Solely to improve my own knowledge on the subject. I'm trying to create a dll that acts as a proxy between the calling process and the target DLL.
I have written a basic 'HelloWorld' Application, that calls messagebox followed by ExitProcess. My intention is to hook the exitprocess and get a messagebox to popup just before it actually terminates...
My proxy kernel32.dll is renamed to vernel32.dll, then I patch the target process to point to vernel32.dll, NOT kernel32.dll (straightforward, just have to patch one byte, 'k' to 'v').
Anyway, the dll (bare basics):
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
.code
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE
ret
DllEntry Endp
End DllEntry
The important part, the .DEF file:
LIBRARY vernel32
EXPORTS
ExitProcess <equ> kernel32.ExitProcess
Now, when I patch the process to point to vernel32.dll it does, and forwards the call onto the real kernel32.
This is all fine, no problems. NOW, if I try to 'intercept' the function doing the following, it DOES NOT work.
dll:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
szCaption db "Message!", 0
szText db "ExitProcess Hooked...", 0
.code
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE
ret
DllEntry Endp
hookedExitProcess PROC code:UINT
INVOKE MessageBox, 0, ADDR szText, ADDR szCaption, 0
INVOKE ExitProcess, code
ret
hookedExitProcess EndP
End DllEntry
and importantly, the .DEF:
LIBRARY vernel32
EXPORTS
ExitProcess <equ> hookedExitProcess ;redirect ExitProcess call to hooked function
When I open the DLL and click the exported function "ExitProcess" it actually points to the real kernel32.ExitProcess located in the IAT as opposed to my 'hooked' hookedExitProcess function.
Any ideas on how to remedy this? This process is based on a tutorial I read (here: http://www.osix.net/modules/article/?id=728), written in C++, but I see no reason why what I have posted is not working.
Anyone have an idea?
Cheers
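The proxy described in this post depends on the target's import directory naming vernel32.dll instead of kernel32.dll, i.e. an import name one character away from a well-known system DLL. From a defender's side that is a cheap triage signal. The Python below is an added example, not code from the thread or from the linked tutorial: it constructs a minimal PE32 file with an import directory (constructed test data, not a loadable module), parses the IMAGE_IMPORT_DESCRIPTOR chain the way the loader walks it, and flags any imported module whose name is within one character edit of an entry in a short, constructed allow-list of system DLL names.

```python
import struct

# Short constructed allow-list of well-known system DLL names (not exhaustive).
SYSTEM_DLLS = ["kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll", "ws2_32.dll"]


def build_sample_pe32(import_dlls):
    """Build a minimal PE32 file whose import directory names the given DLLs.
    Constructed test data: most header fields are zero and there is no code, so
    the bytes parse like a PE but are not a loadable module."""
    sect_rva, sect_off, file_align = 0x1000, 0x200, 0x200
    # .idata layout: one 20-byte IMAGE_IMPORT_DESCRIPTOR per DLL, an all-zero
    # terminator descriptor, then the NUL-terminated DLL name strings.
    desc_bytes = 20 * (len(import_dlls) + 1)
    names, name_rvas = b"", []
    for dll in import_dlls:
        name_rvas.append(sect_rva + desc_bytes + len(names))
        names += dll.encode("ascii") + b"\x00"
    # Descriptor fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    idata = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    idata += b"\x00" * 20 + names
    idata += b"\x00" * (-len(idata) % file_align)

    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, one section
    data_dirs = [(0, 0)] * 16
    data_dirs[1] = (sect_rva, desc_bytes)                            # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94                    # PE32 magic; rest zeroed
    opt += b"".join(struct.pack("<II", *d) for d in data_dirs)
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), sect_rva,
                          len(idata), sect_off, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    return headers.ljust(sect_off, b"\x00") + idata


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _read_cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def imported_dlls(pe):
    """Return the module names from the import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)     # data directories (PE32 / PE32+)
    imp_rva, _imp_size = struct.unpack_from("<II", pe, dd_off + 8)   # entry 1 = imports
    if imp_rva == 0:
        return []
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsect):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sect_tbl + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    off, names = _rva_to_offset(imp_rva, sections), []
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if oft == 0 and name_rva == 0 and ft == 0:     # all-zero terminator
            break
        names.append(_read_cstring(pe, _rva_to_offset(name_rva, sections)))
        off += 20
    return names


def _within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1; j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b): i += 1
        elif len(b) > len(a): j += 1
        else: i += 1; j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def find_lookalike_imports(pe, known=SYSTEM_DLLS):
    """(imported_name, resembles) for imports that are not a known system DLL
    but sit one character edit away from one, e.g. vernel32.dll vs kernel32.dll."""
    hits = []
    for name in imported_dlls(pe):
        lname = name.lower()
        if lname in known:
            continue
        for k in known:
            if _within_one_edit(lname, k):
                hits.append((name, k))
                break
    return hits


if __name__ == "__main__":
    sample = build_sample_pe32(["vernel32.dll", "user32.dll"])
    print(imported_dlls(sample), find_lookalike_imports(sample))
```

On a real binary, read the file bytes and pass them to find_lookalike_imports; the section-table mapping handles the usual case where the import directory lives in .idata or .rdata rather than at the constructed offset used here.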
Your use of equ in the DEF file is a bit baffling to me. Use = instead. You do understand that a .def is intended for the linker and not the assembler, right?
Hope this helps.
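The point of the reply is that a .def file has its own syntax, read by the linker: an EXPORTS entry is NAME, NAME=internal_symbol, or NAME=other_module.exported_name (a forwarder, which is what the first .def in the question relies on). The Python below is an added example, not code from the thread: a small parser for that syntax that tells the three forms apart and rejects tokens the linker would not accept, such as equ. The three .def texts are constructed from the question's lines; the field names in the returned dicts are this example's own.

```python
DEF_FLAGS = {"NONAME", "PRIVATE", "DATA", "CONSTANT"}

# Constructed from the thread: the forwarding .def, the hooking .def as the
# linker expects it, and the hooking .def with the assembler-style equ.
FORWARDING_DEF = "LIBRARY vernel32\nEXPORTS\n  ExitProcess=kernel32.ExitProcess\n"
HOOKING_DEF = "LIBRARY vernel32\nEXPORTS\n  ExitProcess=hookedExitProcess ; redirect to hook\n"
BROKEN_DEF = "LIBRARY vernel32\nEXPORTS\n  ExitProcess equ hookedExitProcess\n"


def parse_def(text):
    """Parse a module-definition (.def) file the way the linker reads it.

    Returns {'library': name, 'exports': [...]}. Each export is a dict whose
    'target' is None for a plain export, an internal symbol for NAME=internal,
    or 'module.func' for a forwarder ('forwarder' is True only in that case);
    'ordinal' holds an @n value and 'flags' the trailing keywords. A token the
    linker would not accept (e.g. 'equ') raises ValueError naming the line.
    """
    result = {"library": None, "exports": []}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()            # ';' starts a comment
        if not line:
            continue
        tokens = line.split()
        kw = tokens[0].upper()
        if kw == "LIBRARY":
            result["library"] = tokens[1] if len(tokens) > 1 else None
            section = None
            continue
        if kw == "EXPORTS":
            section = "EXPORTS"
            tokens = tokens[1:]                         # an entry may follow on the same line
            if not tokens:
                continue
        elif section != "EXPORTS":
            raise ValueError("line %d: unexpected statement %r" % (lineno, raw))
        entry, target = (tokens[0].split("=", 1) + [None])[:2]
        export = {"name": entry, "target": target,
                  "forwarder": bool(target) and "." in target,
                  "ordinal": None, "flags": []}
        for tok in tokens[1:]:
            if tok.startswith("@") and tok[1:].isdigit():
                export["ordinal"] = int(tok[1:])
            elif tok.upper() in DEF_FLAGS:
                export["flags"].append(tok.upper())
            else:
                raise ValueError("line %d: %r is not .def syntax (use NAME=target)"
                                 % (lineno, tok))
        result["exports"].append(export)
    return result


def def_is_valid(text):
    """True if the .def text parses without a syntax error."""
    try:
        parse_def(text)
        return True
    except ValueError:
        return False


def export_kind(text, name):
    """'forwarder', 'internal' or 'plain' for the named export, None if absent."""
    for e in parse_def(text)["exports"]:
        if e["name"] == name:
            if e["forwarder"]:
                return "forwarder"
            return "internal" if e["target"] else "plain"
    return None


if __name__ == "__main__":
    for label, text in (("forwarding", FORWARDING_DEF), ("hooking", HOOKING_DEF)):
        print(label, export_kind(text, "ExitProcess"))
    print("equ accepted:", def_is_valid(BROKEN_DEF))
```

The distinction the parser draws is the one the loader cares about: a forwarder entry makes the loader resolve the export in another module at load time, while NAME=internal binds the export to a symbol inside this DLL, which is what the hook in the question needs.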
Well, that seemed to fix it straight up.
Thanks Timbo.
I wasn't aware equ was solely asm, but now I do.