Hi,

I just need to hook all functions of a dll because I want to know from which address a function is called (resolving api mangling).
My current approch:
1. hooking LoadLibrary and read the export table of the loaded dll
2. hook each function of the export table so my own call bridge is executed if a function gets called
3. inside the call bridge I analyse the stack values from which address this api function returns after execution

My solutions works but it's really error prone. So if anyone knows a better easier way of hooking a complete dll please speek up
Preferably a solution which isn't easy detectable

tr1stan

If you know all the functions the dll exports, you could possibly just use the proxy method and code a dll with the same name and forward all the calls to original dll, grabbing all arguments passed to it first..the technique is explained here: http://www.codeguru.com/cpp/g-m/directx/directx8/article.php/c11453/Intercept-Calls-to-DirectX-with-a-Proxy-DLL.htm and other places on the net.

This is a typical patch(verifier etc). IAT is located in the sections of code.

You can relocate the image. Lock the memory region with IAT(PAGE_NOACCESS).

As it points out I had some stupid errors in my code
If anyone is interested in a quite good hooking engine I can recommend the MinHook engine (hxxp://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x86-x64-API-Hooking-Libra)
Be sure to read some of the comments for fixing a small bug in this engine and how to speed it up.
Anyway thanks for the support!

tr1stan