
LINK: API Hooking: a new and fast technique


Kayaker
September 30th, 2005, 16:43
I hope our Friendly Neighbourhood Wizard won't mind me posting this link.
An interesting variation on a popular subject.


API Hooking: a new and fast technique
by bilbo

http://www.osix.net/modules/article/?id=728

In the present article a new, simple and efficient technique will be described to solve API hooking problems.
A step by step approach will be taken to make things even easier.



Cheers,
Kayaker

JMI
September 30th, 2005, 17:06
Great stuff. Thanks Bilbo for writing it and Kayaker for posting it.

By the way, there's another interesting article on that site for "reversers", titled "Create a loader for your reversing needs" by sefo. Might be worth a look-see.

Also other interesting sounding articles in the ASM section, found at:

http://www.osix.net/modules/article/topic.php?id=22

Better yet, check out ALL the sections.

Regards,

PizzaPan
September 30th, 2005, 19:50
Interesting article. I'd say it's more wrapper oriented than hooking. This approach has been used a lot in online cheats: they wrap opengl32.dll the same way, thus making wallhacks etc.

Nice job

NeO
September 30th, 2005, 21:22
It's a nice article, but I think this technique has been used more often... and I don't recall exactly, but I think I was reading about this somewhere. I will post a link if I recall it.


bye NeO

ZaiRoN
October 1st, 2005, 06:01
But... bilbo, IIRC I saw this method somewhere in an old, great Italian group.

nikolatesla20
October 2nd, 2005, 21:31
Good article. Basic information though. But it's still always nice to see an alternative method! Anyone who's studied up on PE headers should find this technique immediately obvious. (And I've written those "wallhacks" before; it's actually great fun.)

~niko20

bilbo
October 3rd, 2005, 06:57
Well, mates,

Thanks for the appreciations...
As for the criticism, thanks too, but I really would like to see the links you (NeO, ZaiRoN) talked about: if I'd known about them, I'd surely have given them credit.

OPENGL wrapping (and wallhacks) is another interesting field I had not thought of, but the way it has generally been implemented (I have found a "blank OpenGL wrapper" at http://panic.elitecoders.org/files/source/CrusadersWrapper.zip) is the usual one: some code is generated to wrap every exported function.
What I, on the other hand, tried to describe in my article is different: no code is generated at all, but a redirection is used which is understood by the Windows loader. Just a slight difference, interesting only from a theoretical point of view.
By the way, if you try to apply the technique described in my article to a "non-system" DLL such as OPENGL32.DLL, you don't need to patch any byte in the executable itself, and the "spoofing" DLL can preserve the same name. By contrast, for libraries like KERNEL32.DLL/USER32.DLL, you have to adopt the trick I wrote about (e.g. patching KERNEL32 to VERNEL32 in the executable), else the system DLL takes priority (I think this is due to the fact that the loader finds the system DLL already loaded in cache).

Another interesting and big project about graphics library wrapping is the DirectX wrapper, which converts DirectX calls to OpenGL APIs (http://realtech-vr.com/directx/). But this is not so much concerned with API hooking, because DirectX exports essentially one function, Direct3DCreate8 (version 8).

Best regards, bilbo
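The KERNEL32-to-VERNEL32 patch bilbo describes leaves a visible trace in the executable: an entry in its import directory that names a DLL one character away from a well-known system library. Here is an added example (not code from this thread or from bilbo's article) in Python that parses a PE file's import directory and flags such near-miss names, which is the check a defender or a file-triage tool would run. The PE image it inspects is constructed inline purely for the demonstration, and the list of system DLL names and the "differs by exactly one character" heuristic are my own assumptions.

```python
import struct

# Well-known system DLLs a spoofing DLL might imitate (illustrative list, an assumption)
SYSTEM_DLLS = ("kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll", "gdi32.dll")


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table (va, raw_ptr, raw_size)."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    """Read a NUL-terminated ASCII string starting at file offset 'off'."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def imported_dlls(pe):
    """Return the DLL names listed in a PE file's import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data directories
    import_rva = struct.unpack_from("<I", pe, dd_base + 8)[0]  # directory entry 1 = imports
    if import_rva == 0:
        return []
    sections = []
    for i in range(nsections):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12)
        sections.append((va, raw_ptr, raw_size))
    names = []
    desc = _rva_to_offset(import_rva, sections)
    while True:  # IMAGE_IMPORT_DESCRIPTOR entries, 20 bytes each, terminated by an all-zero entry
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        names.append(_cstring(pe, _rva_to_offset(name_rva, sections)))
        desc += 20
    return names


def suspicious_imports(names):
    """Flag imported DLL names that differ from a system DLL name in exactly one character
    (e.g. VERNEL32.DLL standing in for KERNEL32.DLL). Returns (name, lookalike_of) pairs."""
    flagged = []
    for name in names:
        low = name.lower()
        if low in SYSTEM_DLLS:
            continue
        for sys_dll in SYSTEM_DLLS:
            if len(low) == len(sys_dll) and sum(a != b for a, b in zip(low, sys_dll)) == 1:
                flagged.append((name, sys_dll))
    return flagged


def build_test_pe(dll_names):
    """Construct a minimal PE32 image whose single section holds an import directory
    naming the given DLLs. This is a constructed sample for parsing, not a loadable binary."""
    sec_va, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)   # descriptors first, then the name strings
    descs, strings = b"", b""
    for n in dll_names:
        name_rva = sec_va + desc_size + len(strings)
        strings += n.encode("ascii") + b"\0"
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
    section = descs + b"\0" * 20 + strings
    section += b"\0" * (-len(section) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                # PE32 magic, other fields zeroed
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_va, desc_size)                              # import directory entry
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_va,
                          len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers + b"\0" * (sec_raw - len(headers)) + section


if __name__ == "__main__":
    sample = build_test_pe(["VERNEL32.DLL", "USER32.dll", "opengl32.dll"])
    print(imported_dlls(sample))
    print(suspicious_imports(imported_dlls(sample)))
```

Run against a real executable with `suspicious_imports(imported_dlls(open(path, "rb").read()))`; opengl32.dll is deliberately not flagged, matching bilbo's point that a wrapper for a non-system DLL can keep the original name and leaves no trace in the import table.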

ZaiRoN
October 3rd, 2005, 10:21
I heard about it but it wasn't documented by anyone.

omega_red
October 6th, 2005, 04:31
I think I've read about it on old Fravia's site. Also, check this Codeproject article:
http://www.codeproject.com/system/hooksys.asp (Paragraph 2b: Proxy DLL)
Bilbo's text is clear and simple though. Good work.