
Thread: API Hooking

    Read the return address that was pushed by the original call on the stack. Disassemble/decode the call instruction preceding it, and resolve the function address from that one. Done.

    Thanks delta,

    Well, I have now done the first two parts of this (I have the return address and have disassembled the call instruction preceding it).

    It seems this call has different levels of indirection depending upon whether the target is built in debug/release.

    I am at the point where I have the function address, but I would really like to get its name. Any pointers on the best way to go about this?

    Should I process the export table of the dll?
    Should I call GetProcAddress for all exports of the DLL and compare each returned address with the one I have calculated?

    Is there a better solution?

    I feel that at the moment my code is somewhat of a sledgehammer to crack a nut.

    I spent some time yesterday afternoon playing around with the dbghelp API and StackWalk64, before realising I could get the return address off the stack with a couple of lines of asm...

    Thanks all

    If you are hooking only imports (contrary to arbitrary internal functions), I'd create a hash-table of all import addresses (or a plain sorted vector in which you can binary search) once at the start, and then resolve the function names from this one. Just remember to add all new addresses as soon as LoadLibrary() / GetProcAddress() is called (from your generic hook code, of course).

    And yes, the different levels of indirection should be auto-detected and handled first of all.

    I would personally suggest hooking both the import table of the application you want to 'spy on' and the export table of the DLL you want to 'spy on'. Someone got kinda close but mixed it up. I haven't ever needed to hook the export table (the programs I hook don't use GetProcAddress to dynamically look up the addresses of the functions), but you can use my HookImport routine (MASM source). The call shows how to hook the function "send" from "WSOCK32.DLL". Just make sure you take care of the parameters exactly as the original function would, i.e. declare the same parameters (otherwise you *must* jmp dword ptr [OriginalFunctionAddress] to return). You could modify this code slightly to look up the export address which is returned from GetProcAddress calls inside the module (DLL).

    Code:
    ; DWORD HookImport(LPCSTR lpszDllName, LPCSTR lpszFunction, LPVOID lpCallback)
    ; Win32 stdcall via MASM 'proto'; eax = 1 if the IAT slot was rewritten, 0 otherwise.
    HookImport proto :DWORD,:DWORD,:DWORD
    .data
    szWsock32dll db "WSOCK32.DLL",0     ; DLL name as listed in the executable's import directory
    szSend	db "send",0                 ; name of the import to redirect
    
    .code
    ...
    ; Redirect the executable's IAT slot for WSOCK32.DLL!send to Send_Hook.
    invoke HookImport,addr szWsock32dll,addr szSend,addr Send_Hook
    ...
    ;-----------------------------------------------------------------------
    ; int Send_Hook(SOCKET s, const char *buf, int len, int flags)
    ; ABI:   Win32 stdcall; declares the same four DWORD parameters as send
    ;        so the generated 'ret' cleans up the caller's arguments exactly
    ;        as the original would.
    ; Out:   eax = return value of send
    ; Pass-through hook: forwards the four arguments unchanged to send.
    ; NOTE(review): this calls send through this module's own import table.
    ; If the hook is linked into the executable whose IAT HookImport patches,
    ; that slot now points back at Send_Hook — confirm the hook lives in a
    ; separately loaded DLL, or call through the saved original address.
    ;-----------------------------------------------------------------------
    Send_Hook proc s:DWORD, buf:DWORD, llen:DWORD, flags:DWORD
        ; stdcall: arguments pushed right-to-left, callee cleans them up
        push flags
        push llen
        push buf
        push s
        call send
        ret
    Send_Hook endp
    ...
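    ;-----------------------------------------------------------------------
    ; DWORD HookImport(LPCSTR lpszDllName, LPCSTR lpszFunction, LPVOID lpCallback)
    ; ABI:   Win32 stdcall (MASM proc). 32-bit only: IAT slots are 4 bytes.
    ; In:    lpszDllName  - DLL name as it appears in the executable's import
    ;                       directory (compared case-insensitively via lstrcmpi)
    ;        lpszFunction - name of the import whose IAT slot is rewritten
    ;        lpCallback   - address written into that slot
    ; Out:   eax = 1 if one IAT slot was rewritten, 0 otherwise (NULL argument,
    ;        module/function not found, DLL not in the import directory,
    ;        address not present in its IAT, or VirtualProtect failure)
    ; Clobb: ecx, edx, flags. ebx/edi/esi are preserved via USES.
    ;
    ; Walks the main executable's (GetModuleHandle(NULL)) import directory,
    ; finds the descriptor for lpszDllName, and scans that descriptor's
    ; FirstThunk (the bound IAT) for the slot holding the address that
    ; GetProcAddress returns for lpszFunction. The slot is made writable,
    ; overwritten, and its previous page protection restored.
    ;
    ; Fixes relative to the earlier version:
    ;  - pushad/popad restored the caller's eax on exit, so the 1/0 result
    ;    was never returned; the result now lives in a local and eax is set
    ;    after the USES registers are popped.
    ;  - the restoring VirtualProtect call passed 'addr lOrigProtect' as the
    ;    new protection and NULL as the out-pointer, so it failed and the IAT
    ;    page stayed writable.
    ;  - the descriptor walk fell through onto the null terminator when the
    ;    DLL was not imported, and the IAT scan never stopped at the IAT's
    ;    null terminator; both cases now return 0 instead of reading onward.
    ;-----------------------------------------------------------------------
    HookImport proc uses ebx edi esi lpszDllName:DWORD, lpszFunction:DWORD, lpCallback:DWORD
        LOCAL hModule:DWORD
        LOCAL lOrigProtect:DWORD
        LOCAL lOldAddr:DWORD
        LOCAL lResult:DWORD

        mov lResult, 0                  ; default: nothing was hooked

        ; --- argument validation --------------------------------------------
        .if lpszDllName == 0 || lpszFunction == 0 || lpCallback == 0
            jmp @done
        .endif

        ; --- current address of the target import -----------------------------
        ; This is the value the loader stored in the executable's IAT slot.
        invoke GetModuleHandle, lpszDllName
        .if eax == 0
            jmp @done
        .endif
        invoke GetProcAddress, eax, lpszFunction
        .if eax == 0
            jmp @done
        .endif
        mov lOldAddr, eax

        ; The IAT being patched belongs to the main executable, not the DLL.
        invoke GetModuleHandle, NULL
        .if eax == 0
            jmp @done
        .endif
        mov hModule, eax

        ; --- locate the import directory --------------------------------------
        mov edi, hModule
        assume edi:ptr IMAGE_DOS_HEADER
        .if [edi].e_magic != IMAGE_DOS_SIGNATURE
            jmp @done
        .endif
        add edi, [edi].e_lfanew
        assume edi:ptr IMAGE_NT_HEADERS
        .if [edi].Signature != IMAGE_NT_SIGNATURE
            jmp @done
        .endif
        lea edx, [edi].OptionalHeader.DataDirectory
        add edx, IMAGE_DIRECTORY_ENTRY_IMPORT * sizeof IMAGE_DATA_DIRECTORY
        assume edx:ptr IMAGE_DATA_DIRECTORY
        mov edx, [edx].VirtualAddress   ; RVA of the import directory
        .if edx == 0
            jmp @done                   ; image has no imports at all
        .endif

        ; --- find the descriptor for lpszDllName ------------------------------
        mov edi, hModule
        add edi, edx
        assume edi:ptr IMAGE_IMPORT_DESCRIPTOR
        .while [edi].Name1 != 0
            mov ecx, hModule
            add ecx, [edi].Name1        ; ecx -> imported DLL's name
            invoke lstrcmpi, ecx, lpszDllName
            .break .if eax == 0
            add edi, sizeof IMAGE_IMPORT_DESCRIPTOR
        .endw
        .if [edi].Name1 == 0
            jmp @done                   ; DLL is not imported by this executable
        .endif
        .if [edi].FirstThunk == 0
            jmp @done
        .endif

        ; --- scan this DLL's IAT for the slot bound to lOldAddr ---------------
        ; The IAT is null-terminated; stop there rather than reading past it.
        mov esi, [edi].FirstThunk
        add esi, hModule
        assume esi:ptr IMAGE_THUNK_DATA
        mov eax, lOldAddr
        .while [esi].u1.Function != 0
            .break .if [esi].u1.Function == eax
            add esi, sizeof IMAGE_THUNK_DATA
        .endw
        .if [esi].u1.Function == 0
            jmp @done                   ; lpszFunction is not in this IAT
        .endif

        ; --- rewrite the slot -------------------------------------------------
        lea ebx, [esi].u1.Function
        invoke VirtualProtect, ebx, sizeof DWORD, PAGE_WRITECOPY, addr lOrigProtect
        .if eax == 0
            jmp @done                   ; could not make the slot writable
        .endif
        mov eax, lpCallback
        mov [ebx], eax
        ; Restore the previous protection so the IAT page is not left writable.
        invoke VirtualProtect, ebx, sizeof DWORD, lOrigProtect, addr lOrigProtect
        mov lResult, 1

    @done:
        assume edi:nothing
        assume esi:nothing
        assume edx:nothing
        mov eax, lResult                ; set after the callee-saved pops, so it survives
        ret
    HookImport endp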
