API Interception via DLL Redirection
In Windows, all applications must communicate with the kernel through API functions; as such,
these functions are critical to even the simplest Windows application. Thus, the ability to intercept,
monitor, and modify a program's API calls, commonly called API hooking, effectively gives one full
control over that process. This can be useful for a multitude of reasons, including debugging, reverse
engineering, and hacking (in all interpretations of the word).
While there are several methods which can be used to achieve our goal, this tutorial will
examine only DLL redirection. This approach was chosen for several reasons:
1. It is relatively simple to implement.
2. It allows us to view and modify parameters passed to an API function, change return values of
that function, and run any other code we desire.
3. While most other methods require code to be injected into the target process or run from an
external application, DLL redirection requires only write access to the target application's
working directory.
4. We can intercept any API call without modifying the target (either on disk or in memory) or any
system files.
Tools and Prerequisites
The following software will be used throughout this paper. You may, of course, use whichever
utilities you prefer; bear in mind, however, that their specific usage and implementation
may vary:
• Visual C++ – Used to compile our DLL files.
• OllyDbg – Used to examine the target application and any external modules.
• DumpbinGUI – Used to obtain a list of functions exported by a target DLL.
• Linkout.pl – A Perl script used to automate the majority of our leg work (requires ActivePerl).
It is assumed that the reader has a fairly solid grasp of Win32 programming in C/C++,
assembly language, and the usage of the above-mentioned applications (minus the Linkout script, of course).
A basic understanding of other methods used for API hooking is also helpful.
What is DLL Redirection?
An executable imports its API functions from DLL files; DLL redirection lets us tell a
program that the DLLs it needs are located in a different directory than the originals. In this way we
can create a DLL with the same name as the original, exporting the same function names as the
original, but in which each function contains whatever code we like. There are two ways to achieve DLL
redirection; the first method is sometimes referred to as “dot local” redirection:
“Applications can depend on a specific version of a shared DLL and start to fail if another application
is installed with a newer or older version of the same DLL. There are two ways to ensure that your
application uses the correct DLL: DLL redirection and side-by-side components. Developers and
administrators should use DLL redirection for existing applications, because it does not require any
changes to the application.”
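As an added, defender-side example (not part of the original paper), the following Python script audits an executable's directory for the two things dot-local redirection relies on: a `<name>.local` marker beside the executable and DLLs whose names shadow system DLLs. `SYSTEM_DLLS` is a constructed placeholder set, and `build_sample_tree` fabricates a temporary layout so the script runs offline; a real audit would enumerate the Windows system directory instead.

```python
import os
import tempfile

# Constructed placeholder set of DLL names that normally live in the Windows
# system directory; a real audit would list %SystemRoot%\System32 instead.
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}


def audit_dot_local(exe_path, system_dlls=SYSTEM_DLLS):
    """Return a list of findings for the executable at exe_path: whether a
    <name>.local marker (file or directory) exists, and which DLLs in the
    application directory (or inside the .local directory) carry the name
    of a system DLL and would therefore be picked up ahead of the original."""
    findings = []
    exe_path = os.path.abspath(exe_path)
    app_dir = os.path.dirname(exe_path)
    marker = exe_path + ".local"
    if os.path.exists(marker):
        kind = "directory" if os.path.isdir(marker) else "file"
        findings.append(f"dot-local marker present ({kind}): {marker}")
    # Redirected DLLs are loaded from the application directory, or from the
    # .local directory itself when the marker is a directory.
    search_dirs = [app_dir]
    if os.path.isdir(marker):
        search_dirs.append(marker)
    for d in search_dirs:
        for name in sorted(os.listdir(d)):
            if name.lower().endswith(".dll") and name.lower() in system_dlls:
                findings.append(f"system DLL name shadowed in {d}: {name}")
    return findings


def build_sample_tree(with_marker=True):
    """Constructed sample layout for offline testing: an application
    directory holding app.exe, a DLL that shadows kernel32.dll, a harmless
    helper DLL and, optionally, the app.exe.local marker file."""
    root = tempfile.mkdtemp(prefix="dotlocal_demo_")
    names = ["app.exe", "kernel32.dll", "helper.dll"]
    if with_marker:
        names.append("app.exe.local")
    for name in names:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"")  # file contents are irrelevant to the layout check
    return os.path.join(root, "app.exe")


if __name__ == "__main__":
    for line in audit_dot_local(build_sample_tree()):
        print(line)
```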