I read some tutorials about this interesting topic but I haven't understood very much.
I don't need any source for now, I just want to understand the
process of how this can be done. (And yes, I searched the forum for previous topics about this and read those threads too.)

Here is what I think I understand: OK, there is local and global hooking. Local is pretty easy, you just have to patch the IAT to point to my code which resides in a DLL.

Now about global: I am not interested in ring0 methods because I
need a Win32-compatible method, and that can of course be done only from ring3. Also I am not interested in physically changing DLLs on the HDD, that's kind of the virus way; I want to work just in memory.
Of course, if this is not possible to do purely in ring3 I guess I will
have to learn that nasty ring0 stuff.

OK, there are a few methods, but I don't understand either of them well.
OK, I understand the proxy DLL method but it sucks and I am not interested in it.
Now to hook an API we need to insert our code in other processes; this is
done e.g. using a system-wide hook via SetWindowsHookEx()... OK, that's clear,
but then what?
Should I put some initialisation code in the DLL init function (which is
called whenever the DLL is loaded into memory or into a process), like get the
image base of the program that loaded me, then get its IAT and then
alter the IAT to point to code in the DLL, or what?
Is this possible and is it effective?

What about patching the export table of DLLs instead of patching every single IAT of processes? I guess this would involve work from ring0 but I am not sure...

What is meant by injecting the DLL at the right time (I saw that in some tutorials)? The system hook DLL is loaded whenever some process is created... then what is the right time for loading?

I know about the "trampoline" method, changing the first 5 bytes of an API function in the shared memory in which shared DLLs like kernel32.dll reside.
OK, that memory is kind of protected for writing/reading, right?
OK, let's say we deprotect it (I saw it's possible), so does that mean
that it's deprotected only in our process or in all processes in the system, because it's a shared memory region so every process shares it, so when it's changed in one of those processes then it affects all other processes?
I think this method was used in the hideproc utility by vecna found on the Iczelion site.
I know the main problem of this method is that it can miss hooking some call when replacing the original bytes at the API address... is there any solution for this?

And yes, I know about EliCZ but I don't want a library for this, I simply
want to learn about this... first in theory and then practically (coding).
I want to use API hooking for security programs, for example I want to get notified whenever some program wants to delete some file, or when a connection is attempted via the connect() API (like a firewall).

Please, when responding, quote the part of my text above your answer so I can know which part of my question the response applies to and thus not create a mess in the thread :D
Posted on 2002-10-06 17:01:55 by Mikky
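The IAT walk the opening post describes (get the image base of the program that loaded the DLL, find its import table, overwrite the slot so calls go to code in the injected DLL), as an added example that is not from this thread or any of the posters. It parses a tiny PE32 image constructed in memory with RVA equal to file offset, so it builds and runs on any platform with a C compiler; every address in it (the 0x7C8xxxxx "resolved" values, 0x10001000 as the hook address) is made up for the demo. On a real Windows process the same walk starts at the base returned by GetModuleHandle(NULL), typically from DllMain on DLL_PROCESS_ATTACH, and the IAT page must first be made writable with VirtualProtect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the constructed PE32 image (offsets == RVAs, as if mapped with
   SectionAlignment == FileAlignment).  All values below are made up for the demo. */
#define IMG_SIZE        0x400
#define NT_OFF          0x40                  /* e_lfanew */
#define OPT_OFF         (NT_OFF + 4 + 20)     /* "PE\0\0" + IMAGE_FILE_HEADER */
#define IMPORT_DIR_OFF  (OPT_OFF + 96 + 8*1)  /* DataDirectory[1] of a PE32 optional header */
#define IMPORT_DESC_RVA 0x200
#define DLLNAME_RVA     0x240
#define ILT_RVA         0x260
#define HINT_DELETE_RVA 0x280
#define HINT_CREATE_RVA 0x290
#define IAT_RVA         0x300

uint8_t g_image[IMG_SIZE];

static uint16_t rd16(const uint8_t *b, uint32_t o) { return (uint16_t)(b[o] | (b[o+1] << 8)); }
static uint32_t rd32(const uint8_t *b, uint32_t o) {
    return b[o] | (b[o+1] << 8) | (b[o+2] << 16) | ((uint32_t)b[o+3] << 24);
}
static void wr16(uint8_t *b, uint32_t o, uint16_t v) { b[o] = v & 0xFF; b[o+1] = v >> 8; }
static void wr32(uint8_t *b, uint32_t o, uint32_t v) {
    for (int i = 0; i < 4; i++) b[o+i] = (uint8_t)(v >> (8*i));
}

/* ASCII case-insensitive compare: import descriptors spell the DLL as "KERNEL32.dll" etc. */
static int name_eq_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if ((*a | 0x20) != (*b | 0x20)) return 0;
    return *a == *b;
}

/* Build a minimal image importing DeleteFileA and CreateFileA from kernel32.dll.
   The IAT holds fake "resolved" addresses (constructed, not real kernel32 exports). */
uint8_t *sample_image(void) {
    memset(g_image, 0, IMG_SIZE);
    wr16(g_image, 0, 0x5A4D);                         /* "MZ" */
    wr32(g_image, 0x3C, NT_OFF);                      /* e_lfanew */
    wr32(g_image, NT_OFF, 0x00004550);                /* "PE\0\0" */
    wr16(g_image, NT_OFF + 4, 0x014C);                /* Machine = i386 */
    wr16(g_image, NT_OFF + 4 + 16, 0xE0);             /* SizeOfOptionalHeader (PE32) */
    wr16(g_image, OPT_OFF, 0x10B);                    /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    wr32(g_image, IMPORT_DIR_OFF, IMPORT_DESC_RVA);   /* import directory RVA */
    wr32(g_image, IMPORT_DIR_OFF + 4, 40);            /* one descriptor + null terminator */
    wr32(g_image, IMPORT_DESC_RVA + 0, ILT_RVA);      /* OriginalFirstThunk */
    wr32(g_image, IMPORT_DESC_RVA + 12, DLLNAME_RVA); /* Name */
    wr32(g_image, IMPORT_DESC_RVA + 16, IAT_RVA);     /* FirstThunk = the IAT */
    memcpy(g_image + DLLNAME_RVA, "KERNEL32.dll", 13);
    wr32(g_image, ILT_RVA, HINT_DELETE_RVA);
    wr32(g_image, ILT_RVA + 4, HINT_CREATE_RVA);      /* third entry stays 0 = end of list */
    memcpy(g_image + HINT_DELETE_RVA + 2, "DeleteFileA", 12);  /* 2-byte hint, then name */
    memcpy(g_image + HINT_CREATE_RVA + 2, "CreateFileA", 12);
    wr32(g_image, IAT_RVA, 0x7C831F00);               /* fake resolved DeleteFileA */
    wr32(g_image, IAT_RVA + 4, 0x7C801A24);           /* fake resolved CreateFileA */
    return g_image;
}

/* DOS header -> NT headers -> optional header -> import directory -> descriptor for 'dll'
   -> lookup table; returns the offset of the IAT slot for 'func', or 0 if not imported. */
static uint32_t find_iat_slot(const uint8_t *img, const char *dll, const char *func) {
    if (rd16(img, 0) != 0x5A4D) return 0;
    uint32_t nt = rd32(img, 0x3C);
    if (rd32(img, nt) != 0x00004550) return 0;
    uint32_t opt = nt + 4 + 20;
    if (rd16(img, opt) != 0x10B) return 0;            /* PE32 only; PE32+ uses 64-bit thunks */
    uint32_t desc = rd32(img, opt + 96 + 8 * 1);
    if (desc == 0) return 0;                          /* image has no imports */
    for (; rd32(img, desc + 12) != 0; desc += 20) {   /* array ends with an all-zero descriptor */
        if (!name_eq_ci((const char *)img + rd32(img, desc + 12), dll)) continue;
        uint32_t ilt = rd32(img, desc + 0), iat = rd32(img, desc + 16);
        if (ilt == 0) ilt = iat;  /* some linkers omit the ILT; only valid before the loader binds */
        for (uint32_t i = 0;; i++) {
            uint32_t thunk = rd32(img, ilt + 4 * i);
            if (thunk == 0) break;
            if (thunk & 0x80000000u) continue;        /* import by ordinal: no name to match */
            if (strcmp((const char *)img + thunk + 2, func) == 0) return iat + 4 * i;
        }
    }
    return 0;
}

uint32_t read_iat_slot(const uint8_t *img, const char *dll, const char *func) {
    uint32_t slot = find_iat_slot(img, dll, func);
    return slot ? rd32(img, slot) : 0;
}

/* Redirect one import to hook_va, saving the original so the hook can call through. */
int hook_iat_entry(uint8_t *img, const char *dll, const char *func, uint32_t hook_va, uint32_t *orig) {
    uint32_t slot = find_iat_slot(img, dll, func);
    if (slot == 0) return 0;
    if (orig) *orig = rd32(img, slot);
    wr32(img, slot, hook_va);                         /* on Windows: VirtualProtect first */
    return 1;
}

int main(void) {
    uint32_t orig = 0;
    uint8_t *img = sample_image();
    if (hook_iat_entry(img, "kernel32.dll", "DeleteFileA", 0x10001000u, &orig))
        printf("DeleteFileA slot: %08X -> %08X\n", orig, read_iat_slot(img, "kernel32.dll", "DeleteFileA"));
    return 0;
}
```

Two things the walk makes visible: the IAT belongs to the importing module, so every process (and every DLL inside it that imports the API) has its own slots and must be patched separately, and a lookup by name finds nothing for imports by ordinal or for calls made through GetProcAddress, which never touch the IAT at all.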
Of course, if this is not possible to do purely in ring3 I guess I will have to learn that nasty ring0 stuff.
If you want to hook only APIs from kernel32.dll, user32.dll, gdi32.dll and only under NT clones,
you can completely forget about ring3, because all these calls go through one very narrow bottleneck: INT 2Eh. Trapping it is a clean, nice solution. You hook all running and not-yet-running processes system-wide.


Mikky, forgive me for not answering all your questions.
I'm sorry, but too many questions... too much typing. We are all too busy, you know.
But let me tell you the truth. If you want to learn about this... first in theory and then practically,
you should grab all the info about it first, read it carefully many times (most questions you ask were answered),
and then take a very close look at EliCZ's ApiHooks; it offers the best methods. Yes, I know you don't want to use the DLL from it, and I'm not talking about that. There is source code of ApiHooks v2.2; you can fetch it from the EliCZ site.
You have to look inside and learn. It takes much time to understand all this stuff, because it's highly optimized and has much undocumented stuff. I think it's the best method (learning, I mean).
So, be patient.

BTW:
ApiHooks 6.0 will be released at the beginning of next year.
There will be 2 distributions:
- standard (fully functional) for noncommercial use and development
- professional (~ $250) for commercial use and development with many pluses like (the world's best) apispy, quick samples (edit and go), docs in PPT, support, etc
Posted on 2002-10-07 04:03:18 by Four-F
This bit is off the top of my head, but I am sure it is fairly accurate:
- in both NT and 9x systems, the core system DLLs are loaded once and shared across all processes
- when you hook a kernel/Windows API through patching the Windows DLL in Win9x, the hook affects all currently running processes, and any subsequent processes that get started
- when you implement the same hook in NT-based systems, the patched DLL gets copied to the process space of the process that did the patching, which means the hook only affects that process. This means that to affect all processes, you have to patch the IAT of all processes. You also need a means of patching the IAT for any processes that are started subsequently.

Another source to check for info is the work of Matt Pietrek; he did a lot of this sort of thing back in the mid-90s. You can find his old work in back issues of MSJ magazine, available to read on the MS website. Also check out his book 'Windows 95 System Programming Secrets', although it may be hard to find as it is out of print. If you have trouble finding his work, PM me and I will dig up some links for you. Also, the book 'Undocumented Windows NT' may be helpful, but I do not know who the author is.
Posted on 2002-10-08 06:13:34 by sluggy
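The 5-byte "trampoline" patch from the opening post, and the "missed call" race it asks about, as an added example that is not taken from this thread, from vecna's hideproc or from EliCZ's ApiHooks. It works on byte buffers that stand in for the function entry, its trampoline and the 5 padding bytes before the function; FUNC_VA, HOOK_VA and TRAMP_VA are assumed addresses, and the entry bytes are the mov edi,edi / push ebp / mov ebp,esp sequence that Microsoft's hotpatch-enabled builds put at the start of exports. The second installer shows the hotpatch answer to the race: a 2-byte short jump into the padding instead of a 5-byte store over live code. On Windows the writes are preceded by VirtualProtect and, as sluggy notes above, on NT they land in this process's private copy of the page only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed (made-up) virtual addresses for the demo. */
#define FUNC_VA  0x7C801A24u   /* pretend export inside kernel32 */
#define HOOK_VA  0x10001000u   /* our handler inside the injected DLL */
#define TRAMP_VA 0x10003000u   /* executable scratch page holding the trampoline */

/* Entry sequence of hotpatch-enabled Win32 exports: mov edi,edi / push ebp / mov ebp,esp.
   Exactly 5 bytes and position-independent, so the bytes can be moved unchanged. */
const uint8_t kHotpatchPrologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

typedef struct {
    uint8_t pad[5];     /* the 5 bytes immediately before the function */
    uint8_t func[16];   /* first bytes of the target function */
    uint8_t tramp[16];  /* trampoline the hook calls to reach the original */
    uint8_t saved[5];   /* displaced bytes, kept so the hook can be removed */
} hook_state;

hook_state g_hs;

/* E9 rel32: rel32 is relative to the end of the 5-byte instruction, modulo 2^32. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5]) {
    uint32_t rel = to - (from + 5);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Target of an E9 rel32 located at virtual address at_va; 0 if the byte is not E9. */
uint32_t jmp_target(const uint8_t *at, uint32_t at_va) {
    if (at[0] != 0xE9) return 0;
    uint32_t rel = at[1] | (at[2] << 8) | (at[3] << 16) | ((uint32_t)at[4] << 24);
    return at_va + 5 + rel;
}

/* Classic 5-byte inline hook: jmp HOOK_VA over the entry; trampoline = displaced bytes +
   jmp back to FUNC_VA+5.  Refuses unknown prologues: copying half an instruction, or one
   with an EIP-relative operand, yields a trampoline that crashes. */
int install_inline_hook(hook_state *s) {
    if (memcmp(s->func, kHotpatchPrologue, 5) != 0) return 0;
    memcpy(s->saved, s->func, 5);
    memcpy(s->tramp, s->func, 5);
    encode_jmp_rel32(TRAMP_VA + 5, FUNC_VA + 5, s->tramp + 5);
    uint8_t jmp[5];
    encode_jmp_rel32(FUNC_VA, HOOK_VA, jmp);
    /* On Windows: VirtualProtect(..., PAGE_EXECUTE_READWRITE) first.  This 5-byte store is
       not atomic: a thread executing inside these bytes right now can crash or run the old
       code, which is the "missed call" problem. */
    memcpy(s->func, jmp, 5);
    return 1;
}

/* Hotpatch variant: the long jmp goes into the padding before the function and the 2-byte
   mov edi,edi is replaced by a 2-byte short jmp to it.  A 2-byte store that does not cross
   a cache line is atomic on x86, so no thread ever sees a half-written instruction; the
   original is re-entered at FUNC_VA+2, no trampoline needed. */
int install_hotpatch_hook(hook_state *s) {
    if (memcmp(s->func, kHotpatchPrologue, 5) != 0) return 0;
    encode_jmp_rel32(FUNC_VA - 5, HOOK_VA, s->pad);
    memcpy(s->saved, s->func, 2);
    s->func[0] = 0xEB; s->func[1] = 0xF9;   /* jmp short -7: from FUNC_VA+2 back to FUNC_VA-5 */
    return 1;
}

void reset_state(hook_state *s) {
    memset(s, 0, sizeof *s);
    memset(s->pad, 0xCC, 5);                /* int3 padding emitted before hotpatchable functions */
    memcpy(s->func, kHotpatchPrologue, 5);
}

int demo_inline(void)   { reset_state(&g_hs); return install_inline_hook(&g_hs); }
int demo_hotpatch(void) { reset_state(&g_hs); return install_hotpatch_hook(&g_hs); }

/* push ebp / mov ebp,esp / sub esp,imm8: byte 5 is the middle of "sub", so a blind 5-byte
   copy would split an instruction.  The installer must refuse it. */
int demo_unknown_prologue(void) {
    static const uint8_t p[5] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC };
    reset_state(&g_hs);
    memcpy(g_hs.func, p, 5);
    return install_inline_hook(&g_hs);
}

int main(void) {
    if (demo_inline())
        printf("inline: entry -> %08X, trampoline -> %08X\n",
               jmp_target(g_hs.func, FUNC_VA), jmp_target(g_hs.tramp + 5, TRAMP_VA + 5));
    if (demo_hotpatch())
        printf("hotpatch: pad -> %08X, entry bytes %02X %02X\n",
               jmp_target(g_hs.pad, FUNC_VA - 5), g_hs.func[0], g_hs.func[1]);
    return 0;
}
```

For functions without the fixed 5-byte prologue a real implementation needs an instruction-length decoder to know how many whole instructions to displace, and must fix up any relative branch it moves; the refusal in demo_unknown_prologue is the minimum safe behaviour without one.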
4-F: it's OK, I am not in a hurry with this; I didn't expect to get answers to all my questions right away. I am still researching, so I would probably find some answers by myself.
Also, can you please send me the source of ApiHooks v2.2, because I was unable to find it on the EliCZ site; I guess he took it off. A Google search also didn't give me positive results.

sluggy: I have that famous book from Matt in PDF format; I don't remember where I got it but if someone needs it I can retrieve that link. Also, is 'Undocumented Windows NT' also available in PDF or any other e-format?
Also feel free to post here links to Matt's work about this topic; I saw on his site that some articles by him are not available anymore
on the MS site.


- when you implement the same hook in NT-based systems, the patched DLL gets copied to the process space of the process that did the patching, which means the hook only affects that process. This means that to affect all processes, you have to patch the IAT of all processes. You also need a means of patching the IAT for any processes that are started subsequently.

Hmm... so is this the copy-on-write stuff I've read about?
So does this protection of system code on NT happen only when we patch, say, the kernel from ring3, or does it also apply to patching that protected memory from ring0?
Posted on 2002-10-08 08:00:15 by Mikky
...can you please send me the source of ApiHooks v2.2, because I was unable to find it on the EliCZ site; I guess he took it off...

Hmm... You are right. It was removed.
Mail me (four-f@mail.ru) or provide me with your e-mail.
Posted on 2002-10-08 09:19:52 by Four-F
Also, the book 'Undocumented Windows NT' may be helpful, but I do not know who the author is.

Hmm, sluggy, there seemed to be an online version of 'Undocumented Windows NT' at
http://www.windowsitlibrary.com/Documents/Book.cfm?DocumentID=356
Posted on 2002-10-08 10:13:38 by roticv
Is 'Undocumented Windows NT' also available in PDF or any other e-format?
Yes, I have it split into about a dozen small PDFs. PM me with your email address, and I will quickly check that I am not breaking copyright laws by passing it on ;)

Also feel free to post here links to Matt's work about this topic; I saw on his site that some articles by him are not available anymore on the MS site.
I will search out some of his articles. Even though his book is way out of print, he still seems annoyed that there are illegally copied versions of it floating around. I mean, where else are people going to get his work from?

So does this protection of system code on NT happen only when we patch, say, the kernel from ring3, or does it also apply to patching that protected memory from ring0?
Sorry, I cannot answer that at all because I don't know, although the answer is probably hidden deep within one of those two books I mentioned.
Posted on 2002-10-08 20:25:54 by sluggy
Four-F, would you mail me the ApiHooks v2.2 source? Thanks.
Posted on 2002-10-09 01:16:09 by baumann
Hmm... so is this the copy-on-write stuff I've read about?
Yes.
Does this protection of system code on NT happen only when we patch, say, the kernel from ring3?
Yes.
Or does it also apply to patching that protected memory from ring0?
I don't know. :(
Posted on 2002-10-09 06:33:21 by Four-F
Mikky, have you received any mail from me?
It always comes back with:

------------------------------------------------------------------------------
A message that you sent could not be delivered to all of its recipients.
The following address(es) failed:

yourmail@***.***:
------------------------------------------------------------------------------
Posted on 2002-10-10 02:32:25 by Four-F
hi,
I didn't receive mail and I don't know why sending failed (GMX is a pretty reliable mail provider, I think). I tried now to send mail to that account and it worked.
Please retry.
Posted on 2002-10-10 07:57:38 by Mikky
Still unsuccessful :confused:

"sorry, your envelope sender has been denied"
Posted on 2002-10-10 08:35:01 by Four-F
Mikky,
my email to you was also rejected; the reason is "User unknown or not available".

Try another email address, even if it is a friend's (there is nothing worse than sending files and having those files bounce back to you).
Posted on 2002-10-10 22:33:09 by sluggy
Oh man... I really don't know what the hell is going on.
I use that mail account for file attachments because my original account at hotpop.com cannot receive mails bigger than 200-300 KB.

Now I signed up for a brand new Yahoo account, so I guess there should be no problems anymore.
Once again, sorry for bothering you guys.

mikky_asm@yahoo.com
Posted on 2002-10-11 07:50:46 by Mikky
Will you send it to me?
Posted on 2002-10-12 03:58:05 by baumann