
I need some advice on how to continue with CreateFile() hooking, having got as far as the following code:

#include <windows.h>
#include <wchar.h>
#include "C:\Detours\Detours-4.0.1\include\detours.h"
#pragma comment(lib, "detours.lib")   // link against the Detours import library

// Trampoline: starts out as the real CreateFileW; DetourAttach rewrites it to point at the
// original code behind the patched prologue, so calling it from the detour avoids recursion.
static HANDLE(WINAPI* TrueCreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile) = CreateFileW;

// The detour must have exactly the signature of the function it replaces: LPCWSTR, not LPCTSTR
// (which is char* in a non-Unicode build). The export matters too: Detours loads the DLL through
// an import entry for ordinal 1, so the DLL needs at least one exported symbol.
__declspec(dllexport) HANDLE WINAPI MyCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess,
    DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
    // Compare the path contents, not the pointers: == on two LPCWSTR compares addresses and is
    // never true here. Backslashes have to be escaped inside a C string literal.
    if (lpFileName != NULL && _wcsicmp(lpFileName, L"C:\\TestHook\\file.txt") == 0)
    {
        OutputDebugStringW(L"MyCreateFileW: C:\\TestHook\\file.txt is being opened");
        // Placeholder branch: passes the call through unchanged; put your own handling here.
        return TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
            dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
    }
    return TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
        dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}

// The entry point must be spelled exactly DllMain. The CRT never calls a function named DLLMain,
// so with the original spelling the DetourAttach below was never executed.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason_for_call, LPVOID lpReserved)
{
    LONG error;
    switch (reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        OutputDebugStringW(L"Attaching HookingDLL.dll");
        DetourRestoreAfterWith();   // required when the DLL is injected by withdll/DetourCreateProcessWithDll
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)TrueCreateFileW, MyCreateFileW);
        error = DetourTransactionCommit();

        if (error == NO_ERROR)
        {
            OutputDebugStringW(L"Hooking attempt succeeded");
        }
        else
        {
            OutputDebugStringW(L"Hooking attempt failed");
        }
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        OutputDebugStringW(L"Detaching HookingDLL.dll");
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)TrueCreateFileW, MyCreateFileW);   // was DetourAttach: that re-attaches instead of removing
        error = DetourTransactionCommit();

        if (error == NO_ERROR)
        {
            OutputDebugStringW(L"Successfully detached hook");
        }
        else
        {
            OutputDebugStringW(L"Hook removal has failed");
        }
        break;
    }
    return TRUE;
}

What I need is for MyCreateFileW to be called when creating a new .txt file in Notepad++. Most likely I have to add a DLL injector to apply that hook, but on the Internet I didn't find any comprehensible step-by-step guide for beginners (it's worth saying I'm a student). Could you suggest how to proceed with a DLL injector in my case? Let me note that I'm using Microsoft Detours to learn API hooking more smoothly and consistently.

Max_ReFactor

1 Answer


You have already prepared the detour DLL. What you need to do is create a new process and load DLLs into it with DetourCreateProcessWithDlls. Something like this:

STARTUPINFOA si = { sizeof(si) }; PROCESS_INFORMATION pi = { 0 };
char cmdLine[] = "C:\\windows\\notepad.exe";   // lpCommandLine must be a writable buffer
DetourCreateProcessWithDllA(NULL, cmdLine, NULL,           // Detours 4.x signature: no separate DetourPath argument
        NULL, FALSE, CREATE_DEFAULT_ERROR_MODE, NULL, NULL,
        &si, &pi, DLLPath, NULL);                          // DLLPath: full path of your hook DLL

You can refer to this tutorial "API Hooking with MS Detours" for more detailed information.

Rita Han
  • Thank you for your advice, indeed. I'm going to ask about two other things: shall I run { withdll \d:mydll.dll "path_to_notepad++"} via the developer command prompt (I use VS 2019), or {setdll} instead of {withdll}? Will I need two cpp files (one with the code I posted earlier, the other with main() as in the tutorial), so other files don't matter here, right? – Max_ReFactor Oct 08 '19 at 14:20
  • @Max_ReFactor Are you talking about official sample [withdll](https://github.com/microsoft/Detours/tree/master/samples/withdll) and [setdll](https://github.com/microsoft/Detours/tree/master/samples/setdll)? – Rita Han Oct 09 '19 at 08:08
  • No, my purpose is to learn how I should start the program in the command prompt to apply a hook. Must I enter withdll as the exe file name (indeed, this one belongs in C:\Detours\Detours-4.0.1\bin.X86) before the name of the DLL I'd inject? Is it the right choice of executable file to launch hooking, isn't it? – Max_ReFactor Oct 09 '19 at 17:29
  • @Max_ReFactor From the withdll.exe usage it does work this way: `withdll /d:mydll.dll "path_to_notepad++"`. `withdll` will insert your DLL, launch Notepad++ and restore the changes after this execution completes. If you want to insert your DLL next time, you need to enter withdll first. setdll, on the other hand, will edit the target app's binary file (by default without restoring the changes) but not launch it. I haven't tested withdll and setdll. You can have a try to see if it helps. – Rita Han Oct 14 '19 at 08:19
  • Thank you. It seems I still need an explanation. Now I have a couple of script files: the first one contains the code I inserted in the question, the second one contains the main() function I found via the reference you courteously pointed out. I guess it's wrong because one project has both DLLMain() and main() (that's my mistake). I launch Notepad with withdll and trace the hook setup in API Monitor. I see there only DLLMain() calls from the module ntdll.dll, not what I'm seeking. Before launching, I pasted the DLL injection file into the folder with the Detours lib, and into the Notepad folder too. – Max_ReFactor Oct 16 '19 at 15:09
  • @Max_ReFactor There is no need for the "second one contains main() function I found by reference". – Rita Han Oct 17 '19 at 09:39
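An added example, not part of the question or the answer: a minimal injector for Detours 4.0.1 that does what the answer and the withdll comments describe (start the target with the hook DLL loaded, here via DetourCreateProcessWithDllExW, the same mechanism withdll.exe uses) and first checks that the target and the DLL are the same bitness, because a 32-bit DLL cannot be loaded into a 64-bit Notepad++ and the hook then silently never installs. The injector name and the Notepad++/DLL paths in the usage comment are assumptions; the PE header check is portable and the Windows-only part sits under #ifdef _WIN32.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")
#endif
// Portable helper: IMAGE_FILE_HEADER.Machine read from the first bytes of a PE file (0 if not a PE).
// A 32/64-bit mismatch makes the loader reject the injected DLL, so DllMain (and DetourAttach) never runs.
uint16_t PeMachineFromBytes(const uint8_t* b, size_t n)
{
    if (n < 0x40 || b[0] != 'M' || b[1] != 'Z') return 0;
    uint32_t e_lfanew; std::memcpy(&e_lfanew, b + 0x3c, 4);          // file offset of "PE\0\0"
    if (e_lfanew > n - 6 || std::memcmp(b + e_lfanew, "PE\0\0", 4) != 0) return 0;
    uint16_t machine; std::memcpy(&machine, b + e_lfanew + 4, 2);    // 0x014c = x86, 0x8664 = x64
    return machine;
}
#ifdef _WIN32
static uint16_t PeMachineOfFile(const wchar_t* path)
{
    uint8_t buf[4096]; DWORD n = 0;
    HANDLE h = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    BOOL ok = ReadFile(h, buf, sizeof(buf), &n, NULL);
    CloseHandle(h);
    return ok ? PeMachineFromBytes(buf, n) : 0;
}
// usage (paths are assumptions): injector.exe "C:\Program Files\Notepad++\notepad++.exe" C:\TestHook\HookingDLL.dll
int wmain(int argc, wchar_t* argv[])
{
    if (argc != 3) { fwprintf(stderr, L"usage: injector <target.exe> <hook.dll>\n"); return 1; }
    uint16_t mt = PeMachineOfFile(argv[1]), md = PeMachineOfFile(argv[2]);
    if (mt == 0 || mt != md) { fwprintf(stderr, L"file not found, or target and DLL bitness differ\n"); return 1; }
    char dllPath[MAX_PATH];            // Detours takes the DLL path as ANSI even in the W variant
    WideCharToMultiByte(CP_ACP, 0, argv[2], -1, dllPath, MAX_PATH, NULL, NULL);
    wchar_t cmdLine[MAX_PATH + 2];     // lpCommandLine must be a writable buffer
    swprintf_s(cmdLine, L"\"%s\"", argv[1]);
    STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi = {};
    // CREATE_SUSPENDED, as in the withdll sample: DllMain (and so DetourAttach) runs before the target's own code.
    if (!DetourCreateProcessWithDllExW(argv[1], cmdLine, NULL, NULL, FALSE,
            CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED, NULL, NULL, &si, &pi, dllPath, NULL)) {
        fwprintf(stderr, L"DetourCreateProcessWithDllExW failed: %lu\n", GetLastError());
        return 1;
    }
    ResumeThread(pi.hThread); WaitForSingleObject(pi.hProcess, INFINITE);   // DLL's OutputDebugString lines show in DebugView meanwhile
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return 0;
}
#endif
```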