? I don't see how it could know DeleteFile() is not exported without loading the DLL first, which I thought you said did not happen, as the API is hooked only when the process first loads the DLL.
In theory you're right. When the DLL is not loaded yet, madCodeHook doesn't know whether the API exists and so returns TRUE.

But we're talking about kernel32.dll here, which is pretty much always loaded.
Samuel
Posts: 10
Joined: Wed Aug 15, 2007 3:00 am
Location: California, USA

Post by Samuel »

iconic wrote:
DeleteFileA being the one that sometimes gets aliased to DeleteFile.
DeleteFile being the one that always gets aliased to DeleteFileA. :wink:

--Iconic
Not in Unicode builds. I don't know if Delphi supports Unicode but VC does.
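An added example, not code from the thread or from madCodeHook: a portable C model of the name check the replies describe. It resolves a bare name such as DeleteFile to the A or W export the module actually exports, reports HOOK_NOT_EXPORTED for a name that exists under neither spelling (what lliang asked HookAPI to do), and reports HOOK_DEFERRED when the module is not loaded (madshi's case). The export list and the notyet.dll module are constructed sample data, not real export tables.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for a module's export list. A NULL list models a DLL
 * that is not loaded yet (real code would walk the PE export directory or
 * call GetProcAddress on the loaded module). */
typedef struct {
    const char  *name;
    const char **exports;   /* NULL-terminated, or NULL if not loaded */
} module_t;

typedef enum { HOOK_OK, HOOK_NOT_EXPORTED, HOOK_DEFERRED } hook_status_t;
static const char *kernel32_exports[] = { "DeleteFileA", "DeleteFileW", "WinExec", NULL };
static const module_t kernel32   = { "kernel32.dll", kernel32_exports };
static const module_t not_loaded = { "notyet.dll", NULL };   /* hypothetical, constructed */

static int module_exports(const module_t *m, const char *api) {
    for (const char **e = m->exports; *e; ++e)
        if (strcmp(*e, api) == 0) return 1;
    return 0;
}

/* Resolve the export that should actually be hooked. Header macros map a bare
 * name such as DeleteFile to DeleteFileA/W, but the export table only knows
 * the suffixed names, so a bare name is retried with the suffix matching the
 * build's character set (unicode flag). */
hook_status_t resolve_hook_target(const module_t *m, const char *api,
                                  int unicode, char *out, size_t outlen) {
    if (!m->exports) {                     /* not loaded: cannot validate yet */
        snprintf(out, outlen, "%s", api);
        return HOOK_DEFERRED;
    }
    if (module_exports(m, api)) {          /* caller already gave the real export */
        snprintf(out, outlen, "%s", api);
        return HOOK_OK;
    }
    snprintf(out, outlen, "%s%c", api, unicode ? 'W' : 'A');
    if (module_exports(m, out)) return HOOK_OK;
    out[0] = '\0';
    return HOOK_NOT_EXPORTED;
}

/* Convenience check: does resolution of `api` against module `m` give the
 * expected status and export name? */
int check_resolve(const module_t *m, const char *api, int unicode,
                  hook_status_t want, const char *want_name) {
    char buf[64];
    hook_status_t got = resolve_hook_target(m, api, unicode, buf, sizeof buf);
    return got == want && strcmp(buf, want_name) == 0;
}
```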