
I want to use the following native APIs:

NtOpenProcess 
NtOpenThread 
NtReadVirtualMemory 
NtWriteVirtualMemory 
PsCreateSystemThread 
KiAttachProcess

Is it possible to hook these APIs from managed C# code? If so, can someone provide an example of how this would be done?

unbalanced (edited by Cody Gray - on strike)
  • Everything is possible. Go get a good book on Windows system programming. – Sergio Tulentsev May 06 '12 at 09:57
  • Did you already try hooking some other APIs? If yes, what happens once you try to hook the ones above? – Davide Piras May 06 '12 at 09:58
  • SO's popularity means people don't even bother with the most basic research any more. Makes me long for the CodeProject days. – Mahmoud Al-Qudsi May 06 '12 at 09:59
  • I think it's a valid question, just very poorly articulated. The crux of the question is useful though. Furthermore, I'd say just because the answer to this question is available out on the web, via research, doesn't mean it shouldn't be on SO. Indeed, I'd rather find the answer here than in some forum somewhere. – andy May 06 '12 at 10:05
  • I see someone has edited your question to be about *calling* APIs. That's very different from *hooking* calls to those APIs. Which do you want? – Cody Gray - on strike May 06 '12 at 10:19
  • Hey Cody, that's my bad, I changed it to calling. I may well be wrong, perhaps it is Hooking that Harun is looking for. Harun, could you edit your question if I've incorrectly edited it? – andy May 06 '12 at 10:27
  • Actually, I want to hook these APIs when some programs call them, and send some ID to a server. It's about anti-hack for a game, because some people want to hack the game with cheating programs. I want to determine who uses these types of programs, so it's not about calling the API; it's about catching which program called the API. Maybe it's clear now? – unbalanced May 06 '12 at 10:55
  • Then, definitively, no. This cannot be done from managed code, such as C#. – Cody Gray - on strike May 06 '12 at 11:24
  • @HarunAbi, see my answer for updated guide about what you want to achieve (in C#). – Luka Ramishvili May 08 '12 at 06:10

1 Answer

You can declare NtOpenProcess with its original arguments and then put DllImport("kernel32.dll") just before its declaration (you can use this method for just about any DLL/procedure combination).

Just like this:

[DllImport("ntdll.dll")]   // NtOpenProcess is exported by ntdll.dll, not kernel32.dll
internal static extern int NtOpenProcess(out IntPtr ProcessHandle, uint DesiredAccess,
    ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId);
// OBJECT_ATTRIBUTES and CLIENT_ID are the native structs, declared with [StructLayout(LayoutKind.Sequential)]

Here's an explanation on MSDN.

Update: Actually what you want to do is doable from C#, but with the help of C++. If you want to intercept API calls from other programs, an easier way is to write the API intercepting code in C++ (using native windows functionality) and then DllImport-ing your C++ DLL into your C# application, doing only function calls from C# code.

Luka Ramishvili
  • Thank you for your answer. I don't want to use some API; as you said in your update, I want to intercept APIs. Do I have to use C++ for API intercepting? If not, how do I do API intercepting with C#? – unbalanced May 08 '12 at 17:08
  • He wants to *hook* calls to these functions—that is, receive a *notification* whenever *another application* calls them. This is not possible from managed code like C#, and you can't do it by simply P/Invoking a function. (I would have downvoted, but someone altered the question to say something else while it was closed. Now it's been re-opened, so I fixed it back.) – Cody Gray - on strike May 09 '12 at 00:15
  • Actually, my answer includes a guide how to intercept API calls of other programs. It should be done in a C++ library which should be DllImport-ed in C# code. He will P/Invoke his own C++ code which does it for him. Maybe I didn't explain sufficiently, maybe you didn't read it fully. – Luka Ramishvili May 09 '12 at 04:36
  • But as for C++ code, intercepting api calls may cause system destabilisation. Maybe the question was edited, but OP said in comments he wanted to catch which program used these APIs, so we're on a right track. – Luka Ramishvili May 09 '12 at 04:40
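The following is an added example, not code from the answer above or from anyone in the thread. It shows the two pieces the answer describes in working C#: (a) a complete P/Invoke declaration of NtOpenProcess with the OBJECT_ATTRIBUTES and CLIENT_ID structures it needs (the export lives in ntdll.dll), plus the NT_SUCCESS check on the returned NTSTATUS, and (b) the managed side of the "C++ DLL does the intercepting, C# only makes function calls" design: a stdcall delegate handed to the native DLL so it can notify C# each time the hooked function is called. The DLL name apihook.dll, its exports InstallHook and RemoveHook, and the callback signature are hypothetical placeholders for whatever native hooking library you build; they are not from the page. Two caveats from the question's API list: PsCreateSystemThread and KiAttachProcess are kernel-mode routines, so they cannot be P/Invoked or hooked from a user-mode process at all, and a DLL loaded through DllImport is loaded into your own process only, so a hook installed this way sees your process's calls, not other programs', unless the native DLL is also loaded into those processes (injection) or the monitoring is done by a driver, neither of which the page covers.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example, not code from the original answer.
// Part (a): a usable P/Invoke declaration of NtOpenProcess (exported by ntdll.dll).
// Part (b): the managed side of "C++ DLL hooks, C# gets notified"; the DLL name
// apihook.dll and its exports InstallHook/RemoveHook are hypothetical placeholders.
internal static class NativeMethods
{
    [StructLayout(LayoutKind.Sequential)]
    internal struct OBJECT_ATTRIBUTES
    {
        public int Length;                       // sizeof(OBJECT_ATTRIBUTES)
        public IntPtr RootDirectory;
        public IntPtr ObjectName;                // PUNICODE_STRING; null when opening by PID
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential)]
    internal struct CLIENT_ID
    {
        public IntPtr UniqueProcess;             // PID
        public IntPtr UniqueThread;              // TID, left zero here
    }

    internal const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

    [DllImport("ntdll.dll")]
    internal static extern int NtOpenProcess(out IntPtr ProcessHandle, uint DesiredAccess,
        ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId);

    [DllImport("ntdll.dll")]
    internal static extern int NtClose(IntPtr Handle);

    // NT_SUCCESS(): an NTSTATUS is success or informational when its sign bit is clear.
    internal static bool NtSuccess(int status) => status >= 0;

    // Opens a process by PID through the native API; returns the raw NTSTATUS on failure.
    internal static bool TryOpenProcessByPid(int pid, uint access, out IntPtr handle, out int status)
    {
        var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf<OBJECT_ATTRIBUTES>() };
        var cid = new CLIENT_ID { UniqueProcess = (IntPtr)pid };
        status = NtOpenProcess(out handle, access, ref oa, ref cid);
        return NtSuccess(status);
    }
}

// Signature the hypothetical native DLL calls back with: which PID called NtOpenProcess
// and which PID it tried to open. Declared stdcall to match a __stdcall C++ callback.
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
internal delegate void OpenProcessHookCallback(uint callerPid, uint targetPid);

internal static class HookDll
{
    // Hypothetical exports; replace with the names your C++ hook library actually exports.
    [DllImport("apihook.dll", CallingConvention = CallingConvention.StdCall)]
    internal static extern int InstallHook(OpenProcessHookCallback callback);   // nonzero on success

    [DllImport("apihook.dll", CallingConvention = CallingConvention.StdCall)]
    internal static extern void RemoveHook();
}

internal static class Program
{
    // Kept in a static field so the GC cannot collect the delegate while native code
    // still holds the function pointer that was marshalled from it.
    private static OpenProcessHookCallback s_callback;

    private static int Main()
    {
        // (a) Call NtOpenProcess directly, on our own PID, and check the NTSTATUS.
        int selfPid = Process.GetCurrentProcess().Id;
        if (!NativeMethods.TryOpenProcessByPid(selfPid, NativeMethods.PROCESS_QUERY_LIMITED_INFORMATION,
                                               out IntPtr handle, out int status))
        {
            Console.WriteLine($"NtOpenProcess failed, NTSTATUS 0x{status:X8}");
            return 1;
        }
        NativeMethods.NtClose(handle);
        Console.WriteLine("NtOpenProcess on own PID succeeded");

        // (b) Let the native DLL install the hook and push notifications into C#.
        s_callback = (caller, target) =>
            Console.WriteLine($"PID {caller} called NtOpenProcess targeting PID {target}");
        if (HookDll.InstallHook(s_callback) == 0)
        {
            Console.WriteLine("InstallHook failed");
            return 2;
        }
        Console.WriteLine("Hook installed; press Enter to remove it");
        Console.ReadLine();
        HookDll.RemoveHook();
        return 0;
    }
}
```

Part (a) runs on any Windows machine with .NET; part (b) only links once a native DLL with those two exports exists beside the executable. The delegate is stored in a static field on purpose: if the only reference to it is the local passed to InstallHook, the garbage collector may reclaim it while the native hook still calls through its function pointer, which crashes the process at a random later time.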