开发者

Hook CreateFileW

I want to know what are the files opened/access by a process. May i know how to do that? I tried to use Deviare, a free hooking api to help me, but was unable to find any useful information from their AIP lib or forum.

I only know i have to hook on to kernel32.dll and createFileW and i am not sure of how to continue.

Pls help me. Thanks 开发者_如何学Goin advance.


It's right. You have to hook the function CreateFileA/W in kernel32.dll to monitor the acces. Do you want to hook these APIs in your own process or in an other process? If you want to hook functions in your own process you can use

void *DetourFunc(BYTE *src, const BYTE *dst, const int len)
{
    BYTE *jmp = (BYTE*)malloc(5+len);
    DWORD dwback;
    VirtualProtect(src,len,PAGE_READWRITE,&dwback);   
    memcpy(jmp,src,len);
    jmp += len;   
    jmp[0] = 0xE9;
    *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
    src[0] = 0xE9;
    *(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
    VirtualProtect(src,len,dwback,&dwback);
    return (jmp-len);
} 

for it. These function detours the function src (f.e. MessageBoxA()) to function dst. As len you can use 5. It returns a function pointer to the original function. An example call:

typedef int (WINAPI *__MessageBox)(
  __in_opt  HWND hWnd,
  __in_opt  LPCTSTR lpText,
  __in_opt  LPCTSTR lpCaption,
  __in      UINT uType
);
__MessageBox _MessageBox;

int cMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
//here you can change anything you want
return _MessageBox(hWnd,lpText,lpCaption,uType);
}

int main(void)
{
BYTE *hookfunc = (BYTE*)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA");
_MessageBox = (__MessageBox)DetourFunc(hookfunc,(BYTE*)cMessageBox,5);
return 0;
}

That's an usermode hook. If you want to do this systemwide I would use a device driver. Here is a tutorial about this. http://www.codeproject.com/KB/system/driverdev.aspx

And if you are using VC++ compile in multibyte mode ;). If you want to hook in an other process just google DLL-Injection ;).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜