HookImportFunctionByName v1.02
Enclosed is MFC source code for a function which can be used to hook any imported function call which your application makes. Since most of the Win32 API is implemented as functions imported from DLLs, this means that you can hook Win32 API calls. This is useful when, for example, you want to be called for every call to the file system (::CreateFile and ::CloseHandle) which your app makes. Hooking these file system calls could form the basis of code to ensure you do not have any handle leaks in your application. You could also use this code to spy on COM port activity in remote processes by injecting the DLL into the remote process.
The code is based on the code developed by John Robbins for his "BugSlayer" articles in the MSJ magazine. I have removed the dependencies on his other DLL functions, converted the code to MFC and added numerous ASSERTs.
Contents: History | API | Copyright | Planned Enhancements | Contacting the Author
V1.0 (24 December 1999)
V1.01 (1 January 2001)
V1.02 (20 April 2002)
The API consists of the single global function
BOOL HookImportFunctionsByName(HMODULE hModule, LPCSTR szImportMod, UINT uiCount, LPHOOKFUNCDESC paHookArray, PROC* paOrigFuncs, UINT* puiHooked);
Return Value
TRUE if the specified API call(s) were hooked, otherwise FALSE. To get extended error information, call ::GetLastError.
Parameters
hModule: This is the instance handle of the process calling the function. Normally in MFC you can obtain this from the function "AfxGetInstanceHandle()".
szImportMod: This is the name of the module which contains the functions which you want to hook, e.g. for hooking file system calls, this would be "KERNEL32.DLL".
uiCount: This is the size of the paHookArray parameter.
paHookArray: This is an array which specifies what functions to hook. The members of HOOKFUNCDESC are "szFunc", which is the name of the function to hook, and "pProc", which is a pointer to the function which you want to have called instead of the normal unhooked function.
paOrigFuncs: Upon successful return this will contain the original unhooked function pointers. These are useful if you want to pass the request on to the original function after your hook function has been called.
puiHooked: Upon return this will contain the number of functions which were hooked. This will be less than or equal to "uiCount".
Remarks
If you are hooking standard Win32 API calls, make sure that your hook function uses the right calling convention, namely "STDCALL". This is one of the most common problems encountered when using the hooking function.
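The following portable C model is an added example, not the author's source and not Win32 code. It applies the contract described above (hook by name, originals returned in paOrigFuncs, count in puiHooked) to the handle-leak use case. The import table, OpenThing/CloseThing, hook_by_name and the HOOKDESC type are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

typedef int (*PROC_T)(int);
typedef struct { const char *szFunc; PROC_T pProc; } HOOKDESC;  /* modelled on HOOKFUNCDESC */
typedef struct { const char *name; PROC_T slot; } IMPORT_ENTRY; /* one import-table slot */

static int next_handle = 100;
static int real_open(int flags) { (void)flags; return next_handle++; }
static int real_close(int h)    { return h >= 100; }

/* Constructed stand-in for a module's import table. */
static IMPORT_ENTRY g_imports[] = { {"OpenThing", real_open}, {"CloseThing", real_close} };
enum { N_IMPORTS = sizeof g_imports / sizeof g_imports[0] };

/* Swap each named slot for the hook, hand back the original, count the hits. */
static void hook_by_name(unsigned uiCount, const HOOKDESC *paHookArray,
                         PROC_T *paOrigFuncs, unsigned *puiHooked)
{
    *puiHooked = 0;
    for (unsigned i = 0; i < uiCount; i++) {
        paOrigFuncs[i] = NULL;          /* stays NULL when the name is not imported */
        for (int j = 0; j < N_IMPORTS; j++) {
            if (strcmp(g_imports[j].name, paHookArray[i].szFunc) != 0) continue;
            paOrigFuncs[i] = g_imports[j].slot;
            g_imports[j].slot = paHookArray[i].pProc;
            (*puiHooked)++;
        }
    }
}

static PROC_T g_orig[3];
static unsigned g_hooked;
static int g_open_handles;              /* handles opened and not yet closed */

/* Hooks forward to the saved original, then do the bookkeeping. */
static int my_open(int flags) { int h = g_orig[0](flags); if (h) g_open_handles++; return h; }
static int my_close(int h)    { int ok = g_orig[1](h); if (ok) g_open_handles--; return ok; }

/* Calls go through the table, as compiled calls to imported functions do. */
static int run_leaky_workload(void)
{
    const HOOKDESC hooks[3] = { {"OpenThing", my_open}, {"CloseThing", my_close},
                                {"NotImported", my_open} };
    hook_by_name(3, hooks, g_orig, &g_hooked);
    int a = g_imports[0].slot(0);
    (void)g_imports[0].slot(0);         /* second handle is never closed: the leak */
    g_imports[1].slot(a);
    return g_open_handles;
}

int main(void) { int n = run_leaky_workload(); printf("leaked=%d hooked=%u\n", n, g_hooked); return 0; }
```

Only two of the three requested names exist in the model's table, so the hooked count is 2 and the third paOrigFuncs entry stays NULL; check both before forwarding through a saved pointer.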
You are allowed to include the source code in any product (commercial, shareware, freeware or otherwise) when your product is released in binary form. You are allowed to modify the source code in any way you want except you cannot modify the copyright details at the top of each module. If you want to distribute source code with your application, then you are only allowed to distribute versions released by the author. This is to maintain a single distribution point for the source code.
PJ Naughter
Email: pjna@naughter.com
Web: http://www.naughter.com
20 April 2002