Demo for IAT hooking and interception of Win32 API calls
Bob Carroll baf677e3f1 initial commit 5 months ago
gdihook initial commit 5 months ago
.gitignore initial commit 5 months ago
readme.md initial commit 5 months ago
tripwire.c initial commit 5 months ago
tripwire.sln initial commit 5 months ago
tripwire.vcxproj initial commit 5 months ago

readme.md

Tripwire

Tripwire is a demo project for IAT hooking and interception of Win32 API calls.

  1. Start MS Publisher in a suspended state.
  2. Inject our custom GDIHOOK.DLL into the Publisher process.
  3. Inject a Publisher DLL we need to patch.
  4. Read the export address table for GDIHOOK.DLL and find the address of our replacement function.
  5. Read the import address table for Publisher's DLL looking for a specific Win32 API function.
  6. Write the address of our replacement function to the import thunk in Publisher's DLL.
  7. Resume the Publisher thread.
  8. Open a named pipe and wait.
  9. When Publisher calls the Win32 API function we want to intercept, our replacement function sends a signal over a named pipe to Tripwire.
  10. Tripwire receives the signal from our DLL. If the intercepted function is never called, Tripwire waits indefinitely.
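
The patched thunk from step 6 is also what a defender looks for: an import whose resolved address lies outside the DLL it was imported from. The check below is an added example, not part of the Tripwire source. It runs over a constructed process snapshot in which the module names (other than GDIHOOK.DLL), function names, addresses and the forwarder list are all sample assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed snapshot: every name and address here is a sample value. */
typedef struct { const char *name; uint64_t base, size; } module_t;
typedef struct { const char *dll, *func; uint64_t target; } iat_entry_t;
typedef struct { const char *from, *to; } forward_t;

static const module_t MODULES[] = {
    { "PUBPLUGIN.DLL", 0x10000000, 0x080000 },  /* hypothetical importing DLL */
    { "GDIHOOK.DLL",   0x20000000, 0x010000 },  /* injected DLL (steps 2 and 4) */
    { "GDI32.DLL",     0x70000000, 0x030000 },
    { "GDI32FULL.DLL", 0x70100000, 0x120000 },
};
/* Forwarded exports legitimately resolve into another module; allow them. */
static const forward_t FORWARDS[] = { { "GDI32.DLL", "GDI32FULL.DLL" } };
static const iat_entry_t IAT[] = {              /* import thunks of PUBPLUGIN.DLL */
    { "GDI32.DLL", "BitBlt",      0x70004210 }, /* resolves inside GDI32.DLL */
    { "GDI32.DLL", "CreateFontW", 0x70123400 }, /* forwarded, still expected */
    { "GDI32.DLL", "TextOutW",    0x20001040 }, /* overwritten as in step 6 */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Find the loaded module whose address range contains addr, if any. */
static const module_t *owner_of(uint64_t addr) {
    for (size_t i = 0; i < COUNT(MODULES); i++)
        if (addr >= MODULES[i].base && addr - MODULES[i].base < MODULES[i].size)
            return &MODULES[i];
    return NULL;
}

/* NULL if the thunk is clean, otherwise the name of the unexpected owner. */
const char *check_thunk(const iat_entry_t *e) {
    const module_t *m = owner_of(e->target);
    if (!m) return "<unmapped>";                /* points outside every module */
    if (strcmp(e->dll, m->name) == 0) return NULL;
    for (size_t i = 0; i < COUNT(FORWARDS); i++)
        if (!strcmp(e->dll, FORWARDS[i].from) && !strcmp(m->name, FORWARDS[i].to))
            return NULL;
    return m->name;
}

int main(void) {
    for (size_t i = 0; i < COUNT(IAT); i++) {
        const char *bad = check_thunk(&IAT[i]);
        if (bad) printf("%s!%s -> %s (hooked)\n", IAT[i].dll, IAT[i].func, bad);
    }
    return 0;
}
```

On a live system the module list and thunk values would come from the target process's memory rather than from static tables, and module names would be compared case-insensitively.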