API hooking revealed - Ivo Ivanov

This article takes a close look at Win32 API hooking and shows how to build a simple Win32 API spying system that helps developers monitor API calls, debug and reverse engineer software, and extend the functionality of applications.

API hooking revealed
By Ivo Ivanov
The article demonstrates how to build a user mode Win32 API spying system

Introduction

Intercepting Win32 API calls has always been a challenging subject for most Windows developers, and I have to admit it has been one of my favorite topics. The term hooking describes a fundamental technique for taking control over a particular piece of code execution. It provides a straightforward mechanism that can alter the behavior of the operating system as well as that of third-party products, without their source code being available.

Many modern systems draw attention to their ability to make use of existing Windows applications by employing spying techniques. A key motivation for hooking is not only to add advanced functionality, but also to inject user-supplied code for debugging purposes.

Unlike relatively "old" operating systems such as DOS and Windows 3.xx, the current Windows versions, NT/2K and 9x, provide sophisticated mechanisms that separate the address space of each process. This architecture offers real memory protection, so no application is able to corrupt the address space of another process or, in the worst case, crash the operating system itself. This fact makes the development of system-aware hooks a lot harder.

 

My motivation for writing this article was the need for a really simple hooking framework that offers an easy-to-use interface and the ability to capture different APIs. It intends to reveal some of the tricks that can help you write your own spying system. It suggests one solution for building a set of hooks for Win32 API functions on the NT/2K as well as the 98/Me (referred to in this article as 9x) family of Windows. For the sake of simplicity I decided not to add support for UNICODE. However, with some minor modifications of the code you could easily accomplish this task.

Spying on applications provides many advantages:

1. API function monitoring
The ability to control API function calls is extremely helpful and enables developers to track down specific "invisible" actions that occur during the API call. It contributes to comprehensive validation of parameters and reports problems that usually remain overlooked behind the scenes. For instance, it can be very helpful to monitor memory-related API functions in order to catch resource leaks.

2. Debugging and reverse engineering
Besides the standard methods of debugging, API hooking has a deserved reputation as one of the most popular debugging mechanisms. Many developers employ the API hooking technique in order to identify different component implementations and their relationships. API interception is a very powerful way of getting information about a binary executable.

3. Peering inside the operating system
Often developers are keen to know the operating system in depth and are inspired by the role of being a "debugger". Hooking is also a quite useful technique for decoding undocumented or poorly documented APIs.

4. Extending the originally offered functionality by embedding custom modules into external Windows applications
Re-routing the normal code execution by injecting hooks can provide an easy way to change and extend the functionality of existing modules. For example, many third-party products don't meet specific security requirements and have to be adjusted to your particular needs. Spying on applications allows developers to add sophisticated pre- and post-processing around the original API functions. This ability is extremely useful for altering the behavior of already compiled code.

Functional requirements of a hooking system
There are a few important decisions that have to be made before you start implementing any kind of API hooking system. First of all, you should determine whether to hook a single application or to install a system-aware engine. For instance, if you would like to monitor just one application, you don't need to install a system-wide hook; but if your job is to track down all calls to TerminateProcess() or WriteProcessMemory(), the only way to do so is to have a system-aware hook. Which approach you choose depends on the particular situation and the specific problems being addressed.

General design of an API spying framework
Usually a hook system is composed of at least two parts: a Hook Server and a Driver. The Hook Server is responsible for injecting the Driver into the targeted processes at the appropriate moment. It also administers the Driver and can optionally receive information from the Driver about its activities, whereas the Driver is the module that performs the actual interception. This design is rough and beyond doubt doesn't cover all possible implementations. However, it outlines the boundaries of a hook framework.

Once you have the requirement specification of a hook framework, there are a few design points you should take into account:
What applications do you need to hook
How to inject the DLL into the targeted processes, i.e. which implanting technique to follow
Which interception mechanism to use
I hope the next few sections will provide answers to those questions.
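As an added illustration of points 1 and 4 above (monitoring memory-related APIs for leaks, pre- and post-processing around the original function) and of the Hook Server / Driver split, here is a portable C model that is not code from Ivanov's article. The "API" is a hypothetical pair of function pointers standing in for patched Win32 entry points, and every hook and helper name is an assumption of this example.

```c
/* Added example, not from Ivanov's article: a portable C model of the Driver
 * described above. A real Win32 Driver patches an import table or function
 * prologue; here the interception point is a pair of function pointers. */
#include <stdlib.h>
#define MAX_LIVE 64
typedef void *(*alloc_fn)(size_t); typedef void (*free_fn)(void *);
/* Hypothetical "API" entry points that the target code calls through. */
static alloc_fn api_alloc = malloc; static free_fn api_free = free;
/* Originals saved by the hook so it can forward to them (the trampoline). */
static alloc_fn orig_alloc; static free_fn orig_free;
/* Bookkeeping kept by the Driver: blocks not yet freed, frees it never saw. */
static void *live_ptr[MAX_LIVE]; static size_t live_len[MAX_LIVE];
static int live_count, untracked_frees;
static void *hook_alloc(size_t n) {
    void *p = orig_alloc(n);              /* forward to the real API */
    if (p && live_count < MAX_LIVE) {     /* post-processing: record the block */
        live_ptr[live_count] = p;
        live_len[live_count++] = n;
    }
    return p;
}
static void hook_free(void *p) {
    int i = 0;
    while (i < live_count && live_ptr[i] != p) i++;   /* pre-processing: look it up */
    if (i < live_count) {                 /* known block: drop its record */
        live_ptr[i] = live_ptr[--live_count];
        live_len[i] = live_len[live_count];
    } else untracked_frees++;             /* monitor only: count it, still forward */
    orig_free(p);
}
/* What the Hook Server does once the Driver is loaded: swap the entry points. */
void install_memory_hooks(void) {
    if (api_alloc == hook_alloc) return;  /* already installed */
    orig_alloc = api_alloc; orig_free = api_free;
    api_alloc = hook_alloc; api_free = hook_free;
}
void uninstall_memory_hooks(void) { api_alloc = orig_alloc; api_free = orig_free; }
int leaked_blocks(void) { return live_count; }
int untracked_free_count(void) { return untracked_frees; }
size_t leaked_bytes(void) { size_t t = 0; for (int i = 0; i < live_count; i++) t += live_len[i]; return t; }
/* Constructed target: one matched pair, one leak, one free of a pre-hook block. */
int run_monitored_target(void) {
    void *early = malloc(8);              /* allocated before the hook: untracked */
    install_memory_hooks();
    api_free(api_alloc(32));              /* matched pair: nothing to report */
    api_alloc(16);                        /* leaked on purpose: 1 block, 16 bytes */
    api_free(early);                      /* counted as untracked, still freed */
    uninstall_memory_hooks();
    return leaked_blocks();
}
```

The untracked-free counter shows why a monitoring hook should forward every call to the original even when its own records disagree: the Driver observes, it does not decide.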

 

 

Original article: http://www.rdsquared.net/2009/08/12/CodeProject_%20API_Hooking_Revealed.pdf
