API Hooking in AutoIt

[wraithdu]

@monoceres

Can you weigh in on this?

http://www.autoitscript.com/forum/index.ph...st&p=613011

I've got the same problem on Vista - the callback is not being called from a compiled script.

EDIT - last minute thought, and I was right. UPX is breaking it. Any ideas why this is? Are the function addresses and such being mangled by the runtime decompression?

Edited December 4, 2008 by wraithdu

[wraithdu]

BTW, I found a small bug in your code. Line 101 should read -

"dword", DllStructGetData($mbi, "Protect"), "ptr", DllStructGetPtr($randomdword, 1))

Edited December 4, 2008 by wraithdu

[monoceres]

BTW, I found a small bug in your code. Line 101 should read -

"dword", DllStructGetData($mbi, "Protect"), "ptr", DllStructGetPtr($randomdword, 1))

Thanks, fixed

[wraithdu]

Oops, sorry I didn't mention before, same mistake on line 69 as well.

[wraithdu]

I combined your idea and Ward's method to come up with a version that will work when compiled with UPX. I included your ShellExecute example. Thoughts?

_HookApi_new.au3

Edited December 7, 2008 by wraithdu

[ChangMinYang]

@monoceres

I need your help, about hook back.

http://www.autoitscript.com/forum/index.ph...st&p=622307

[ChangMinYang]

@monoceres

I need your help, about hook back.

http://www.autoitscript.com/forum/index.ph...st&p=622307

expandcollapse popup

; Add the hook and save the "handle" to the hook, we need this to change the hook later on
global $regptr = DllCallbackRegister( "_ApiHookLog" , "int" , "ptr" )
global $hook = _ApiHookAdd( "Shell32.dll" , "ShellExecuteExW" , $regptr )

;; Lets try ShellExecute something
ShellExecute( FileOpenDialog( "All files", "" , "All files (*.*)" ) )

; Change back to the original ShellExecute
_ApiHookDel( $hook )


Func _ApiHookLog( $ptr )
; SHELLEXECUTEINFO struct
    Local $SHELLEXECUTEINFO = DllStructCreate( "dword;ulong;hwnd;ptr;ptr;ptr;ptr;int;ptr;ptr;ptr;ptr;dword;ptr;ptr;" , $ptr )

    Local $wstring = DllStructCreate( "wchar[255]" , DllStructGetData( $SHELLEXECUTEINFO , 5 ) )

    Local $confirm = MsgBox( 0x1 , "Shellexecute hook" , "AutoIt tried to shellexecute: " & DllStructGetData( $wstring , 1 ) & @CRLF & "Allow this?" )

    If $confirm Then
 ;Referred <= Dim $return[4] = [ $itd , $callBackReg , $orig , $NewProcAddress ]

        DllStructSetData( $hook[0] , 1 , $hook[2] )

        DllCallbackFree( $regptr )

        $regptr = DllCallbackRegister( "_ApiHookLog" , "int" , "ptr" )

        $hook[1] = $regptr

        DllStructSetData( $hook[0] , 1 , $hook[3] )
    EndIf

    $wstring = 0
    $SHELLEXECUTEINFO = 0

    Return 0
EndFunc

Is this just a simple level, the only possible example apihook as Hook/Unhook except 'hook forwading'?

Edited December 29, 2008 by GoodMan

[ProgAndy]

You have to save the old func-pointer (getprocAddres) and then use MemoryDllCall or write your own code with CallWindowProc

Edited December 29, 2008 by ProgAndy

[ChangMinYang]

You have to save the old func-pointer (getprocAddres) and then use MemoryDllCall or write your own code with CallWindowProc

Thanks reply.

But, if I needs to use 'CallWindowProc', aren't better to use 'SetWindowsHookEx + CallNextHookEx + UnhookWindowsHookEx'?

[ProgAndy]

For API-hooks it's not possible to use these functions.

But if you can use SetWindowsHookEx instead of API-Hook, it would be better to do so.

[ChangMinYang]

For API-hooks it's not possible to use these functions.

But if you can use SetWindowsHookEx instead of API-Hook, it would be better to do so.

This sample just shown like 'can not get back across the bridge'?

0xSOME JMP SHORT 0xHOOK

0xHOOK You can not return to 0xSOME, this is just 'JMP'. If you want to 'CallBack', fill this line by some CallBack routine.

Ok. Let's try ...

Thanks.

[StrategicX]

hey mate! thanks for this! Thgis is a great script for learning.. You say that you cant hook other processes addresses with just autoit code, like say if I wanted to hook an address in wow.exe while its running... and since autoit can handle anything(for the msot part) thats in a Dll, I could write a dll, in C++ that hooks a certain address and use DllCall() to call that function from the C++ dll with my autoit handler... Is this correct? because Im thinking of using a an Api hook in my telebot... Let me know... Ive taken C++ class last year mate so im sure i could make the dll... just need to know if I could use autoit to handle the functions and call them... Thanks agaion mate

[arcker]

the dll can be injected as we already seen in another post

to make this dll communicate with other programs, see IPC.

[monoceres]

hey mate! thanks for this! Thgis is a great script for learning.. You say that you cant hook other processes addresses with just autoit code, like say if I wanted to hook an address in wow.exe while its running... and since autoit can handle anything(for the msot part) thats in a Dll, I could write a dll, in C++ that hooks a certain address and use DllCall() to call that function from the C++ dll with my autoit handler... Is this correct? because Im thinking of using a an Api hook in my telebot... Let me know... Ive taken C++ class last year mate so im sure i could make the dll... just need to know if I could use autoit to handle the functions and call them... Thanks agaion mate

wraithdu has made a wonderful job for this in this topic:

http://www.autoitscript.com/forum/index.ph...c=87240&hl=

[StrategicX]

hey thanks mate! That helps alot...Im doing some testing since im pretty sure theres no why for autoit to support sending packets with only autoit native code, but only through a C++ Dll or anouther power language... but Im thinking of hooking a function by its address in game to make my speed faster...The faster the speed the faster the teleport thanks again mate

[AzKay]

Any ideas on how to hook http://msdn.microsoft.com/en-us/library/ms738520(VS.85).aspx?

Anything with struct's in them, Kinda blank me out.

[JRowe]

Ok, I'm a little confused. Am I restricted to using windows API DLLs?

I have a function in a c++ dll that takes a number and returns the number * 2.

double testFunc( int testVar ) 
{
    int newTestVar = testVar*2;
 return newTestVar;
}

What I'd like to do is reroute the function to an AutoIt script, that returned the number * 4, whenever this function was called by its original process.

Is that what this UDF does, or does it only work for functions that AutoIt calls?

The pic should explain better than I can in words.

[monoceres]

Is the Original Program an exe? If so, then you need, to read that little faq I wrote at the beginning of this topic. API Hooking is only supported in our address space. Trying to monitor what other processes do is not possible without injecting code into that process.

It doesn't matter if you hook the dll loaded in your address space. The original application will load its own version of the dll. Unhooked. And even if it didn't processes are bound to their own address space, it's not possible to transfer control between processes. Processes are on their own.

What you're trying to achieve is pretty easy with the help of some work by trancexx, I have uploaded and described the process here, it's almost exactly what you wanna do. However Rest assured you will not be able to do this in autoit (without the machinecode voodoo as you cleverly described it). Running you code inside the application is not optional.

Hit me an pm if you're not getting it to work. I can help you further on an IM service or something.

Edited October 22, 2009 by monoceres

[trancexx]

Here's the original monoceres's function rewritten to take advantage of some new features of the latest AutoIt versions and to be x64 compatible:

AddHookApi.au3

[DrH]

Heil Guys

I need some help to hook RegCreateKeyEx and RegSetValueEx to notify new created/changed registry keys.

Thank you for advance,I realy need it.