- This example demonstrates the use of the (Un)LoadModuleTime APIs and of
- HOOKS_DYNAMIC with EXCLUDED module(s).
- 1) Alternative.dll is loaded into the given process (here the current
- process) using LoadModuleTime.
- 2) Alternative calls EstablishApiHooks with HOOKS_DYNAMIC and one
- excluded module (Alternative.dll). The API MessageBoxA is hooked.
- 3) Alternative.dll is unloaded using UnloadModuleTime.
-
- The same effect could be obtained if Alternative.dll exported its
- hooks statically (and didn't use dynamic hooks) and EstablishApiHooks
- were called. The disadvantage of the 1st solution is that
- ApiHooks.dll must be present in the given process.
- (Even if EstablishApiHooks is used with a module with no hooks, the
- module is uploaded and dynamic hooks are applied, but the hooks can't
- be established and the return value will be ErrorRemoteExec.)
-
- If the dynamic hooks were applied without excluding the module
- (Alternative.dll) that both hooks and imports the given API
- (MessageBoxA), a call to MessageBoxA would never end, because
- MessageBoxA in the hooking module would point to a routine in that
- same module:
- NewMessageBoxA:
- ...CALL [_imp__MessageBoxA]
- but [_imp__MessageBoxA] == NewMessageBoxA
-
-
- How to exclude modules?
- Exclusion is allowed in HOOKS_DYNAMIC only and applies to ALL_MODULES
- hooks. UnhookAddresses in the 1st API_HOOK structure (with
- HOOKS_DYNAMIC) must point to a null-terminated list of image bases.
-
- In C syntax:
- API_HOOK ApiHookChain[x] = {
- {HOOKS_DYNAMIC, NULL, 0, NULL, Excluded, NULL},
- {ModExp, Api, Attributes, ModImp, UnhookApi, NewApi},
- //...
- {HOOKS_END}
- };
-
- Excluded[N+1] = {Base0, Base1, ... BaseN, NULL};
-
- Then, when ApiHooks applies the given hooks to ALL_MODULES, it
- compares each module's base with the bases in the exclude list. If the
- base is found, that module is not hooked.
-
- Using HOOKS_DYNAMIC with excluded modules makes sense when a .dll calls
- EstablishApiHooks* with hooks containing ALL_MODULES.
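
The exclude-list comparison and the endless-call case described above, as an added simulation that is not part of ApiHooks or of the original example. It models each module's import slot as a plain function pointer; the Module struct, the helper functions and the image bases are hypothetical, constructed for illustration.

```c
/* Simulation only: each module's import slot for MessageBoxA is modelled as a
   function pointer. Structs, helpers and image bases are constructed. */
#include <stddef.h>
#include <stdio.h>

typedef int (*msgbox_fn)(const char *text);
typedef struct { void *base; msgbox_fn imp_MessageBoxA; } Module;
static Module *g_self;  /* the module that owns the hook (Alternative.dll) */

static int RealMessageBoxA(const char *text) { (void)text; return 1; }

/* The hook forwards through the hooking module's own import slot. */
static int NewMessageBoxA(const char *text) {
    return g_self->imp_MessageBoxA(text) + 100;
}

static int is_excluded(void *base, void *const *excluded) {
    for (; excluded && *excluded; ++excluded)  /* NULL-terminated list of bases */
        if (*excluded == base) return 1;
    return 0;
}

/* Patch every module whose base is not in the exclude list; returns the count. */
static int hook_all_modules(Module *mods, size_t n, void *const *excluded) {
    int patched = 0;
    for (size_t i = 0; i < n; ++i)
        if (!is_excluded(mods[i].base, excluded)) {
            mods[i].imp_MessageBoxA = NewMessageBoxA;
            ++patched;
        }
    return patched;
}

/* Returns app.exe's call result, or -1 if the hook's own slot is the hook. */
static int run(int use_exclude, int *patched) {
    Module mods[3] = { { (void *)0x00400000, RealMessageBoxA },   /* app.exe */
                       { (void *)0x10000000, RealMessageBoxA },   /* Alternative.dll */
                       { (void *)0x20000000, RealMessageBoxA } }; /* other.dll */
    void *excluded[] = { mods[1].base, NULL };
    g_self = &mods[1];
    *patched = hook_all_modules(mods, 3, use_exclude ? excluded : NULL);
    if (g_self->imp_MessageBoxA == NewMessageBoxA) return -1;  /* would never end */
    return mods[0].imp_MessageBoxA("hi");
}

int main(void) {
    int n1, n2, r1 = run(1, &n1), r2 = run(0, &n2);
    printf("excluded: %d/%d  not excluded: %d/%d\n", n1, r1, n2, r2);
    return 0;
}
```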