Example of application

Here is a small example of an application that can be written using the CApiOverride class.
It shows you how easy it is to code your own application.

Since version 6.1.0, the source code and the static library WinApiOverride.lib are no longer provided.
Since version 5.1.3, the source code comes with a static library WinApiOverride.lib (located in WinAPIOverride32\_lib) and an example of use.

Some .dll or .sys files must be placed in the same directory as your application:
 - InjLib.dll : always required
 - APIOverride.dll : always required
 - HookCom.dll : required only if you want to monitor / override COM interface or ActiveX
 - HookNet.dll : required only if you want to monitor / override .NET methods
 - ProcMonDrvJP[64].sys : required only if you want to hook all newly created processes
 - IATLoader.dll : required only if you want to hook a process before the TLS callbacks or DllMain of its statically linked DLLs are called

 


  1. // include winsock2.h or #define _WINSOCKAPI_ before including windows.h
  2. #include <winsock2.h>
  3. #include <windows.h>
  4.  
  5. #include "Tools/Process/APIOverride/ApiOverride.h"
  6.  
  // Listview that receives the logs; NULL means no listview is used.
  HWND hWndListView = NULL;
  // Auto-reset event signalled by CallBackUnexpectedUnload once the hooked process has ended.
  HANDLE hevtUnexpectedUnload = NULL;

  // Callbacks handed to CApiOverride (defined further down).
  void CallBackBeforeAppResume(DWORD dwProcessID, PVOID pUserParam);
  void CallbackMonitoringLog(LOG_ENTRY* pLog, PVOID pUserParam);
  void CallBackUnexpectedUnload(DWORD dwProcessID, PVOID pUserParam);
  13.  
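  // Entry point: hooks notepad.exe, waits until it ends, then releases everything.
  // Returns 0 on success and -1 when the event or the hooked process could not be created.
  int WINAPI WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
  {
      UNREFERENCED_PARAMETER(hInstance);
      UNREFERENCED_PARAMETER(hPrevInstance);
      UNREFERENCED_PARAMETER(lpCmdLine);
      UNREFERENCED_PARAMETER(nCmdShow);

      // Create the unload event before anything else: if it cannot be created
      // we must not start the hooked process, because CallBackUnexpectedUnload
      // could never wake us up and WaitForSingleObject(NULL) would fail at once.
      hevtUnexpectedUnload = CreateEvent(NULL, FALSE, FALSE, NULL); // auto-reset, initially non-signalled
      if (!hevtUnexpectedUnload)
          return -1;

      // hWndListView : handle to the listview that will receive logs, NULL if no listview is used
      CApiOverride* pApiOverride = new CApiOverride(hWndListView);

      // optional monitoring log callback; FALSE = do not keep the log in memory once the callback returned
      pApiOverride->SetMonitoringCallback(CallbackMonitoringLog, pApiOverride, FALSE);

      // unload callback, to know when the hooked process ends
      pApiOverride->SetUnexpectedUnloadCallBack(CallBackUnexpectedUnload, pApiOverride);

      int nRet = 0;

      // Start the application suspended; CallBackBeforeAppResume loads the
      // monitoring file and the faking dll, and the application is resumed
      // when that callback returns. The last parameter is unused for StartWaySuspended.
      if (!pApiOverride->Start("c:\\windows\\notepad.exe",   // app path
                               NULL,                          // app command line
                               CallBackBeforeAppResume,       // called before the app is resumed
                               pApiOverride,                  // callback parameter
                               CApiOverride::StartWaySuspended,
                               0))
      {
          nRet = -1;
      }
      else
      {
          // block until CallBackUnexpectedUnload signals the end of the hooked process
          WaitForSingleObject(hevtUnexpectedUnload, INFINITE);
      }

      // Delete the object first so no further callback can reference it,
      // then close the event and clear the global the callback tests.
      delete pApiOverride;
      CloseHandle(hevtUnexpectedUnload);
      hevtUnexpectedUnload = NULL;
      return nRet;
  }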
  67.  
  68.  
  // Called once the target process exists but is still suspended; it is resumed
  // when this callback returns, so this is the place to load monitoring and faking files.
  // pUserParam is the CApiOverride object passed to Start().
  void CallBackBeforeAppResume(DWORD dwProcessID, PVOID pUserParam)
  {
      UNREFERENCED_PARAMETER(dwProcessID);

      CApiOverride* pOverride = static_cast<CApiOverride*>(pUserParam);

      // monitoring definitions: which APIs get logged
      pOverride->LoadMonitoringFile("c:\\winapioverride\\monitoring files\\InputTextDataRetrival.txt");

      // faking dll, loaded into the hooked process
      // NOTE(review): both paths are absolute and taken on trust, and the return
      // values are not checked, so a missing or wrong file goes unnoticed here.
      pOverride->LoadFakeAPI("c:\\winapioverride\\example\\messagebox and internal faking\\FakeMsgBox.dll");
  }
  81.  
  // Monitoring log callback registered with SetMonitoringCallback.
  // pLog is the log entry, pUserParam the CApiOverride object it comes from.
  // NOTE(review): since the log is not kept in memory after the callback
  // (third parameter FALSE in WinMain), pLog is presumably only valid during this call.
  void CallbackMonitoringLog(LOG_ENTRY* pLog, PVOID pUserParam)
  {
      // object the event applies to
      CApiOverride* pOverride = static_cast<CApiOverride*>(pUserParam);

      // use the log here (write some fields to a file, ...)
  }
  89.  
  // Called when the hooked process ends. Signals hevtUnexpectedUnload so that
  // WinMain leaves its wait and tears everything down.
  void CallBackUnexpectedUnload(DWORD dwProcessID, PVOID pUserParam)
  {
      UNREFERENCED_PARAMETER(dwProcessID);

      // object the event applies to
      CApiOverride* pOverride = static_cast<CApiOverride*>(pUserParam);

      // release anything tied to the hooked process here

      // Once the event is set WinMain deletes the CApiOverride object, so
      // pOverride must not be touched after this point.
      if (hevtUnexpectedUnload != NULL)
      {
          SetEvent(hevtUnexpectedUnload);
      }
  }