Hook API SDK
Hook API SDK is a Software Development Kit for quickly and easily developing Windows system-wide hooking programs. It helps you hook Windows system functions or functions in 3rd-party applications, which means your own functions are called instead of certain Windows system APIs or functions of another application.
1. Your own function has the same form as the original system API or 3rd-party application function, so it is very easy to write a substitute function.
2. Hooking happens in real time: the hook is installed as soon as the process has been created.
3. It takes very little system resource and consumes nearly no CPU time.
The developer only needs to write the functions corresponding to the functions to be hooked, compile HookExec.dll, and call the install and uninstall functions in InstHook.dll; that implements the hook.
The HookExec project contains the following:
1) HookExec.h, which defines only the CAPIINFO structure:
#ifndef _HookExec_h_
#define _HookExec_h_
typedef struct
{
char *Module_name; /* module (DLL) whose function is hooked */
char *Func_name; /* hooked function name and parameter types, C style */
char *cFunc_name; /* name of the substitute function in HookExec.dll */
} CAPIINFO;
#endif /* _HookExec_h_ */
Module_name is the name of the DLL or other module file whose function will be hooked, for example kernel32.dll.
Func_name is the name and parameter list of the function in that DLL that will be hooked, written in C style, for example:
connect(SOCKET, struct sockaddr *, INT)
cFunc_name is the name of your own function, which is called in place of the hooked function, for example:
cConnect(SOCKET s, struct sockaddr *name, int namelen).
2) Define CAPIINFO c_api_info[] and fill it with the hook function information; the last entry must be all NULL, for example:
CAPIINFO c_api_info[] =
{
{"WSOCK32.DLL", "socket(INT, INT, INT)", "cSocket"},
{"WSOCK32.DLL", "connect(SOCKET, struct sockaddr *, INT)", "cConnect"},
{"WSOCK32.DLL", "recv(INT, char *, INT, INT)", "cRecv"},
{"WSOCK32.DLL", "send(INT, char *, INT, INT)", "cSend"},
{NULL, NULL, NULL} // the table must end with this entry
};
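As an added example (not part of the SDK), a small validator for the c_api_info table: it parses the C-style Func_name spec into the bare function name and parameter count and walks the NULL-terminated table, rejecting a missing field, an unparsable spec or a dangling comma before the table is handed to InstHook. The parameter count is worth checking because a WINAPI substitute with a different number of parameters than the hooked function unbalances the caller's stack. The CAPIINFO layout is the page's; parse_func_spec, validate_table and sample_api_info are names chosen here.

```c
#include <ctype.h>
#include <string.h>
/* Same layout as CAPIINFO in HookExec.h on this page. */
typedef struct { char *Module_name; char *Func_name; char *cFunc_name; } CAPIINFO;

/* Parses a Func_name spec such as "connect(SOCKET, struct sockaddr *, INT)":
 * copies the bare function name into name[] and the parameter count into *nparams
 * ("f()" counts as 0). Returns 0 on success, -1 if the spec is malformed. Commas
 * nested inside parentheses (function-pointer parameters) are not separators. */
int parse_func_spec(const char *spec, char *name, size_t namesz, int *nparams)
{
    const char *open = strchr(spec, '('), *p;
    int depth = 0, count = 0, nonblank = 0;
    size_t len;
    if (!open) return -1;
    len = (size_t)(open - spec);
    while (len > 0 && isspace((unsigned char)spec[len - 1])) len--;  /* allow "name (" */
    if (len == 0 || len >= namesz) return -1;
    memcpy(name, spec, len); name[len] = '\0';
    for (p = open + 1; *p; p++) {
        if (*p == '(') depth++;
        else if (*p == ')') { if (depth == 0) break; depth--; }
        else if (*p == ',' && depth == 0) { if (!nonblank) return -1; count++; nonblank = 0; }
        else if (!isspace((unsigned char)*p)) nonblank++;
    }
    if (*p != ')' || p[1] != '\0') return -1;   /* unbalanced, or text after ")" */
    if (count > 0 && !nonblank) return -1;      /* dangling comma: "f(a, )" */
    *nparams = count + (nonblank ? 1 : 0);
    return 0;
}

/* Walks a NULL-terminated c_api_info table: returns the entry count, or -(i + 1)
 * for the first entry i that is incomplete or whose Func_name does not parse. */
int validate_table(const CAPIINFO *tbl)
{
    char fn[64]; int i, n;
    for (i = 0; tbl[i].Module_name; i++)
        if (!tbl[i].Func_name || !tbl[i].cFunc_name ||
            parse_func_spec(tbl[i].Func_name, fn, sizeof fn, &n) != 0) return -(i + 1);
    return i;
}

/* Constructed sample: the WSOCK32 table from this page, as validate_table() input. */
CAPIINFO sample_api_info[] = {
    {"WSOCK32.DLL", "socket(INT, INT, INT)", "cSocket"},
    {"WSOCK32.DLL", "connect(SOCKET, struct sockaddr *, INT)", "cConnect"},
    {"WSOCK32.DLL", "recv(INT, char *, INT, INT)", "cRecv"},
    {"WSOCK32.DLL", "send(INT, char *, INT, INT)", "cSend"},
    {NULL, NULL, NULL} };                        /* terminator the SDK requires */
```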
3) The function GetCAPIINFO must be defined:
CAPIINFO *GetCAPIINFO()
{
return &c_api_info[0]; // InstHook reads the hook table through this export
}
4) Code your user functions, for example:
DWORD _cdecl cFuncName(type1 param1, type2 param2, …)
The function must be defined with WINAPI (in
int WINAPI cConnect(SOCKET s, struct sockaddr *name, int namelen)
{
struct sockaddr_in *paddr = (struct sockaddr_in *)name;
char *ip = "?";
int port = 0;
int ret, err;
if (paddr != NULL && paddr->sin_family == AF_INET) // decode IPv4 addresses only; never dereference a NULL name
{
ip = inet_ntoa(paddr->sin_addr);
port = ntohs(paddr->sin_port);
}
ret = connect(s, name, namelen); // call the original connect
err = WSAGetLastError(); // save the error code before our own calls can change it
WriteLog("connect: ip=%s, port=%d, ret=%d\n", ip, port, ret); // check filter
WSASetLastError(err); // restore it so the hooked process sees the original error code
return ret;
}
In the example we restore the error code, because handling the call with our own procedure changes the error code, and the original process may decide what to do next based on it. Even if cConnect did not call the original connect, we would have to use WSASetLastError or SetLastError to set the error code before cConnect returns. Other functions should do the same.
5) HookExec.def exports GetCAPIINFO and the user functions, for example:
LIBRARY HookExec
EXPORTS
GetCAPIINFO @1
cRegOpenKeyA @2
cRegOpenKeyW @3
cRegQueryValueA @4
cRegQueryValueW @5
cRegQueryValueExA @6
cRegQueryValueExW @7
InstHook.dll contains these functions (refer to InstHook.h):
Build the Hook, InstHook and HookExec projects, put HookNT.dll (or Hook9x.dll), InstHook.dll, HookExec.dll and your application that uses the hook functions (e.g. DemoHook.exe) in the same directory, then run your application. That's it.
http://www.hook-api.com
05/10/2006