I'm using ReadProcessMemory and WriteProcessMemory to alter a running
process's IAT table, and inject some relevant code. This works fine for my
sample programmes.
I tried it on iexplore, trying to hook various APIs, but with no success. When I
checked, the import table of iexplore had indeed been altered and the code
injected into the running process. I could only assume the APIs I hooked
were never called.
I then ran an API spy programme (APIS32) to monitor iexplore's API use
(only looking at APIs from Kernel32 and User32). According to APIS32 it uses
a few (4 or 5) APIs from Kernel32 and User32 at startup, then nothing more.
(Strange.) I used another API spy monitor (Apimonitor) which showed a lot
(1,000s) of Kernel and User API use after startup. (Contradictions?)
Q1 Why the contradictions? The two monitors must work in different ways.
Could anyone explain?
Q2 It does seem the APIs I've hooked aren't being called after startup. Any
idea what is happening?
Works ok in my sample progs. Running win98.
Better stick to your sample progs, because you are on thin ice with this topic.
Perhaps one spy is also monitoring the APIs from the IE DLLs?
There can be a lot of reasons why your hook doesn't work. Simple IAT altering is not sufficient for an API hook. Use apihooks by EliCZ: elicz.cjb.net
>>Q1 Why the contradictions? The two monitors must work in different ways.
There are at least two methods that can be used to hook APIs in user mode, as far as I know.
First, from the IMPORT_DESCRIPTOR, change the imported API's address through FirstThunk, but we should change all PE modules used by the current process; otherwise we only catch the APIs the main .exe uses.
Another way is to use GetProcAddress, then change the opcodes of the corresponding API directly. It will be available for all the APIs in the same process space.
Maybe there are other methods, but I don't know.
For the current issue, I think there are some problems. First, a lot of PEs have no IAT table, so I think you'd better change it through IMAGE_DIRECTORY_ENTRY_IMPORT. But I found IE does have an IAT; have you tested it with NotePad.exe? I work on Win2K. :)
>>I could only assume the APIs I hooked were never called.
I guess you are right. Or an API can be called via LoadLibrary/GetProcAddress.
If you use the IAT patching method you'll miss these calls.
>>Q1 Why the contradictions? The two monitors must work in different ways.
>>Could anyone explain?
IIRC, APIS32 & Apimonitor have different sets of APIs to hook by default.
You have to manually add the APIs you are interested in. The second reason is that both use different hooking methods.
>>Q2 It does seem the APIs I've hooked aren't being called after startup. Any
>>idea what is happening?
There are a bunch of never or very rarely called APIs in modern programs.
And for bloated IE it's no surprise.
Thanks for the replies, everyone. After reading them and looking at some code, it does appear that iexplore is mainly (almost exclusively) calling APIs via LoadLibrary/GetProcAddress. This explains why IAT patching doesn't work in this case, and the difference between the two API monitors.
Thanks again.
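The two points the thread settles on, walking IMAGE_DIRECTORY_ENTRY_IMPORT to patch a FirstThunk slot (the Win2K reply) and the fact that a call resolved through LoadLibrary/GetProcAddress never goes through that slot (the last reply and the original poster's conclusion), as one added example. This is editor-written code, not code from any poster or from EliCZ's apihooks. It assumes a constructed in-memory "module" instead of a real process: the import descriptor layout mirrors winnt.h, the DLL name, the two exports and the hook are stand-ins, and the slot write is a plain store where a live target would need WriteProcessMemory.

```c
/* Added example, not code from the thread or from EliCZ: walk a PE-style import
 * directory, patch one IAT slot, then show that a call the program resolves
 * GetProcAddress-style never reads that slot. The "module" is a constructed buffer. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Same field layout as IMAGE_IMPORT_DESCRIPTOR in winnt.h (five DWORDs). */
typedef struct {
    uint32_t OriginalFirstThunk; /* RVA of the hint/name table (INT) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;               /* RVA of the DLL name */
    uint32_t FirstThunk;         /* RVA of the IAT the loader fills in */
} ImportDescriptor;
typedef uintptr_t Thunk;         /* thunks are 4 bytes in PE32, 8 in PE32+ */
#define ORDINAL_FLAG ((Thunk)1 << (sizeof(Thunk) * 8 - 1))
static union { Thunk align; uint8_t b[1024]; } img;  /* constructed module image */
#define image img.b
static uint32_t image_used;

static uint32_t emit(const void *p, size_t n) {       /* append to image, return RVA */
    uint32_t rva = image_used;
    memcpy(image + rva, p, n);
    image_used += (uint32_t)((n + 7) & ~(size_t)7);   /* keep thunk arrays aligned */
    return rva;
}
static int ieq(const char *a, const char *b) {        /* DLL names match case-insensitively */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Stand-ins for two exports of the target DLL, plus the hook. */
static int hook_hits;
static uint32_t real_GetTickCount(void) { return 1234; }
static uint32_t real_Sleep(void) { return 0; }
static uint32_t hooked_GetTickCount(void) { hook_hits++; return real_GetTickCount(); }

/* Build a one-DLL import directory and return its RVA. The IAT is already filled
 * with resolved addresses, as the loader leaves it in a running process. */
static uint32_t build_image(void) {
    struct { uint16_t hint; char name[16]; } byname[2] = { {7, "GetTickCount"}, {9, "Sleep"} };
    image_used = 16;  /* RVA 0 stays unused: headers live there, and Name == 0 ends the list */
    uint32_t dll = emit("KERNEL32.dll", 13);
    Thunk names[3] = { emit(&byname[0], sizeof byname[0]), emit(&byname[1], sizeof byname[1]), 0 };
    Thunk addrs[3] = { (Thunk)real_GetTickCount, (Thunk)real_Sleep, 0 };
    ImportDescriptor desc[2] = { {0, 0, 0, 0, 0}, {0, 0, 0, 0, 0} };  /* all-zero terminator */
    desc[0].OriginalFirstThunk = emit(names, sizeof names);
    desc[0].Name = dll;
    desc[0].FirstThunk = emit(addrs, sizeof addrs);
    return emit(desc, sizeof desc);
}
/* Find dll!func and swap its IAT slot for `hook`. Returns the old slot value, or 0
 * if not found: imports by ordinal, or a descriptor with OriginalFirstThunk == 0
 * (some linkers), carry no name to match once the loader has resolved them. */
static Thunk patch_iat(uint32_t dir_rva, const char *dll, const char *func, Thunk hook) {
    const ImportDescriptor *d = (const ImportDescriptor *)(image + dir_rva);
    for (; d->Name != 0; d++) {
        if (!d->OriginalFirstThunk || !ieq((const char *)(image + d->Name), dll)) continue;
        const Thunk *names = (const Thunk *)(image + d->OriginalFirstThunk);
        Thunk *slots = (Thunk *)(image + d->FirstThunk);
        for (; *names != 0; names++, slots++) {
            if (*names & ORDINAL_FLAG) continue;
            if (strcmp((const char *)(image + *names + 2), func) == 0) {  /* +2 skips hint */
                Thunk old = *slots;
                *slots = hook;   /* on a live target this is the WriteProcessMemory */
                return old;
            }
        }
    }
    return 0;
}
/* GetProcAddress stand-in: resolves a name from the DLL's export list, never the IAT. */
static Thunk resolve_export(const char *func) {
    struct { const char *name; Thunk addr; } exports[2] = {
        {"GetTickCount", (Thunk)real_GetTickCount}, {"Sleep", (Thunk)real_Sleep} };
    for (int i = 0; i < 2; i++)
        if (strcmp(exports[i].name, func) == 0) return exports[i].addr;
    return 0;
}
/* Patch GetTickCount, then call it through the IAT slot (what compiled code does
 * with `call [slot]`) or through a pointer the program resolved itself. Returns
 * how many times the hook fired: 1 for the IAT path, 0 for the resolved path. */
static int run_demo(int via_getprocaddress) {
    uint32_t dir = build_image();
    hook_hits = 0;
    if (patch_iat(dir, "kernel32.dll", "GetTickCount", (Thunk)hooked_GetTickCount)
            != (Thunk)real_GetTickCount) return -1;   /* patch did not land */
    Thunk target = via_getprocaddress ? resolve_export("GetTickCount")
        : ((Thunk *)(image + ((ImportDescriptor *)(image + dir))->FirstThunk))[0];
    ((uint32_t (*)(void))target)();
    return hook_hits;
}
int main(void) {
    printf("hook hits via IAT slot: %d, via GetProcAddress: %d\n", run_demo(0), run_demo(1));
    return 0;
}
```

On a real target the same walk starts from the import data directory of each loaded module, read out with ReadProcessMemory, and has to be repeated per module, as the Win2K reply says, or calls made from the DLLs are missed. Even then the second path in the demo stays unhooked: code that resolves the name itself calls the address GetProcAddress returns, not the slot, so catching those calls needs the other technique the thread mentions, patching the opcodes of the API itself.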