Hook after Function execution
Is it possible to hook an API but after its execution, before it is returning?
Re: Hook after Function execution
Can you please be more specific? Do you mean somewhere in the middle of execution?
—Iconic
Re: Hook after Function execution
I think what he's asking is to do processing after the original API was called? If so, yes, that's easily possible. Basically your API hook callback function looks like this:

int SomeApiCallback(int param)
{
    // you can do some processing here
    int result = SomeApiOriginalApi(param);
    // you can do some more processing here
    return result;
}

So when any thread calls the hooked API, it will end up in your "SomeApiCallback()" routine, and the original API will not be called at all. In your hook callback routine you can then do whatever you like. You can call the original API with the original parameters, with modified parameters, or not at all. And you can do processing before and/or after calling the original API. It's completely up to you.
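The callback pattern from the post above, as an added example that is not part of the original thread and goes one step beyond it: post-call processing must not disturb the status the original API left for its caller. The names `some_api`, `api_slot` and `audit` are constructed for illustration, the function-pointer slot stands in for whatever mechanism redirects the call, and `errno` stands in for the API's error state.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the hooked API: fails with ENOENT on empty names. */
static int some_api(const char *name) {
    if (name == NULL || name[0] == '\0') { errno = ENOENT; return -1; }
    return (int)strlen(name);
}
/* Constructed stand-in for the slot that callers are routed through. */
static int (*api_slot)(const char *) = some_api;
static int (*original_api)(const char *) = NULL;  /* saved by install_hook */
static int calls_seen, failures_seen;

/* Post-processing helper that clobbers errno, as logging or I/O code often does. */
static void audit(int result) {
    if (result < 0) failures_seen++;
    errno = 0;
}

static int some_api_callback(const char *name) {
    calls_seen++;                       /* processing before the call */
    int result = original_api(name);    /* original API runs to completion */
    int saved = errno;                  /* capture its status before our own code */
    audit(result);                      /* processing after the call */
    errno = saved;                      /* caller sees what the API set, not us */
    return result;
}

static int install_hook(void) {
    if (original_api != NULL) return -1;  /* already hooked: would recurse forever */
    original_api = api_slot;
    api_slot = some_api_callback;
    return 0;
}

static int remove_hook(void) {
    if (original_api == NULL) return -1;  /* nothing to restore */
    api_slot = original_api;
    original_api = NULL;
    return 0;
}

int main(void) {
    install_hook();
    int r = api_slot("");                 /* routed through the callback */
    remove_hook();
    return (r == -1 && errno == ENOENT) ? 0 : 1;
}
```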
Re: Hook after Function execution
Ahh ok, that's probably what he meant then. I read it as "Hook after Function execution". In which case you could use a VEH hook through PAGE_GUARD tripping/resetting and single-step to play with the registers directly (modify eip/rip etc.)
--Iconic
Re: Hook after Function execution
Thanks guys, will check the info and will respond.