[yossi321]

I'm trying to hook readfile api with no success
this code work fine with messagebox api but stuck with readfile api
any idea?
from1 code

'Option Explicit
Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Any, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Private Declare Function OpenFile Lib "kernel32" (ByVal lpFileName As String, lpReOpenBuff As Any, ByVal wStyle As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
Private Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, lpOverlapped As Long) As Long

'Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As Any, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Private Type SECURITY_ATTRIBUTES
        nLength As Long
        lpSecurityDescriptor As Long
        bInheritHandle As Long
End Type
Private Type OFSTRUCT
        cBytes As Byte
        fFixedDisk As Byte
        nErrCode As Integer
        Reserved1 As Integer
        Reserved2 As Integer
        szPathName(128) As Byte
End Type
Private Const GENERIC_READ = &H80000000
Private Const GENERIC_WRITE = &H40000000
Private Const FILE_SHARE_READ = &H1
Private Const FILE_SHARE_WRITE = &H2
Private Const OPEN_ALWAYS = 4
Private Const FILE_BEGIN = 0
Private Const OF_READ = &H0
Private Const FILE_CURRENT = 1
Private Const FILE_END = 2


Private Sub Command1_Click()
Dim hookproc As Long
hookproc = RemoteHook("User32.dll", "MessageBoxA", AddressOf MyMessageBox, AddressOf OldMessageBox)
'hookproc = RemoteHook("kernel32.dll", "ReadFile", AddressOf MyReadFile, AddressOf OldReadFile)

End Sub

Private Sub Command2_Click()
Dim str As String, buf(10000) As Byte, q(10) As Byte
buf(0) = 1: buf(1) = 2
'a = OpenFile("e:\tst", of, 0)
' w = WriteFile(a, buf(0), 2, rd, ByVal 0&)
' x = SetFilePointer(a, 0, 0, FILE_BEGIN)
' w = ReadFile(a, VarPtr(q(0)), 2, rd, ByVal 0&)
' CloseHandle (a)
'MsgBox q(0), , q(1)
str = MessageBoxA(0, "Welcome here  ", "Let go", vbQuestion Or vbYesNo)
End Sub


Private Sub Command4_Click()
Dim unhookproc As Long
unhookproc = Unhook = True

End Sub

module 1 code

Public Type OVERLAPPED
        Internal As Long
        InternalHigh As Long
        offset As Long
        OffsetHigh As Long
        hEvent As Long
End Type

Public Declare Function MessageBoxA Lib "user32" (ByVal hwnd As Long, ByVal Msg As String, ByVal title As String, ByVal style As Long) As Long
'Public Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long

Public Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, ByVal lpBuffer As Long, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Long) As Long

Public Function MyReadFile(ByVal hFile As Long, ByVal lpBuffer As Long, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Long) As Long
 OldReadFile hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped
 
End Function

Public Function OldReadFile(ByVal hFile As Long, lpBuffer As Long, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Long) As Long

End Function


Public Function MyMessageBox(ByVal hwnd As Long, ByVal Msg As String, ByVal title As String, ByVal style As Long) As Long
   Dim ***(200) As Byte, x As Integer
  For x = 0 To 6
    ***(x) = Asc(Mid("Test Mode", x + 1, 1))
  Next x
   OldMessageBox 0, Msg, VarPtr(***(0)), style
End Function

Public Function OldMessageBox(ByVal hwnd As Long, ByVal Msg As String, ByVal title As Long, ByVal style As Long) As Long
End Function

hook module code

'Option Explicit

'***********************************
' function redirection class
'
' [rm_code]
'***********************************
' Thanks to:
' EBArtSoft's API HOOK Demo II
'***********************************
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long

Private Declare Function VirtualProtect Lib "kernel32" ( _
            ByVal lpAddress As Long, _
            ByVal dwSize As Long, _
            ByVal flNewProtect As Long, _
            lpflOldProtect As Long) As Long

Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
             ByVal pDest As Long, _
             ByVal pSource As Long, _
            ByVal dwLength As Long)

Private Declare Function GetProcAddress Lib "kernel32" ( _
            ByVal hModule As Long, _
            ByVal lpProcName As String) As Long

Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" ( _
            ByVal lpModuleName As String) As Long

Private Const PAGE_EXECUTE_READWRITE          As Long = &H40&

Private blnHooked       As Boolean      ' function hooked?
Private lpOldAddr       As Long         ' address of hooked function

Private btOldASM(4)     As Byte         ' old 5 bytes of hooked function
Private btReal(31)      As Byte         ' hooked function

' restore old hooked function
Public Function Unhook() As Boolean
    If Not blnHooked Then Exit Function

    ' overwrite new with the old instruction
    blnHooked = PutMem(lpOldAddr, VarPtr(btOldASM(0)), UBound(btOldASM) + 1)
    Unhook = blnHooked
End Function



' redirect a exported function of a module to an other one
'
'   Param1: exporting module (eg "kernel32")
'   Param2: target function (eg "Sleep")
'   Param3: address of new function
' [Param4]: address of a function which
'           will point to new old one
'
Public Function RemoteHook(ByVal module As String, ByVal fnc As String, _
        ByVal NewAddr As Long, _
        Optional ProxyAddr As Long) As Boolean
        

    Dim hModule     As Long
    Dim hFnc        As Long

    hModule = GetModuleHandle(module)
    If hModule = 0 Then Exit Function

    hFnc = GetProcAddress(hModule, fnc)
    If hFnc = 0 Then Exit Function
    lpOldAddr = hFnc

    ' save old instructions
    If Not GetMem(hFnc, VarPtr(btOldASM(0)), UBound(btOldASM) + 1) Then
        Exit Function
    End If

    ' redirect ProxyAddr to target function
    If ProxyAddr <> 0 Then
        CopyMemory VarPtr(btReal(0)), VarPtr(btOldASM(0)), UBound(btOldASM) + 1
        Redirect VarPtr(btReal(UBound(btOldASM) + 1)), lpOldAddr + UBound(btOldASM) + 1
        Redirect ProxyAddr, VarPtr(btReal(0))
    End If

    ' redirect the target function to the replacement function
    blnHooked = Redirect(hFnc, NewAddr)
    RemoteHook = blnHooked

End Function

' write a JMP near instruction to an address
Private Function Redirect(ByVal OldAddr As Long, ByVal NewAddr As Long) As Boolean
    Dim btAsm(4)    As Byte
    Dim lngNewAddr  As Long

    ' relative jump address
    lngNewAddr = NewAddr - OldAddr - (UBound(btAsm) + 1)

    btAsm(0) = &HE9                     ' JMP near
    CopyMemory VarPtr(btAsm(1)), VarPtr(lngNewAddr), 4  ' rel. addr

    Redirect = PutMem(OldAddr, VarPtr(btAsm(0)), UBound(btAsm) + 1)

End Function

Private Function GetMem(ByVal lpAddr As Long, ByVal pData As Long, ByVal dlen As Long) As Boolean
    Dim lngOldProtect   As Long

    If 0 = VirtualProtect(lpAddr, dlen, PAGE_EXECUTE_READWRITE, lngOldProtect) Then
        Exit Function
    End If

    CopyMemory pData, lpAddr, dlen
    VirtualProtect lpAddr, dlen, lngOldProtect, lngOldProtect

    GetMem = True
End Function

Private Function PutMem(ByVal lpAddr As Long, ByVal pData As Long, ByVal dlen As Long) As Boolean
    Dim lngOldProtect   As Long

    If 0 = VirtualProtect(lpAddr, dlen, PAGE_EXECUTE_READWRITE, lngOldProtect) Then
        Exit Function
    End If

    CopyMemory lpAddr, pData, dlen
    VirtualProtect lpAddr, dlen, lngOldProtect, lngOldProtect

    PutMem = True
End Function

[raziel_]

and its not working why? do you get any errors? dose it not work as it should be? please specify at what line do you get the errors and what are the error messages

[BobRodes]

The point of raziel's questions is that we don't understand why we should have to spend an hour or so getting to the point that we understand what your problem is as well as you do, when you could spend five minutes explaining and save us the time. "It doesn't work, here, you fix it" just makes you look lazy.

[yossi321]

to use this app I must make it to exe otherwise it won't work
when I run it as exe it works for hook msgbox but for readfile when I press button2 I got an error "hook stopped to work, windows is searching for solution"

[GunnerInc]

Well, right off the bat, you are using GetModuleHandle and GetProcAddress incorrectly.

GetModuleHandle only gets the handle of a dll that is loaded by YOUR app. So, instead of using GetModuleHandle, use LoadLibraryEx instead, and use the returned handle in your call to GetProcAddress.

Also, reading other processes memory is not that easy for good reason.

[yossi321]

GunnerInc, on 14 March 2012 - 03:54 PM, said:

Well, right off the bat, you are using GetModuleHandle and GetProcAddress incorrectly.

GetModuleHandle only gets the handle of a dll that is loaded by YOUR app. So, instead of using GetModuleHandle, use LoadLibraryEx instead, and use the returned handle in your call to GetProcAddress.

Also, reading other processes memory is not that easy for good reason.

but I want to hook a dll that my app loaded like MessageBoxA or ReadFile
I don't want global hook
I declare those specifics dll in my app

[GunnerInc]

If your app is calling MessageBox or ReadFile, you are controlling it, why hook it?

I guess GetModuleHandle would work but its not guaranteed to.

[yossi321]

GunnerInc, on 14 March 2012 - 04:30 PM, said:

If your app is calling MessageBox or ReadFile, you are controlling it, why hook it?

I guess GetModuleHandle would work but its not guaranteed to.

messagebox is for test only
I want to use readfile calling by ocx of wmp
but the app sticks even in my declare readfile but it works great with my declare messagebox
why that?

[BobRodes]

I still don't understand why you are doing this. What is it that you are trying to accomplish, that requires you to go so far afield?

[yossi321]

BobRodes, on 16 March 2012 - 06:22 AM, said:

I still don't understand why you are doing this. What is it that you are trying to accomplish, that requires you to go so far afield?

I uploaded some movies to data storage site like skydrive and I want to watch those movies without loading them completely, So I'm using wmp ocx in my app to play those movies
And I need to download the movie file by pieces, so, because I want to know which part wmp want to read, I have to hook readfile and get the appropriate parameter that will give me the appropriate information to download the needed part

[BobRodes]

Ok, that makes sense. I'm not as familiar with this as Gunner appears to be.

[GunnerInc]

WMP ocx as in Windows Media Player? If you are using the ocx in your program, why don't you just use its interface? I am sure it exposes thing like you are after.
Everything you ever wanted to know about the Windows Media Player stuff << Read what is contained there and you should find what you are after.

As I don't have experience with OCX controls, to read another processes memory like I said is not just calling an API, this is especially true on newer OS's. If you are Admin, then it is a bit easier.. but for a normal user account, you need the proper privialages like SE_DEBUG should do it. Once you have that privilege, you create space for the data in the *OTHER* processes memory, read into that address space, then copy some memory to your address space.

This post has been edited by GunnerInc: 19 March 2012 - 04:23 PM

[yossi321]

GunnerInc, on 19 March 2012 - 04:23 PM, said:

WMP ocx as in Windows Media Player? If you are using the ocx in your program, why don't you just use its interface? I am sure it exposes thing like you are after.
Everything you ever wanted to know about the Windows Media Player stuff << Read what is contained there and you should find what you are after.

thank you GunnerInc
I tried to read the information in msdn but I didn't find what I want

Quote

As I don't have experience with OCX controls, to read another processes memory like I said is not just calling an API, this is especially true on newer OS's. If you are Admin, then it is a bit easier.. but for a normal user account, you need the proper privialages like SE_DEBUG should do it. Once you have that privilege, you create space for the data in the *OTHER* processes memory, read into that address space, then copy some memory to your address space.

I am the admin but I'm not sure how to do what you suggest
Can you please give me code for that?