Is trapping OS functions possible?

Hi all,

In good old DOS, there was a simple way of trapping DOS (or BIOS) functions by changing the vector of a software (or hardware) interrupt to a custom procedure.
It was easy to catch file operations, device communication, etc.
Is it possible to trap OS functions in Windows?

I need to view/log the parameters passed to OS functions, especially CreateFile and similar functions.
Any ideas?

Best Regards
PawelS
[453 byte] By [PawelS] at [2007-11-19 6:14:31]
# 1 Re: Is trapping OS functions possible?
Yes ... those wonderful old days when you could reprogram the IDT ... :rolleyes:

Well you should take a look at these articles:

For Win9X, this (http://www.dev-archive.com/Cpp/W-P/system/vxd/article.php/c2849/) and for WinNT, this (http://www.dev-archive.com/Cpp/W-P/system/misc/article.php/c5667/).

:wave:
NoHero at 2007-11-11 0:32:03 >
# 2 Re: Is trapping OS functions possible?
"Detours intercepts Win32 functions by re-writing target function images."

Check this (http://research.microsoft.com/sn/detours/)
neo_the_1 at 2007-11-11 0:33:00 >
# 3 Re: Is trapping OS functions possible?
It is possible on Windows NT and is called API hooking.

This term has been misused many times; it was used to describe message procedure hooks or window subclassing.

It is also called system-call hooking, and it is explained by Mark Russinovich and Bryce Cogswell in the Windows NT System-Call Hooking article that you can find at: http://www.ddj.com/articles/1997/9701/

Also go to this site and search it. (http://www.sysinternals.com/)

Good luck
JohnCz at 2007-11-11 0:33:59 >
# 4 Re: Is trapping OS functions possible?
Most OS functions are in DLLs, so you can create your own DLL to replace the original and forward the functions after your code is executed. I'm not sure about the kernel functions, but I can tell you it works great with most of the others! :p
chi_luci at 2007-11-11 0:35:04 >
# 5 Re: Is trapping OS functions possible?
It is not possible to trap all the functions ... yes, you can trap the interrupts by all means ...... Old tech...

but some part of your query is possible by hooking the functions...

Check the following...
http://msdn.microsoft.com/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/abouthooks.asp?frame=true

thx

x86
x8086 at 2007-11-11 0:36:03 >
# 6 Re: Is trapping OS functions possible?
Thank you all for your replies.

The subject is really very deep, I have to dig into it :)

Best Regards

PawelS
PawelS at 2007-11-11 0:37:09 >
# 7 Re: Is trapping OS functions possible?
... yes, you can trap the interrupts by all means ...... Old tech...

It's not possible to reprogram the IDT from Win32 user-mode code... Believe me, I have tested this. You can reprogram the IDT from kernel mode, but it's not recommended because it is not possible to hand interrupts you don't want to handle (for example interrupt 0, division by zero) back to the Win32 system.
NoHero at 2007-11-11 0:38:02 >
# 8 Re: Is trapping OS functions possible?
I made use of a trampoline technique to trap OS calls to TrackPopupMenu/Ex in this article:

http://www.codeproject.com/menu/QuickODmenu.asp

You should be able to take the InterceptAPI function from that and apply it quite easily to the CreateFile() function. There is also a reference in the article itself to where I got the InterceptAPI function from originally (I had to make a small modification because of the C++ compiler-generated code).
Roger Allen at 2007-11-11 0:39:12 >
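A logging hook for CreateFileW of the kind the Detours reply (#2) and the trampoline reply (#8) describe, added here as an example; it is not code from this thread or from the articles linked above. It assumes Microsoft Detours is installed and linked on Windows, and on other hosts it substitutes a constructed stand-in for CreateFileW so the hook and its log can still be exercised.

```c
#include <stdio.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <detours.h>   /* Microsoft Detours; assumed installed and linked (detours.lib) */
#else
/* Constructed stand-in for the Win32 types and CreateFileW so the hook can run elsewhere. */
typedef void *HANDLE, *LPSECURITY_ATTRIBUTES;
typedef unsigned long DWORD;
typedef const wchar_t *LPCWSTR;
#define WINAPI
static HANDLE WINAPI CreateFileW(LPCWSTR n, DWORD a, DWORD s, LPSECURITY_ATTRIBUTES sa,
                                 DWORD d, DWORD f, HANDLE t) {
    (void)n; (void)a; (void)s; (void)sa; (void)d; (void)f; (void)t;
    return (HANDLE)1;                      /* pretend handle */
}
#endif
/* Detours re-points this at a trampoline into the original code once attached. */
static HANDLE (WINAPI *Real_CreateFileW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES,
                                         DWORD, DWORD, HANDLE) = CreateFileW;
/* Small ring of the most recent calls, readable by a monitor or a test. */
#define LOG_SLOTS 8
static wchar_t  log_name[LOG_SLOTS][260];  /* 260 = MAX_PATH */
static DWORD    log_access[LOG_SLOTS];
static unsigned log_count;

/* The hook: record the parameters, then forward to the real function unchanged. */
HANDLE WINAPI Hooked_CreateFileW(LPCWSTR name, DWORD access, DWORD share,
                                 LPSECURITY_ATTRIBUTES sa, DWORD disp, DWORD flags, HANDLE tmpl) {
    unsigned slot = log_count++ % LOG_SLOTS;
    wcsncpy(log_name[slot], name ? name : L"(null)", 259);
    log_name[slot][259] = L'\0';
    log_access[slot] = access;
    fwprintf(stderr, L"CreateFileW(%ls, access=0x%lx, disposition=%lu)\n",
             log_name[slot], (unsigned long)access, (unsigned long)disp);
    return Real_CreateFileW(name, access, share, sa, disp, flags, tmpl);
}

unsigned       hook_log_count(void)        { return log_count; }
const wchar_t *hook_log_name(unsigned i)   { return log_name[i % LOG_SLOTS]; }
DWORD          hook_log_access(unsigned i) { return log_access[i % LOG_SLOTS]; }
#ifdef _WIN32
/* Attach from DllMain (DLL_PROCESS_ATTACH) of the logging DLL, or from main() in-process. */
int install_hook(void) {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach((PVOID *)&Real_CreateFileW, (PVOID)Hooked_CreateFileW);
    return DetourTransactionCommit() == NO_ERROR ? 0 : -1;
}
#endif
```

After install_hook() succeeds, every CreateFileW call in the process passes through Hooked_CreateFileW, which logs the name, access mask and disposition before forwarding; the same pattern applies to CreateFileA or any other exported function the original question mentions.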