Page 1 of 2 (posts 1 to 15 of 19)

Thread: API Hooking

  1. #1

    API Hooking

    I've done quite a bit of reading about API hooks; I've taken a look at Detours and a couple of other hooking APIs. The basic procedure I see is:

    Inject hooking DLL into process (using CreateRemoteThread?)
    Get address of API to hook, store original bytes (5)
    Overwrite with jump to hooked function
    etc...

    However, I basically want to hook all exported functions from a particular DLL. I also want to do this in a thread-safe way and on a per-process basis (not system-wide). I have also read about trampolining and suspending all threads whilst the hook is written, and I guess I'm going to have to do something along these lines.

    Can any of the experts here offer any advice on the best/most practical way to achieve this?

    --
    bedrock
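
The byte-level half of the procedure in the post above (save 5 bytes, write a jmp, build a trampoline), as an added example that is not part of the thread. It is x86-32 and uses constructed 32-bit addresses so it compiles and checks on any host; on Windows the patch site must first be made writable with VirtualProtect and followed by FlushInstructionCache. It also shows the hot-patch prologue (mov edi,edi plus a 5-byte pad) that most x86 system-DLL exports carry, because that case answers the thread-safety question: the hook is finished by one 2-byte store and needs no thread suspension and no trampoline.

```c
/* Added example (not from the thread): the byte-level part of an x86-32 inline
 * hook. Addresses are constructed 32-bit constants so it compiles anywhere; on
 * Windows the patched bytes need VirtualProtect(PAGE_EXECUTE_READWRITE) first
 * and FlushInstructionCache afterwards. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 rel32 */
#define HOTPATCH_PAD  5   /* INT3/NOP bytes the linker puts in front of a /hotpatch function */

/* Emit "jmp rel32" at address `from` landing on `to`; rel32 is relative to the end of the jmp. */
static void write_jmp_rel32(uint8_t *out, uint32_t from, uint32_t to)
{
    int32_t rel = (int32_t)(to - (from + JMP_REL32_LEN));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);
}

static int32_t read_rel32(const uint8_t *jmp)
{
    int32_t rel;
    memcpy(&rel, jmp + 1, sizeof rel);
    return rel;
}

/* Classic 5-byte hook: the trampoline re-executes the `n` bytes displaced from
 * `target`, then jumps back to target+n. Assumption: the caller chose n (>= 5) on
 * an instruction boundary and none of the copied instructions are EIP-relative;
 * a real engine uses a length disassembler for that. Returns the trampoline size. */
static size_t build_trampoline(uint8_t *tramp, uint32_t tramp_addr,
                               const uint8_t *stolen, size_t n, uint32_t target)
{
    memcpy(tramp, stolen, n);
    write_jmp_rel32(tramp + n, tramp_addr + (uint32_t)n, target + (uint32_t)n);
    return n + JMP_REL32_LEN;
}

/* /hotpatch functions begin with the 2-byte no-op "mov edi,edi" (8B FF) and are
 * preceded by 5 bytes of 0xCC or 0x90. `entry` must point >= 5 bytes into its buffer. */
static bool is_hotpatchable(const uint8_t *entry)
{
    if (entry[0] != 0x8B || entry[1] != 0xFF)
        return false;
    for (int i = 1; i <= HOTPATCH_PAD; i++)
        if (entry[-i] != 0xCC && entry[-i] != 0x90)
            return false;
    return true;
}

/* Hot-patch hook: write the long jmp into the pad first (nothing executes there
 * yet), then replace mov edi,edi with "jmp $-5" (EB F9). That second write is a
 * single 2-byte store, so other threads see either the old no-op or the complete
 * hook; nothing needs suspending. The original stays callable at entry+2. */
static bool apply_hotpatch(uint8_t *entry, uint32_t entry_addr, uint32_t hook_addr)
{
    if (!is_hotpatchable(entry))
        return false;
    write_jmp_rel32(entry - HOTPATCH_PAD, entry_addr - HOTPATCH_PAD, hook_addr);
    entry[0] = 0xEB;
    entry[1] = 0xF9;
    return true;
}

/* Constructed: 5 x INT3, then mov edi,edi; push ebp; mov ebp,esp at 0x7C801000.
 * Returns the displacement written into the pad, or 0 if the patch failed. */
static int32_t demo_hotpatch(uint32_t hook_addr)
{
    uint8_t code[16] = { 0xCC,0xCC,0xCC,0xCC,0xCC, 0x8B,0xFF, 0x55, 0x8B,0xEC };
    uint8_t *entry = code + HOTPATCH_PAD;
    if (!apply_hotpatch(entry, 0x7C801000u, hook_addr))
        return 0;
    if (entry[0] != 0xEB || entry[1] != 0xF9 || entry[2] != 0x55)  /* rest of prologue untouched */
        return 0;
    return read_rel32(code);
}

/* Constructed: plain prologue push ebp; mov ebp,esp; sub esp,0x10 (6 bytes) at
 * 0x10001000, trampoline at 0x20000000. Returns the back-jump displacement. */
static int32_t demo_trampoline(void)
{
    const uint8_t stolen[] = { 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 };
    uint8_t tramp[sizeof stolen + JMP_REL32_LEN];
    size_t len = build_trampoline(tramp, 0x20000000u, stolen, sizeof stolen, 0x10001000u);
    return len == sizeof tramp ? read_rel32(tramp + sizeof stolen) : 0;
}

int main(void)
{
    printf("hot-patch pad jmp rel32 = %d\n", demo_hotpatch(0x10002000u));
    printf("trampoline back-jmp rel32 = %d\n", demo_trampoline());
    return 0;
}
```

The order of the two writes in apply_hotpatch is the whole point: the long jmp lands in bytes no thread ever executes, and the 2-byte store is the only moment the live code changes. For a function without that prologue you are back to the classic case, where the 5-byte write can tear under a thread sitting mid-prologue, which is why engines suspend threads and re-check instruction pointers.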

  2. #2
    IAT hooking is a good option if you only need to target calls from a single module, especially if you aim to target an existing project. The other reasonable choice is to write a proxy DLL (which forwards each exported call to the real DLL) and put it in the application's directory - provided this suits your needs, it's clean, easy and reliable.
    www.ring3circus.com
    Diary of a programmer, journal of a hacker.

  3. #3
    I may have got confused, but will IAT hooking allow me to hook calls in the whole process (or just in a single module)?

    A proxy DLL sounds great, but I want to be able to hook one process while allowing another process which uses the same DLL exports to run as normal. From what I know about proxy DLLs, I would have to rename the real.dll to something like real_.dll and then insert my proxy DLL as real.dll, so I'm not sure this is going to work.

    --
    bedrock

  4. #4
    naides
    Bedrock:
    You need to put the proxy (let's call it my.dll), with the same name as the "general" my.dll, in the process's working folder.

    By default, the loader searches for my.dll in the current working folder first, loading your modified version. If not found, which would happen if any other process (starting from a different folder, of course) tries to load my.dll, the loader will look for modules called my.dll in the usual places, \windows\system32 etc.

  5. #5
    dELTA
    Quote Originally Posted by naides:
    Bedrock:
    You need to put the proxy (let's call it my.dll), with the same name as the "general" my.dll, in the process's working folder.

    By default, the loader searches for my.dll in the current working folder first, loading your modified version. If not found, which would happen if any other process (starting from a different folder, of course) tries to load my.dll, the loader will look for modules called my.dll in the usual places, \windows\system32 etc.
    Actually, this is not true by default in later Windows versions (XP SP2 and upwards). Windows can be tweaked to work this way on your own machine though, see the following for more info:

    http://msdn2.microsoft.com/en-us/library/ms682586.aspx
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  6. #6
    Quote Originally Posted by bedrock:
    I may have got confused, but will IAT hooking allow me to hook calls in the whole process (or just in a single module)?
    Both, kind of. Each module has its own IAT, which it uses to resolve its own outgoing inter-modular calls. By patching an IAT entry you can redirect all calls from the owning module to wherever you choose, on a per-function basis. Calls from any other module to the same compile-time target will remain unaffected. Of course, there's nothing stopping you patching the IAT for each module in the process, which would then have the effect of re-routing all static calls, but this is usually unnecessary.
    www.ring3circus.com
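
What "each module has its own IAT" looks like in code, as an added example that is not part of the thread: walk one module's import descriptors, find the slot for a named function from a named DLL, and overwrite that slot only. It runs against a small constructed 32-bit image (made-up DLL and export names, made-up resolved addresses) so it compiles anywhere; the struct layout is the one from winnt.h. On Windows the image base is the HMODULE, the import directory RVA comes from IMAGE_DIRECTORY_ENTRY_IMPORT in the optional header, and the slot has to be made writable with VirtualProtect before the store. Repeating this over every module returned by EnumProcessModules gives the "patch every IAT in the process" variant mentioned in the post.

```c
/* Added example (not from the thread): walking a module's import directory and
 * patching a single IAT slot, on a constructed 32-bit image. On Windows `base` is
 * the HMODULE and `import_rva` comes from IMAGE_DIRECTORY_ENTRY_IMPORT. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* IMAGE_IMPORT_DESCRIPTOR (winnt.h), redefined so no SDK header is needed. */
typedef struct {
    uint32_t OriginalFirstThunk; /* RVA of the import name table: names/ordinals, never rewritten by the loader */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;               /* RVA of the DLL name */
    uint32_t FirstThunk;         /* RVA of the IAT: the slots the loader fills with resolved addresses */
} ImportDescriptor;

#define IMAGE_SIZE   0x1000
#define RVA_IMPORTS  0x100
#define RVA_DLLNAME  0x200
#define RVA_INT      0x300
#define RVA_IAT      0x400
#define RVA_NAMES    0x500
#define ORDINAL_FLAG 0x80000000u

static int name_ieq(const char *a, const char *b)   /* DLL names match case-insensitively */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Locate the IAT slot for `func` imported from `dll`, or NULL if this module does not import it. */
static uint32_t *find_iat_slot(uint8_t *base, uint32_t import_rva, const char *dll, const char *func)
{
    ImportDescriptor *d = (ImportDescriptor *)(base + import_rva);
    for (; d->Name != 0; d++) {                      /* an all-zero descriptor ends the list */
        if (!name_ieq((const char *)(base + d->Name), dll))
            continue;
        /* Some old linkers leave OriginalFirstThunk zero; the names then sit in the IAT until load time. */
        uint32_t  int_rva = d->OriginalFirstThunk ? d->OriginalFirstThunk : d->FirstThunk;
        uint32_t *names   = (uint32_t *)(base + int_rva);
        uint32_t *slots   = (uint32_t *)(base + d->FirstThunk);
        for (; *names != 0; names++, slots++) {
            if (*names & ORDINAL_FLAG)               /* imported by ordinal: no name to compare */
                continue;
            const char *name = (const char *)(base + *names + 2);  /* IMAGE_IMPORT_BY_NAME: 2-byte hint, then name */
            if (strcmp(name, func) == 0)
                return slots;
        }
    }
    return NULL;
}

/* Redirect one import of this module only; returns the previous slot value, 0 if not found. */
static uint32_t hook_import(uint8_t *base, uint32_t import_rva, const char *dll, const char *func, uint32_t hook)
{
    uint32_t *slot = find_iat_slot(base, import_rva, dll, func);
    if (slot == NULL)
        return 0;
    uint32_t old = *slot;
    *slot = hook;               /* on Windows wrap this in VirtualProtect(slot, 4, PAGE_READWRITE, &prot) */
    return old;
}

/* Constructed image: one descriptor, real.dll importing Alpha (by name), ordinal 7 and Beta. */
static uint32_t image_words[IMAGE_SIZE / 4];   /* uint32_t storage keeps the descriptors aligned */

static uint8_t *build_image(void)
{
    uint8_t *base = (uint8_t *)image_words;
    memset(base, 0, IMAGE_SIZE);
    ImportDescriptor *d = (ImportDescriptor *)(base + RVA_IMPORTS);
    d[0].OriginalFirstThunk = RVA_INT;
    d[0].Name = RVA_DLLNAME;
    d[0].FirstThunk = RVA_IAT;                  /* d[1] stays all-zero: terminator */
    strcpy((char *)base + RVA_DLLNAME, "real.dll");
    strcpy((char *)base + RVA_NAMES + 2, "Alpha");     /* hint bytes left 0, then the name */
    strcpy((char *)base + RVA_NAMES + 0x12, "Beta");
    uint32_t *names = (uint32_t *)(base + RVA_INT), *slots = (uint32_t *)(base + RVA_IAT);
    names[0] = RVA_NAMES;          slots[0] = 0x7C801000u;   /* Alpha, as the loader would have resolved it */
    names[1] = ORDINAL_FLAG | 7;   slots[1] = 0x7C802000u;   /* #7 */
    names[2] = RVA_NAMES + 0x10;   slots[2] = 0x7C803000u;   /* Beta */
    return base;
}

/* Demos on a fresh image: the value replaced, and IAT slot `idx` after the hook. */
static uint32_t demo_old_value(const char *dll, const char *func, uint32_t hook)
{
    return hook_import(build_image(), RVA_IMPORTS, dll, func, hook);
}

static uint32_t demo_slot_after(const char *dll, const char *func, uint32_t hook, int idx)
{
    uint8_t *base = build_image();
    hook_import(base, RVA_IMPORTS, dll, func, hook);
    return ((uint32_t *)(base + RVA_IAT))[idx];
}

int main(void)
{
    printf("Beta slot was 0x%08X, now 0x%08X; Alpha slot still 0x%08X\n",
           demo_old_value("REAL.DLL", "Beta", 0x10001000u),
           demo_slot_after("real.dll", "Beta", 0x10001000u, 2),
           demo_slot_after("real.dll", "Beta", 0x10001000u, 0));
    return 0;
}
```

Two things the walk makes visible that the prose does not: the name table and the IAT are parallel arrays, so you match on one and patch the other; and anything imported by ordinal, or resolved at run time through GetProcAddress, never passes through this slot at all, which is exactly the "static imports only" limitation raised later in the thread.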

  7. #7
    dELTA
    The next level would be to hook the APIs by patching a single hook into the first code bytes of each DLL export, which would be guaranteed to be global for all modules in the entire process (still only for that single process though, due to the copy-on-write semantics of DLLs in NT based Windows versions).

  8. #8
    Quote Originally Posted by dELTA:
    The next level would be to hook the APIs by patching a single hook into the first code bytes of each DLL export, which would be guaranteed to be global for all modules in the entire process (still only for that single process though, due to the copy-on-write semantics of DLLs in NT based Windows versions).
    We should probably mention Microsoft's Detours (http://research.microsoft.com/sn/detours/), which provides a slightly different but very powerful and reliable way of achieving the same thing.
    www.ring3circus.com

  9. #9
    dELTA
    We should probably mention the entire following CRCETL category, while we're at it.

    http://www.woodmann.com/collaborative/tools/index.php/Category:Code_Injection_Tools

  10. #10
    Guys, thanks for all the info.

    I have read about Detours (and other hooking APIs). I understand how to do the hooking; it was simply that I wanted to hook every export of a specific DLL and I was just interested in the best way to achieve this.

    @dELTA, I know how much you love the CRCETL, so here are a few more hooking engines I came across:

    http://www.madshi.net/madCodeHookDescription.htm
    http://codefromthe70s.org/mhook2.asp
    http://www.x86coders.com/public/DetourXS.rar
    --
    bedrock

  11. #11
    dELTA
    Thanks for the tips.

    I added all but the madCodeHook, since it was purely commercial, and in the cases/categories where there are enough equivalent free tools available, I usually don't add commercial-only ones at all.

  12. #12
    disavowed
    I wouldn't recommend doing hooking via IAT patching, since, as admiral said above, this will only allow you to hook static imports. I've had good luck with Detours (which doesn't use CreateRemoteThread for DLL injection, btw).

  13. #13
    Careful though, Detours has a couple of bugs.
    --
    Best regards,
    Alex Ionescu

  14. #14
    disavowed
    Yes, it also has a bunch of unnecessary checks that can be removed. For example, it fails if it can't get a good CRC, though you can change the code to tell it to ignore that. It also fails if the target doesn't have an import table, but you can modify Detours to fix that as well so that it doesn't give up.

  15. #15
    I am progressing with this project a little, and rather than writing lots of hook functions, it occurred to me that it would be nice to write a generic hook that I could use to hook multiple functions inside the target.

    I don't know if this is possible?

    I am mostly a C/C++ coder, but I have dabbled with a little assembly and am comfortable inside Olly for debugging purposes.

    I'd like to create the following (I think):
    Code:
    __declspec(naked) HRESULT WINAPI hook_Generic()
    {
        __asm pushad;      // naked: the compiler emits no prologue, so save the registers ourselves

        // do some stuff

        __asm popad;

        // call original func
    }
    My problem is this, assuming this is a generic hook, when it executes, how can I figure out which original function I should call?

    Thanks in advance

    --
    bedrock
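
One common answer to the question in the post above, added here as an example and not taken from the thread: give every hooked function its own tiny stub, "push <index>; jmp hook_common", and point the patched bytes (or IAT slot) at that stub instead of at the shared routine. The shared routine then pops the index off the stack, which tells it which entry of a table holds the original to continue to. The stub emitters below are portable C and run anywhere; the handler itself is x86-32 MSVC inline asm in the style of the posted snippet and is compiled only on Windows. All names, table contents and addresses are assumptions.

```c
/* Added example (not from the thread): one hook routine serving many functions.
 * Each hooked function gets a 10-byte stub "push <index>; jmp common"; the shared
 * handler pops the index and tail-jumps to the matching original. Names and
 * addresses below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_LEN  10   /* 68 imm32 (push) + E9 rel32 (jmp) */
#define MAX_HOOKS 64
#if defined(_MSC_VER)
#define CDECL __cdecl
#else
#define CDECL
#endif

/* Per-hook table: where to continue (the trampoline, or entry+2 for a hot-patched export). */
static uint32_t    g_original[MAX_HOOKS];
static const char *g_name[MAX_HOOKS];
static uint8_t     g_stub_area[MAX_HOOKS * STUB_LEN];   /* on Windows: VirtualAlloc'd, PAGE_EXECUTE_READ */

static void write_jmp_rel32(uint8_t *out, uint32_t from, uint32_t to)
{
    int32_t rel = (int32_t)(to - (from + 5));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);
}

/* Stub number `index` placed at `stub_addr`: push index; jmp common. */
static void write_stub(uint8_t *out, uint32_t stub_addr, uint32_t index, uint32_t common_addr)
{
    out[0] = 0x68;
    memcpy(out + 1, &index, sizeof index);
    write_jmp_rel32(out + 5, stub_addr + 5, common_addr);
}

static uint32_t stub_addr_for(uint32_t area_addr, uint32_t index)
{
    return area_addr + index * STUB_LEN;   /* this is what goes into hook k's jmp or IAT slot */
}

/* Emit `count` stubs back to back; returns bytes written. */
static size_t write_stub_table(uint8_t *area, uint32_t area_addr, size_t count, uint32_t common_addr)
{
    for (size_t k = 0; k < count; k++)
        write_stub(area + k * STUB_LEN, stub_addr_for(area_addr, (uint32_t)k), (uint32_t)k, common_addr);
    return count * STUB_LEN;
}

/* Decoders used to check an emitted stub. */
static uint32_t stub_index(const uint8_t *stub) { uint32_t v; memcpy(&v, stub + 1, 4); return v; }
static uint32_t stub_jmp_target(const uint8_t *stub, uint32_t stub_addr)
{
    int32_t rel;
    memcpy(&rel, stub + 6, 4);
    return stub_addr + STUB_LEN + (uint32_t)rel;
}

/* Per-call work in plain C, so the asm stays minimal. */
static void CDECL on_call(uint32_t index, uint32_t return_addr)
{
    printf("hook %u (%s) called from 0x%08X\n", index, g_name[index], return_addr);
}

#if defined(_MSC_VER) && defined(_M_IX86)
/* Shared handler. On entry from a stub: [esp] = index, [esp+4] = caller's return
 * address, [esp+8..] = the arguments, all exactly as the caller pushed them. */
__declspec(naked) void hook_common(void)
{
    __asm {
        pop  eax                          ; index; the stack is now exactly as the caller left it
        pushad
        push dword ptr [esp + 32]         ; return address sits above the 8 saved registers
        push eax
        call on_call
        add  esp, 8
        popad                             ; eax comes back as the index (pushad ran after the pop)
        jmp  dword ptr [g_original + eax * 4]   ; tail-jump: the original returns straight to the caller
    }
}
#endif

/* Demos on a constructed stub area at address `area_addr`. */
static uint32_t demo_index(size_t count, uint32_t area_addr, uint32_t common, uint32_t k)
{
    write_stub_table(g_stub_area, area_addr, count, common);
    return stub_index(g_stub_area + k * STUB_LEN);
}

static uint32_t demo_target(size_t count, uint32_t area_addr, uint32_t common, uint32_t k)
{
    write_stub_table(g_stub_area, area_addr, count, common);
    return stub_jmp_target(g_stub_area + k * STUB_LEN, stub_addr_for(area_addr, k));
}

int main(void)
{
    g_name[0] = "CreateFileW"; g_original[0] = 0x7C801A28u;   /* constructed entries */
    g_name[1] = "ReadFile";    g_original[1] = 0x7C80180Eu;
    printf("stub 1 at 0x%08X pushes %u and jumps to 0x%08X\n", stub_addr_for(0x20000000u, 1),
           demo_index(2, 0x20000000u, 0x20001000u, 1), demo_target(2, 0x20000000u, 0x20001000u, 1));
    on_call(1, 0x00401234u);   /* what the handler would log for a call from that address */
    return 0;
}
```

Because the stub only pushes one dword and the handler pops it straight back off, the original sees its arguments and return address untouched, so the same handler works for stdcall and cdecl exports alike. The tail-jump is what makes it generic: the handler never needs to know the prototype, it only needs the index.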
