Api Win
Keywords: Windows CE, API Interception, Dynamically Linked Library, System Call.
Abstract. Windows CE API interception technology can be used to monitor calls to various system
services, such as the file system and the registry. API interception plays an important role in
Windows CE system software debugging and performance analysis. This paper introduces the main
methods of Windows CE API interception, discusses a number of the key technologies involved and
how to use these methods flexibly, and gives a practical example.
Introduction
Most of the functions of the application programming interface (API) provided by the Windows CE
operating system are implemented in the system's Dynamically Linked Library (DLL) files. An API is a
specification intended to be used as an interface through which software components communicate
with each other and with the operating system. API interception means hooking the calls that an
application or the operating system makes to system services, and thereby probing the internal
behaviour of the application or the operating system. There are many tools and toolkits for API
interception on desktop operating systems: for example, Process Monitor is a monitoring tool that
shows Win32 API calls, and Detours is a software package for re-routing Win32 APIs underneath
applications on Windows. But there are few such tools, and little discussion, for embedded systems
such as Windows CE. This paper summarizes the principle as well as some key technologies of API
interception in the Windows CE system, compares the differences among the interception methods,
and gives a specific case.
The rest of the paper is organized in the following way. Section II surveys previous work in API
interception. Section III presents the principle of API interception. Section IV presents details of
some API interception methods. In Section V, a practical example is given and the results are
analyzed. Finally, a few remarks and discussion are sketched as a conclusion in Section VI.
Related Work
Whatever the platform, the basic principle of API interception is the same, and some methods can be
applied to both PCs and embedded systems. But on different systems the technology of API
interception may have its own characteristics, which are determined by how the system is implemented.
Article [7] introduces the principle of system calls in Windows CE and a method that uses this
principle to intercept APIs. Article [5] also describes this principle of system calls. The test code
given in article [7] is effective, but its method of loading the DLL is a bit complicated and its
compatibility is poor. In Windows CE 4.0 and later, a new function is implemented to load a
DLL into the kernel's address space. This function can be used to load the DLL that intercepts
system calls.
This article is an open access article under the terms and conditions of the Creative Commons Attribution (CC BY) license
(https://creativecommons.org/licenses/by/4.0)
Advanced Engineering Forum Vols. 6-7
functions that replace the original APIs are called pseudo-functions. The number and the types of
the actual arguments of a pseudo-function must be the same as those of the original API. The
pseudo-function may or may not call the original API. This is shown in Fig. 1.
Key Technologies
Replacing the system DLL in which the API resides. An executable file uses a DLL in one of two ways
in Windows CE: explicit linking or implicit linking. Explicit linking is also referred to as dynamic
loading or run-time dynamic linking. With explicit linking, the executable using the DLL must make
function calls to explicitly load the DLL through the system call ‘LoadLibrary’, unload it through
‘FreeLibrary’, and obtain the addresses of the DLL’s exported functions through ‘GetProcAddress’.
The client executable must then call the exported functions through function pointers.
Implicit linking is also referred to as static loading or load-time dynamic linking. With implicit
linking, the executable using the DLL links to an import library provided by the maker of the DLL.
The operating system loads the DLL when the executable is loaded. The client executable calls the
DLL's exported functions just as if the functions were contained within the executable [1].
Regardless of the kind of linking to a DLL, the name of the DLL must be specified in the
executable file. The difference is that in explicit linking the name of the DLL is specified by the
programmer, and in implicit linking it is specified by the linker. We can rename the original DLL
and put a new DLL in its place; the new DLL is called the pseudo DLL. If we implement in the pseudo
DLL all of the functions exported by the original DLL, then all functions of the original DLL are
intercepted. The functions of the original DLL can still be called by the pseudo DLL. This is shown
in Fig. 2. If a DLL with the requested name exists in the application's directory, ‘LoadLibrary’
ignores the specified path and loads the DLL from the application's directory. So there is no need
to modify the target application: the pseudo DLL can keep the same name as the original DLL. It is
only necessary that the target program and the pseudo DLL exist in the same directory.
When an executable links to a DLL using explicit linking, it is difficult to find where the DLL's
exported functions are called. An executable can call a function pointer anywhere, and such calls
have no obvious features by which to locate the code.
Another method is to find the entry point of the API in the DLL, save the first few bytes of code at
the entry point, and then modify that code to jump to the pseudo-function. When the pseudo-function
wants to call the original API, the saved code is executed first and then the rest of the original
API's code is executed. This method is shown in Fig. 3.
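The pseudo DLL of Fig. 2 reduced to a single pseudo-function, as an added example that is not from the paper: on a POSIX system the analogue of placing a same-named DLL beside the application is a same-named definition in the executable (or a preloaded library), and `dlsym(RTLD_NEXT, ...)` stands in for `LoadLibrary`/`GetProcAddress` to reach the original API. The names `hook_probe`, `hook_last_call` and `call_record` are my own; a real Windows CE pseudo DLL would additionally need `DllMain` and the CE loader calls, which this example does not reproduce.

```c
#define _GNU_SOURCE              /* needed for RTLD_NEXT on glibc */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct call_record {             /* most recent intercepted call */
    char path[256];
    char mode[8];
    int succeeded;               /* 1 if the original returned a handle */
    unsigned long count;         /* calls intercepted so far */
};
static struct call_record last_call;

const struct call_record *hook_last_call(void) { return &last_call; }

/* Pseudo-function: same name and signature as the original API. Because it
 * lives in the executable, the dynamic linker resolves every fopen() call
 * here, just as a pseudo DLL in the application's directory does on CE. */
FILE *fopen(const char *path, const char *mode)
{
    /* Resolve the original once (RTLD_NEXT skips our own definition); this
     * is the role LoadLibrary + GetProcAddress play inside a CE pseudo DLL. */
    static FILE *(*real_fopen)(const char *, const char *) = NULL;
    if (real_fopen == NULL) {
        *(void **)&real_fopen = dlsym(RTLD_NEXT, "fopen");
        if (real_fopen == NULL)
            abort();             /* nothing to forward to: never fake a result */
    }
    FILE *fp = real_fopen(path, mode);           /* call the original API */
    snprintf(last_call.path, sizeof last_call.path, "%s", path);
    snprintf(last_call.mode, sizeof last_call.mode, "%s", mode);
    last_call.succeeded = (fp != NULL);
    last_call.count++;
    fprintf(stderr, "[hook] fopen(\"%s\", \"%s\") -> %s\n",
            path, mode, fp ? "handle" : "NULL");
    return fp;
}

/* One open through the hook; returns 1 if the original API succeeded. */
int hook_probe(const char *path)
{
    FILE *fp = fopen(path, "r");                 /* transparently intercepted */
    if (fp) fclose(fp);
    return fp != NULL;
}

int main(void) { hook_probe("/dev/null"); return 0; }   /* stand-alone demo */
```

On glibc older than 2.34 the program must be linked with `-ldl`; the same source built as a shared object and injected with `LD_PRELOAD` intercepts the calls of an unmodified program, which is the POSIX counterpart of dropping the pseudo DLL into the application's directory.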
Conclusion
There are several ways to intercept APIs in the Windows CE system. But Windows CE is a
customizable embedded operating system, and customized systems are not identical. So each of these
methods has its own advantages and disadvantages.
References
[1] http://msdn.microsoft.com
[2] Chen Xiangqun, Wang Lei, Ma Hongbing, Xiang Yong, “Windows CE.NET System Analysis and
Experimental Tutorial,” China Machine Press, 2003.
[3] John Murray, “Inside Microsoft Windows CE,” Microsoft Press, 1998.
[4] Jeffrey Richter, “Programming Applications for Microsoft Windows,” Beijing: Mechanical
Industry Press, 2008.
[5] San, “Hacking Windows CE,” Phrack Magazine, 6(63), July 2005.
[6] http://itsme.home.xs4all.nl/projects/xda
[7] Dmitri Leman, “Spy: A Windows CE API Interceptor,” Dr. Dobb's Journal, October 2003.
[8] Microsoft, “Windows CE Source Code and Advanced Debugger Commands,” May 07, 2000.