c++ / delphi package - dll injection and api hooking
jamesfin
Posts: 7
Joined: Wed Sep 08, 2004 10:02 pm

sit and go strategy

Post by jamesfin »

Last edited by jamesfin on Tue Sep 07, 2010 1:10 pm, edited 2 times in total.
Sirmabus
Posts: 89
Joined: Fri May 28, 2004 6:20 pm

Post by Sirmabus »

Mad Code hook's global memory mapping works well.
jamesfin
Posts: 7
Joined: Wed Sep 08, 2004 10:02 pm

please elaborate....

Post by jamesfin »

Are there other APIs for global memory mapping? Docs?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You can use shared segments, but to be honest: I don't know exactly how that works, since I'm mainly a Delphi programmer and Delphi doesn't support this feature.

Alternatively (as Sirmabus hinted) you can use global file mappings by using madCodeHook's CreateGlobalFileMapping + OpenGlobalFileMapping functions. You can read more about that in the madCodeHook documentation.
jamesfin
Posts: 7
Joined: Wed Sep 08, 2004 10:02 pm

Thanks!

Post by jamesfin »

Thanks for the info!

It should work just fine but I will try it and let you know what happens. FYI, I want to store metrics for a couple of APIs and this technique will hopefully allow my executable to call the DLL to retrieve the stored data.

Is there a way to use the registry to get DLLs injected into each process?

Enjoy!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Why would you want to use the registry, if madCodeHook does all the work for you? Well, there is a registry key which makes programs load your dll, but this key works only in the NT family and it works only for programs which link to user32.dll. madCodeHook will inject your dll into all processes in all OSs, regardless of which dlls they link to.
jamesfin
Posts: 7
Joined: Wed Sep 08, 2004 10:02 pm

Fair enough...

Post by jamesfin »

Appreciate the feedback!

Here's the scenario....

1. System boots
2. My code begins to track/store particular API activity into the shared area of the DLL, however it was injected
3. User wants to retrieve stored data by running my application, which will call specific APIs in the DLL to retrieve the data
4. User quits application and DLL remains collecting more data


The question is....

Based upon my scenario and your description of how apps have to link to user32.dll for the registry to work, how would you recommend I accomplish both? It sounds like I need to have some "background" mini-app running at all times to make the MADHook injection occur even when my base application isn't running?

FYI...We will only be using Win2K or WinXP and beyond for this exercise.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You don't need to have a background app running all the time, because once you've started system wide dll injection by calling InjectLibrary, this injection will continue to work until the next OS reboot - even if your application is stopped. Most people using madCodeHook have a little program in the autostart which starts the injection. Or alternatively they're using a little service, which then calls InjectLibrary.
jamesfin
Posts: 7
Joined: Wed Sep 08, 2004 10:02 pm

question

Post by jamesfin »

For any given hook, has the actual API been called yet?

For instance, we want to trap CreateProcess. It would be nice if we can use the PROCESS_INFORMATION data structure to pull out the Process ID but it would only be valid if it's already been called.

If not, how do I retrieve the data that would have been filled out by the actual CreateProcess call?

I would think that lots of people would want this kind of post-call information for many APIs.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: question

Post by madshi »

It seems to me that you didn't yet understand the way madCodeHook works. Please check out the demos, they'll make these things clear to you.

In short: If an application calls CreateProcess, your hook callback function will be called *instead*. If you leave it empty the real CreateProcess API will never be called. If you want it to be called, you must do it in your callback function. You can put your code before that or after that or around that. This way you have all power over what happens.
jamesfin
Posts: 7
Joined: Wed Sep 08, 2004 10:02 pm

fair enough...

Post by jamesfin »

Thanks for the reply!

I thought that was the way to do it, but I didn't know what would happen if 5 different dlls hook CreateProcess. Who actually is going to be making the call to CreateProcess, or is it somehow limited to 1 hook per API?

While you're on the phone....

I've looked at the GlobalFileMapping stuff and I am assuming that I can use the other Mapping routines with the returned handle from the OpenGlobalFileMapping routine.

It would be very useful to have C/C++ docs as I know nothing about Delphi.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Just today somebody already asked about what happens if multiple dlls hook the same API. Here's the thread:

viewtopic.php?t=193

Yes, CreateGlobal*SomeObject* just calls Create*SomeObject* with special parameters, so you can use the normal APIs for the global objects.

The documentation is written for Delphi, but the difference to C++ is just the syntax, nothing more. Maybe I'll extend the documentation to cover Delphi and C++ sooner or later, but I've so many other things to do right now that I don't see that coming soon.
jamesfin
Posts: 7
Joined: Wed Sep 08, 2004 10:02 pm

follow-up...

Post by jamesfin »

Is it safe to do a CreateGlobalFileMapping/MapViewOfFile in DllMain?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Yes.
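Putting madshi's answers together, here is an added example in Delphi (written for this thread, not madCodeHook's own demo code) of a hook dll that hooks CreateProcessW, lets the real API run via the next-hook pointer, and only afterwards reads dwProcessId, storing it in a global file mapping created in the dll's initialisation section and guarded by a mutex. The record layout and the names 'HookStats' and 'HookStatsMutex' are constructed; CreateGlobalMutex and the exact parameter forms of HookAPI and CreateGlobalFileMapping are assumptions to check against the madCodeHook documentation.

```delphi
library HookStats;
uses
  Windows, madCodeHook;
type
  // Constructed layout for the shared area (an assumption of this example).
  TSharedStats = packed record
    CallCount : DWORD;   // how often CreateProcessW succeeded system wide
    LastPid   : DWORD;   // dwProcessId of the most recently created process
  end;
  PSharedStats = ^TSharedStats;
var
  Shared : PSharedStats = nil;   // view of the global file mapping
  Mutex  : THandle = 0;          // serialises writers from every process
  Mapping: THandle = 0;
  CreateProcessWNext : function (lpApplicationName, lpCommandLine: PWideChar;
    lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
    bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
    lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
    var lpProcessInformation: TProcessInformation): BOOL; stdcall;

// Called *instead of* CreateProcessW in every process the dll was injected into.
function CreateProcessWCallback(lpApplicationName, lpCommandLine: PWideChar;
    lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
    bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
    lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
    var lpProcessInformation: TProcessInformation): BOOL; stdcall;
begin
  // "before" code would go here; lpProcessInformation is not filled in yet
  result := CreateProcessWNext(lpApplicationName, lpCommandLine,
    lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags,
    lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
  // "after" code: only now does dwProcessId hold the real value
  if result and (Shared <> nil) and
     (WaitForSingleObject(Mutex, INFINITE) = WAIT_OBJECT_0) then
    try
      Inc(Shared^.CallCount);
      Shared^.LastPid := lpProcessInformation.dwProcessId;
    finally
      ReleaseMutex(Mutex);
    end;
end;

begin
  // Runs from DllMain (DLL_PROCESS_ATTACH); safe for the global mapping calls.
  Mutex   := CreateGlobalMutex('HookStatsMutex');   // assumed madCodeHook API
  Mapping := CreateGlobalFileMapping('HookStats', sizeOf(TSharedStats));
  if Mapping <> 0 then  // the returned handle works with the normal mapping APIs
    Shared := MapViewOfFile(Mapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);
  HookAPI('kernel32.dll', 'CreateProcessW', @CreateProcessWCallback, @CreateProcessWNext);
end.
```

The reader application opens the same area with OpenGlobalFileMapping plus MapViewOfFile and takes the same mutex before reading, so a writer in another process cannot hand it a half-updated record.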
zcecil
Posts: 22
Joined: Thu Sep 09, 2004 8:16 am

Post by zcecil »

Will OpenGlobalFileMapping take care of race conditions? Or do I have to use a mutex to prevent race conditions?
Last edited by zcecil on Sun Sep 19, 2004 10:23 am, edited 1 time in total.