Deep IAT Hooking

By sweetlilmre, Junior Member on 26th February 2008, 06:21 PM

I've been porting a large number of Linux-based programs to the Gizmondo (CE 4.2 device).

One of the main issues is the broken C runtime of CE, specifically the lack of current dir support (not to mention no POSIX layer). At any rate I wanted to be able to hook fopen etc. to call my own functions which would handle current dir.

To do this I thought I'd make some nice and easy IAT hooking code, that was until I discovered how complex this was on CE (relative to Win32 that is).
After much head scratching and looking at the stellar work of those such as mamaich, itsme etc. I finally managed to get it right.

I hope this is useful to someone (I searched this board, but couldn't find any code, though I do remember someone asking how to do it) and have attached a zip file with the hooking code. In order to use this you will need to provide your own undoc.h with the relevant kernel struct and function definitions for your wince flavour.

Once again, I stand on the shoulders of giants, without whom this would not have been possible.

26th April 2008, 04:11 PM |#2  
You are genius~
Thank you.
11th July 2008, 03:16 AM |#3  
You are so beautiful~ ^_____^
Thank you.
12th January 2009, 04:19 PM |#4  
I just wanted to start asking questions here... sweetlilmre, THANK YOU VERY MUCH!!!
17th September 2009, 07:10 AM |#5  
excellent job~
thank you
11th January 2010, 02:57 PM |#6  
Does anybody have undoc.h created for windows mobile 6 (wince 5.x)? If not, where should I look for the undocumented type info?
2nd February 2010, 02:27 PM |#7  
Hi~ JKingDev
I once created undoc.h by referencing the "private" directory.
The "private" directory is installed with Platform Builder. (I used Platform Builder 5.0.)
If PB is installed, then C:\WINCE500\PUBLIC and C:\WINCE500\PRIVATE are created.
(I don't know the Windows Mobile 6.0 environment.)

p.s :
If you can translate KOREAN, then visit
This site has attached file "". ( bottom side )
It is not my post, maybe it is posted by "jung cheulwon".
21st June 2017, 09:31 AM |#8  
Hi all,
First of all, thank you sweetlilmre for posting this.
Your solution works perfectly fine for platforms based on Win CE 5, e.g. Win Mobile 6.1 and Win Mobile 6.5.3.
However, it unfortunately does not work on Win CE 6 and Win CE 7.
I assume that this is due to changes in the memory architecture of Win CE 6 and higher.
Does anyone have a clue on how to port the "Deep IAT Hooking" solution to Win CE 6 and Win CE 7?
Some technical details on what I have tried so far...

PROC WINAPI DeepHookImportedFunction(
    LPCWSTR pwszModuleToHook,    // Module to intercept calls to
    LPCWSTR pwszFunctionToHook,  // Function to intercept calls to
    PROC pfnNewProc,             // New function (replaces old function)
    LPWSTR* ppwszExcludeList     // List of module names to exclude from the hook
)
{
    PROC pfnOriginalProc;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;
    PPROCESS pProcess;
    struct info inf;
    PMODULE pmods;
    LPVOID baseptr;
    BOOL bHooked = FALSE;

    SetKMode(TRUE);

    // Get current process struct from KData
    pProcess = KData.pCurPrc;

    // Get process import descriptor
    inf = pProcess->e32.e32_unit[IMP];
The program crashes (at the red marked spot) when I try to access the member

This is because the structure
is filled up by the value zero only.

This happens quite early in the implementation, therefore I didn't proceed very far. I still hope that somebody can help me out with this case.

Kind regards
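
An added example, not part of the thread or of sweetlilmre's attachment: a bounds-checked walk of an import descriptor table that reports a zero-filled directory entry (the situation described in post #8) instead of dereferencing it. The rva/size fields of the directory struct, all function names, and the 256-byte sample image are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed shape of CE's "struct info" (RVA + size); the thread does not show it. */
struct dir_info { uint32_t rva, size; };
/* Same five 32-bit fields as IMAGE_IMPORT_DESCRIPTOR. */
struct import_desc { uint32_t oft, stamp, fwd, name, first_thunk; };
enum imp_status { IMP_OK, IMP_EMPTY_DIR, IMP_OUT_OF_BOUNDS, IMP_NOT_FOUND };

static int in_image(size_t size, uint32_t rva, size_t len) {
    return rva != 0 && rva <= size && len <= size - rva;
}
static int name_eq(const char *a, const char *b) { /* case-insensitive compare */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Find the IAT (FirstThunk) RVA for `dll`, checking every RVA before use. */
enum imp_status find_iat_rva(const uint8_t *img, size_t size, struct dir_info imp,
                             const char *dll, uint32_t *iat_rva) {
    if (imp.rva == 0 || imp.size == 0) return IMP_EMPTY_DIR; /* zero-filled entry */
    if (!in_image(size, imp.rva, imp.size)) return IMP_OUT_OF_BOUNDS;
    for (size_t i = 0; i < imp.size / sizeof(struct import_desc); i++) {
        struct import_desc d;
        memcpy(&d, img + imp.rva + i * sizeof d, sizeof d);
        if (d.name == 0 && d.first_thunk == 0) break; /* all-zero entry ends the table */
        if (!in_image(size, d.name, 1) || !in_image(size, d.first_thunk, 4) ||
            !memchr(img + d.name, 0, size - d.name)) /* name not NUL-terminated */
            return IMP_OUT_OF_BOUNDS;
        if (name_eq((const char *)img + d.name, dll)) { *iat_rva = d.first_thunk; return IMP_OK; }
    }
    return IMP_NOT_FOUND;
}
/* Constructed 256-byte sample image: one descriptor for "coredll.dll" at RVA 0x40. */
struct dir_info build_sample(uint8_t *img) {
    struct import_desc d = { 0, 0, 0, 0x80, 0xA0 };
    memset(img, 0, 256);
    memcpy(img + 0x40, &d, sizeof d); /* the next 20 bytes stay zero: terminator */
    memcpy(img + 0x80, "coredll.dll", 12);
    struct dir_info imp = { 0x40, (uint32_t)(2 * sizeof d) };
    return imp;
}
int main(void) {
    uint8_t img[256]; uint32_t iat = 0;
    struct dir_info imp = build_sample(img), zero = { 0, 0 };
    return !(find_iat_rva(img, 256, imp, "COREDLL.DLL", &iat) == IMP_OK && iat == 0xA0 &&
             find_iat_rva(img, 256, zero, "coredll.dll", &iat) == IMP_EMPTY_DIR);
}
```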