Closed Pinhuer closed 8 years ago
Since a hook is written to the code pages of the process, to do that you would need to hook all processes, or at least the ones you really are interested in. A hook in Deviare lets you intercept any API call before and/or after it is given course. Every hook handler must have a specific signature that receives several objects. Among those is the NktProcess which gives you information about the process that had its call intercepted. With it you can easily adapt your handler to the hooked process. You can take a look at its interface here.
I don't think there are any examples that do this, because hooking all processes should be avoided when possible as a design choice.
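As an added illustration of the handler signature and NktProcess usage described in the reply above (this is not code from the original thread or from the Deviare project; the class and member names NktSpyMgr, CreateHook, Attach, Hook, OnFunctionCalled, NktHookCallInfo.Params and ReadString are assumed from the Deviare2 C# samples, and the target process name and hooked API are chosen here for illustration):

```csharp
using System;
using Nektra.Deviare2;   // Deviare2 COM interop namespace (assumed)

class ApiMonitor
{
    static void Main()
    {
        // Spy manager setup; names assumed from the Deviare2 samples.
        NktSpyMgr spyMgr = new NktSpyMgr();
        spyMgr.Initialize();
        spyMgr.OnFunctionCalled += OnFunctionCalled;

        // One hook on one API, pre-call only; the same hook is attached to several processes.
        NktHook hook = spyMgr.CreateHook("kernel32.dll!CreateFileW",
                                         (int)eNktHookFlags.flgOnlyPreCall);

        // Attach only to the processes of interest rather than every process on the machine.
        NktProcessesEnum procs = spyMgr.Processes();
        for (NktProcess proc = procs.First(); proc != null; proc = procs.Next())
        {
            if (proc.Name.Equals("notepad.exe", StringComparison.OrdinalIgnoreCase))
                hook.Attach(proc, true);
        }
        hook.Hook(true);

        Console.WriteLine("Monitoring; press Enter to stop.");
        Console.ReadLine();
        hook.Unhook(true);
    }

    // Handler signature: NktProcess identifies the process whose call was intercepted,
    // so a single handler can branch on the caller without a hook per process.
    static void OnFunctionCalled(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
    {
        // Parameter 0 of CreateFileW is lpFileName; read it from the intercepted call.
        NktParamsEnum pms = callInfo.Params();
        string fileName = pms.GetAt(0).ReadString();
        Console.WriteLine("[{0}:{1}] {2} -> {3}", proc.Name, proc.Id, hook.FunctionName, fileName);
    }
}
```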
Thanks for the reply.
Well, my application is different; there is no "good design" in it, and it won't be distributed. I need to intercept API calls issued by a driver. I guess that it is not possible.
Hooking kernel APIs is not a good idea, and Deviare is user-mode. But depending on your needs, a filter driver might fit your requirements.
I'd like to hook all calls to some API function independently of which program makes them. Getting information about the calling program would be nice too.
Can Deviare be used for that? It looks like it is possible but I cannot find an example of such usage. Are there any?
It's a new area for me, so I'd like to ask a question before I dive in.