It is currently Wed Dec 11, 2019 6:19 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 28 posts ]  Go to page Previous  1, 2
Author Message
 Post subject: Re: Extended Inline API Hooking
PostPosted: Wed Aug 18, 2010 6:13 pm 
Offline
Addict
Addict
User avatar

Joined: Sat Feb 19, 2005 5:05 pm
Posts: 1769
Location: Norway
I know that, but read the topic title and look at the source in the first post again.

It doesn't really hook the API (OS) function now does it? It just changes the function table pointer (!) in the "current" process,
that's what I reacted too originally when I saw the post.

It's not like I could guess it was Part B of a larger code now could I? ;)

(I just felt like pointing that confusion out as too often people just dump code into Tips'n'Tricks and it's not always easy to know what it's intended for or if it's a complete example or is supposed to be used with other code to really work, I liked how simple it was and felt a need to point out the few issues I found with it.)


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Wed Aug 18, 2010 9:52 pm 
Offline
User
User

Joined: Mon Mar 22, 2010 3:08 pm
Posts: 61
@Rescator
Hmm, taking all into one post, so basically you want me to do what? Make also an example to demonstrate the injection and ejection process? You should list it down :P. I was also trying to improve my code :D. Umm, about the Unicode function, can you name one function?


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Wed Aug 18, 2010 10:00 pm 
Offline
Addict
Addict
User avatar

Joined: Sat Aug 15, 2009 6:59 pm
Posts: 1252
PyroStrex wrote:
Edit: Oh, and can you also tell me what other function that cannot be hooked? ASM view would be nice :)

For example DbgBreakPoint.
It's only a 2 byte procedure.

Code:
int 3
ret


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Wed Aug 18, 2010 10:09 pm 
Offline
User
User

Joined: Mon Mar 22, 2010 3:08 pm
Posts: 61
Thorium wrote:
PyroStrex wrote:
Edit: Oh, and can you also tell me what other function that cannot be hooked? ASM view would be nice :)

For example DbgBreakPoint.
It's only a 2 byte procedure.

Code:
int 3
ret


Owh, i can do IAT Hooking for this. If fails, EAT Hooking will try to support. But dunno if it will still fail though. I will go and take a look.


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Sun Sep 26, 2010 2:23 am 
Offline
User
User

Joined: Mon Mar 22, 2010 3:08 pm
Posts: 61
Added The UnHook Function and the example also updated.


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Wed May 21, 2014 2:00 pm 
Offline
Enthusiast
Enthusiast

Joined: Mon Aug 30, 2010 11:51 am
Posts: 101
I know this a bit old topic, but a very useful one.
My ASM knowledge is very poor.
Does anyone now how to get this function working for x64?


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Mon Oct 21, 2019 12:59 am 
Offline
Enthusiast
Enthusiast

Joined: Thu Jul 18, 2013 4:58 am
Posts: 122
Updated 5.7X as a module. Removed OpenProcess so it will only work for the current process that it's running in (you can re-add it if needed).

Detour.pbi
Code:
DeclareModule CHook
 
  Import "Kernel32.lib"
    GetProcAddress_(hModule.l, lpProcName.p-ascii) As "_GetProcAddress@8"
  EndImport
 
  Declare.b InlineHook(LibraryName.s, LibraryFunction.s, NewFunction.l, OldFunction.l)
  Declare.b InlineUnhook(LibraryName.s, LibraryFunction.s, NewFunction.l, OldFunction.l)
 
EndDeclareModule

Module CHook
 
  ; --------------------------------------------------
  ;   Install Hook
  ; --------------------------------------------------
 
  Procedure.b InlineHook(LibraryName.s, LibraryFunction.s, NewFunction.l, OldFunction.l)
   
    Protected.l OldAddr, NewAddr, RetAddr, CodeAddress, OldProtection
   
    OldAddr = GetProcAddress_(GetModuleHandle_(LibraryName), LibraryFunction)
    NewAddr = NewFunction
    RetAddr = OldAddr + 5
   
    CodeAddress = VirtualAllocEx_(GetCurrentProcess_(), #Null, 10, #MEM_COMMIT, #PAGE_EXECUTE_READWRITE)
   
    If CodeAddress = #Null
      ProcedureReturn #False
    EndIf
   
    VirtualProtect_(OldAddr, 5, #PAGE_EXECUTE_READWRITE, @OldProtection)
   
    ; Trampoline
    CopyMemory(OldAddr, CodeAddress, 5)
    PokeB(CodeAddress + 5, $E9)
    PokeL(CodeAddress + 6, RetAddr - (CodeAddress + 10))
   
    ; JMP To Detour Function
    PokeB(OldAddr + 0, $E9)
    PokeL(OldAddr + 1, ((NewAddr - OldAddr) - 5))
   
    VirtualProtect_(OldAddr, 5, OldProtection, @OldProtection)
   
    ; Update Prototype Pointer To Point To Trampoline
    PokeL(OldFunction, CodeAddress)
   
    ProcedureReturn #True
   
  EndProcedure
 
  ; --------------------------------------------------
  ;   Remove Hook
  ; --------------------------------------------------
 
  Procedure.b InlineUnhook(LibraryName.s, LibraryFunction.s, NewFunction.l, OldFunction.l)
   
    Protected.l OldAddr, CodeAddress, OldProtection
   
    OldAddr = GetProcAddress_(GetModuleHandle_(LibraryName), LibraryFunction)
    CodeAddress = PeekL(OldFunction)
   
    If CodeAddress = #Null
      ProcedureReturn #False
    EndIf
   
    ; Restore Bytes Of Original Function
    VirtualProtect_(OldAddr, 5, #PAGE_EXECUTE_READWRITE, @OldProtection)
    CopyMemory(CodeAddress, OldAddr, 5)
    VirtualProtect_(OldAddr, 5, OldProtection, @OldProtection)
   
    ; Free Trampoline
    FillMemory(CodeAddress, 10, 0)
    VirtualFreeEx_(GetCurrentProcess_(), CodeAddress, 0, #MEM_RELEASE)
   
    ; Update Prototype Pointer To Point To Hook Function
    PokeL(OldFunction, NewFunction)
   
    ProcedureReturn #True
   
  EndProcedure
 
EndModule


Example.pb
Code:
XIncludeFile "Detour.pbi"

Prototype.l RealMessageBoxW(hWnd.l, lpText.s, lpCaption.s, uType.l)

Global o_MessageBoxW.RealMessageBoxW

Procedure.l MyMessageBoxW(hWnd.l, lpText.s, lpCaption.s, uType.l)
  ProcedureReturn o_MessageBoxW(hWnd, "MessageBoxW Is Now Hooked!", lpCaption, uType)
EndProcedure

CHook::InlineHook("User32.dll", "MessageBoxW", @MyMessageBoxW(), @o_MessageBoxW)
MessageRequester("Demo", "This Is Test A!")

CHook::InlineUnhook("User32.dll", "MessageBoxW", @MyMessageBoxW(), @o_MessageBoxW)
MessageRequester("Demo", "This Is Test B!")

_________________
Image


Last edited by Opcode on Thu Oct 24, 2019 2:14 am, edited 3 times in total.

Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Mon Oct 21, 2019 11:50 pm 
Offline
Addict
Addict

Joined: Sat Jun 30, 2007 8:04 pm
Posts: 3362
I'm not well versed in these kind of things. The example works but it fails for detouring GetTickCount() with an invalid memory access:

Code:
Prototype.l o_GetTickCount()

Global o_GetTickCount.o_GetTickCount

Procedure.l MyGetTickCount()
  ProcedureReturn o_GetTickCount()
EndProcedure

CHook::InlineHook("Kernel32.dll","GetTickCount",@MyGetTickCount(),@o_GetTickCount)

MyGetTickCount()


This function doesn't seem to work with the solution from the hot patching thread either:

viewtopic.php?f=12&t=47406


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Tue Oct 22, 2019 5:08 am 
Offline
Enthusiast
Enthusiast

Joined: Thu Jul 18, 2013 4:58 am
Posts: 122
Mistrel wrote:
I'm not well versed in these kind of things. The example works but it fails for detouring GetTickCount() with an invalid memory access:

Code:
Prototype.l o_GetTickCount()

Global o_GetTickCount.o_GetTickCount

Procedure.l MyGetTickCount()
  ProcedureReturn o_GetTickCount()
EndProcedure

CHook::InlineHook("Kernel32.dll","GetTickCount",@MyGetTickCount(),@o_GetTickCount)

MyGetTickCount()


This function doesn't seem to work with the solution from the hot patching thread either:

viewtopic.php?f=12&t=47406

This should work, however retrieving the real tick count via o_GetTickCount() causes a crash. My guess is it gets patched by jmp unconditionally (e.g. hook has to be removed to call it).
Code:
XIncludeFile "Detour.pbi"

Prototype.i RealGetTickCount()

Global o_GetTickCount.RealGetTickCount

Procedure.i MyGetTickCount()
  ProcedureReturn 1337
EndProcedure

Debug GetTickCount_() ; Will display real tick count.

CHook::InlineHook("Kernel32.dll", "GetTickCount", @MyGetTickCount(), @o_GetTickCount)

Debug GetTickCount_() ; Will display 1337 from detour.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Tue Oct 22, 2019 6:18 am 
Offline
Addict
Addict

Joined: Sat Jun 30, 2007 8:04 pm
Posts: 3362
Is there a way to fix this to also support calling the old function? I want to adjust the result and need to call the original function for as a reference.


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Tue Oct 22, 2019 7:12 am 
Offline
Enthusiast
Enthusiast
User avatar

Joined: Sun Sep 11, 2016 2:17 pm
Posts: 577
Mistrel wrote:
Is there a way to fix this to also support calling the old function? I want to adjust the result and need to call the original function for as a reference.


Either unhook the function, call it and rehook (bad) or you just jump over the opcodes
of the hook by adjusting the function address.

Or be really lazy and call/use the Nt/Rtl/syscall counterpart.

Or hook the IAT to easily call the original function.


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Tue Oct 22, 2019 8:45 am 
Offline
Addict
Addict

Joined: Sat Jun 30, 2007 8:04 pm
Posts: 3362
I don't understand how to do any of that. Except maybe call the Nt counterpart.


Top
 Profile  
Reply with quote  
 Post subject: Re: Extended Inline API Hooking
PostPosted: Tue Oct 22, 2019 8:37 pm 
Offline
Enthusiast
Enthusiast

Joined: Thu Jul 18, 2013 4:58 am
Posts: 122
Mistrel wrote:
I don't understand how to do any of that. Except maybe call the Nt counterpart.

That's one possibility.
Code:
XIncludeFile "Detour.pbi"

Prototype.l RealGetTickCount()

Global o_GetTickCount.RealGetTickCount

Procedure.l MyGetTickCount()
 
  Protected.l Result = NtGetTickCount_()
  ProcedureReturn Result / 2
 
EndProcedure

Debug GetTickCount_() ; Returns real tick count.

CHook::InlineHook("Kernel32.dll", "GetTickCount", @MyGetTickCount(), @o_GetTickCount)

Debug GetTickCount_() ; Returns real tick count / 2.

_________________
Image


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 28 posts ]  Go to page Previous  1, 2

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 6 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  

 


Powered by phpBB © 2008 phpBB Group
subSilver+ theme by Canver Software, sponsor Sanal Modifiye