DLL Redirection Tutorial

WARNING: If you do not understand what you are doing you WILL really screw up your system. I take no responsibility for this.

Did you ever need to intercept DLL functions that are part of the Windows API? There are many good reasons for doing this: application debugging, process spying, clocking, etc. Even more powerful than function interception is the ability to modify the response of function calls back to the application. This is precisely what DLL Proxying (also known as DLL Hijacking) allows you to do.

In the following tutorial we are going to intercept Mozilla Firefox’s function call to the Windows Socket Library, “wsock32.dll”. The function is called “gethostbyname”. This function is invoked each time Firefox performs a DNS lookup of a domain name. Once this function is intercepted, our proxy DLL will log each URL that Firefox requests, outputting each request to a log file.

In this example, DLL Proxying works by using two DLL files to handle the function calls that normally call the system DLL file “wsock32.dll”. Later, we will be renaming the original DLL, “wsock32.dll” to a new name. In the example I am going to use the name “wsock32_.dll”. We will create a new “wsock32.dll” proxy DLL that points all of its function calls to the original DLL, “wsock32_.dll”, except for the function calls that we want to modify. This process allows all called functions to pass to the original library transparently, while allowing us to put our own twist on any of the functions we choose.

Applications required:

Note: While trying to run dumpbin you may get an error about a missing “link.exe” executable. This can be resolved by adding VC++’s “bin” directory to your PATH environment variable. For my system, the full path to add was “C:\Program Files\Microsoft Visual Studio 8\VC\bin”. The environment variable settings can be accessed from “System Properties”.

Another Note: We could modify the existing DLL file located in “%systemroot%\System32”. However, some people way smarter than me do not recommend it. Instead they recommend copying the files into the EXE’s directory to force the application to load the modified DLL libraries instead of the original. If you attempt to modify the original DLL libraries your system may become unstable. On top of that, Windows File Protection can become an issue if you do not overwrite both the library in “%systemroot%\System32” and the library in your DLL cache. You have been warned.

Ok, let’s start. We are going to start by copying “%systemroot%\System32\wsock32.dll” to Firefox’s home directory: “C:\Program Files\Mozilla Firefox\”. In the process, rename the copied file “wsock32.dll” to “wsock32_.dll”.

cd "c:\program files\mozilla firefox\"
copy %windir%\system32\wsock32.dll wsock32_.dll

Next we will need to import the Windows Socket Library’s exported functions into ExportsToC++. To do this, run the following command. Alternatively, you can open ExportsToC++, click “File”, and select “Open”.

ExportsToC++.exe "%windir%\system32\wsock32.dll"

To create C++ Proxy code from the dumpbin output, click “Convert→To C++ Wrapper”. You will be prompted to insert the name of the DLL to which you want to forward exported functions. Type “wsock32_.dll”. You should see the following output generated:

Select the Copy button from the Converter toolbar. Next, open up Visual Studio 2005 and create a new C++ Win32 Project called “wsock32”. Creating a Win32 Project is extremely important because managed C++ cannot be used to create a proxy DLL.

When the Application Wizard appears click “Next” to continue to the next screen. Select DLL for the application type. Also select the Export Symbols checkbox. Click Finish.

Once the new project has loaded, open the file “wsock32.cpp”. Replace all of the pregenerated code with the code you copied to the clipboard using ExportsToC++. You now have a fully functional proxy DLL. Unfortunately, this file is useless because we have not modified any function calls! We must first comment out the export statement for the function we wish to redirect.

Next we will add code to the library which will load the original library, retrieve a pointer to the function we want, and redirect these calls to the original library. The code will intercept each function call for gethostbyname. The library will then log the request to disk, call the original function, and return the correct data. The resulting code will appear as shown here.

One important item we must add in order for this whole scenario to work is a definition file. Create a new module definition file called wsock32.def inside of Visual Studio 2005 with the following text:

LIBRARY wsock32.dll
EXPORTS
gethostbyname=mygethostbyname @52


To add the definition file to the build configuration open the Project Properties. Navigate to the Configuration Properties→Linker→Input page and select Module Definition File. Type “wsock32.def”.

Build the project. Copy the resulting file “wsock32.dll” to Mozilla Firefox’s installation directory (“C:\Program Files\Mozilla Firefox”). Run Firefox as normal. You will notice a new log file being generated called “activity.log”. This log file will store all of your browser activity records. Congratulations, you have successfully hooked an API function using DLL Proxying.
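The same load-order behaviour that makes this tutorial work (a DLL in the EXE’s directory wins over the copy in System32) is what an administrator looks for when checking whether an installation has been proxied. The PowerShell below is an added defender-side check, not code from the original tutorial or from Firefox. It lists DLLs in an application directory that shadow a System32 DLL of the same name, compares hashes and Authenticode status, looks for the renamed original (the “_.dll” file this tutorial leaves behind), and, if dumpbin.exe is on PATH as set up above, lists exports that are forwarded to another module. Function names, the PowerShell 4+ requirement (Get-FileHash), and the dumpbin “(forwarded to …)” output format are assumptions of this example.

```powershell
# Added example (not part of the original tutorial). Assumes Windows PowerShell 4+
# for Get-FileHash and, for Get-ForwardedExport, dumpbin.exe reachable on PATH.

function Find-ShadowingDll {
    # Report DLLs in $AppDir whose names collide with a DLL in System32. These are
    # the files the application loads instead of the system copy.
    param(
        [Parameter(Mandatory)] [string] $AppDir,
        [string] $SystemDir = (Join-Path $env:SystemRoot 'System32')
    )
    Get-ChildItem -LiteralPath $AppDir -Filter '*.dll' -File | ForEach-Object {
        $systemCopy = Join-Path $SystemDir $_.Name
        if (Test-Path -LiteralPath $systemCopy) {
            $appHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sysHash = (Get-FileHash -LiteralPath $systemCopy  -Algorithm SHA256).Hash
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            # The tutorial keeps the renamed original (e.g. wsock32_.dll) next to the
            # proxy so the proxy can forward to it; its presence is a strong hint.
            $renamed = Join-Path $AppDir ($_.BaseName + '_.dll')
            [pscustomobject]@{
                Dll              = $_.Name
                IdenticalToSys32 = ($appHash -eq $sysHash)
                Signature        = $sig.Status
                Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                RenamedOriginal  = (Test-Path -LiteralPath $renamed)
            }
        }
    }
}

function Get-ForwardedExport {
    # Use dumpbin /exports (the tool this tutorial already relies on) to list
    # exports that a DLL forwards to another module, e.g. "wsock32_.send".
    param([Parameter(Mandatory)] [string] $DllPath)
    if (-not (Get-Command dumpbin.exe -ErrorAction SilentlyContinue)) {
        throw 'dumpbin.exe not found on PATH; add the VC++ bin directory first.'
    }
    & dumpbin.exe /exports $DllPath 2>$null | ForEach-Object {
        # Assumed dumpbin line shape: "... name (forwarded to module.name)"
        if ($_ -match '\(forwarded to (?<target>[^)]+)\)') {
            [pscustomobject]@{
                Dll         = (Split-Path -Path $DllPath -Leaf)
                ForwardedTo = $Matches['target']
            }
        }
    }
}

# Usage against the directory used in this tutorial.
$appDir = 'C:\Program Files\Mozilla Firefox'
$hits   = Find-ShadowingDll -AppDir $appDir
$hits | Format-Table -AutoSize
$hits | Where-Object { -not $_.IdenticalToSys32 } | ForEach-Object {
    Get-ForwardedExport -DllPath (Join-Path $appDir $_.Dll)
}
```

A hash mismatch on its own is not proof of anything: applications legitimately ship private copies of some system DLLs. The combination this tutorial produces is the telling one: a shadowing DLL that does not match System32, carries no valid signature, sits beside a same-named “_.dll”, and forwards most of its exports to that file while implementing one or two itself.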

Source files for download: wsock32.cpp and wsock32.def.

Many of the ideas presented here were expanded from Craig Heffner’s white paper on DLL Redirection.
