2

I have a devilish-gui.exe, a devilish.dll and a devilish.h from a C codebase that has been lost.
devilish-gui is still used by the customer, and it uses devilish.dll.

devilish.h is poorly documented in a 30-page PDF: it exposes a few C functions that behave in very different ways according to the values in the structs provided as arguments.

Now, I have to use devilish.dll to write a new devilish-webservice. No, I can't rewrite it.

The documentation is almost useless, but since I have devilish-gui.exe I'd like to write a different implementation of devilish.h so that it logs each function call and its arguments to a file, and then calls the original DLL function. Something similar to what ltrace does on Linux, but specialized for this weird library.

How can I write such an "intercepting" DLL on Windows and inject it between devilish.dll and devilish-gui.exe?

Giacomo Tesio
  • Could you implement your own `devilish.dll` that internally performs `LoadLibrary()` on the original version, and you implement all the APIs to call the original version except for those calls you actually want to annotate? – jxh Sep 27 '13 at 19:40
  • possible duplicate of [LD\_PRELOAD equivalent for Windows to preload shared libraries](http://stackoverflow.com/questions/1178257/ld-preload-equivalent-for-windows-to-preload-shared-libraries) – jxh Sep 27 '13 at 19:44
  • Yes, that's what I'd like to do, but on Windows I have no idea how to force devilish-gui to load my own implementation. The only constraint is that I can change neither devilish-gui nor devilish.dll. – Giacomo Tesio Sep 27 '13 at 19:46

1 Answer

3

A couple of possibilities:

  1. Use Detours.
  2. If you put your implementation of devilish.dll in the same directory as devilish-gui.exe, and move the real implementation of devilish.dll into a subdirectory, Windows will load your implementation instead of the real one. Your implementation can then forward to the real one. I'm assuming that devilish-gui isn't hardened against search path attacks.
  3. Another approach would be to use IntelliTrace to collect a trace log of all the calls into devilish.dll.
Eric Brown
  • Good links. Can you suggest any open source alternative to Detours? In particular, the devilish.dll and GUI are x86 programs, but we are running them on x64 Windows 8 desktops. – Giacomo Tesio Sep 29 '13 at 18:09
  • @GiacomoTesio Some quick googling results in a reference to [EasyHook](http://code.google.com/p/easyhook-continuing-detours/), but I haven't used it, so I can't comment further. If you have VS 2012, IntelliTrace might help, too. – Eric Brown Sep 30 '13 at 03:55
  • IntelliTrace is not an option, since the GUI was written in C. – Giacomo Tesio Sep 30 '13 at 07:51
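
The forwarding shim from option 2 of the answer, written in C as an added example (not code from the question, the answer, or the lost codebase). `devilish_req` and `devilish_run` are hypothetical stand-ins for one struct and one export of devilish.h, and the `real\` subdirectory and log file name are assumptions; off Windows a constructed stand-in replaces the real export so the wrapper can be compiled and exercised anywhere.

```c
#include <stdio.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#define SHIM_EXPORT __declspec(dllexport)
#else
#define SHIM_EXPORT
#endif

/* Hypothetical: stands in for one struct/function pair from devilish.h. */
typedef struct { int32_t mode; int32_t flags; const char *payload; } devilish_req;
/* The pointer type must match the header's calling convention exactly. */
typedef int (*devilish_run_fn)(const devilish_req *);

static devilish_run_fn real_run; /* resolved on first call, then cached */

#ifndef _WIN32
/* Constructed stand-in for the real export so the shim runs off Windows. */
static int standin_run(const devilish_req *r) { return r ? r->mode * 10 + r->flags : -1; }
#endif

static devilish_run_fn resolve_real(void) {
#ifdef _WIN32
    /* Assumed layout: the real DLL was moved into a "real" subdirectory.
       Building an absolute path from the shim's own location is more robust. */
    HMODULE h = LoadLibraryA("real\\devilish.dll");
    return h ? (devilish_run_fn)GetProcAddress(h, "devilish_run") : NULL;
#else
    return standin_run;
#endif
}

/* Exported under the original name so devilish-gui.exe binds to it unchanged. */
SHIM_EXPORT int devilish_run(const devilish_req *req) {
    if (!real_run && !(real_run = resolve_real())) return -1;
    FILE *log = fopen("devilish-trace.log", "a");
    if (log) {
        if (req)
            fprintf(log, "devilish_run(mode=%d flags=0x%x payload=\"%s\")", (int)req->mode,
                    (unsigned)req->flags, req->payload ? req->payload : "(null)");
        else
            fprintf(log, "devilish_run(NULL)");
        fflush(log); /* the arguments survive a crash inside the real call */
    }
    int rc = real_run(req); /* forward to the untouched original */
    if (log) { fprintf(log, " -> %d\n", rc); fclose(log); }
    return rc;
}
```

Every export that devilish-gui.exe imports needs a wrapper like this (or a plain forwarder), and the shim has to be built as 32-bit to match the x86 executable mentioned in the comments.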