{"id":315,"date":"2019-01-02T01:13:34","date_gmt":"2019-01-02T01:13:34","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=315"},"modified":"2019-01-02T01:13:34","modified_gmt":"2019-01-02T01:13:34","slug":"basic-api-hooking-using-detours","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2019\/01\/02\/basic-api-hooking-using-detours\/","title":{"rendered":"Basic API hooking using detours"},"content":{"rendered":"\n

Below is a basic example on how to use the detours<\/a> library to hook APIs.<\/p>\n\n\n\n

#<\/span>include <\/span><<\/span>stdio.h<\/span>><\/span>\n#<\/span>include <\/span><<\/span>windows.h<\/span>><\/span>\n#<\/span>include <\/span><<\/span>detours.h<\/span>><\/span>\n\n\/\/ API that we want to hook <\/span>\nDWORD<\/span> (<\/span>WINAPI<\/span> *<\/span> Real_SleepEx)<\/span>(<\/span>DWORD<\/span> dwMilliseconds,<\/span> BOOL<\/span> bAlertable)<\/span> =<\/span> SleepEx<\/span>;<\/span>\n\n\/\/ This function will be called *before* the API.<\/span>\n\/\/ We will modify one of the parameters <\/span>\n\/\/ and then call the real API<\/span>\nstatic<\/span> DWORD<\/span> WINAPI<\/span> Catch_SleepEx(<\/span>DWORD<\/span> dwMilliseconds,<\/span> BOOL<\/span> bAlertable)<\/span>\n{<\/span>\n    printf<\/span>(<\/span>\"<\/span>SleepEx: <\/span>%d<\/span>\\n<\/span>\"<\/span>,<\/span> dwMilliseconds)<\/span>;<\/span>\n    dwMilliseconds =<\/span> 10<\/span>;<\/span>\n    printf<\/span>(<\/span>\"<\/span>SleepEx: new value = <\/span>%d<\/span>\\n<\/span>\"<\/span>,<\/span> dwMilliseconds)<\/span>;<\/span>    \n    return<\/span> Real_SleepEx(<\/span>dwMilliseconds,<\/span> bAlertable)<\/span>;<\/span>\n}<\/span>\n\nint<\/span> main<\/span>(<\/span>int<\/span> argc,<\/span> char<\/span> *<\/span>*<\/span>argv)<\/span>\n{<\/span>\n    (<\/span>void<\/span>)<\/span>argc;<\/span>\n    (<\/span>void<\/span>)<\/span>argv;<\/span>\n \n    DetourTransactionBegin(<\/span>)<\/span>;<\/span>\n    DetourUpdateThread(<\/span>GetCurrentThread<\/span>(<\/span>)<\/span>)<\/span>;<\/span>\n    DetourAttach(<\/span>&<\/span>(<\/span>PVOID<\/span>&<\/span>)<\/span>Real_SleepEx,<\/span> Catch_SleepEx)<\/span>;<\/span>\n    DetourTransactionCommit(<\/span>)<\/span>;<\/span>\n\n    SleepEx<\/span>(<\/span>5000<\/span>,<\/span> 0<\/span>)<\/span>;<\/span>\n\n    return<\/span> 0<\/span>;<\/span>\n}<\/span>\n<\/pre>\n\n\n\n\n
Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"
Below is a basic example on how to use the detours library to hook APIs. #include <stdio.h> #include <windows.h> #include <detours.h> \/\/ API that we want to hook DWORD (WINAPI * Real_SleepEx)(DWORD dwMilliseconds, BOOL bAlertable) = SleepEx; \/\/ This function will be called *before* the API. \/\/ We will modify one of the parameters \/\/ […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[107,109,108,4],"class_list":["post-315","post","type-post","status-publish","format-standard","hentry","category-security","tag-api","tag-detours","tag-hooking","tag-windows"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"
Below is a basic example on how to use the detours library to hook APIs. #include <stdio.h> #include <windows.h> #include <detours.h> \/\/ API that we want to hook DWORD (WINAPI * Real_SleepEx)(DWORD dwMilliseconds, BOOL bAlertable) = SleepEx; \/\/ This function will be called *before* the API. \/\/ We will modify one of the parameters \/\/ and then call the real API static DWORD WINAPI Catch_SleepEx(DWORD dwMilliseconds, BOOL bAlertable) { printf(“SleepEx: %d\\n”, dwMilliseconds); dwMilliseconds = 10; printf(“SleepEx: new value = %d\\n”, dwMilliseconds); return Real_SleepEx(dwMilliseconds, bAlertable); } int main(int argc, char **argv) { (void)argc; (void)argv; DetourTransactionBegin(); DetourUpdateThread(GetCurrentThread()); DetourAttach(&(PVOID&)Real_SleepEx, Catch_SleepEx); DetourTransactionCommit(); SleepEx(5000, 0);…<\/p>\n","category_list_v2":"Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=315"}],"version-history":[{"count":1,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/315\/revisions"}],"predecessor-version":[{"id":316,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/315\/revisions\/316"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}