SQLite Forum

[Windows] SQLite dll hooking is nearly impossible due to recursive calls
Login
Hi,

I'm creating a tool (Windows) which is able to hook into the sqlite3.dll to monitor the actions from the main application.

Using function hooking the tool can detect when the application calls any of the exported functions from the sqlite3.dll and display the data.

What I have discovered is that the sqlite functionality inside the dll is calling its exported functions also. This is to me very strange that an exported function is used by the dll itself instead of calling internal functionality.

An example:

When the main application calls this from the sqlite3.dll

sqlite3_prepare16_v2 having this statement:

"CREATE TABLE Persons
(
id INTEGER PRIMARY KEY,
first_name TEXT NOT NULL,
last_name TEXT NOT NULL,
country_id INTEGER
);
COMMIT;"

The tool is able to detect this call and display the statement.

But then, while the initial sqlite3_prepare16_v2 is being executed, sqlite3 will call itself on the interface which is:

sqlite3_prepare_v2 having this statement:

"SELECT*FROM"main".sqlite_master ORDER BY rowid"

Then followed by sqlite3_step and sqlite3_finalize.

After that sqlite does another 	sqlite3_prepare_v2 having this statement:

"SELECT*FROM"main".sqlite_master WHERE tbl_name='Persons' AND type!='trigger' ORDER BY rowid"

followed with a couple of sqlite3_column_text calls.

All those internal calls are also detected by the tool, obviously because the functions are hooked.

So the tool gets a huge amount of internal calls which should not be known by the outside. The internal actions may be valid but why are those calls done on the provided interface and not internal?

Any trace tool will not be able to get any sensible information from sqlite when all this unrelated data is presented as one big pile of unknown calls.

So my question is why sqlite3.dll is doing this?

And how to solve this problem?
Is there another way to hook into sqlite3.dll to get the actual actions from the client of the dll?