Author Topic: Import Table Hooking in C with Win32 API  (Read 2452 times)


Offline Karmic

Import Table Hooking in C with Win32 API
« on: April 26, 2015, 04:28:07 am »
I have the following assignment in class:

Develop a Win32 DLL that can be injected into a process using the injector that you have developed in Lab #2 (Code Injection). This DLL must install an import table hook to intercept calls made to the function CreateFileW() in kernelbase.dll from the module kernel32.dll. The hook function must display the lpFileName parameter to CreateFileW() using OutputDebugString(). You will build a DLL (not an .EXE).

I have programmed the injector and it works, but I am having a lot of trouble with the DLL. I don't want the answer, just a few clarifications.


I understand how to locate the IAT entry for CreateFileW() and how to change the value for it. I don't quite understand the following:

1. What do I change the IAT entry of CreateFileW() to? My malicious DLL and have it execute my version of CreateFileW()?
« Last Edit: April 26, 2015, 04:29:04 am by Karmic »

Offline HTH

Re: Import Table Hooking in C with Win32 API
« Reply #1 on: April 26, 2015, 11:09:44 am »
Correct, this is similar to hooking syscalls on a Linux platform. There is also a good bit of info on this in The Shellcoder's Handbook.

Offline Xires

Re: Import Table Hooking in C with Win32 API
« Reply #2 on: April 29, 2015, 03:43:37 pm »
Erm, what class is this?  Your course sounds far, far more interesting than mine.
-Xires

Offline Karmic

Re: Import Table Hooking in C with Win32 API
« Reply #3 on: April 29, 2015, 06:21:10 pm »
Thanks HTH, I looked through it and I think I have a better understanding of what needs to be done, and fortunately the deadline was extended so I think I'll be able to finish.

Xires, this is a Windows internals and exploit development course focusing on persistence and priv esc in Windows. It's offered through an organization called cyberwarriors (worst name ever) to university students with some security background.

It's sponsored by the U.S. defense community, with whom you may not necessarily agree, but hey, if they want to give free training, take it.

Offline Xires

Re: Import Table Hooking in C with Win32 API
« Reply #4 on: April 30, 2015, 11:26:10 am »
Ah, okay, that makes more sense.  I'm familiar with them.  Unfortunately, such courses are not offered to me.  Thanks for the info.
-Xires