Home/ Questions/Q 6882273
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T05:13:59+00:00

I am trying to hook a function to cmd.exe process the dll is injected

  • 0

I am trying to hook a function to cmd.exe process
the dll is injected just fine the problem is i can’t get the cmd.exe to call my function
when im trying to enter the word “dir” on the command prompt it’s showing me the same results instade of changing the first name to ‘dan’
what am i doing wrong?

HANDLE WINAPI newFindFirstFileA(__in   LPCTSTR lpFileName, __out  LPWIN32_FIND_DATA lpFindFileData) 
{
    WIN32_FIND_DATA FindFileData;
    HANDLE hFind = FindFirstFile(lpFileName, &FindFileData);
    *FindFileData.cFileName = L'Dan';
    lpFindFileData = &FindFileData;
    return hFind;
}


BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
    switch (reason)
    {
        case DLL_PROCESS_ATTACH:
        MessageBox(NULL,L"DLL Was injected!", L"Message" ,NULL);

        /* Hooking function */
        DWORD* dw = (DWORD*)GetProcAddress( GetModuleHandleA("kernel32.dll"), "FindFirstFileA" );
        *dw = (DWORD)newFindFirstFileA;
        break;
    }  

    /* Returns TRUE on success, FALSE on failure */
    return TRUE;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    GetProcAddress does not return the pointer to IAT entry. Instead, it returns the location of the actual function. Thus, *dw = (DWORD) newFindFirstFileA would overwrite the prolog of the FindFirstFileA function, which would be disastrous. Refer to this article for detailed explanation for hooking an API

    • 0