Hooking windows API functions to intercept dll loading (Windows only)

Question

I want to intercept dll's loading so I can use them. My first idea was to hook GetProcAddress. Surprisingly, by hooking it, I can only intercept calls made within the process that owns my library. (I opened another executables that call GetProcAddress and those calls don't get intercepted) (I guess because it is dynamically compiled against my lib)

Example of the output:

C:\Windows\syswow64\kernel32.dll Module32NextW

C:\Windows\syswow64\kernel32.dll CreateToolhelp32Snapshot

C:\Windows\system32\DINPUT.dll DirectInputCreateW

C:\Windows\SysWOW64\ntdll.dll DirectDrawCreate

Anyway, what I want to know is where I should start to be able to intercept dlls loading so I can then use their functions.

Basically, I want to be able to call GetModuleInformation for any dll loaded.

Duplicate of http://stackoverflow.com/questions/873658/how-can-i-hook-windows-functions-in-c-c and many more similar questions. — mghie, Feb 08 '10 at 07:43
I don't know if I should call you names or ignore you. I don't want to know how to hook functions. I want to know what functions should I hook to intercept Dll's loading. — user246100, Feb 08 '10 at 08:33

score 4 · Accepted Answer · answered Nov 30 '10 at 20:36

4

First, what are you doing that requires a global hook?

If you want to be notified that a DLL has loaded in any process, you can look into PsSetImageLoadNotifyRoutine, which is a kernel-mode routine. Despite it being kernel mode, it's not very hard to use and writing a basic driver is pretty fun.

Another way would be to force a load of your library in every process. There are a variety of methods, one of the more legit ones would be Windows Message hooks.

answered Nov 30 '10 at 20:36

Daniel Goldberg

19,908
4
21
29

1

Hello. I just saw your answer now, sorry for that. This is meant to be used to intercept the loading of a game and then modify its working. Like cheats do. I saw code that detects it by using a permanent loop and finding if a process (by name) was created inside it. I was searching for a more clean way of doing this and your suggestion of a basic windows driver seems nice. Thank you! – user246100 Jul 08 '11 at 08:46

score 0 · Answer 2 · answered Feb 08 '10 at 23:52

0

Install a system-wide hook on the LoadLibrary function. (I have no idea how to use that small comment thing underneath the question so)

answered Feb 08 '10 at 23:52

Sam Blackburn

288
2
9

The question was: how to make it "system-wide". – user246100 Jul 08 '11 at 09:13
Any hook you set on your process is not copied due to copy-on-write functionality. To hook code globally, you need to insert yourself globally. – Daniel Goldberg Jul 08 '11 at 11:35

Hooking windows API functions to intercept dll loading (Windows only)

2 Answers2