ApiHooks for Win32
------------------
version 1.2, released Oct-26-1999

ApiHooks allows hooking of any API in a specified process.
----------------------------------------------------------
ApiHooks allows inserting YOUR code into the specified process.
ApiHooks exports the EstablishApiHooks functions for use in your own programs.

What is it good for?
--------------------
File monitors, Registry monitors, Windows hooks, Antiviruses, Dumpers,
Semigeneric and Startup-code unpackers, Patchers, Spies, ....

What's new?
-----------
+ ALL_MODULES allows module-nonspecific hooks: all modules of the process are hooked
+ HOOK_HARD re-added; under Windows 9x it allows hooking of modules lying in kernel
  space (the shared area), such hooks are then global
+ q (quiet), option to suppress displaying of the message box
+ EstablishApiHooksW function
+ Dynamic hooks (hooks on the fly)

What's an API hook?
-------------------
      module0                                          module1
         |                                                |
CALL module1!API001 --------------------------------->|  API001
         |<-------------------------------------------|     |
         |                                                |
      API215 |<----------------------------------CALL module0!API215
         |------------------------------------------->|     |
         |                                                |
         *                                                *

vs.

      module0             Hooooks.dll                  module1
         |                     |                          |
CALL module1!API001 -------->API001>----------------->|  API001
         |<-----------------HOOOOK>----------------->|     |
         |                     |                          |
         *                     *                          *

Hooking is module specific, so you can hook the imports of selected modules in a
process and watch selected pathways. Use ALL_MODULES to hook everything.

ApiHooks was not tested, because I have no testers.
ApiHooks uses the "OpenThread9x" technique seen in ATM by Enrico Del Fante (great!).
ApiHooks uses the command-line parser from the MASM32 package by hutch.

--------------------------------------------------------------------------------

Using ApiHooks.exe as application
---------------------------------

Syntax
------
[PathTo\]ApiHooks.exe <-n | -o>[q] <[PathTo\]Hooks.dll> <[PathTo\]Target.exe | PID> ["CmdLine"]

-n ............ create new process (the process is not created in debug mode).
-o ............ find and open an existing process.
q ............. display no message box after successful work.
Hooks.dll ..... library with hook procedures. When the -n option is used and the
                library isn't in PATH or the current directory, PathTo\ must be
                specified. When the -o option is used and the library isn't in
                the current directory, PathTo\ must be specified.

A process to open can be specified by name or by process ID. Specifying the PID is
useful when there are several processes with the same name. A process to create
must be specified by name.

Target.exe .... name of the process. ApiHooks can find both Target.exe and
                [PathTo\]Target.exe in the system.
PID ........... process ID = hexadecimal number with 0x prefix.
"CmdLine" ..... Target.exe's command-line parameters (when the -n option is used)
                (example: "-s ddt.exe").

Installation
------------
Check that the file ApiHooks.exe has size 7680 and a valid PE checksum of 0x5A4A.
Then copy this file to the Windows system directory or to any directory in PATH.
ApiHooks will then always be available for use both as an application and as a
library.
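The installation check above (file size 7680, valid PE checksum 0x5A4A) can be scripted so that a downloaded copy is verified before it is placed in a PATH directory. The Python below is an added example written for this page; it is not part of the ApiHooks distribution. It implements the standard PE header checksum (the algorithm behind CheckSumMappedFile: a 16-bit end-around-carry sum over the whole file, skipping the 4-byte CheckSum field, plus the file length) and reports three independent results: the size matches, the stored CheckSum field equals the expected value, and the stored field actually verifies against the file contents. The minimal MZ/PE skeleton built by build_sample_pe is constructed for the demonstration only, and all function names are this example's own.

```python
"""Added example (not part of ApiHooks): verify a distributed PE file by size and PE checksum."""
import struct
import sys

# Values stated in this README for ApiHooks.exe version 1.2
APIHOOKS_EXPECTED_SIZE = 7680
APIHOOKS_EXPECTED_CHECKSUM = 0x5A4A


def checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (COFF file header) + 64 (same position in PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    off = e_lfanew + 4 + 20 + 64
    if off + 4 > len(data):
        raise ValueError("file too short to hold an optional header")
    return off


def compute_pe_checksum(data: bytes) -> int:
    """Sum little-endian 16-bit words with end-around carry, skipping the
    CheckSum field itself, then add the file length (Windows PE checksum)."""
    cs_off = checksum_field_offset(data)
    # An odd trailing byte is summed as a word with a zero high byte.
    padded = data if len(data) % 2 == 0 else data + b"\0"
    total = 0
    for off in range(0, len(padded), 2):
        if cs_off <= off < cs_off + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_pe_checksum(data: bytes) -> int:
    """The CheckSum value the linker wrote into the optional header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def check_distribution_file(data: bytes, expected_size: int, expected_checksum: int) -> dict:
    """Three independent checks; a tampered file typically fails checksum_valid
    even when the header field was left untouched."""
    stored = stored_pe_checksum(data)
    return {
        "size_ok": len(data) == expected_size,
        "checksum_field_ok": stored == expected_checksum,
        "checksum_valid": stored == compute_pe_checksum(data),
    }


def build_sample_pe(total_size: int = 256, checksum: int = 0) -> bytes:
    """Constructed minimal MZ/PE skeleton for the demonstration (not a runnable executable)."""
    buf = bytearray(total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew: PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)      # optional header Magic = PE32
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 64, checksum)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print(check_distribution_file(blob, APIHOOKS_EXPECTED_SIZE, APIHOOKS_EXPECTED_CHECKSUM))
    else:
        sample = build_sample_pe(checksum=compute_pe_checksum(build_sample_pe()))
        print(check_distribution_file(sample, 256, compute_pe_checksum(sample)))
```

Run it as `python check_pe.py ApiHooks.exe` to compare a real copy against the values given in this README; with no argument it exercises the constructed sample. A zero CheckSum field means the linker never filled it in, which the "checksum_valid" result will report as a mismatch rather than treating it as acceptable.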
Examples of usage
-----------------
ApiHooks.exe -n MyHooks.dll notepad.exe
  ;MyHooks.dll must be in PATH or current directory
  ;notepad.exe must be in current directory
  ;check ApiHooks exit code for more info (exit codes are the same as for
  ;EstablishApiHooks functions)

C:\UTILS\ApiHooks.exe -nq C:\UTILS\HOOKS\MyHooks.dll D:\WINNT\SYSTEM32\notepad.exe "new file"
  ;full specifications -> faster execution
  ;no message box is displayed if all went ok

ApiHooks.exe -o Hooks001.dll winver.exe
  ;Hooks001.dll must be in current directory
  ;opens the first of winver.exe processes found in the system

ApiHooks.exe -oq Hooks001.dll D:\123\winver.exe
  ;opens the first of D:\123\winver.exe processes found in the system
  ;no message box is displayed if all went ok

ApiHooks.exe -o NThexpl.drv 0x45
  ;NThexpl.drv must be in current directory
  ;opens process with ID=0x45

ApiHooks.exe -oq C:\TEMP\hookdlls\mpghooks\mpghks.333 mmxmpeg1.dll
  ;opens the first of mmxmpeg1.dll processes found in the system
  ;no message box is displayed if all went ok

ApiHooks.exe -oq D:\DEB\95hooks\0hooks\0hOOK.h 0XfFfFc67B
  ;opens process with ID=0xFFFFC67B
  ;no message box is displayed if all went ok

--------------------------------------------------------------------------------

Hooks.dll format
----------------
See HookDLL.txt in the HDK subdirectory.

--------------------------------------------------------------------------------

Using ApiHooks.exe as DLL
-------------------------
See AHasDLL.txt in the HDK subdirectory.

--------------------------------------------------------------------------------

Windows 9x global hooks
-----------------------
See 9xGlobal.txt in the HDK subdirectory.

--------------------------------------------------------------------------------

Examples
--------
See Examples subdirectory.
--------------------------------------------------------------------------------

Contact
-------
EML: EliCZ@xoommail.com
WWW: http://members.xoom.com/_XOOM/EliCZ/index.htm
IRC: EFnet: /whois EliCZ /query EliCZ
ICQ: 14142829