I'm using MS Detours to hook functions. I'm successfully injecting my DLL into a process, and I'm successfully catching CreateFile/DeleteFile calls and even seeing them in DebugView.

I'm unable to catch the registry functions at all.

tried:

REGSETVALUEX OrigRegSetValueEx = NULL;

REGOPENKEYEXA OrigRegOpenKeyExA = NULL;

REGOPENKEY OrigRegOpenKey = NULL;

REGCREATEKEYEXW OrigRegCreateKeyExW = NULL;

REGCREATEKEYW OrigRegCreateKeyW = NULL;

REGSETVALUEXW OrigRegSetValueExW = NULL;

I have a self-written C# 32-bit console program that has 3 functions:

createNewFile
DeleteFile
open Registry subkey and set key value. code snip of number 3:

enter code here string Mash = String.Concat(Environment.MachineName, Environment.OSVersion.VersionString, Environment.UserName); RegistryKey rkApp = Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true); rkApp.SetValue("newvalue", Mash); rkApp.Close();
createNewFile + DeleteFile - caught successfully.

open Registry subkey and set key value - the event is not caught.


I'm using the following code for the hook functions and detours:

What I have tried:

I was debugging with:

1. Process Monitor - which catches my events. ProcessMonitor Catching Registry Events

2. Placed a MessageBox (3) in the 'HookRegSetValue' function and I never see it pop up. I'm not sure, but I'm guessing it's an issue with Detours.

3. Tried other registry functions - none of them fired.



include "stdafx.h"
include "windows.h"
include "tchar.h"
include "stdio.h"


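// NOTE(review): the four include directives above appear to have lost their
// leading '#' in transcription; they are read as "#include" here.

// Function-pointer types mirroring the Win32 prototypes of the APIs being
// hooked.  A hook and its typedef MUST agree with the real API exactly: all
// of these are WINAPI (__stdcall on x86), so a mismatch in parameter count
// corrupts the caller's stack when the hook or the trampoline returns.
typedef HANDLE(WINAPI *CREATEFILEW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
// DeleteFileW takes a single LPCWSTR and returns BOOL (the original listing
// reused CreateFileW's seven-parameter shape for it).
typedef BOOL(WINAPI *DELETEFILEW)(LPCWSTR);
// RegSetValue(A/W): hKey, lpSubKey, dwType, lpData, cbData.  LPCTSTR is used
// for both string parameters so the typedef follows the TCHAR setting of the
// build, the same way the hook function below declares them.
typedef LONG(WINAPI *REGSETVALUE)(HKEY, LPCTSTR, DWORD, LPCTSTR, DWORD);


// Targets for DetourAttach.  InstallHooks() first stores the real entry point
// here; once DetourAttach succeeds the pointer refers to the Detours
// trampoline, so the hooks below reach the original API through it.
CREATEFILEW OrigCreteFileW = NULL;   // spelling kept: referenced by InstallHooks()
DELETEFILEW OrigDeleteFileW = NULL;
REGSETVALUE OrigRegSetValue = NULL;


// Replacement for CreateFileW: logs the requested file name to the debugger,
// then forwards every argument unchanged to the real CreateFileW and returns
// its result.
HANDLE WINAPI HookCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
	OutputDebugString(__TEXT("Inside HookCreateFileW"));
	// lpFileName comes from the hooked caller; only log it when present.
	if (lpFileName != NULL)
		OutputDebugStringW(lpFileName);
	return OrigCreteFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
// Replacement for DeleteFileW: logs the file name, then forwards to the real
// DeleteFileW.  The signature matches DELETEFILEW (one parameter, BOOL result);
// the original declared seven parameters, which does not match DeleteFileW.
BOOL WINAPI HookDeleteFileW(LPCWSTR lpFileName)
{
	OutputDebugString(__TEXT("Inside HookDeleteFileW"));
	if (lpFileName != NULL)
		OutputDebugStringW(lpFileName);
	return OrigDeleteFileW(lpFileName);
}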
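// Replacement for RegSetValue: logs that the hook fired, then forwards all
// five arguments unchanged to the real function through OrigRegSetValue and
// returns its status code.
LONG WINAPI HookRegSetValue(HKEY hKey, LPCTSTR lpSubKey, DWORD dwType, LPCTSTR lpData, DWORD cbData)
{
	// Debug aid kept from the original listing; it blocks the hooked thread
	// until dismissed.  MessageBoxA is named explicitly so the narrow string
	// literals compile regardless of the UNICODE setting.
	MessageBoxA(0, "And text here3", "MessageBox caption", MB_OK);
	OutputDebugString(__TEXT("Inside HookRegSetValue"));
	// hKey is an opaque handle, not a string, so it must not be read through
	// as one (the original cast it to LPCWSTR).  Log the subkey name instead;
	// it may legitimately be NULL for the key's default value.
	if (lpSubKey != NULL)
		OutputDebugString(lpSubKey);
	// Forward lpData in the data position - the original passed lpSubKey
	// twice, which would store the subkey name as the value's contents.
	return OrigRegSetValue(hKey, lpSubKey, dwType, lpData, cbData);
}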


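// Resolves the real API entry points and installs the Detours hooks.
// Called from DllMain(DLL_PROCESS_ATTACH).  Every step's result is checked
// and logged, because a silent failure here is exactly what "the hook never
// fires" looks like from the outside.  (The original listing was missing the
// closing brace of this function.)
void InstallHooks(void)
{
	// Both modules are expected to be mapped already in a process that calls
	// these APIs; GetModuleHandle does not load anything, which is what we
	// want while running under the loader lock.
	HMODULE modKernel32 = GetModuleHandle(TEXT("KERNEL32.dll"));
	HMODULE advapi32 = GetModuleHandle(TEXT("ADVAPI32.dll"));
	if (modKernel32 == NULL || advapi32 == NULL)
	{
		OutputDebugString(__TEXT("InstallHooks: GetModuleHandle failed"));
		return;
	}

	OrigCreteFileW = (CREATEFILEW)GetProcAddress(modKernel32, "CreateFileW");
	OrigDeleteFileW = (DELETEFILEW)GetProcAddress(modKernel32, "DeleteFileW");
	// There is no un-suffixed "RegSetValue" export; the exported names are
	// RegSetValueA / RegSetValueW, so look up the one matching this build's
	// character set.  Looking up "RegSetValue" yields NULL, and DetourAttach
	// then rejects the NULL target without ever installing the hook.
	// NOTE(review): RegistryKey.SetValue in .NET is, as far as I know, built
	// on RegSetValueEx(W) rather than RegSetValue, so observing that caller
	// needs a RegSetValueExW hook with a matching typedef - confirm.
#ifdef UNICODE
	OrigRegSetValue = (REGSETVALUE)GetProcAddress(advapi32, "RegSetValueW");
#else
	OrigRegSetValue = (REGSETVALUE)GetProcAddress(advapi32, "RegSetValueA");
#endif
	if (OrigRegSetValue == NULL)
	{
		OutputDebugString(__TEXT("InstallHooks: RegSetValue export not found"));
		return;
	}

	// install hooks
	DetourTransactionBegin();
	DetourUpdateThread(GetCurrentThread());

	//File Hooks (left disabled, as in the original listing)

	OutputDebugString(__TEXT("4.DetourAttach"));
	/*DetourAttach(&(PVOID&)OrigCreteFileW, HookCreateFileW);
	OutputDebugString(__TEXT("HookCreateFileW"));
	DetourAttach(&(PVOID&)OrigDeleteFileW, HookDeleteFileW);
	OutputDebugString(__TEXT("HookDeleteFileW"));*/

	// DetourAttach returns NO_ERROR on success; any other value means the
	// target or detour pointer was rejected and nothing was hooked.
	LONG attachResult = DetourAttach(&(PVOID&)OrigRegSetValue, HookRegSetValue);
	if (attachResult != NO_ERROR)
	{
		OutputDebugString(__TEXT("InstallHooks: DetourAttach(RegSetValue) failed"));
		DetourTransactionAbort();
		return;
	}
	OutputDebugString(__TEXT("HookRegSetValue"));

	// The hook only becomes live when the transaction commits successfully.
	LONG commitResult = DetourTransactionCommit();
	if (commitResult != NO_ERROR)
		OutputDebugString(__TEXT("InstallHooks: DetourTransactionCommit failed"));
}
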
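// Removes the hooks installed by InstallHooks().  DetourDetach takes the same
// pointer/hook pair that was attached; without that call (as in the original
// listing) the transaction below was empty and the hook stayed in place.
void RestoreHooks(void)
{
	DetourTransactionBegin();
	DetourUpdateThread(GetCurrentThread());

	OutputDebugString(__TEXT("5.DetourDetach"));
	// Only the registry hook is attached by InstallHooks(); the file hooks
	// are commented out there, so there is nothing to detach for them.
	// OrigRegSetValue is NULL if the lookup in InstallHooks() failed.
	if (OrigRegSetValue != NULL)
		DetourDetach(&(PVOID&)OrigRegSetValue, HookRegSetValue);

	// NO_ERROR means the detach was applied; anything else leaves the hook
	// (if any) in place, which is worth knowing when the DLL is unloaded.
	if (DetourTransactionCommit() != NO_ERROR)
		OutputDebugString(__TEXT("RestoreHooks: DetourTransactionCommit failed"));
}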

// dllmain.cpp : Defines the entry point for the DLL application.


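// DLL entry point.  Installs the hooks when the DLL is mapped into the target
// process and removes them again if the DLL is explicitly unloaded.  DllMain
// runs under the loader lock, so only the hook setup/teardown is done here.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		OutputDebugString(__TEXT("InstallHooks"));
		InstallHooks();
		break;   // the original fell through into the cases below
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
		break;
	case DLL_PROCESS_DETACH:
		// lpReserved is NULL when the DLL is unloaded via FreeLibrary and
		// non-NULL at process termination, where unhooking serves no purpose.
		if (lpReserved == NULL)
		{
			OutputDebugString(__TEXT("RestoreHooks"));
			RestoreHooks();
		}
		break;
	}
	return TRUE;
}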
Arthur V. Ratz 28-Nov-16 1:04am    
I've reviewed your code and I have no idea exactly why this happens. Probably not all API calls can be hooked using MS Detours.

I hit the same problem: took a day of debugging what to hook.
If you want to hook the registry access -- you need to snag the versions in kernelbase.dll not advapi32.dll or kernel32.dll. Otherwise some things will hook, but others, like CoCreateInstance will be missed.
 
Share this answer
 
Comments
Member 12161906 24-Jul-21 6:42am    
I just want to say thank you!

This was it for me; I was trying to hook Registry functions (RegSetValueExW etc) - and getting nowhere (even though other non-Registry hooks were working fine). Switched from Kernel32.dll to KernelBase.dll and finally working :)
I've just reviewed your code, and all of this seems a bit strange to me. I'd recommend you read this article: API Hooking with MS Detours
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900