Sysinternals Forum: Windows Discussions > Development

Hooking API RegCreateKeyA,RegCreateKeyW

slhack (Newbie, joined 21 May 2008, 33 posts)
Posted: 27 May 2008 at 1:22pm
Hi all!
I'm looking to hook an API in C++. I need to hook the calls named RegCreateKeyA and RegCreateKeyW and other functions, like the Regmon software does. My goal is to hook these calls globally, but I don't know how to start hooking.
I know that I have to use the function named SetWindowsHookEx(), but I can't find the correct values for each parameter... And one more thing: do I need to create a DLL to have a global hook?

I'm using Visual Studio 2008; tell me if I have to change some settings in my project parameters.

Is there anyone who can help me? Can you write me a few lines of code, please? I've surfed dozens and dozens of websites and found a lot of different ways to hook, but I don't know which is the best...

Thanks in advance


Edited by slhack - 27 May 2008 at 2:32pm
molotov (Moderator Group, joined 04 October 2006, 17287 posts)
Posted: 27 May 2008 at 3:17pm
Hi slhack,

Regmon doesn't hook APIs; it uses a driver to obtain its information.

SetWindowsHookEx
This function is not used to hook functions.

You might have a look at this topic for more details / ideas:

Daily affirmation:
net helpmsg 4006
slhack (Newbie)
Posted: 28 May 2008 at 4:12am
Thanks very much! It's very useful!
But I get these errors/warnings when I compile with Visual Studio:

1>c:\documents and settings\cesco\my documents\visual studio 2008\projects\bau\bau\Form1.h(19) : warning C4561: '__fastcall' incompatible with the '/clr' option: converting to '__stdcall'
1>c:\documents and settings\cesco\my documents\visual studio 2008\projects\bau\bau\Form1.h(133) : warning C4441: calling convention of '__stdcall ' ignored; '__clrcall ' used instead
1>c:\documents and settings\cesco\my documents\visual studio 2008\projects\bau\bau\form1.h(19) : warning C4793: 'N_RegCreateKeyExW' : function compiled as native :
1> The function is marked as 'naked'
1>Linking...
1>bau.obj : error LNK2028: unresolved token (0A00002D) "extern "C" long __stdcall RegCreateKeyExW(struct HKEY__ *,wchar_t const *,unsigned long,wchar_t *,unsigned long,unsigned long,struct _SECURITY_ATTRIBUTES *,struct HKEY__ * *,unsigned long *)" (?RegCreateKeyExW@@$$J236YGJPAUHKEY__@@PB_WKPA_WKKPAU_SECURITY_ATTRIBUTES@@PAPAU1@PAK@Z) referenced in function "private: long __clrcall bau::Form1::N_RegCreateKeyExW(struct HKEY__ *,wchar_t const *,unsigned long,wchar_t *,unsigned long,unsigned long,struct _SECURITY_ATTRIBUTES *,struct HKEY__ * *,unsigned long *)" (?N_RegCreateKeyExW@Form1@bau@@$$FA$AAMJPAUHKEY__@@PB_WKPA_WKKPAU_SECURITY_ATTRIBUTES@@PAPAU3@PAK@Z)
1>bau.obj : error LNK2001: unresolved external symbol _RegCreateKeyExW@36
1>bau.obj : error LNK2019: unresolved external symbol "extern "C" long __stdcall RegCreateKeyExW(struct HKEY__ *,wchar_t const *,unsigned long,wchar_t *,unsigned long,unsigned long,struct _SECURITY_ATTRIBUTES *,struct HKEY__ * *,unsigned long *)" (?RegCreateKeyExW@@$$J236YGJPAUHKEY__@@PB_WKPA_WKKPAU_SECURITY_ATTRIBUTES@@PAPAU1@PAK@Z) referenced in function "private: long __clrcall bau::Form1::N_RegCreateKeyExW(struct HKEY__ *,wchar_t const *,unsigned long,wchar_t *,unsigned long,unsigned long,struct _SECURITY_ATTRIBUTES *,struct HKEY__ * *,unsigned long *)" (?N_RegCreateKeyExW@Form1@bau@@$$FA$AAMJPAUHKEY__@@PB_WKPA_WKKPAU_SECURITY_ATTRIBUTES@@PAPAU3@PAK@Z)
1>C:\Documents and Settings\cesco\My Documents\Visual Studio 2008\Projects\bau\Debug\bau.exe : fatal error LNK1120: 3 unresolved externals


(I tried to change the project properties to avoid the "/clr" option, but I still get errors... without "/clr" I get errors anyway.)


I created this declaration:
    // Trampoline for the original function. The parameter types are the
    // wide-character ones (LPCWSTR/LPWSTR, not LPCSTR/LPSTR) because the
    // target is RegCreateKeyExW.
    DETOUR_TRAMPOLINE(LONG WINAPI N_RegCreateKeyExW (HKEY hKey,
                                                     LPCWSTR lpSubKey,
                                                     DWORD Reserved,
                                                     LPWSTR lpClass,
                                                     DWORD dwOptions,
                                                     REGSAM samDesired,
                                                     LPSECURITY_ATTRIBUTES lpSecurityAttributes,
                                                     PHKEY phkResult,
                                                     LPDWORD lpdwDisposition), RegCreateKeyExW);


And then this one:
        // Detour body. With DETOUR_TRAMPOLINE the trampoline and the detour need
        // different names: the detour should call the trampoline (the original
        // code), not RegCreateKeyExW, which after hooking leads straight back
        // here. It also has to be a native, free __stdcall function; a __clrcall
        // member of Form1 cannot be detoured.
        LONG WINAPI N_RegCreateKeyExW(HKEY a0,
                                      LPCWSTR a1,
                                      DWORD a2,
                                      LPWSTR a3,
                                      DWORD a4,
                                      REGSAM a5,
                                      LPSECURITY_ATTRIBUTES a6,
                                      PHKEY a7,
                                      LPDWORD a8)
        {
            txt->Text="OK!";   // managed-side notification that the hook fired
            return RegCreateKeyExW(a0,a1,a2,a3,a4,a5,a6,a7,a8);
        }


Why? Can you help me? I know that I'm a noob, but I'm ready to learn.
Thanks again!


Edited by slhack - 28 May 2008 at 4:24am
molotov (Moderator Group)
Posted: 28 May 2008 at 4:35am
Do you have Advapi32.lib specified in the linker settings?
 
The easiest thing would probably be for you to ZIP and upload (somewhere) a sample project that produces the problems you're encountering.  You could PM me the link to the uploaded project, if you didn't wish to make it publicly known.
 
However, it looks like you're attempting to use the code inside of a mixed project, etc.  I might suggest trying to isolate just the code you're having trouble with into its own project, and get it working there, before attempting to integrate it into a larger, more complex project.
slhack (Newbie)
Posted: 28 May 2008 at 4:46am
Here is my little and simple project:

http://www.megafileupload.com/en/file/67044/Registry-test-rar.html

If you can look at it for a while, I think you can solve my little problem.

Thank you very much!!
molotov (Moderator Group)
Posted: 28 May 2008 at 7:48pm
What version of Detours are you using?  Use of "DETOUR_TRAMPOLINE" seems to suggest an older version than the current Detours Express 2.1.
 
The following code in a Win32 DLL project set up to use the Detours library will produce a DLL that can be used with the WithDLL.exe sample to inject the DLL into a target process' address space, and hook the RegCreateKeyExW function.  I used calc.exe.  So, I invoked WithDLL.exe as follows:
"C:\path to\withdll.exe" /d:C:\path to\thedllwiththehook.dll "c:\path to\calc.exe"
 
DbgView verifies that InterceptRegCreateKeyExW is called a number of times.
 
#include <windows.h>
#include <tchar.h>
#include "detours.h"

// Pointer to the original RegCreateKeyExW. After DetourAttach succeeds it points
// at a trampoline that runs the original code, so calling through it from the
// hook does not re-enter the hook.
static LONG (WINAPI* TrueRegCreateKeyExW)(
    HKEY hKey,
    LPCWSTR lpSubKey,
    DWORD Reserved,
    LPWSTR lpClass,
    DWORD dwOptions,
    REGSAM samDesired,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    PHKEY phkResult,
    LPDWORD lpdwDisposition) = RegCreateKeyExW;

// The detour: same parameters and calling convention (WINAPI = __stdcall) as
// the target, and a plain free function, not a class member.
LONG WINAPI InterceptRegCreateKeyExW(
    HKEY hKey,
    LPCWSTR lpSubKey,
    DWORD Reserved,
    LPWSTR lpClass,
    DWORD dwOptions,
    REGSAM samDesired,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    PHKEY phkResult,
    LPDWORD lpdwDisposition )
{
    OutputDebugString( _T("in InterceptRegCreateKeyExW...") );
    // Do preprocessing (hKey and lpSubKey are available here, before the key exists)
    LONG lResult = TrueRegCreateKeyExW( hKey, lpSubKey, Reserved, lpClass, dwOptions,
                                        samDesired, lpSecurityAttributes, phkResult,
                                        lpdwDisposition );
    // Do postprocessing (lResult, *phkResult and, only if the caller passed a
    // non-NULL pointer, *lpdwDisposition are available here)

    return lResult;
}

// withdll.exe injects through DetourCreateProcessWithDll, which requires the DLL
// to export at least one function (ordinal 1); an empty export satisfies that.
extern "C" __declspec(dllexport) void NullExport() {}

BOOL APIENTRY DllMain( HMODULE hMod,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    UNREFERENCED_PARAMETER( hMod );
    UNREFERENCED_PARAMETER( lpReserved );

    if( DLL_PROCESS_ATTACH == ul_reason_for_call )
    {
        // Undo the import-table edit withdll.exe used to get this DLL loaded.
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread( GetCurrentThread() );
        DetourAttach( &(PVOID&)TrueRegCreateKeyExW,
                      InterceptRegCreateKeyExW );
        if( DetourTransactionCommit() != NO_ERROR )
        {
            OutputDebugString( _T("DetourAttach(RegCreateKeyExW) failed") );
        }
    }
    else if( DLL_PROCESS_DETACH == ul_reason_for_call )
    {
        DetourTransactionBegin();
        DetourUpdateThread( GetCurrentThread() );
        DetourDetach( &(PVOID&)TrueRegCreateKeyExW,
                      InterceptRegCreateKeyExW );
        DetourTransactionCommit();
    }

    return TRUE;
}
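As an added example (not code from this thread, and not part of Detours), the following C++ shows what a Regmon-style hook would actually do in the "preprocessing / postprocessing" slots of the skeleton above: name the predefined root key, report the disposition only when the caller asked for it, and guard against the hook re-entering itself. All names (HookedRegCreateKeyExW, FormatRegCreateLog, CreateViaHook, ReentryIsSuppressed) are assumptions; so is the shim of Win32 types used off Windows and the FakeRegCreateKeyExW stand-in that plays the real API there, which is constructed for the demonstration. On Windows the same file builds against <windows.h>, and DetourAttach would repoint TrueRegCreateKeyExW exactly as in the DllMain above.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cwchar>
#ifdef _WIN32
#include <windows.h>
#else
// Shim of the Win32 types and constants used below (assumption: values match the SDK).
typedef long LONG;              typedef unsigned long DWORD;
typedef DWORD *LPDWORD;         typedef DWORD REGSAM;
typedef struct HKEY__ *HKEY;    typedef HKEY *PHKEY;
typedef const wchar_t *LPCWSTR; typedef wchar_t *LPWSTR;
typedef void *LPSECURITY_ATTRIBUTES;
#define WINAPI
enum { ERROR_SUCCESS = 0, ERROR_ACCESS_DENIED = 5, REG_CREATED_NEW_KEY = 1 };
#define HKEY_CURRENT_USER ((HKEY)(uintptr_t)0x80000001u)
#endif

// Predefined roots, matched on the low 32 bits: 64-bit Windows sign-extends them.
static const char *RootKeyName(HKEY hKey)
{
    switch ((uint32_t)(uintptr_t)hKey) {
    case 0x80000000u: return "HKCR";
    case 0x80000001u: return "HKCU";
    case 0x80000002u: return "HKLM";
    case 0x80000003u: return "HKU";
    default:          return "<handle>";  // a key opened earlier; its path needs a separate lookup
    }
}
// One log line; the disposition is reported only when the caller asked for it and the call succeeded.
static void FormatRegCreateLog(char *buf, size_t cap, HKEY hKey, LPCWSTR subKey, LONG result, const DWORD *disp)
{
    const char *detail = (result != ERROR_SUCCESS || !disp) ? ""
                       : (*disp == REG_CREATED_NEW_KEY ? " (created)" : " (opened existing)");
    snprintf(buf, cap, "RegCreateKeyExW %s\\%ls -> %ld%s", RootKeyName(hKey), subKey ? subKey : L"", (long)result, detail);
}

static char g_lastLog[256];
static int g_logCount = 0;
// Per-thread re-entry flag: the hook's own processing (a logger that touches the registry,
// one API forwarding to another) may land back in RegCreateKeyExW; that inner call passes through.
static thread_local bool g_inHook = false;
LONG WINAPI HookedRegCreateKeyExW(HKEY, LPCWSTR, DWORD, LPWSTR, DWORD, REGSAM,
                                  LPSECURITY_ATTRIBUTES, PHKEY, LPDWORD);

#ifndef _WIN32
static int g_trueCalls = 0;
// Constructed stand-in for the real API: succeeds under Software\, denies elsewhere,
// and for "Software\Nested" calls back into the hook to simulate re-entry.
static LONG WINAPI FakeRegCreateKeyExW(HKEY hKey, LPCWSTR sub, DWORD, LPWSTR, DWORD, REGSAM,
                                       LPSECURITY_ATTRIBUTES, PHKEY out, LPDWORD disp)
{
    g_trueCalls++;
    if (!sub || wcsncmp(sub, L"Software\\", 9) != 0) return ERROR_ACCESS_DENIED;
    if (wcscmp(sub, L"Software\\Nested") == 0)
        HookedRegCreateKeyExW(hKey, L"Software\\Inner", 0, nullptr, 0, 0, nullptr, nullptr, nullptr);
    if (out) *out = (HKEY)(uintptr_t)0x1234;
    if (disp) *disp = REG_CREATED_NEW_KEY;
    return ERROR_SUCCESS;
}
// Simulated re-entry must reach the stand-in twice but add only one log line.
bool ReentryIsSuppressed()
{
    int logs = g_logCount, calls = g_trueCalls;
    LONG r = HookedRegCreateKeyExW(HKEY_CURRENT_USER, L"Software\\Nested", 0, nullptr, 0, 0, nullptr, nullptr, nullptr);
    return r == ERROR_SUCCESS && g_logCount == logs + 1 && g_trueCalls == calls + 2;
}
#endif

// The original, held in a pointer like the thread's TrueRegCreateKeyExW; on Windows
// DetourAttach(&(PVOID&)TrueRegCreateKeyExW, HookedRegCreateKeyExW) repoints it at the trampoline.
static LONG (WINAPI *TrueRegCreateKeyExW)(HKEY, LPCWSTR, DWORD, LPWSTR, DWORD, REGSAM,
                                          LPSECURITY_ATTRIBUTES, PHKEY, LPDWORD) =
#ifdef _WIN32
    RegCreateKeyExW;
#else
    FakeRegCreateKeyExW;
#endif
LONG WINAPI HookedRegCreateKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, LPWSTR lpClass, DWORD dwOptions,
                                  REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSA, PHKEY phkResult, LPDWORD lpdwDisposition)
{
    bool outermost = !g_inHook;  // false when re-entered from our own processing
    g_inHook = true;
    LONG result = TrueRegCreateKeyExW(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired,
                                      lpSA, phkResult, lpdwDisposition);
    if (outermost) {
        FormatRegCreateLog(g_lastLog, sizeof g_lastLog, hKey, lpSubKey, result, lpdwDisposition);
        g_logCount++;
#ifdef _WIN32
        OutputDebugStringA(g_lastLog);  // visible in DbgView, as in the thread
#endif
        g_inHook = false;
    }
    return result;
}
const char *LastHookLog() { return g_lastLog; }
// Drives one create through the hook, with or without asking for the disposition.
LONG CreateViaHook(HKEY root, LPCWSTR sub, bool wantDisposition)
{
    HKEY out = nullptr; DWORD disp = 0;
    return HookedRegCreateKeyExW(root, sub, 0, nullptr, 0, 0, nullptr, &out, wantDisposition ? &disp : nullptr);
}
```

The per-thread flag is the part worth copying into a real hook: once both RegCreateKeyExA and RegCreateKeyExW are detoured, anything the hook does that ends up in either of them (including its own logging) would otherwise produce duplicate lines or an unbounded recursion, and the flag has to be thread-local because other threads in the process are legitimately inside the hook at the same time.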
slhack (Newbie)
Posted: 29 May 2008 at 3:02am
Thank you, but I have another problem: I discovered that I have to compile detours.lib (because I hadn't seen the guide before), but I can't compile it; I get a lot of errors:

This one if I try to run the makefile in the main directory ("C:\Program Files\Microsoft Research\Detours Express 2.1"):

Microsoft (R) Program Maintenance Utility Version 9.00.21022.08
Copyright (C) Microsoft Corporation.  All rights reserved.

        cd "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\src"
Building for 32-bit X86.
        if not exist "..\include" mkdir "..\include"
        if not exist "..\lib" mkdir "..\lib"
        if not exist "..\bin" mkdir "..\bin"
        rc detoured.rc
'rc' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'rc' : return code '0x1'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 9.0\VC\bin
\nmake.exe"' : return code '0x2'
Stop.

And this one when I try to make it from the "src" directory:

Microsoft (R) Program Maintenance Utility Version 9.00.21022.08
Copyright (C) Microsoft Corporation.  All rights reserved.

Building for 32-bit X86.
        if not exist "..\include" mkdir "..\include"
        if not exist "..\lib" mkdir "..\lib"
        if not exist "..\bin" mkdir "..\bin"
NMAKE : fatal error U1073: don't know how to make 'detoured.cpp'
Stop.



Why? I can't find a solution to these errors!!


Edited by slhack - 29 May 2008 at 3:08am
molotov (Moderator Group)
Posted: 29 May 2008 at 3:23am
If you open a Visual Studio 2008 Command Prompt, change to the folder where Detours is installed (C:\Program Files\Microsoft Research\Detours Express 2.1), and type nmake, what results do you get?

Edited by molotov - 29 May 2008 at 3:23am
slhack (Newbie)
Posted: 29 May 2008 at 3:43am
YEEEEESS!! It WORKS!! THANK you A LOT!!

But I still get a few errors in the final stage of nmake:

symtest.cpp
symtest.cpp(270) : error C2664: 'BOOL (HANDLE,PSYM_ENUMMODULES_CALLBACK64,PVOID)
' : cannot convert parameter 2 from 'overloaded-function' to 'PSYM_ENUMMODULES_C
ALLBACK64'
        None of the functions with this name in scope match the target type
NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN
\cl.EXE"' : return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN
\nmake.exe"' : return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN
\nmake.exe"' : return code '0x2'
Stop.

But I've seen that the lib was compiled. But why did I get these errors?
In the afternoon I'll try again with my project.
Thank you very much again!
molotov (Moderator Group)
Posted: 29 May 2008 at 4:35am
> But why did I get these errors?

Probably, this is covered here:


Edited by molotov - 29 May 2008 at 4:36am