Discussion:
Intercept a function call in a DLL
(too old to reply)
Falaen
2005-11-22 08:00:15 UTC
Permalink
Hi all,

I have a application which is running on Windows 2000/2003 as a window
service. This application load a third party dll library. What I want
to do is to extend the capability of some functions in this third part
dll library, but I donot have the source code.

So I am thinking to intercept the those target function calls in the
dll library made by my application, and replace the target function by
my function.

If I need to write such intercpetion program, could any tell me where
should I begin? What is the best way to achieve this without affecting
other programs on the same machine? Is there any existing same code, or
SDK can help to speed up the coding?

Thanks

Falaen
James Brown
2005-11-22 08:57:39 UTC
Permalink
"Detours" binary interception package:

http://research.microsoft.com/sn/detours


James
--
www.catch22.net
Free win32 software, sourcecode and tutorials
Post by Falaen
Hi all,
I have a application which is running on Windows 2000/2003 as a window
service. This application load a third party dll library. What I want
to do is to extend the capability of some functions in this third part
dll library, but I donot have the source code.
So I am thinking to intercept the those target function calls in the
dll library made by my application, and replace the target function by
my function.
If I need to write such intercpetion program, could any tell me where
should I begin? What is the best way to achieve this without affecting
other programs on the same machine? Is there any existing same code, or
SDK can help to speed up the coding?
Thanks
Falaen
Falaen
2005-11-23 05:50:53 UTC
Permalink
Thanks for the information.

Another question is when I intercept the function call, how can I
obtain the original function call input parameters? I actually want to
[intercept the function call] -> [modify the original input parameter
value] -> [return to original function to continue execution]

any idea how to achieve that?

Falaen
James Brown
2005-11-23 08:11:30 UTC
Permalink
The Detours library does all this for you.

When you hook a function with Detours you write what
is called a "detour function" - another name for a "hook".
you perform your additional processing in this detour, and then make
a call to a "trampoline" which transfers control to the original function
you hooked.

e.g. pretend you had hooked the "Sleep" API call inside kernel32.dll

first you write your trampoline for the Sleep API:

DETOUR_TRAMPOLINE (
VOID WINAPI SleepTrampoline(DWORD),
Sleep
);

then your write the detour (hook) function:

VOID WINAPI SleepDetour(DWORD dw)
{
// modify input parameters here

// call original Sleep API
SleepTrampoline(dw);

// modify output parameters here
// return back to caller
}


To actually install the detour (i.e. hook the function), do this:

DetourFunctionWIthTrampoline( SleepTrampoline, SleepDetour );

(all this is from the Detours manual).


You can also hook functions dynamically i.e via function pointers
instead of "static" trampolines. Detours also allows instrumentation of
static binaries (i.e. hooking DLLs/EXEs)

You can read all about this by downloading the Detours package.

James
--
www.catch22.net
Free win32 software, sourcecode and tutorials
Post by Falaen
Thanks for the information.
Another question is when I intercept the function call, how can I
obtain the original function call input parameters? I actually want to
[intercept the function call] -> [modify the original input parameter
value] -> [return to original function to continue execution]
any idea how to achieve that?
Falaen
Loading...