Hooking API RegCreateKeyA,RegCreateKeyW

I'd suggest you go through the referenced links to get a feel for things.   The WDK includes a sample FSFD, I believe, and you will undoubtedly find some examples by searching...

The actual hook id used to get the module loaded doesn't really have to do anything - the HookProc can just be a dummy function.  Once the code is loaded you can detour the functions as the Detours examples show, etc.  There are other techniques for API hooking as well as other ways (AppInit_DLLs, CreateRemoteThread, etc.) to get your code loaded so you can hook the API.

i want to hook createFile from kernel32.dll

Probably, you would be better off hooking ntdll!NtCreateFile, if you're going this route...

Does a filesystem filter driver suit better to this?

One driver, vs. loading code into the address space of each process would seem to be a more direct approach.  Are you writing a commercial app, such that you would license Detours if you went with it?

File System Filter Drivers
Introduction to File System Filter Drivers

Hi zu1u,

however i didnt get the idea of how to hook a function globally

What do you mean by "globally"?  Every time it is called, regardless of the process that calls it?  If so, you will need to get your code loaded into the address space of each process and then devise some mechanism for dealing with what you wish to do once the hooked function is called.

so i can do some preprocessing before any file is opened

It sounds like a filesystem filter driver may be better suited for what you wish to do...

Thank you very much! It's very easier now to hook apis. Thanks to all!
Now I have to try a lot of things to create my application
You will hear me in a few days I think, for other problems


Edited by slhack - 08 June 2008 at 7:51am

I think you are using a wrong way for the detours library.

Here is some macro which i created to help you to hook APIs with detours lib:

------------------------------
#define BEGIN_HOOKS()    \
    DetourTransactionBegin();    \
    DetourUpdateThread(GetCurrentThread());

#define END_HOOKS()    \
    DetourTransactionCommit();

//////////////////////////////////////////////////////////////////////////

#define HOOK_ADD(n) DetourAttach(&(PVOID&)True_##n, Fake_##n);
#define HOOK_DEL(n) DetourDetach(&(PVOID&)True_##n, Fake_##n);

//////////////////////////////////////////////////////////////////////////

#define OLD_PROC(n)    True_##n
#define NEW_PROC(n) Fake_##n

//////////////////////////////////////////////////////////////////////////

#define DECLARE_HOOK(n,t,l)    extern t (WINAPI * True_##n)l;    \
extern t WINAPI Fake_##n l;

#define IMPLEMENT_HOOK(n,t,l)    t (WINAPI * True_##n)l = n;    \
                                t WINAPI Fake_##n l

#define ID(n)    FID_##n
-------------------------------------------------------

How to use it:

//////////////////////////////////////////////////////////////////////////
///@function: InstallHooks
///@note: Add APIs which you wanna hooking to the list
//////////////////////////////////////////////////////////////////////////

BOOL InstallHooks (void)
{
    BEGIN_HOOKS()
        HOOK_ADD(CopyFileA)
        HOOK_ADD(ExitProcess)
    END_HOOKS()

    return TRUE;
}

//////////////////////////////////////////////////////////////////////////
///@function: Uninstall Hooks
///@note: please remove the APIs which you hooked to the list
//////////////////////////////////////////////////////////////////////////

void UninstallHooks (void)
{
    BEGIN_HOOKS()
        HOOK_DEL(CopyFileA)
        HOOK_DEL(ExitProcess)
    END_HOOKS()
}

//////////////////////////////////////////////////////////////////////////
/// @function: DllMain
//////////////////////////////////////////////////////////////////////////

BOOL WINAPI DllMain (HINSTANCE hInst, DWORD dwReason, PVOID lpReserved)
{
    static HANDLE hMutex = NULL;

    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        {
            DisableThreadLibraryCalls(hInst);

            if ((hMutex=CreateMutex(NULL, FALSE, NULL))==NULL) return FALSE;
           
            if (InitEmit(hMutex)==FALSE || InstallHooks()==FALSE)
                return FALSE;
        }
        break;

    case DLL_PROCESS_DETACH:
        {
            UninstallHooks();
            TermEmit();
            if (hMutex) {
                ReleaseMutex(hMutex);
                CloseHandle (hMutex);
            }
        }
        break;
    }

    return TRUE;
}

-------------------------------
in hooks.h declare the hook function:

DECLARE_HOOK (CopyFileA, BOOL, (LPCSTR lpExistingFileName,LPCSTR lpNewFileName,BOOL bFailIfExists))

in hooks.cpp implement it:

IMPLEMENT_HOOK(CopyFileA, BOOL, (LPCSTR lpExistingFileName,LPCSTR lpNewFileName,BOOL bFailIfExists))
{
    pack p(ID(CopyFileA));
    p.add_s1(lpExistingFileName);
    p.add_s2(lpNewFileName);
   
    EMIT(p);
    return OLD_PROC(CopyFileA)(lpExistingFileName, lpNewFileName, bFailIfExists);
}

===========
Very easy isn't it? BTW: I use detours 2.1 express :)
Hope that it is useful to you.