// include winsock2.h or #define _WINSOCKAPI_ before including windows.h
#include <winsock2.h>
#include <windows.h>
#include <memory>
#include "Tools/Process/APIOverride/ApiOverride.h"
// Globals shared between WinMain and the CApiOverride callbacks.
// Handle of the listview that receives the monitoring logs; left null because
// this sample does not use a listview.
HWND hWndListView = nullptr;
// Event signalled by the unload callback once the hooked process has ended;
// WinMain waits on it. Created and closed by WinMain.
HANDLE hevtUnexpectedUnload = nullptr;

// Callbacks handed to CApiOverride (definitions below).
// Invoked before the suspended target application is resumed.
void CallBackBeforeAppResume(DWORD dwProcessID, PVOID pUserParam);
// Invoked for each monitoring log entry.
void CallbackMonitoringLog(LOG_ENTRY* pLog, PVOID pUserParam);
// Invoked when the hooked process ends.
void CallBackUnexpectedUnload(DWORD dwProcessID, PVOID pUserParam);
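/// @brief Sample entry point: launches notepad suspended under CApiOverride,
///        lets CallBackBeforeAppResume load the monitoring/faking files, then
///        blocks until CallBackUnexpectedUnload reports that the process ended.
/// @return 0 on normal completion, -1 if the event could not be created or the
///         target could not be started.
int WINAPI WinMain(HINSTANCE hInstance,
                   HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine,
                   int nCmdShow)
{
    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    UNREFERENCED_PARAMETER(nCmdShow);

    // Owning pointer: released on every return path below, including the
    // error returns, so the object is never leaked.
    // hWndListView: handle to the listview that will receive logs,
    // NULL if you don't use a listview.
    std::unique_ptr<CApiOverride> pApiOverride(new CApiOverride(hWndListView));

    // Optional monitoring log callback. FALSE: the log entry is not kept in
    // memory after the callback has been called.
    pApiOverride->SetMonitoringCallback(CallbackMonitoringLog, // call back
                                        pApiOverride.get(),   // call back parameter
                                        FALSE);

    // Unload callback, to know when the hooked process ends.
    pApiOverride->SetUnexpectedUnloadCallBack(CallBackUnexpectedUnload, // call back
                                              pApiOverride.get());      // call back parameter

    // Event signalled by CallBackUnexpectedUnload; auto-reset, initially unsignalled.
    hevtUnexpectedUnload = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (hevtUnexpectedUnload == NULL)
    {
        // Without the event there is no way to learn that the hooked process
        // ended, so do not start anything.
        return -1;
    }

    // Start the application suspended; CallBackBeforeAppResume runs before it
    // is resumed (that is where monitoring files and faking DLLs are loaded).
    if (!pApiOverride->Start("c:\\windows\\notepad.exe",        // app path
                             NULL,                              // app command line
                             CallBackBeforeAppResume,           // call back before resuming application
                             pApiOverride.get(),                // callback parameter (current ApiOverride object)
                             CApiOverride::StartWaySuspended,   // start with suspended app
                             0))                                // unused for StartWaySuspended
    {
        CloseHandle(hevtUnexpectedUnload);
        // Reset the global so the unload callback cannot touch a closed handle.
        hevtUnexpectedUnload = NULL;
        return -1;
    }

    // Wait for the end of the launched application.
    // NOTE(review): the wait result is not inspected; WAIT_FAILED would fall
    // through to normal cleanup.
    WaitForSingleObject(hevtUnexpectedUnload, INFINITE);
    CloseHandle(hevtUnexpectedUnload);
    hevtUnexpectedUnload = NULL;
    // pApiOverride is destroyed here, after the handle has been closed and the
    // global cleared, matching the original close-then-delete order.
    return 0;
}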
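/// @brief Called by CApiOverride before the suspended target is resumed.
///        Loads one monitoring file and one faking DLL into the hooked process.
/// @param dwProcessID  Process id of the target (unused here).
/// @param pUserParam   The CApiOverride object passed to Start().
void CallBackBeforeAppResume(DWORD dwProcessID, PVOID pUserParam)
{
    UNREFERENCED_PARAMETER(dwProcessID);

    CApiOverride* pApiOverride = static_cast<CApiOverride*>(pUserParam);
    if (pApiOverride == NULL)
    {
        // Nothing to configure without the owning object.
        return;
    }

    // Load a monitoring file.
    pApiOverride->LoadMonitoringFile("c:\\winapioverride\\monitoring files\\InputTextDataRetrival.txt");

    // Load a faking DLL. Whatever file sits at this absolute path gets injected
    // into the target, so the directory must not be writable by less-privileged
    // users than the one running this sample.
    // NOTE(review): the return values of both Load* calls are ignored; a
    // failed load is silent here — confirm the return type and report it.
    pApiOverride->LoadFakeAPI("c:\\winapioverride\\example\\messagebox and internal faking\\FakeMsgBox.dll");
}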
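/// @brief Called by CApiOverride for each monitoring log entry.
/// @param pLog        The log entry. Registered with "keep log in memory" set
///                    to FALSE, so presumably the entry is not valid after this
///                    call returns — do not retain the pointer (confirm).
/// @param pUserParam  The CApiOverride object passed to SetMonitoringCallback().
void CallbackMonitoringLog(LOG_ENTRY* pLog, PVOID pUserParam)
{
    // Object on which the event applies; unused in this sample, marked so the
    // build stays warning-free.
    CApiOverride* pApiOverride = static_cast<CApiOverride*>(pUserParam);
    UNREFERENCED_PARAMETER(pApiOverride);
    UNREFERENCED_PARAMETER(pLog);

    // Do whatever you want with the log (write some fields to file, ...).
}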
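/// @brief Called by CApiOverride when the hooked process ends. Signals
///        hevtUnexpectedUnload so WinMain can finish its wait.
/// @param dwProcessID  Process id of the process that ended (unused here).
/// @param pUserParam   The CApiOverride object passed to SetUnexpectedUnloadCallBack().
void CallBackUnexpectedUnload(DWORD dwProcessID, PVOID pUserParam)
{
    UNREFERENCED_PARAMETER(dwProcessID);

    // Object on which the event applies; unused in this sample.
    CApiOverride* pApiOverride = static_cast<CApiOverride*>(pUserParam);
    UNREFERENCED_PARAMETER(pApiOverride);

    // Do some of your freeing memory actions here.

    // Signal end of process hooking. The handle is a global owned by WinMain;
    // it is only signalled while non-null.
    // NOTE(review): this callback presumably runs on a CApiOverride thread, not
    // the WinMain thread — confirm before adding shared state here.
    if (hevtUnexpectedUnload != NULL)
    {
        SetEvent(hevtUnexpectedUnload);
    }
}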