Is it Possible, to open a DLL file, go to iots export table, get the pointer to a certain APIs address in AddressOfFunctions array (after doing the oridnal stuff) and then, Modify that address in the table, to your ograms address in memory, to intercept that particular API ? i had that idea to write like a security program i could patch kernel32 dll export table and intercept calls to delete files etc asking the user "hey, you wanna do this?" or inform them ofgf aun authorized file modifications
You can but there are a few problems you will encounter: - Your code will work only on win9x: NT/2k won't allow you to modify the dll while it's running - Your program must be running, always. If something nasty like your app crashing, it'll take the whole system down with it - Modification of the export table entry will not affect those programs that run before you patch the export table, ie, they will use the "correct" addresses in kernel32.dll, not the ones you supplied later.
W32_Guy, ooooh oooh oooh that sounds scarey, if you intend to try this then I would be prepared to see you system fail repeatedly, probably requiring a re-install each time....... If you do want to try, the way to do it would be to 1) rename kernel.dll to origkern.dll 2) create your own kernel.dll, implementing all the original functions of kernel.dll, but all they do is call the ones in origkern.dll 3) reboot and pray..... Better to set a ACL on the directory to restrict users.... umbongo This message was edited by umbongo, on 4/26/2001 4:41:26 AM
I am surprised by the answer because kernel32.dll is write protected so you cannot patch this dll while it is loaded in memory and you cannot use VirtualProtect api to change the memory page into PAGE_EXECUTE_READWRITE. May be M Izcelion could give us the right way to do this, even if it only works on win98 or win95 ? I think that you cannot by-pass the write protection.
Yes you can farinas. use CopyFileA to Copy it somewhere else, open it, modify it and then write a wininit.ini to update it. that simple.
farinas: I didn't speak of the case where you modify the kernel32.dll file. That's too risky but can be done. I spoke of the case when you modified kernel32.dll during runtime, in memory. You can modify the export table under win9x: it has already been done by a guy from Israel named fresh about 2 years ago.
Ok Mister Iczelion, this was exactly my question: how to patch the export table during runtime knowing that the memory pages where we need to patch the new bytes are WRITE_PROTECTED. I think that the method proposed by W32_Guy is not the apropriate response because he proposes to modifie the dll file (or a copy of it). So, Mister Iczelion, I will check for Mister Fresh proposal because it seems to be an interesting issue. I think that the only way to do this is to switch into ring0 before patching the bytes. Do you think, Mister Iczelion that there exist another method?
While I confess to being somewhere less than zero interested in patching system DLLs, there are a few basics about why they are hard to modify and this is to protect the operating system from viral type modifications. "fresh" did the mods in win9x which does not have the same protection that later versions have. For anyone who has a genuine use of intercepting system calls, virus detectors like AVP do a lot of low level checking before it allows a file to run so the capacity is there if the correct types of drivers are written. Just one note on this thread, smartarse wisecracks are not appreciated in this forum, many people differ over many things which is normal but they do it in a friendly way, lets keep it that way. Regards, firstname.lastname@example.org
Ok Hutch, I understand your reply but I do not understand the reason why you wrote the last paragraph. W32_Guy seems to have good ideas. In fact, what I understand is that he is making some king of ApiSpy. Of course these kind of programs already exists but if W32_Guy proposes some ideas why not to learn from him?
heeh iczelion, even i didn't remember that proggie, i'm surprised you did =) was that really 2 years ago?? :)