			      ApiHooks for Win32
			      ------------------
		       version 2.0, released Jan-04-2000


ApiHooks allows hooking any API in a specified process.
-------------------------------------------------------
ApiHooks inserts a module (containing your hooks) into the specified process.
ApiHooks exports the EstablishApiHooks functions for use in your own programs.


What is it good for?
--------------------
File monitors, Registry monitors, Windows hooks, Antiviruses, Dumpers,
Unpackers, Patchers, Spies, Trainers, ....


In all ApiHooks documentation, "to hook something" means "to apply hooks to something".



What's API hook?
----------------

	      module0					   module1
		 |					      |
	CALL module1!API001 --------------------------------->| API001
		 |<-------------------------------------------|
		 |					      |
	  API215 |<----------------------------------CALL module0!API215
		 |------------------------------------------->|
		 |					      |
		 *					      *
				       vs.

	      module0		   Hooooks.dll		   module1
		 |		       |		      |
	CALL module1!API001 -------->API001>----------------->| API001
		 |<-----------------<HOOOOK<------------------|
		 |		       |		      |
	  API215 |<-----------------<API215<---------CALL module0!API215
		 |------------------>HOOOOK>----------------->|
		 |		       |		      |
		 *		       *		      *


Hooking is module specific, so you can hook the imports of selected modules in
the process and watch only the selected pathways. Use ALL_MODULES to hook everything.
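As an added illustration of the two diagrams above (example code written for
this page, not part of ApiHooks): a self-contained C model in which module0
calls module1!API001 through an import-table slot, a hook module replaces that
slot with a hook that forwards to the original, and a defender-side check
compares every slot against the exporter's real address to count hooked
imports. module0, module1, API001, API215 and the hook names follow the
diagram; the table layout is an assumption and is not the real PE format.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example: a miniature model of the IAT-hooking picture above.
 * Nothing here is ApiHooks' own code; the module and API names are
 * assumptions that mirror the diagram. */

typedef int (*api_fn)(int);

/* module1 exports API001; module0 exports API215. */
static int API001(int x) { return x + 1; }
static int API215(int x) { return x * 2; }

/* Export table of a module: name -> address, as the loader sees it. */
typedef struct { const char *name; api_fn fn; } export_t;
typedef struct { const char *name; const export_t *exports; int count; } module_t;

static const export_t module1_exports[] = { { "API001", API001 } };
static const export_t module0_exports[] = { { "API215", API215 } };
static const module_t modules[] = {
    { "module1", module1_exports, 1 },
    { "module0", module0_exports, 1 },
};

/* Resolve "module!API" the way the loader fills an IAT slot. */
static api_fn resolve_export(const char *module, const char *api) {
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++) {
        if (strcmp(modules[i].name, module) != 0) continue;
        for (int j = 0; j < modules[i].count; j++)
            if (strcmp(modules[i].exports[j].name, api) == 0)
                return modules[i].exports[j].fn;
    }
    return NULL;
}

/* One IAT slot: which module/API it imports and the pointer calls go through. */
typedef struct { const char *module; const char *api; api_fn slot; } iat_entry_t;

/* module0's import table: one slot, filled by the loader. */
static iat_entry_t module0_iat[] = { { "module1", "API001", NULL } };

static void load_imports(iat_entry_t *iat, size_t n) {
    for (size_t i = 0; i < n; i++)
        iat[i].slot = resolve_export(iat[i].module, iat[i].api);
}

/* The "Hooooks.dll" part: a hook that records the call and forwards to the original. */
static api_fn original_API001;
static int hook_call_count;
static int HOOK_API001(int x) {
    hook_call_count++;               /* a file/registry monitor would log here */
    return original_API001(x);       /* pass through to the real export */
}

/* Apply the hook: remember the original and overwrite module0's slot. */
static void hook_API001(void) {
    original_API001 = module0_iat[0].slot;
    module0_iat[0].slot = HOOK_API001;
}

/* module0 calling module1!API001 always goes through its IAT slot. */
static int module0_calls_API001(int x) { return module0_iat[0].slot(x); }

/* Defender's check: count IAT slots whose pointer differs from the exporter's
 * real address, i.e. imports that have been redirected somewhere else. */
static int count_hooked_imports(const iat_entry_t *iat, size_t n) {
    int hooked = 0;
    for (size_t i = 0; i < n; i++)
        if (iat[i].slot != resolve_export(iat[i].module, iat[i].api)) hooked++;
    return hooked;
}

int main(void) {
    load_imports(module0_iat, 1);
    printf("before hook: API001(41) = %d, hooked slots = %d\n",
           module0_calls_API001(41), count_hooked_imports(module0_iat, 1));
    hook_API001();
    printf("after hook:  API001(41) = %d, hooked slots = %d, hook fired %d time(s)\n",
           module0_calls_API001(41), count_hooked_imports(module0_iat, 1), hook_call_count);
    return 0;
}
```

The result of the call is identical before and after hooking; only the path
changes, which is why an IAT integrity check (compare each slot with the
address the exporting module actually publishes) is the usual way to spot this
kind of hook from the inside.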

ApiHooks was not tested because I have no testers.

ApiHooks uses the "OpenThread9x" technique seen in ATM by Enrico Del Fante
(great!).
ApiHooks and the examples were built using WINDOWS.inc by Iczelion & hutch.

------------------------------------------------------------------------------
Installation
------------
In the BIN directory, select the version that matches your OS and copy
ApiHooks.exe and ApiHooks.dll into the Windows system directory or to any
directory in PATH. ApiHooks will then always be available both as an
application and as a library. If you want to use ApiHooks on more than one
operating system, choose the ALL version.

------------------------------------------------------------------------------
Using ApiHooks.exe
------------------

Syntax
-------
ApiHooks <-n | -o>[q | r] <[PathTo\]Hooks> <[PathTo\]Target | PID> [Parameters]
 -n ............ create a new process (the process is not created in debug mode).
 -o ............ find and open an existing process.
  q ............ display no message box if all went OK.
  r ............ display no message box even if there was an error.
 Hooks ......... module with hooks. When the -n option is used and Hooks is not
		 in PATH or the current directory, PathTo\ must be specified.
		 When the -o option is used and Hooks is not in the current
		 directory, PathTo\ must be specified.
 Target ........ the name of the file (main module) used for process creation.
		 ApiHooks can find both Target and [PathTo\]Target in the
		 system.
 PID ........... process ID = hexadecimal number with 0x prefix.
 Parameters .... Target's command-line parameters (when the -n option is used)
		 (example: -s ddt "e e" -x).
 The process to open can be specified by name or by process ID. When there are
 several processes with the same name in the system, specifying the PID is the
 way to select one. Process IDs can be obtained from process viewers and
 debuggers. The process to create must be specified by name.

Examples of usage
-----------------
  ApiHooks.exe -n MyHooks.dll notepad.exe
   !) creates a notepad.exe process and applies MyHooks.dll to it.
   A) MyHooks.dll must be in PATH or the current directory.
   B) notepad.exe must be in PATH or the current directory.
   C) an info message box is displayed.

Check ApiHooks.exe exit code for more info (exit codes are the same as for
EstablishApiHooks functions).

  C:\DOS\ApiHooks.exe -nq F:\HOOKS\MyHooks.dll D:\WINNT\SYSTEM32\notepad.exe "new file.txt"
   !) creates a notepad.exe process and applies F:\HOOKS\MyHooks.dll to it.
   A) no message box is displayed if all went OK.
   note) full path specifications -> faster execution.

  ApiHooks.exe -o Hooks001.dll winver.exe
   !) applies Hooks001.dll to the first winver.exe process found in the
      system.
   A) Hooks001.dll must be in the current directory.
   B) an info message box is displayed.

  ApiHooks.exe -or Hooks001.dll D:\123\winver.exe
   !) applies Hooks001.dll to the first D:\123\winver.exe process found
      in the system.
   A) no message box is displayed even if there was an error.
   note) if you use the W2K or ALL version under Windows 2000, the process
      won't be found.

  ApiHooks.exe -o NThexpl.drv 0x45
   !) applies NThexpl.drv to the process with PID = 0x45.
   A) NThexpl.drv must be in the current directory.
   B) an info message box is displayed.

  ApiHooks.exe -oq C:\TEMP\hookdlls\mpghooks\mpghks.333 mmxmpeg1.dll
   !) applies C:\TEMP\hookdlls\mpghooks\mpghks.333 to the first
      mmxmpeg1.dll process found in the system.
   A) no message box is displayed if all went OK.

  ApiHooks.exe -or D:\DEB\95hooks\0hooks\0hOOK.h 0XfFfFc67B
   !) applies D:\DEB\95hooks\0hooks\0hOOK.h to the process with
      PID = 0xFFFFC67B.
   A) no message box is displayed even if there were errors.

  ApiHooks -nq RegLog.dll CMD /C CMD /C CMD /C CMD /C TASKMGR
   !) creates a CMD process and applies RegLog.dll to it.
   A) no message box is displayed if all went OK.

------------------------------------------------------------------------------
Using ApiHooks.dll
------------------
See AHasDLL.txt in the HDK subdirectory.

------------------------------------------------------------------------------
Hooking a running process (here running process = process whose primary thread
------------------------- has executed at least one instruction in the main module)
 For applying hooks to a running process the WNT-2K version is the most
suitable, so NT4 users are fine. In Windows 2000 also use the WNT-2K version
for hooking a running process if possible.
 If you use the W95-98, W2K or ALL version, these are the rules for hooking a
running process:
A) You should know what you are hooking.
B) Hook only processes with visible windows.
C) Don't hook a process with realtime priority.
 If you do not respect the rules above, there is a chance the EstablishApiHooks
functions never return (and 2 tasks will have to be killed or the PC rebooted).
 If the process is not waiting (for example mplayer2.exe during playback) it
will be hooked within a few seconds. If the process is waiting, try to invoke
some activity in it, for example move the mouse over its window or switch to
it. Without activity it may take several minutes (1-10) before the hooks are
applied.
 WakeUpGUI significantly decreases the time until the hooks are applied because
it generates activity in a waiting target process (one with windows, dialogs, ..).
So in Windows 95/98 and 2000 more running processes can be hooked, and faster.
 From practice I can say that in 95/98 everything can be hooked except
KERNEL32.dll and 16-bit processes. Processes waiting for console input are
hooked after some activity in the console window/full screen.
 In Windows 2000, hooking processes waiting on a non-window-message object
(console input, mutex, .. ultimately anything that waits in KeWaitForMutexObject)
is difficult. For example, when you open any Windows .hlp file, 2 winhlp32.exe
processes are created in NT4/W2K. One process has a window and can be hooked
easily, but the second process, which created the 1st winhlp32 process, has no
windows and waits for the 1st process to terminate (WaitForSingleObject); it
will be hooked only after the 1st winhlp32 process terminates. Processes
waiting for console input will be hooked after Enter is pressed.

Hooking a running protected process
-----------------------------------
 If you have the right to debug programs (typically if you are an administrator)
you can apply hooks to any process except Idle, System and smss.exe (kernel
processes, or kernel32.dll not present). For -o hooking of protected processes
like services, csrss, lsass, ... use the WNT-2K version only! The only exception
is winlogon, where the W2K version can be used as well.

------------------------------------------------------------------------------
Hooks format
------------
See HookDLL.txt in the HDK subdirectory.

------------------------------------------------------------------------------
Windows 9x global hooks
-----------------------
See 9xGlobal.txt in the HDK subdirectory.

------------------------------------------------------------------------------
Examples
--------
See Examples subdirectory.

------------------------------------------------------------------------------
Contact
-------
WWW: http://members.xoom.com/EliCZ (elicz.cjb.net, elicz.tsx.org)
EML: http://www.InsideTheWeb.com/mbs.cgi/mb869669
IRC: EFNet: #syscoding
ICQ: 14142829

------------------------------------------------------------------------------
Questions & Answers
-------------------

Q: Can I distribute ApiHooks with my program?
A: Yes, ApiHooks is free for any purpose.

Q: Can ApiHooks work with DOS and Win16 applications?
A: No, ApiHooks is designed for Win32 applications only. You can try to hook
   NTVDM.exe and so hook them indirectly. DOS hooks are interrupt hooks, usually
   used in TSRs (see for example Trash.zip\moninte.asm on my webpage).

Q: Can ApiHooks watch VxD calls and driver calls?
A: No, use Systems Internals VxDMon or NuMega BoundsChecker.

Q: What does it mean that process is not created in debug mode?
A: It consumes fewer system resources. A debugger must stay active, cannot be
   terminated and is detectable, while ApiHooks does its job and quits.
   Hooking a running process also works much better.

Q: What are the disadvantages of ApiHooks?
A: In NT, calls made during DllMain(ATTACH_PROCESS) of statically loaded DLLs
   in the newly create-suspended process are missed; all modules loaded later
   can be hooked. If a module loaded later has bound imports there are
   difficulties: dynamically loaded modules can be hooked using LoadLibrary
   hooks; statically loaded modules aren't hooked. Apply UnBind to everything
   that has bound imports to allow hooking.
   In 9x (if the HOOK_HARD attribute was used) everything is hooked. If
   HOOK_HARD wasn't used you must help yourself with GetProcAddress and
   LoadLibrary hooks.
   If a module is packed it will always be hooked.
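To make the bound-import point concrete, here is an added C model (written
for this page, not ApiHooks' own code) of the loader rule behind it: a
pre-bound IAT slot is kept as long as the exporting DLL's timestamp still
matches the one recorded at bind time, so a hook that sits on the
name-resolution path (the GetProcAddress/LoadLibrary style mentioned above)
never sees that import; a timestamp mismatch or an UnBind forces resolution
again and the hook takes effect. OpenFile, the timestamps and the hook name
are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not ApiHooks' own code: a model of how a bound import bypasses
 * a hook installed on the import-resolution path, and why UnBind restores it.
 * "OpenFile", the timestamps and the hook name are assumptions. */

typedef int (*api_fn)(int);
static int RealOpenFile(int h) { return h + 100; }   /* stands in for a real export */

/* The exporting DLL as the loader sees it: export name, address and link timestamp. */
typedef struct { const char *name; api_fn fn; uint32_t timestamp; } export_t;
static const export_t kernel_export = { "OpenFile", RealOpenFile, 0x38700000u };

static int hook_hits;
static int HookOpenFile(int h) { hook_hits++; return RealOpenFile(h); }

/* A resolution-time hook: when installed, every import that is resolved
 * by name receives the hook address instead of the real export. */
static api_fn resolution_hook;

static api_fn resolve_by_name(const char *name) {
    if (strcmp(name, kernel_export.name) != 0) return NULL;
    return resolution_hook ? resolution_hook : kernel_export.fn;
}

/* One IAT slot. A non-NULL bound_addr plus bound_timestamp means the linker's
 * BIND step pre-filled the slot with an absolute address for a DLL build
 * carrying that timestamp. */
typedef struct {
    const char *name;
    api_fn bound_addr;
    uint32_t bound_timestamp;
    api_fn slot;            /* what calls actually go through after loading */
} import_t;

/* Modelled loader rule: keep the pre-bound address while the DLL timestamp
 * still matches; only otherwise resolve by name. */
static void load_import(import_t *imp) {
    if (imp->bound_addr != NULL && imp->bound_timestamp == kernel_export.timestamp)
        imp->slot = imp->bound_addr;             /* no lookup: the hook never sees it */
    else
        imp->slot = resolve_by_name(imp->name);  /* hookable path */
}

/* UnBind: drop the pre-bound data so the loader must resolve the import again. */
static void unbind(import_t *imp) { imp->bound_addr = NULL; imp->bound_timestamp = 0; }

/* Load an import bound against a DLL with timestamp `bound_ts`, optionally
 * UnBind and reload, make one call through the slot, and report whether that
 * call reached the hook (1) or bypassed it (0). */
static int bound_import_hooked(uint32_t bound_ts, int unbind_first) {
    import_t imp = { "OpenFile", RealOpenFile, bound_ts, NULL };
    int before = hook_hits;
    resolution_hook = HookOpenFile;
    load_import(&imp);
    if (unbind_first) { unbind(&imp); load_import(&imp); }
    imp.slot(1);                      /* the call itself succeeds either way */
    return hook_hits - before;
}

int main(void) {
    printf("bound, timestamp matches:      hooked = %d\n", bound_import_hooked(0x38700000u, 0));
    printf("bound against older DLL build: hooked = %d\n", bound_import_hooked(0x11110000u, 0));
    printf("after UnBind:                  hooked = %d\n", bound_import_hooked(0x38700000u, 1));
    printf("hook hits in total: %d\n", hook_hits);
    return 0;
}
```

The stale-timestamp case is why a bound module that worked around a hook on
one OS build may be hooked again after a DLL update: the loader discards the
pre-bound addresses and resolves by name, exactly as if UnBind had been run.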

Q: What about forwarded exports?
A: Forwarded exports are a kind of API hook. ApiHooks has no problems with
   them. On the other hand, today's protectors with anti-API-hook tricks are
   badly done, and if they work it is by chance and may not work in the next
   OS versions.

Q: I can't apply hooks to 0x0, 0x2, *ss, ... ?
A: Because these are kernel processes, or you don't have the right to open them.

Q: I wrote GetDlgItemTextW hook, but can't apply it to WinLogon... ?
A: If only it were all that easy.... wait for exploits. There is a WinLogon
   example in the Examples\EliASM directory.

Q: Where is the original API address?
A: If you imported the API in your DLL, it is there. Don't use the addresses
   in API_UNHOOK structures!

Q: ApiHooks says it can't create the process, even though the path is right... ?
Q: The process was created, but isn't hooked... ?
A: There's not enough free memory in the system.
