I have a question. I have a static VxD which hooked the API CreateProcess(). It works fine and the source looks like this:

Begin_control_dispatch MESSAGE
    Control_Dispatch Create_Process, myproc
End_control_dispatch MESSAGE

But now I want to hook e.g. CreateFileA(). But I don't find any Create_File equate in my .inc files. Anybody here who can help me with that?
Posted on 2001-12-20 10:55:23 by belial
Have you lost Kernel32.inc?
Posted on 2001-12-20 14:22:08 by CodeLover
In kernel32.inc there is only a definition for the procedure with a proto. But the equate I need is a number; for Create_Process it was 31h or something like this, if I remember right.
Posted on 2001-12-20 14:32:49 by belial
Well, the thing that you need is a PE editor.
Go to y0da.cjb.net and download PEditor v1.7.

After that, copy kernel32.dll somewhere and edit it with PEditor, and then take a look at the exported functions. There you will also see the number of the function that you need.

Did this help you?

bYe! :alright:
Posted on 2001-12-20 14:45:01 by eXterminator
As far as I know you cannot blindly rely on this number you get from your kernel, because if you do, your prog may not be Win32 compatible (Microsoft used to change these values in the past). You have to set up a flexible way to get those API bases; the only thing you need for this is the kernel module base... and there are many Win32-compatible ways to obtain this value...
Posted on 2001-12-20 17:30:54 by mob
Are you sure that they will change? I ask because the Create_Process equate is in vmm.inc or shell.inc, and they can't put values in it which differ from Windows to Windows, can they?
Posted on 2001-12-21 08:16:35 by belial
I only said that they COULD do this... Normal progs would not have any problems because the API bases are calculated by the loader; if you just grab some base value it will work, but you can't be sure that your prog will run clean under the next Windows version...
BTW, I do not have vmm.inc or shell.inc; maybe these values have other meanings?
Posted on 2001-12-21 08:28:35 by mob
I dunno. Fact is that vmm.inc and shell.inc were in my MASM package. There are some equates for the APIs the VxD can hook. But there are only a few; that's why I asked my first question.
Posted on 2001-12-21 08:40:02 by belial
OK, the address of CreateFileA is 77E76F87h, the ordinal is 38h (oh, I hope you didn't mean the ordinal number...). I'm on a Win2k machine right now... Oh no, now I see, sorry, you meant the ordinal :) OK... but... I wouldn't rely on ordinals either... (Somewhere I read that Microsoft changed them before and might do this in future Windows versions, too...)
Posted on 2001-12-21 08:53:37 by mob
I'm not sure whether these equates are the ordinals. Here is a part of vmm.inc with possible hooks:

DESTROY_VM2 EQU 0029H
VM_SUSPEND2 EQU 002AH
END_MESSAGE_MODE2 EQU 002BH
END_PM_APP2 EQU 002CH
DEVICE_REBOOT_NOTIFY2 EQU 002DH
CRIT_REBOOT_NOTIFY2 EQU 002EH
CLOSE_VM_NOTIFY2 EQU 002FH
GET_CONTENTION_HANDLER EQU 0030H
KERNEL32_INITIALIZED EQU 0031H
KERNEL32_SHUTDOWN EQU 0032H
CREATE_PROCESS EQU 0033H
DESTROY_PROCESS EQU 0034H

This can't be the ordinals, I think. And all these APIs (are they all APIs?) look a bit "special".
Posted on 2001-12-22 07:54:46 by belial
Why don't you put a hook in IFSMgr, if you're coding a VxD? Patching API code is only justifiable if you don't want to go down the road of writing a VxD...

Anyway, you shouldn't use fixed API addresses. Scan the kernel32 export table ;)

ancev
Posted on 2001-12-22 14:48:39 by ancev
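An added example (not from this thread or any poster) of what "scan the kernel32 export table" means in practice: a small Python walker over a PE32 export directory that resolves an export name to its ordinal and address, so nothing is hard-coded. It runs against a constructed miniature image whose export names, RVAs and the image base 0x77E60000 are all made up for the demonstration.

```python
import struct
# Walks a PE32 export directory by name instead of trusting a fixed ordinal or address.
# Offsets follow IMAGE_NT_HEADERS32, IMAGE_SECTION_HEADER and IMAGE_EXPORT_DIRECTORY.
def rva_to_off(rva, sections):
    for va, raw_size, raw_ptr in sections:             # map an RVA to a file offset
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def parse_exports(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    exp_rva = struct.unpack_from("<I", data, opt + 0x60)[0]   # DataDirectory[0] = exports
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)  # VA, RawSize, RawPtr
                for i in range(nsec)]
    ed = rva_to_off(exp_rva, sections)
    base, nfunc, nnames, afunc, anames, aords = struct.unpack_from("<6I", data, ed + 16)
    funcs = struct.unpack_from("<%dI" % nfunc, data, rva_to_off(afunc, sections))
    names = struct.unpack_from("<%dI" % nnames, data, rva_to_off(anames, sections))
    ords = struct.unpack_from("<%dH" % nnames, data, rva_to_off(aords, sections))
    exports = {}
    for name_rva, idx in zip(names, ords):              # idx is unbiased; Base gives the real ordinal
        off = rva_to_off(name_rva, sections)
        exports[data[off:data.index(b"\0", off)].decode("ascii")] = (base + idx, funcs[idx])
    return exports

def resolve(data, image_base, name):
    entry = parse_exports(data).get(name)              # (ordinal, VA) or None if not exported
    return None if entry is None else (entry[0], image_base + entry[1])

def build_sample_image():
    # Constructed miniature PE32 (not real kernel32): one section, RVA 0x1000 <- file offset 0x100.
    img = bytearray(0x200)
    img[0:2], img[0x40:0x44], img[0xC0:0xC6] = b"MZ", b"PE\0\0", b".edata"
    struct.pack_into("<I", img, 0x3C, 0x40)                            # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)                       # Machine i386, 1 section
    struct.pack_into("<H", img, 0x54, 0x68)                            # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                           # PE32 magic
    struct.pack_into("<II", img, 0xB8, 0x1000, 0x100)                  # export dir RVA, size
    struct.pack_into("<IIII", img, 0xC8, 0x100, 0x1000, 0x100, 0x100)  # VirtSize, VA, RawSize, RawPtr
    struct.pack_into("<6I", img, 0x110, 1, 3, 3, 0x1030, 0x1040, 0x1050)  # Base .. AddressOfNameOrdinals
    struct.pack_into("<3I4x3I4x3H", img, 0x130, 0x2100, 0x2200, 0x2300,   # made-up function RVAs
                     0x1060, 0x106C, 0x107B, 0, 1, 2)                  # name RVAs, unbiased ordinals
    img[0x160:0x181] = b"CreateFileA\0CreateProcessA\0Sleep\0"
    return bytes(img)
```

resolve(build_sample_image(), 0x77E60000, "CreateFileA") gives (1, 0x77E62100): the ordinal and address come from the table, so a rebuilt DLL with different ordinals still resolves correctly.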
Use IFSMgr if you want to monitor executing applications. The specific functions you are looking for are InstallFileSystemApiHook and RemoveFileSystemApiHook.

Good Luck ;)
Posted on 2001-12-22 21:36:11 by Eagle17
I can try it. Perhaps I should tell you my original problem was to install some code which checks the interconnection state and makes an HTTP request immediately after a connection is established. So I thought I could solve the problem very well with a VxD. Or does anybody of you know a different way?
Posted on 2001-12-23 05:50:12 by belial
No problem anymore now. I thought too complicated ;)
Posted on 2001-12-23 11:58:19 by belial