HookImportFunctionByName v1.0

Enclosed is MFC source code for a function which can be used to hook any imported function call which your application makes. Since most of the Win32 API is implemented using import functions in dlls, this means that you hook Win32 API calls. This is useful when for example you want to be called for every call to the file system (::CreateFile && CloseHandle) which your app makes. This example of hooking the file system calls your app makes could form the basis of code to ensure you do not have any handle leaks in your application. You could also use this code to spy on COM port activity in remote processes by injecting the DLL into the remote process.

The code is based on the code developed by John Robbins for his "BugSlayer"articles in the MSJ magazine. I have removed the dependencies on his other DLL functions, converted the code to MFC and addition of numerous ASSERT's

History

V1.0 (24 December 1999)

• Initial Public Release.

API

The API consists of the single global function

HookImportFunctionsByName

HookImportFunctionsByName

BOOL HookImportFunctionsByName(HMODULE hModule, LPCSTR szImportMod, UINT uiCount, LPHOOKFUNCDESC paHookArray, PROC* paOrigFuncs, UINT* puiHooked);

Return Value

TRUE if the specified API call(s) were hooked otherwise FALSE. To get extended error information, call ::GetLastError

Parameters

hModule This is the instance handle of the process calling the function. Normally in MFC you can obtain this from the function "AfxGetInstanceHandle()"

szImportMod This is the name of the module which contains the functions which you want to hook. e.g. for hooking file system calls, this would be "KERNEL32.DLL".

uiCount This is the size of the paHookArray parameter.

paHookArray This is the size of the paHookArray parameter.

paHookArray This is an array which specifies what functions to hook. The members of the HOOKFUNCDESC are "szFunc" which is the name of your function to hook and "pProc" is a function pointer to the function which you want to have called instead of normal unhooked case.

paOrigFuncs Upon successful return this will contain the original unhooked function pointers. These would be useful if you want to pass the request onto the original function after your hook function has been called.

puiHooked Upon return this will contain the number of functions which were hooked. This will be less than or equal to "uiCount".

Remarks

If you are hooked standard Win32 API calls then make sure that your hook function is using the right calling convention namely "STDCALL". This is one of the most common problems encountered when using the hooking function.

PLANNED ENHANCEMENTS

• Provide a sample app. I started using this code for a number of private contracts which I have been working on. Some ideas for sample apps would be a serial port monitor, a file system monitor to do the same as the Filemon application on the System Internals Web site.
• If you have any other suggested improvements, please let me know so that I can incorporate them into the next release

Contacting the Author

PJ Naughter
Email: pjn@indigo..ie
Web: http://indigo.ie/~pjn
24 November 1999