mhook question

OK, I am trying to understand the mhook library but there aren't many examples for it.

It is said that we need to define _NtOpenProcess so it can dynamically bind to a function, then somehow get the current address of the function to be hooked.

Somehow the code below is doing it and I can't fully understand it.

I would be very pleased if someone could explain it for a dumb person like me.

I know it would be easier to use the hooks provided by Microsoft, but a task requires using the mhook lib.

 1  typedef struct _CLIENT_ID {
 2      DWORD_PTR UniqueProcess;
 3      DWORD_PTR UniqueThread;
 4  } CLIENT_ID, *PCLIENT_ID;
 5
 6  typedef ULONG (WINAPI* _NtOpenProcess)(OUT PHANDLE ProcessHandle,
 7      IN ACCESS_MASK AccessMask, IN PVOID ObjectAttributes,
 8      IN PCLIENT_ID ClientId );
 9
10  typedef HGDIOBJ (WINAPI* _SelectObject)(HDC hdc, HGDIOBJ hgdiobj);
11
12  _NtOpenProcess TrueNtOpenProcess = (_NtOpenProcess)
13      GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenProcess");
14
15  _SelectObject TrueSelectObject = (_SelectObject)
16      GetProcAddress(GetModuleHandle(L"gdi32"), "SelectObject");

Lines 6 and 10 define the pointer type for the respective function. See:

Line 6:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff556571%28v=vs.85%29.aspx

Line 10:
https://msdn.microsoft.com/en-us/library/windows/desktop/dd162957%28v=vs.85%29.aspx


GetProcAddress() finds the functions in the DLL ("ntdll"/"gdi32"). See:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212%28v=vs.85%29.aspx


Line 12: Since GetProcAddress() does not return the wanted type, (_NtOpenProcess) is used to cast it to the desired type. The same applies to line 15.

Later TrueNtOpenProcess/TrueSelectObject can be used as the wanted functions.
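
The same three steps (pointer typedef, run-time lookup, cast), as an added example that is not part of the thread or of mhook: it uses the POSIX equivalents dlopen()/dlsym() in place of GetModuleHandle()/GetProcAddress() so it runs outside Windows, and unlike the posted code it checks for a failed lookup before calling through the pointer. The names resolve, typed_strlen and TrueStrlen are made up for the illustration.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Step 1: a pointer type matching the target function's signature
 * (the role _NtOpenProcess and _SelectObject play in the posted code). */
typedef size_t (*strlen_fn)(const char *);

/* Step 2: look the symbol up at run time. Like GetProcAddress(), dlsym()
 * returns an untyped address, or NULL when the lookup fails.
 * module == NULL means "modules already loaded into this process".
 * The handle is deliberately not closed: the returned address is only
 * valid while the module stays loaded. */
static void *resolve(const char *module, const char *symbol)
{
    void *handle = dlopen(module, RTLD_NOW);
    if (handle == NULL)
        return NULL;                /* module not found */
    return dlsym(handle, symbol);   /* NULL if the symbol is not exported */
}

/* Step 3: cast the untyped address to the typed pointer, then check it.
 * Calling through an unchecked NULL pointer crashes the process. */
static int typed_strlen(const char *s, size_t *out)
{
    strlen_fn TrueStrlen = (strlen_fn)resolve(NULL, "strlen");
    if (TrueStrlen == NULL)
        return -1;
    *out = TrueStrlen(s);           /* used like the real function */
    return 0;
}

int main(void)
{
    size_t n = 0;
    if (typed_strlen("mhook", &n) != 0) {
        fprintf(stderr, "lookup failed\n");
        return 1;
    }
    printf("length via resolved pointer: %zu\n", n);
    /* Constructed names that do not exist, to show the failure path. */
    printf("missing symbol: %p\n", resolve(NULL, "no_such_symbol_example"));
    printf("missing module: %p\n", resolve("no_such_module_example.so", "strlen"));
    return 0;
}
```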