Are there any approaches for global interception of functions (without DLL injection) from a specific DLL?

S

slinkinone2018-12-23 17:20:24

C++ / C#

slinkinone, 2018-12-23 17:20:24

Good day!
Studying intercepting in Windows , I noticed that it all comes down to SetWindowsHookEx , the DLL injection technique (DLL-injection) and kernel-level drivers (but here, apparently, only WinAPI too ).
The question arose whether it is possible to intercept a function call from a specific DLL without using these techniques. Suppose there is no need to intercept from a specific process, but interception from all processes is necessary.
As I imagine, if this DLL is already loaded into virtual memory, therefore its functions have specific addresses that are substituted during the application launch process using LoadLibrary(of course, if the application depends on this library). Those. you need to intercept calls to these addresses and it doesn’t matter which process accesses the library. And in the case of redefining the behavior of functions GLOBALLY , just patching these addresses is enough.
If I'm wrong - correct me.
If there is knowledge on approaches or libraries - share.
Thank you!

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

K

Kozel-007, 2019-03-05
@Kozel-007

You can replace the library with your own, binary compatible one, which forwards all calls to the original one, if you want. If you have enough rights in the system for what you described, then it’s enough to stupidly replace the library in the system.