microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
MIT License

How can I use Detours to hook the Windows API once the user has opened the computer? #220

Open heimao63531 opened 2 years ago

heimao63531 commented 2 years ago

Hi detours team,

I would love to use Detours to hook the API SetupDiSetClassInstallParamsA so as to forbid users from disabling the network adapter. But I found it will only hook the API call in my process. Users can still disable the network adapter from Device Manager. How can I use the DLL to make it hook the SetupDiSetClassInstallParamsA API call in other processes?

Following is my code.

DLL side (HookApi_Detours_Dll.dll):

```cpp
#include <windows.h>
#include <setupapi.h>
#include <detours.h>
#pragma comment(lib, "setupapi.lib")

// Pointer to the real function; DetourAttach redirects it to the trampoline.
static BOOL (WINAPI *Old_SetupDiSetClassInstallParamsA)(HDEVINFO, PSP_DEVINFO_DATA,
                                                       PSP_CLASSINSTALL_HEADER, DWORD);

// Replacement: refuse a DICS_DISABLE property change, pass everything else through.
// (Body supplied so the snippet builds; the issue only shows the attach code.)
static BOOL WINAPI New_SetupDiSetClassInstallParamsA(HDEVINFO hDevInfo, PSP_DEVINFO_DATA pDevData,
                                                     PSP_CLASSINSTALL_HEADER pHdr, DWORD cb)
{
    // Check the buffer size before casting so a header-only buffer is never over-read.
    if (pHdr != NULL && cb >= sizeof(SP_PROPCHANGE_PARAMS) &&
        pHdr->InstallFunction == DIF_PROPERTYCHANGE &&
        ((PSP_PROPCHANGE_PARAMS)pHdr)->StateChange == DICS_DISABLE)
    {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }
    return Old_SetupDiSetClassInstallParamsA(hDevInfo, pDevData, pHdr, cb);
}

// Called from the DLL's DllMain on DLL_PROCESS_ATTACH.
VOID HookApi_Detours()
{
    DetourRestoreAfterWith();
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    Old_SetupDiSetClassInstallParamsA = SetupDiSetClassInstallParamsA;
    DetourAttach((PVOID *)(&Old_SetupDiSetClassInstallParamsA), New_SetupDiSetClassInstallParamsA);
    DetourTransactionCommit();
}
```

EXE side:

```cpp
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

// Helper from the poster's project; its definition is not shown in the issue.
void NetCardStateChange(bool enable, const char *adapterName);

int _tmain(int argc, _TCHAR* argv[])
{
    // LoadLibraryA: the literal is a narrow string even when the project builds with UNICODE.
    HMODULE hDll = ::LoadLibraryA("HookApi_Detours_Dll.dll");
    if (NULL == hDll)
    {
        printf("LoadLibrary Error!\n");
    }

    NetCardStateChange(true, "Red Hat VirtIO Ethernet Adapter");
    return 0;
}
```

danikdanik commented 2 years ago

@heimao63531 You'll need to load your hooking library in every process from which this API is called. How? There is a variety of options, but the simple one is to inject it from another process (you'll easily find how-tos across the web, e.g. from the controlling process call CreateRemoteThread with LoadLibrary as the parameter).

0xeb commented 2 years ago

Back in the old days, we used to hook explorer.exe (on the assumption that it is the parent of most processes). When a user runs a program, it will also be hooked, and so on. Another way is to use AppInit_DLLs or some other technique that lets you have a DLL loaded into every process.
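The "hook the parent, and its children inherit the hook" approach above has a Detours-native form: the hook DLL detours CreateProcessW and routes it through DetourCreateProcessWithDllExW, which starts the child suspended with the DLL queued for load and resumes it. Below is an added example of such a DLL (not Detours project code and not the poster's code); it also installs the SetupDiSetClassInstallParamsA hook from DllMain, which is what the poster's DLL must do since nothing in a foreign process calls HookApi_Detours. The export name HookDllMarker is an assumption. The policy check is kept free of Win32 types so it can be compiled and tested anywhere; the Win32 part is compiled only under _WIN32.

```cpp
#include <cstddef>

// Policy check: refuse only a DIF_PROPERTYCHANGE request whose StateChange is
// DICS_DISABLE, and only when the caller's buffer really holds SP_PROPCHANGE_PARAMS.
// The values repeat the setupapi.h definitions and are checked against them on Windows.
constexpr unsigned kDifPropertyChange = 0x12;   // DIF_PROPERTYCHANGE
constexpr unsigned kDicsDisable = 0x2;          // DICS_DISABLE
constexpr size_t kPropChangeParamsSize = 20;    // sizeof(SP_PROPCHANGE_PARAMS), x86 and x64

bool isDisableRequest(unsigned installFunction, unsigned stateChange, size_t cb) {
    return cb >= kPropChangeParamsSize && installFunction == kDifPropertyChange
        && stateChange == kDicsDisable;
}

#ifdef _WIN32
#include <windows.h>
#include <setupapi.h>
#include <detours.h>
#pragma comment(lib, "setupapi.lib")
#pragma comment(lib, "detours.lib")

static_assert(kDifPropertyChange == DIF_PROPERTYCHANGE, "constant drift");
static_assert(kDicsDisable == DICS_DISABLE, "constant drift");
static_assert(kPropChangeParamsSize == sizeof(SP_PROPCHANGE_PARAMS), "constant drift");

static HMODULE g_self;   // this DLL's module handle, used to find its own path

static BOOL (WINAPI *Real_SetupDiSetClassInstallParamsA)(HDEVINFO, PSP_DEVINFO_DATA,
        PSP_CLASSINSTALL_HEADER, DWORD) = SetupDiSetClassInstallParamsA;
static BOOL (WINAPI *Real_CreateProcessW)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
        LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW,
        LPPROCESS_INFORMATION) = CreateProcessW;

static BOOL WINAPI Mine_SetupDiSetClassInstallParamsA(HDEVINFO h, PSP_DEVINFO_DATA d,
        PSP_CLASSINSTALL_HEADER hdr, DWORD cb) {
    // Size is checked before the cast so a header-only buffer is never read past its end.
    if (hdr != NULL && cb >= sizeof(SP_PROPCHANGE_PARAMS) &&
        isDisableRequest(hdr->InstallFunction, ((PSP_PROPCHANGE_PARAMS)hdr)->StateChange, cb)) {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }
    return Real_SetupDiSetClassInstallParamsA(h, d, hdr, cb);
}

// Every child of a hooked process is created suspended with this DLL queued for load.
// Passing the real CreateProcessW keeps Detours from re-entering this hook.
static BOOL WINAPI Mine_CreateProcessW(LPCWSTR app, LPWSTR cmd, LPSECURITY_ATTRIBUTES pa,
        LPSECURITY_ATTRIBUTES ta, BOOL inherit, DWORD flags, LPVOID env, LPCWSTR dir,
        LPSTARTUPINFOW si, LPPROCESS_INFORMATION pi) {
    char dll[MAX_PATH];
    if (GetModuleFileNameA(g_self, dll, MAX_PATH) == 0)
        return Real_CreateProcessW(app, cmd, pa, ta, inherit, flags, env, dir, si, pi);
    return DetourCreateProcessWithDllExW(app, cmd, pa, ta, inherit, flags, env, dir, si, pi,
                                         dll, Real_CreateProcessW);
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID) {
    // Detours spawns a rundll32 helper for cross-bitness loads; do nothing inside it.
    if (DetourIsHelperProcess()) return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        g_self = hinst;
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID &)Real_SetupDiSetClassInstallParamsA, Mine_SetupDiSetClassInstallParamsA);
        DetourAttach(&(PVOID &)Real_CreateProcessW, Mine_CreateProcessW);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID &)Real_SetupDiSetClassInstallParamsA, Mine_SetupDiSetClassInstallParamsA);
        DetourDetach(&(PVOID &)Real_CreateProcessW, Mine_CreateProcessW);
        DetourTransactionCommit();
    }
    return TRUE;
}

// DetourCreateProcessWithDll* only loads DLLs that export a function at ordinal 1;
// give this one ordinal 1 in the module's .def file (EXPORTS HookDllMarker @1).
extern "C" __declspec(dllexport) void __cdecl HookDllMarker() {}
#endif
```

Get the DLL into the first long-lived parent with Detours' own withdll sample (or DetourCreateProcessWithDllEx from a launcher) and every process that parent starts through CreateProcessW picks it up. Processes that are not descendants of that parent, and anything spawned through a path other than CreateProcessW, stay unhooked, and AppInit_DLLs is disabled on systems booted with Secure Boot, so neither route reaches every process.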