4 C++ Programming How-To’s


C++ is a versatile programming language commonly used in software development. Many programmers choose C++ because it is efficient and gives them maximum control. However, programming in C++ can be complicated, and even the most experienced programmers and software developers may be unaware of some effective development tips that can help prevent corrupted data and program crashes. To help our fellow programmers, we’ve put together the following list of 4 C++ development “how-to’s” to improve code quality and speed up development time.

1. How to load a custom Dynamic-Link Library (DLL) into another process

It’s easy to load a DLL into the current process by calling the LoadLibrary Application Programming Interface (API). However, sometimes we need to inject a DLL into another process. There are two ways to achieve this:

One is to create a remote thread in the target process through the CreateRemoteThread API, using LoadLibrary as the thread’s start routine so that LoadLibrary runs in the context of that thread. Before creating the thread, you need to write the DLL file path into the remote process’s memory by calling WriteProcessMemory, and then pass the address of that path string as the thread parameter so that LoadLibrary receives it as its argument.

The other way is to register a global hook by using SetWindowsHookEx. In general, the hook procedure must reside in a DLL. After SetWindowsHookEx is called, the system maps the DLL into the remote process that the hooked thread belongs to.

2. How to hook an API in user mode and in kernel mode

An API hook can be implemented in either user mode or kernel mode. In user mode we don’t have to write a device driver; instead we write a DLL, inject it into the target process (see how-to 1), and replace the target API’s address in the process’s Import Address Table (IAT) with the address of the replacement (“fake”) API in our DLL.

In kernel mode, we need to understand that most system API calls eventually reach a kernel-mode system service routine. The addresses of these routines are stored in the System Service Dispatch Table (SSDT). We can replace the corresponding entry in the table with the address of our custom routine. Remember that the replacement routine executes in kernel mode and, therefore, must be implemented in a Windows driver. Note that on 64-bit Windows, Kernel Patch Protection (PatchGuard) treats modification of the SSDT as kernel corruption and crashes the system, so this approach is effectively limited to 32-bit Windows.
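Added example (not code from the original post) for the user-mode case: a check a defender can run over a module image to find IAT entries that no longer point into the DLL they import from, which is exactly the trace the replacement described above leaves behind. It assumes a 64-bit (PE32+) image already laid out as in memory; the sample image and the kernel32 address range are constructed for the demonstration.

```cpp
// Added example (not from the original post): flag IAT slots of a mapped PE32+ image that no longer point into the DLL they import from.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
struct IatSlot { uint32_t thunk_rva; uint64_t target; };
template <class T> static T rd(const uint8_t *p) { T v; std::memcpy(&v, p, sizeof v); return v; }
template <class T> static void wr(uint8_t *p, T v) { std::memcpy(p, &v, sizeof v); }
// img is a module image laid out as in memory (mapped, or copied out with ReadProcessMemory), so RVAs index it
// directly. Returns the IAT slots of dll_name whose address lies outside [dll_base, dll_base + dll_size).
// Forwarded exports legitimately resolve into another DLL, so treat hits as leads to verify, not as proof.
std::vector<IatSlot> find_hooked_iat_entries(const uint8_t *img, size_t len, const char *dll_name,
                                             uint64_t dll_base, uint64_t dll_size) {
    std::vector<IatSlot> hits;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return hits;
    uint32_t pe = rd<uint32_t>(img + 0x3C);                                    // e_lfanew
    if ((uint64_t)pe + 0x98 > len || std::memcmp(img + pe, "PE\0\0", 4) != 0) return hits;
    const uint8_t *opt = img + pe + 0x18;                                      // IMAGE_OPTIONAL_HEADER64
    if (rd<uint16_t>(opt) != 0x20B) return hits;                               // PE32+ only
    uint32_t desc = rd<uint32_t>(opt + 120);                                   // DataDirectory[IMPORT].VirtualAddress
    for (; (uint64_t)desc + 20 <= len; desc += 20) {                           // IMAGE_IMPORT_DESCRIPTOR entries
        uint32_t name = rd<uint32_t>(img + desc + 12), thunk = rd<uint32_t>(img + desc + 16);
        if (name == 0 && thunk == 0) break;                                    // all-zero terminator
        if (name >= len || std::strncmp((const char *)img + name, dll_name, len - name) != 0) continue; // exact match; a real scanner compares case-insensitively
        for (; (uint64_t)thunk + 8 <= len; thunk += 8) {                       // 64-bit FirstThunk slots
            uint64_t target = rd<uint64_t>(img + thunk);
            if (target == 0) break;
            if (target < dll_base || target >= dll_base + dll_size) hits.push_back({thunk, target});
        }
    }
    return hits;
}

// Constructed sample, not a real binary: minimal PE32+ image importing three kernel32 functions, with the third IAT slot redirected outside kernel32 the way a user-mode IAT hook leaves it.
std::vector<uint8_t> build_sample_image() {
    std::vector<uint8_t> img(0x600, 0);
    img[0] = 'M'; img[1] = 'Z'; wr<uint32_t>(&img[0x3C], 0x40);               // e_lfanew -> 0x40
    std::memcpy(&img[0x40], "PE\0\0", 4); wr<uint16_t>(&img[0x58], 0x20B);     // signature, PE32+ magic
    wr<uint32_t>(&img[0x58 + 120], 0x200);                                     // import directory RVA
    wr<uint32_t>(&img[0x200 + 12], 0x400); wr<uint32_t>(&img[0x200 + 16], 0x500); // Name, FirstThunk
    std::memcpy(&img[0x400], "kernel32.dll", 13);
    wr<uint64_t>(&img[0x500], 0x7FF800001000ULL); wr<uint64_t>(&img[0x508], 0x7FF800002000ULL); // in range
    wr<uint64_t>(&img[0x510], 0x14001A000ULL);                                 // hooked: outside kernel32
    return img;
}

int main() {
    std::vector<uint8_t> img = build_sample_image();
    for (const IatSlot &s : find_hooked_iat_entries(img.data(), img.size(), "kernel32.dll", 0x7FF800000000ULL, 0x100000))
        std::printf("IAT slot RVA 0x%x -> 0x%llx lies outside kernel32.dll\n", s.thunk_rva, (unsigned long long)s.target);
    return 0;
}
```

To use it on a live process, read the module image out with ReadProcessMemory and take the DLL’s base and size from its loaded-module information; resolving each slot against GetProcAddress is the stricter follow-up check.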

3. How to intercept network packets

We can intercept network packets in many ways. For instance, if we just want to monitor the HTTP traffic of a specific process, such as Internet Explorer, we can hook the Winsock APIs send and recv. If we intend to implement a network firewall, we should not use this method, because a Winsock hook can only intercept Transmission Control Protocol/Internet Protocol (TCP/IP) based traffic, and it cannot see the Ethernet packet header.

If we want to intercept all packets regardless of protocol, we have to write a Network Driver Interface Specification (NDIS) intermediate driver, which also sees the full Ethernet frame. But such a driver is difficult to write and install, and it cannot tell which process a packet belongs to, so most firewalls combine both methods to get the benefits of each.

4. How to monitor file operations

We can manipulate files by calling related APIs such as CreateFile, OpenFile, WriteFile, DeleteFile, FindFirstFile, etc. Windows Explorer displays files through these APIs as well.

Some software, such as antivirus software, needs to monitor suspicious file operations. For example, a file-infecting virus typically scans for executable files and writes malicious code into every one it finds. We can hook WriteFile to intercept these write operations.

Similarly, hooking FindFirstFile and FindNextFile can hide files from Windows Explorer: the hook simply removes the corresponding entries from the results of the two calls. These are high-level APIs, and they always call lower-level APIs internally.

For instance, CreateFile calls NtCreateFile, and NtCreateFile calls a kernel routine through the System Service Dispatch Table (SSDT). The kernel routine sends an I/O Request Packet (IRP) to the file system driver. We can intercept file operations at any of the above steps. Most commercial software uses a file system filter driver to monitor various file operations.

C++ is an efficient programming language that offers many benefits, including rapid development, productivity and extensibility. Visit our website to learn more about our expertise in C++ programming and development.

Photo credit: Pixabay
