
Skinmine - Elaborating on Jeffrey Richter's "Trojan DLL" method for API hooking



1. Introduction
Several years ago Jeffrey Richter[1] published his book Programming Applications for Microsoft Windows[2], which presents an overwhelming amount of information about the internals of Microsoft Windows. Chapter 22 of this book is titled DLL Injection & API Hooking. In it Mr Richter introduces the reader to several methods of injecting DLL files into the address space of running processes. Although this chapter, like the rest of the book, is very detailed and comes with several C++ code examples, there is one method which he introduces only briefly and does not elaborate on any further: injecting a DLL with a Trojan DLL.

In fact Mr Richter, despite calling the technique "not too bad", advises the reader to avoid this approach because it is prone to certain problems. For example, a newer version of the original DLL may export new, additional functions which the old proxy DLL (or Trojan DLL, whichever name you prefer) obviously isn't aware of. Applications which use these new functions won't run correctly; in most cases they won't even start, because the loader cannot resolve an import that the proxy does not export. This is certainly a valid concern if your DLL is supposed to be an all-purpose replacement, for example if you plan to replace a system DLL like kernel32.dll with your own kernel32.dll which logs all calls to kernel32 and afterwards calls the real kernel32.dll. (Note that kernel32.dll and the other KnownDLLs are always loaded from the system directory, so such a replacement cannot simply be dropped next to the application.) For a very customized DLL which is only supposed to intercept calls from one application anyway, this problem is not nearly serious enough to rule out the Trojan DLL approach to API hooking.

2. Specifying the project
Let's take a first look at one of these "customized DLL files". I have chosen to modify the Windows Minesweeper to provide a real-life example of using proxy DLLs which everybody with a copy of Microsoft Windows 2000 or higher can easily test.
The project is quickly described. Inspired by something I read on the Internet, I decided to create a skinnable version of Minesweeper ("Skinmine"). The squares which have not yet been uncovered by the player are painted differently from the boring default colour: a bitmap file is loaded instead and drawn onto the squares. The user will be able to select skins via a menu. To get a better impression of what the end result should look like, scroll up to the title page of this document.
Additional features include a "No skin" option to disable all skins and an INI file which stores the last used skin, so that the same skin is automatically reloaded the next time Skinmine starts.
...

The rest of this document and all source files can be found in the RAR file.


Comments


westpoint2:

Awesome job, works like magic.

I myself write mostly in C++, but I also started from assembler + C/C++.
About Richter I cannot say too many warm words. For a long time his book was useless in the struggle with the Win API.

Once again, great article and project.
