Hi all, I need to monitor some API calls. To do that I use the library injection technique: my DLL scans the import name table to find an API, redirects that call to its own function, which does some work and then calls the original function. The problem is that after it returns from the redirected function, the application crashes. It seems I missed something; probably I have to do something to save/restore registers, the return address, etc. At this stage I could not find an answer in MSDN. I do something similar to the apimon or spyapi programs. I would be very thankful if anybody knows the solution or has any ideas. Below are just a few lines of code to give an idea of what I do and what could be wrong... Thank you.
This is just a part of it, to keep it shorter. Say I want to monitor a function from a “third” DLL:
int UsefulFunc(int iP1, long lP2); // Ordinal 20 in the monitored DLL. NOTE(review): the calling convention is not shown here; the hook that replaces it must use exactly the same one — confirm against the DLL's header.
Code from my DLL:
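/* Identity of the import to redirect, usable for both import styles. */
int iFuncToMonitor = 20;               /* ordinal of UsefulFunc (missing ';' in the original) */
char szFuncToMonitor[] = "UsefulFunc"; /* export name, for imports by name (original used curly quotes) */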
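bool FindAndRedirect( PIMAGE_IMPORT_DESCRIPTOR pImportDesc, PVOID pBaseLoadAddr )
{
    /*
     * Walk one import descriptor of the module loaded at pBaseLoadAddr and
     * point every IAT slot that resolves to UsefulFunc (matched by ordinal
     * iFuncToMonitor or by name szFuncToMonitor) at MyMonitorFunc.
     *
     * pImportDesc   - entry of the module's import directory to scan
     * pBaseLoadAddr - load address of that module (RVAs are relative to it)
     * Returns true when at least one slot was redirected, false otherwise.
     */
    if (pImportDesc == NULL || pBaseLoadAddr == NULL) {
        return false;
    }
    /* Without an INT there is no name/ordinal information to match on. */
    if (pImportDesc->OriginalFirstThunk == 0 || pImportDesc->FirstThunk == 0) {
        return false;
    }

    PIMAGE_THUNK_DATA pINT = MakePtr(PIMAGE_THUNK_DATA, pBaseLoadAddr,
                                     pImportDesc->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pIAT = MakePtr(PIMAGE_THUNK_DATA, pBaseLoadAddr,
                                     pImportDesc->FirstThunk);
    bool bRedirected = false;

    /* INT and IAT run in lock-step and are both zero-terminated. */
    for (; pINT->u1.AddressOfData != 0 && pIAT->u1.Function != 0; pINT++, pIAT++) {
        bool bMatch = false;

        if (IMAGE_SNAP_BY_ORDINAL(pINT->u1.Ordinal)) {
            /* Imported by ordinal; iFuncToMonitor is an int, so compare as unsigned. */
            bMatch = ((unsigned int)IMAGE_ORDINAL32(pINT->u1.Ordinal)
                      == (unsigned int)iFuncToMonitor);
        } else {
            /* Imported by name. Name is a char array inside the struct, so it is
             * passed directly (the original took its address, yielding a char (*)[1]
             * and using a variable that was out of scope). lstrcmpA returns 0 on
             * equality; the original condition was inverted and missing a ')'. */
            PIMAGE_IMPORT_BY_NAME pImportName = MakePtr(PIMAGE_IMPORT_BY_NAME,
                                                        pBaseLoadAddr,
                                                        pINT->u1.AddressOfData);
            bMatch = (lstrcmpA((LPCSTR)pImportName->Name, szFuncToMonitor) == 0);
        }

        if (!bMatch) {
            continue;
        }
        /* NOTE(review): the IAT normally sits in a read-only section once the
         * loader has bound it; the page must be made writable before this store
         * and its protection restored afterwards, which this snippet omits. The
         * cast keeps the original's assumption that u1.Function is a PDWORD. */
        pIAT->u1.Function = (unsigned long *)MyMonitorFunc;
        bRedirected = true;
    }
    return bRedirected;
}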
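int MyMonitorFunc(int iP1, long lP2)
{
    /*
     * Replacement for UsefulFunc installed into the IAT by FindAndRedirect:
     * forwards the call to the real UsefulFunc, logs the arguments and result
     * through OutputDebugStringA, and returns the result unchanged.
     *
     * NOTE(review): this must use exactly the calling convention of the function
     * it replaces. Exported Win32 functions are usually __stdcall (WINAPI); if
     * UsefulFunc is and this hook is left at the default __cdecl, the caller's
     * stack is unbalanced when the hook returns — which matches the "crash after
     * the redirected function returns" symptom. Confirm against UsefulFunc's
     * header and add the matching qualifier here.
     * NOTE(review): UsefulFunc is reached through this DLL's own import. If this
     * DLL's IAT is ever patched as well, the call recurses into this hook;
     * saving the original slot value in FindAndRedirect and calling through it
     * avoids that.
     */
    int iret = UsefulFunc(iP1, lP2);

    /* The original 60-byte buffer was shorter than the format text alone and was
     * filled with unbounded sprintf (stack overflow); lP2 is a long, so it needs
     * %ld. snprintf bounds the write and always NUL-terminates. */
    char szOutBuff[128];
    int n = snprintf(szOutBuff, sizeof szOutBuff,
                     "MyMonitorFunc: UsefulFunc was used. P1= %d, P2=%ld, returns %d",
                     iP1, lP2, iret);
    if (n > 0) {
        OutputDebugStringA(szOutBuff);
    }
    return iret;
}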
This is just a part of it, to keep it shorter. Say I want to monitor a function from a “third” DLL:
int UsefulFunc(int iP1, long lP2); // Ordinal 20 in the monitored DLL. NOTE(review): the calling convention is not shown here; the hook that replaces it must use exactly the same one — confirm against the DLL's header.
Code from my DLL:
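/* Identity of the import to redirect, usable for both import styles. */
int iFuncToMonitor = 20;               /* ordinal of UsefulFunc (missing ';' in the original) */
char szFuncToMonitor[] = "UsefulFunc"; /* export name, for imports by name (original used curly quotes) */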
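bool FindAndRedirect( PIMAGE_IMPORT_DESCRIPTOR pImportDesc, PVOID pBaseLoadAddr )
{
    /*
     * Walk one import descriptor of the module loaded at pBaseLoadAddr and
     * point every IAT slot that resolves to UsefulFunc (matched by ordinal
     * iFuncToMonitor or by name szFuncToMonitor) at MyMonitorFunc.
     *
     * pImportDesc   - entry of the module's import directory to scan
     * pBaseLoadAddr - load address of that module (RVAs are relative to it)
     * Returns true when at least one slot was redirected, false otherwise.
     */
    if (pImportDesc == NULL || pBaseLoadAddr == NULL) {
        return false;
    }
    /* Without an INT there is no name/ordinal information to match on. */
    if (pImportDesc->OriginalFirstThunk == 0 || pImportDesc->FirstThunk == 0) {
        return false;
    }

    PIMAGE_THUNK_DATA pINT = MakePtr(PIMAGE_THUNK_DATA, pBaseLoadAddr,
                                     pImportDesc->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pIAT = MakePtr(PIMAGE_THUNK_DATA, pBaseLoadAddr,
                                     pImportDesc->FirstThunk);
    bool bRedirected = false;

    /* INT and IAT run in lock-step and are both zero-terminated. */
    for (; pINT->u1.AddressOfData != 0 && pIAT->u1.Function != 0; pINT++, pIAT++) {
        bool bMatch = false;

        if (IMAGE_SNAP_BY_ORDINAL(pINT->u1.Ordinal)) {
            /* Imported by ordinal; iFuncToMonitor is an int, so compare as unsigned. */
            bMatch = ((unsigned int)IMAGE_ORDINAL32(pINT->u1.Ordinal)
                      == (unsigned int)iFuncToMonitor);
        } else {
            /* Imported by name. Name is a char array inside the struct, so it is
             * passed directly (the original took its address, yielding a char (*)[1]
             * and using a variable that was out of scope). lstrcmpA returns 0 on
             * equality; the original condition was inverted and missing a ')'. */
            PIMAGE_IMPORT_BY_NAME pImportName = MakePtr(PIMAGE_IMPORT_BY_NAME,
                                                        pBaseLoadAddr,
                                                        pINT->u1.AddressOfData);
            bMatch = (lstrcmpA((LPCSTR)pImportName->Name, szFuncToMonitor) == 0);
        }

        if (!bMatch) {
            continue;
        }
        /* NOTE(review): the IAT normally sits in a read-only section once the
         * loader has bound it; the page must be made writable before this store
         * and its protection restored afterwards, which this snippet omits. The
         * cast keeps the original's assumption that u1.Function is a PDWORD. */
        pIAT->u1.Function = (unsigned long *)MyMonitorFunc;
        bRedirected = true;
    }
    return bRedirected;
}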
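int MyMonitorFunc(int iP1, long lP2)
{
    /*
     * Replacement for UsefulFunc installed into the IAT by FindAndRedirect:
     * forwards the call to the real UsefulFunc, logs the arguments and result
     * through OutputDebugStringA, and returns the result unchanged.
     *
     * NOTE(review): this must use exactly the calling convention of the function
     * it replaces. Exported Win32 functions are usually __stdcall (WINAPI); if
     * UsefulFunc is and this hook is left at the default __cdecl, the caller's
     * stack is unbalanced when the hook returns — which matches the "crash after
     * the redirected function returns" symptom. Confirm against UsefulFunc's
     * header and add the matching qualifier here.
     * NOTE(review): UsefulFunc is reached through this DLL's own import. If this
     * DLL's IAT is ever patched as well, the call recurses into this hook;
     * saving the original slot value in FindAndRedirect and calling through it
     * avoids that.
     */
    int iret = UsefulFunc(iP1, lP2);

    /* The original 60-byte buffer was shorter than the format text alone and was
     * filled with unbounded sprintf (stack overflow); lP2 is a long, so it needs
     * %ld. snprintf bounds the write and always NUL-terminates. */
    char szOutBuff[128];
    int n = snprintf(szOutBuff, sizeof szOutBuff,
                     "MyMonitorFunc: UsefulFunc was used. P1= %d, P2=%ld, returns %d",
                     iP1, lP2, iret);
    if (n > 0) {
        OutputDebugStringA(szOutBuff);
    }
    return iret;
}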