[Article]-Intercepted: Windows Hacking via DLL Redirection

Viewing 4 reply threads
  • Author
    • #3952
      Don Donzal

      Permanent link: [Article]-Intercepted: Windows Hacking via DLL Redirection


      In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program’s API calls, commonly called API hooking, effectively gives one full control over that process. This can be useful for a multitude of reasons including debugging, reverse engineering, and hacking (in all interpretations of the word).

      While there are several methods which can be used to achieve our goal, this tutorial will examine only DLL redirection. This approach was chosen for several reasons:

      • It is relatively simple to implement.
      • It allows us to view and modify parameters passed to an API function, change return values of that function, and run any other code we desire.
      • While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the target application’s working directory.
      • We can intercept any API call without modifying the target (either on disk or in memory) or any system files.

      Let us know what you think or if you have questions for Craig.


    • #25268

      first of all thanks for this article it helped me much in my project.
      It’s working for all the applications i want except one : Openoffice (3.1).
      I can redirect ol32.dll without any problem but when i try with gdi32.dll it crashes during the launching, and it crashes at start with user32.dll. I made several tests without any success even if i just redirect all originals functions it crashes the same way.
      Do you have any clue of why it doesn t work.

    • #25269

      Hi again

      Well got no clues for the previous question.

      I have another question : how the hell to use the loadFrom in the manifest file, to allow us to not have to copy the both dlls in each application folder ?


    • #25270


      I can’t say for sure what the problem might be with OpenOffice; I assume that you are building your redirector DLL against the same original DLLs on the target system? Have you tried running it in a debugger and seeing where it is crashing? Knowing what function in the DLL is causing problems can help a lot. In the case of user32.dll, it is probably crashing near the entry point, so you could single-step through the code and find the culprit in short order. For gdi32.dll, you’ll probably want to go into your debugger (OllyDbg for instance) and set a breakpoint on all calls to gdi32 to see where the problem is.

      I didn’t know about the loadFrom attribute in the manifest files, and I couldn’t dig up much on it. According to Microsoft’s Schema (http://msdn.microsoft.com/en-us/library/aa375635(VS.85).aspx), it looks like it would just be another attribute to the file tag in the manifest though, so it would look something like:


      I’ll try it out when I get a chance – if you try it first, let us know if/how it works!

    • #25271

      thanks for the answer.

      For the dll its been some time that i ve try it, i forgot which function causes the crash but i ll tell you soon.

      For the manifest i already go to msdn and others sites the good typo should be like this :

      But when do this i got a launching error like ” _crt_debugger_hook cannot be found in msvcr80.dll” … (It is for the case of an Office Application )” But it works for other applications like IExplore and others.
      It seems that the application which already have a manifest file with this line :

      If i suppress this line Office tells me that he “cant load msvcr80.dll” …
      But for the f sake i dont modify the way he access to msvcr80 i just add a new path to load gdi32 …

      If you have any clue it would be great


Viewing 4 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?