How to DLL hook in windows CE?
amir
3rd April 2005, 01:25 PM
How to DLL hook in windows CE?
for example how to hook RIL_Dial in ril.dll?
mamaich
4th April 2005, 12:35 AM
The process is nearly similar to normal Windows. For example, you can make a wrapper around the DLL, or patch its export table, or the import table of the app that uses it. Read cracking sites for more info.
amir
4th April 2005, 07:33 AM
Thanks for the reply.
I need sample code that I can use quickly.
flywhc
4th April 2005, 07:43 PM
But WinCE does not support SetWindowHook and CreateRemoteThread (at least I cannot find them in the SDK help).
We can use VirtualProtect to change an API entry, but I cannot enter the address space of another process.
That means we can hook APIs within our own program only; we cannot implement interprocess API interception like on the win32 platform. :(
Writing a wrapper for an API is too tough for big DLLs with hundreds of APIs.
Patching the export table in the binary file is impossible for system DLLs in the ROM.
headache
mamaich
5th April 2005, 01:38 AM
SetWindowsHook is obsolete. Use SetWindowsHookEx.
There is no need to use CreateRemoteThread. All processes in CE share the same 4Gb linear address space and can access each other's data. To convert a pointer from your or any other process's address to a "global" one that can be accessed from everywhere, use a poorly documented function:
#include <windows.h>
extern "C" LPVOID MapPtrToProcess(LPVOID lpv, HANDLE hProc);
To inject a DLL into the address space of another process I use
typedef struct _CALLBACKINFO {
    HANDLE hProc;  /* destination process */
    FARPROC pfn;   /* function to call in dest. process */
    PVOID pvArg0;  /* arg0 data */
} CALLBACKINFO;
typedef CALLBACKINFO *PCALLBACKINFO;
extern "C" DWORD PerformCallBack4(CALLBACKINFO *pcbi, ...);
...
HANDLE Proc = OpenProcess(0, 0, Pid);
if (Proc == NULL)
    return;
/* make the DLL name readable from the target process */
void *Ptr = MapPtrToProcess((LPVOID)L"phonehook.dll", GetCurrentProcess());
CALLBACKINFO ci;
ci.hProc = Proc;
/* the function executed in the target is coredll's LoadLibraryW, with the DLL name as its argument */
void *t = (void *)GetProcAddress(GetModuleHandle(L"coredll.dll"), L"LoadLibraryW");
ci.pfn = (FARPROC)MapPtrToProcess(t, Proc);
ci.pvArg0 = Ptr;
PerformCallBack4(&ci);
CloseHandle(Proc);
The method is unstable - it can hang your device if the process was inside an API function. I call Sleep(500) before PerformCallBack4 and it works in most cases.
The other method that allows hooking of most kernel functions is patching the SystemAPISets table. Search this forum, an example was posted here.
amir
6th April 2005, 08:40 AM
I understand how to attach a DLL to another process, but I don't understand how to change the original function address to my hook function.
For example, in the hook DLL I write this code:
#include <windows.h>
#include <ril.h>   /* HRIL */

typedef HRESULT t_RIL_Dial(HRIL hRil, LPCSTR lpszAddress, DWORD dwType, DWORD dwOptions);
HRESULT New_RIL_Dial(HRIL hRil, LPCSTR lpszAddress, DWORD dwType, DWORD dwOptions);
t_RIL_Dial *Old_RIL_Dial;   /* original entry, resolved at load time */

/* in the DLL's initialization: resolve the original RIL_Dial */
HINSTANCE hRilDll = LoadLibrary(L"\\Windows\\Ril.Dll");
if (hRilDll != NULL)
    Old_RIL_Dial = (t_RIL_Dial *)GetProcAddress(hRilDll, L"RIL_Dial");
and my hook function:
HRESULT New_RIL_Dial(HRIL hRil, LPCSTR lpszAddress, DWORD dwType, DWORD dwOptions)
{
    // hook code goes here, then forward to the original entry
    return Old_RIL_Dial(hRil, lpszAddress, dwType, dwOptions);
}
How do I change Old_RIL_Dial to New_RIL_Dial?
please help me.
flywhc
12th April 2005, 01:16 AM
Cannot give you simple code to demonstrate it. You must have knowledge of assembly language and how the win32 system works.
In brief:
1. use a system hook to enter the other process
2. get the entry address of the API
3. change the protection type of that address
4. save the value there
5. replace that address with your function and a long jmp
6. in your function, write that value back, call the original API and replace that address again
7. use interprocess communication APIs
8. keep it multi-thread safe and be very careful
I think SetWindowsHookEx is not a documented API in the win CE SDK/MSDN.
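The redirection amir asks about, and steps 2, 4, 5 and 8 of the list above, as an added example that is not code from this thread: a portable C model in which a module's export table is a constructed array standing in for the table GetProcAddress walks, HRIL, HRESULT and the "original" RIL_Dial are hypothetical stand-ins, and the hook is installed by saving the table entry and overwriting it with the replacement. It compiles with any C11 compiler. On CE the same slot is what the import/export-table patching mentioned earlier targets, it must be made writable first (VirtualProtect), and for a module executing in place from ROM it cannot be written at all.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the RIL types used on the page (real ones are in ril.h). */
typedef void *HRIL;
typedef long HRESULT;
typedef HRESULT (*t_RIL_Dial)(HRIL hRil, const char *lpszAddress,
                              unsigned long dwType, unsigned long dwOptions);
typedef void (*genfn)(void);   /* generic code pointer for the table */

/* Constructed stand-in for the original RIL_Dial: returns the digit count
 * so the effect of forwarding to it is observable. */
static HRESULT Orig_RIL_Dial(HRIL hRil, const char *lpszAddress,
                             unsigned long dwType, unsigned long dwOptions)
{
    (void)hRil; (void)dwType; (void)dwOptions;
    return (HRESULT)strlen(lpszAddress);
}

/* Constructed model of the module's export table: name -> code pointer. */
struct export_entry { const char *name; genfn fn; };
static struct export_entry g_exports[] = {
    { "RIL_Dial", (genfn)Orig_RIL_Dial },
    { NULL, NULL }
};

/* Step 2: locate the entry (GetProcAddress stand-in); the slot is returned
 * so it can be read and, once writable, rewritten. */
static genfn *find_export_slot(const char *name)
{
    for (struct export_entry *e = g_exports; e->name; e++)
        if (strcmp(e->name, name) == 0)
            return &e->fn;
    return NULL;
}

static t_RIL_Dial Old_RIL_Dial;        /* saved original pointer (step 4) */
static char g_last_dialed[64];         /* what the hook observed */
static int g_hook_calls;
static _Thread_local int g_in_hook;    /* per-thread re-entrancy guard (step 8) */

/* The replacement: record the call, then forward to the saved original. */
static HRESULT New_RIL_Dial(HRIL hRil, const char *lpszAddress,
                            unsigned long dwType, unsigned long dwOptions)
{
    if (g_in_hook)  /* nested call from inside the original: pass straight through */
        return Old_RIL_Dial(hRil, lpszAddress, dwType, dwOptions);
    g_in_hook = 1;
    g_hook_calls++;
    snprintf(g_last_dialed, sizeof g_last_dialed, "%s", lpszAddress);
    HRESULT hr = Old_RIL_Dial(hRil, lpszAddress, dwType, dwOptions);
    g_in_hook = 0;
    return hr;
}

/* Steps 4 and 5: save the original pointer, then redirect the slot. */
int install_RIL_Dial_hook(void)
{
    genfn *slot = find_export_slot("RIL_Dial");
    if (!slot || Old_RIL_Dial != NULL)   /* unknown export, or already hooked */
        return 0;
    Old_RIL_Dial = (t_RIL_Dial)*slot;
    *slot = (genfn)New_RIL_Dial;
    return 1;
}

/* Restore the slot so callers reach the original again. */
int remove_RIL_Dial_hook(void)
{
    genfn *slot = find_export_slot("RIL_Dial");
    if (!slot || Old_RIL_Dial == NULL)
        return 0;
    *slot = (genfn)Old_RIL_Dial;
    Old_RIL_Dial = NULL;
    return 1;
}

/* An application call that resolves RIL_Dial through the table. */
HRESULT app_dial(const char *number)
{
    t_RIL_Dial fn = (t_RIL_Dial)*find_export_slot("RIL_Dial");
    return fn(NULL, number, 0, 0);
}

int hook_call_count(void) { return g_hook_calls; }
const char *last_dialed(void) { return g_last_dialed; }

int main(void)
{
    install_RIL_Dial_hook();
    printf("dial -> %ld, hook saw %s\n", (long)app_dial("+15551234"), last_dialed());
    remove_RIL_Dial_hook();
    return 0;
}
```

The thread-local flag covers the re-entrancy half of step 8 (the original calling back into the hooked entry), but not the window another thread sees while the slot is being swapped; a real installer serialises install and remove with a lock or an atomic pointer exchange. The same table walk, run the other way (comparing each entry against the module's code range), is how a hook detector notices that a slot has been redirected.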
amp3r
3rd November 2007, 01:35 PM
This isn't anything like regular win32 hooking, because WINCE uses XIP technology.
Since rill.dll and rilgsm.dll are XIP DLLs, they are executed directly from ROM without being loaded into RAM. Therefore, it is not possible to patch those modules "on the fly" and insert a jump/hook, because ROM is read-only.
Correct me if I'm wrong?
Cotulla
3rd November 2007, 05:48 PM
This isn't anything like regular win32 hooking, because WINCE uses XIP technology.
Since rill.dll and rilgsm.dll are XIP DLLs, they are executed directly from ROM without being loaded into RAM. Therefore, it is not possible to patch those modules "on the fly" and insert a jump/hook, because ROM is read-only.
Correct me if I'm wrong?
This is true only sometimes:
modern devices usually have only 5-10 files in ROM (example: Dell x51v).
Also, if a ROM code section is compressed, it will be decompressed to RAM first.
XIP is eXecution In Place, so all of the above can't be called XIP.