
Hook after Function execution

Posted: Fri Nov 08, 2019 8:00 am
by mannujam
Is it possible to hook an API but after its execution, before it is returning?

Re: Hook after Function execution

Posted: Fri Nov 08, 2019 5:53 pm
by iconic
Can you please be more specific? Do you mean somewhere in the middle of execution?

—Iconic

Re: Hook after Function execution

Posted: Wed Nov 13, 2019 3:46 pm
by madshi
I think what he's asking is to do processing after the original API was called? If so, yes, that's easily possible. Basically your API hook callback function looks like this:

Code:

int SomeApiCallback(int param)
{
  // you can do some processing here
  int result = SomeApiOriginalApi(param);
  // you can do some more processing here
  return result;
}
So when any thread calls the hooked API, it will end up in your "SomeApiCallback()" routine, and the original API will not be called at all. In your hook callback routine you can then do whatever you like. You can call the original API with the original parameters, with modified parameters, or not at all. And you can do processing before and/or after calling the original API. It's completely up to you.
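
The pattern from the post above, as an added example that is not part of the original post and is not madshi's or any hooking library's code. It assumes a constructed stand-in API (`read_setting`) reached through a function-pointer slot instead of a real hooking library; all names are hypothetical. The callback validates arguments before the call, and after the original returns it inspects and masks the output before the caller sees it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the hooked API: copies a setting into buf, returns its length. */
typedef int (*read_setting_fn)(const char *name, char *buf, int buflen);

static int real_read_setting(const char *name, char *buf, int buflen)
{
    const char *value = strcmp(name, "api_token") == 0 ? "tok-12345" : "plain-value";
    snprintf(buf, (size_t)buflen, "%s", value);
    return (int)strlen(buf);
}

/* Callers always go through this slot (hypothetical, import-table style). */
static read_setting_fn read_setting = real_read_setting;
/* Saved pointer to the original; plays the role of SomeApiOriginalApi. */
static read_setting_fn read_setting_original = real_read_setting;
static int post_call_count = 0;

static int read_setting_callback(const char *name, char *buf, int buflen)
{
    /* Before the call: reject bad arguments without calling the original at all. */
    if (name == NULL || buf == NULL || buflen <= 0)
        return -1;
    int result = read_setting_original(name, buf, buflen);
    /* After the call: the original has filled buf, the caller has not seen it yet. */
    post_call_count++;
    if (result > 0 && strcmp(name, "api_token") == 0)
        memset(buf, '*', (size_t)result);   /* mask the value, keep the length */
    return result;
}

static void install_hook(void)
{
    read_setting_original = read_setting;   /* remember where the original lives */
    read_setting = read_setting_callback;   /* every caller now lands in the callback */
}

static void remove_hook(void) { read_setting = read_setting_original; }

int main(void)
{
    char buf[32];
    install_hook();
    int n = read_setting("api_token", buf, (int)sizeof buf);
    printf("hooked:   %d %s\n", n, buf);
    remove_hook();
    n = read_setting("api_token", buf, (int)sizeof buf);
    printf("unhooked: %d %s\n", n, buf);
    return 0;
}
```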

Re: Hook after Function execution

Posted: Wed Nov 13, 2019 4:19 pm
by iconic
Ahh ok, that's probably what he meant then :D I read it as "Hook after Function execution", in which case you could use a VEH hook through PAGE_GUARD tripping/resetting and single-step to play with the registers directly (modify eip/rip etc.)

--Iconic

Re: Hook after Function execution

Posted: Thu Nov 14, 2019 5:07 am
by mannujam
Thanks guys, will check the info and will respond