Why can't the CloseHandle() file system API be hooked using the Detours method?

Post by Vic.Don » Fri, 04 Nov 2005 11:55:38

Hello All:

I use the Detours method from the MS kit to hook the CloseHandle() file system API and
inject this hook.dll into the Notepad process via the static registry key value
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs,
with an INI file that specifies only the Notepad application, shown below:

INI file:
[Scope]
UseWindowsHook=Yes
HookAll=No
Hook=notepad
Protect=MSDEV
[Trace]
Enabled=Yes

In my hook.dll I use the Detours functions (the trampoline name was mangled by the forum's word filter; it is DetourFunctionWithTrampoline):

    // Install the detour: Real_CloseHandle is the trampoline, Mine_CloseHandle the hook
    DetourFunctionWithTrampoline((PBYTE)Real_CloseHandle, (PBYTE)Mine_CloseHandle);
    // Remove it again on unload
    DetourRemove((PBYTE)Real_CloseHandle, (PBYTE)Mine_CloseHandle);
    .....

based on the MS Detours sample.

But I found that when my hook DLL was loaded in the Notepad process, the TXT file
could not be opened, and a lot of trace strings appeared in my Mine_CloseHandle()
function. But other functions, e.g. CreateFile(), ReadFile(), .... can be
hooked and the TXT file opens.

Why can't I hook the CloseHandle() API?

B.R.

Vic
 
Why can't the CloseHandle() file system API be hooked using the Detours method?

Post by inmat » Sat, 05 Nov 2005 07:40:41

I do not know your code, but here is what I suspect:

1. CloseHandle is called SIGNIFICANTLY more frequently than the CreateFile
function. CloseHandle may be called after OpenProcess, DuplicateHandle,
CreateFileMapping, CreateFileForMapping and so on.
That is why "a lot of trace strings appear in my ..."

2. I also suspect that DetourFunctionWithTrampoline substitutes the
function addresses only when it is called. However, Notepad in some
situations (for example, when you open the file dialog) loads new DLLs, and I
think it is necessary to update the substitutions in those newly loaded DLLs.

If you run NOTEPAD under the standard MSDEV debugger you can see when
Notepad loads or unloads DLLs.

My opinion is: instead of using DetourFunctionWithTrampoline, implement
your debugger application. Put breakpoints at CreateFile, CloseHandle
and so on and hook all these functions. It is simple because
kernel32.dll is not loaded/unloaded dynamically.
I am doing hooking in this way in my product at http://www.yqcomputer.com/
Another example of hooking is at http://www.yqcomputer.com/
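A CloseHandle hook written around the first point above, as an added example that is not the poster's or the reply's code: it forwards every call to the trampoline, traces only handles that a CreateFile hook registered with it, preserves the caller's last error, and refuses to re-enter itself from its own trace output, so the far more frequent unrelated closes (mappings, threads, events) neither flood the log nor break the program. The trampoline is modelled as a function pointer in the Detours 2.x DetourAttach style rather than the DETOUR_TRAMPOLINE macro of the 1.x sample (an assumption), and off Windows constructed stand-ins replace the API so the logic can run.

```c
/* Reentrancy-safe, filtered CloseHandle hook (added example, not the poster's code).
 * Off Windows, constructed stand-ins let the hook logic compile and run. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#define THREAD_LOCAL __declspec(thread)
#else
typedef void *HANDLE; typedef int BOOL; typedef unsigned long DWORD;
#define WINAPI
#define THREAD_LOCAL _Thread_local
static int g_real_closes = 0;                    /* how often the "real" API ran */
static BOOL CloseHandle(HANDLE h) { (void)h; g_real_closes++; return 1; }
static DWORD GetLastError(void) { return 0; }
static void SetLastError(DWORD e) { (void)e; }
#endif

#define MAX_TRACKED 64
static HANDLE g_tracked[MAX_TRACKED];  /* handles the CreateFile hook saw */
static int g_trace_count = 0;          /* trace lines emitted by the hook */
static THREAD_LOCAL int t_in_hook = 0; /* blocks re-entry from our own trace I/O */

/* Trampoline as a function pointer (Detours 2.x DetourAttach style, assumed). */
static BOOL (WINAPI *Real_CloseHandle)(HANDLE) = CloseHandle;
/* The CreateFile hook (not shown) calls this for handles worth tracing. */
int TrackHandle(HANDLE h) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_tracked[i] == NULL) { g_tracked[i] = h; return 1; }
    return 0;
}
static int UntrackHandle(HANDLE h) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (h != NULL && g_tracked[i] == h) { g_tracked[i] = NULL; return 1; }
    return 0;
}
BOOL WINAPI Mine_CloseHandle(HANDLE hObject) {
    /* Untracked handle (file mapping, event, thread, ...) or re-entered from the
     * trace path: forward unchanged and log nothing. Every call must reach the API. */
    if (t_in_hook || !UntrackHandle(hObject))
        return Real_CloseHandle(hObject);
    t_in_hook = 1;
    BOOL ok = Real_CloseHandle(hObject);
    DWORD err = GetLastError();  /* the trace must not clobber the caller's last error */
    g_trace_count++;
    fprintf(stderr, "CloseHandle(%p) -> %d\n", hObject, (int)ok);
    SetLastError(err);
    t_in_hook = 0;
    return ok;
}
int TraceCount(void) { return g_trace_count; }
```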