
Thread: Not quite hooking...

  1. #31
    dELTA (Administrator)
    That's such a boring solution.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  2. #32
    Quote Originally Posted by dELTA View Post
    That's such a boring solution.
    TRUE! But since I was seemingly unable to properly define what it was that I needed help with, and was unable to work it out myself, I had to look for OTHER avenues, and this one just happened to be available to me.

    It was amazing how much my source was cleaned up once I removed the 6 types of hooking that I had in it. And all their support functions, and whatnot.

  3. #33
    dELTA (Administrator)
    Hehe, it's completely right though, the path of the reverser is the one of least resistance, anything else is superfluous. For educational or entertainment purposes it could be comparatively boring sometimes though, as e.g. in this case.

  4. #34
    Completely boring, I admit. I would have liked to have done it the other way, but it was not to be.

    Much like flowing water, we must take the path of least resistance.

  5. #35
    Well, I'm 99.99% of the way there. Here's the latest twist.

    Did you know that if you log out of Windows, all your cursor and key routines fail, causing you to time out? I certainly didn't until now!

    Here's the deal: as long as I'm logged in, my "Timeout stopper" works just fine, but if the user logs out, the timeout timer starts running and my code can't reset it.

    Weird, huh?

    Ideas?

  6. #36
    dELTA (Administrator)
    Quote Originally Posted by FrankRizzo View Post
    Ideas?
    Don't log out of Windows while playing the game you're trying to cheat in?

  7. #37
    Quote Originally Posted by dELTA View Post
    Don't log out of Windows while playing the game you're trying to cheat in?
    He he he.

    Believe it or not, it's not a game, I'm just raping an internet radio station.

  8. #38
    Anyone care if I resurrect my own thread?

    A long time ago, I mentioned circumventing ASPR via EAT hooking. Well, time marches on, and here I am again, staring at a target packed with ASPR. The target calls a DLL which is also packed. This DLL calls WriteProcessMemory to update some bytes in the "slave app" that gets launched by the main app, which is a launcher.

    So, main app "Launcher", and DLL used to do WriteProcessMemory, both protected with ASPR.
    The launcher launches an app suspended, and diddles with it before releasing it to run.

    I can't find my old EAT hooking code, so I grabbed CHook and started from there. Since I ONLY need EAT hooking, I grabbed the function and gutted all the unneeded stuff from it.

    Now, in my app, I hook the EAT for WriteProcessMemory, and then execute the launcher (which loads the DLL, which calls WriteProcessMemory).

    My replacement function is never called.

    Here's the code (everything except for the #define that would give you the target name):

    Code:
    #include <windows.h>
    #include <tchar.h>

    // Helpers the listing takes from CHook / Matt Pietrek's PE code. They were not
    // part of the post and are reproduced here as assumptions so the file compiles
    // as a 32-bit, ANSI (non-Unicode) build, which the sizeof(u32) export-slot
    // arithmetic in HookEAT and the narrow-string MessageBox calls require.
    typedef unsigned char  u8;
    typedef unsigned long  u32;
    typedef long           s32;
    #define MakePtr(cast, ptr, add)  ((cast)((DWORD_PTR)(ptr) + (DWORD_PTR)(add)))
    #define MakeDelta(cast, x, y)    ((cast)((DWORD_PTR)(x) - (DWORD_PTR)(y)))

    // The poster withheld the #define that names the target; placeholder only.
    #define filename TEXT("PLACEHOLDER_LAUNCHER.EXE")

    typedef BOOL (WINAPI *pWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T *);
    static pWriteProcessMemory pfWriteProcessMemory;   // original API, called from the hook

    // Headers of the module whose export table is being patched (set by HookEAT).
    static IMAGE_DOS_HEADER *dosHd;
    static IMAGE_NT_HEADERS *ntHd;

    bool HookEAT(FARPROC hookFrom, FARPROC hookTo);
    BOOL WINAPI EAT_WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
    void error(LPCTSTR lpszFunction);

    int _tmain(int argc, _TCHAR* argv[])
    {
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        HANDLE hProcess;
        DWORD exitValue;

        // Resolve the real WriteProcessMemory, then redirect its export entry.
        // NB: this patches the export table of kernel32 as mapped in *this* process.
        pfWriteProcessMemory = (pWriteProcessMemory) GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "WriteProcessMemory");
        if(HookEAT((FARPROC) pfWriteProcessMemory, (FARPROC) &EAT_WriteProcessMemory) == false)
        {
            error(TEXT("Can't Hook"));
            return 0;
        }

        ZeroMemory( &si, sizeof(si) );
        si.cb = sizeof(si);
        ZeroMemory( &pi, sizeof(pi) );

        if(CreateProcess(filename, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi) == 0)
        {
            error(TEXT("CreateProcess"));
            return 0;
        }

        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pi.dwProcessId);
        if(hProcess == NULL)
        {
            error(TEXT("OpenProcess"));
            return 0;
        }

        // Poll until the launcher exits.
        for(;;)
        {
            GetExitCodeProcess(hProcess, &exitValue);
            if(exitValue != STILL_ACTIVE)
            {
                break;
            }
            else
            {
                Sleep(500);
            }
        }

        CloseHandle(hProcess);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        return 0;
    }


    // Replacement for WriteProcessMemory: announce the call, then forward it.
    BOOL WINAPI EAT_WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
    {
        // Maybe listening to Dub side of the moon isn't good while writing code.  ;-)
        MessageBox(NULL, TEXT("Money is power"), TEXT("HA!"), MB_OK);

        return pfWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
    }



    /////////////////////////////////////////////////  Hooking code below here ////////////////////////////////////

    //	Matt Pietrek's function: find the section header that contains an RVA.
    IMAGE_SECTION_HEADER *GetEnclosingSectionHeader(u32 rva)
    {
        IMAGE_SECTION_HEADER *section = IMAGE_FIRST_SECTION(ntHd);
        for (u32 i = 0; i < ntHd->FileHeader.NumberOfSections; i++, section++ )
        {
            // This 3 line idiocy is because Watcom's linker actually sets the
            // Misc.VirtualSize field to 0.  (!!! - Retards....!!!)
            u32 size = section->Misc.VirtualSize;
            if ( 0 == size )
                size = section->SizeOfRawData;

            // Is the RVA within this section?
            if ( (rva >= section->VirtualAddress) &&
                (rva < (section->VirtualAddress + size)))
                return section;
        }

        return NULL;
    }

    // For a section of an image that is already mapped by the loader, return the
    // VirtualAddress - PointerToRawData delta so GetPtrFromRVA can cancel it out
    // (in a mapped image an RVA is already the offset from the module base).
    unsigned long GetMappedSectionOffset(IMAGE_SECTION_HEADER *seHd)
    {
        IMAGE_SECTION_HEADER *section = IMAGE_FIRST_SECTION(ntHd);
        u32 offset = MakeDelta(u32, section, dosHd);   // fallback, never hit for a header from this table
        for(u32 i = 0; i < ntHd->FileHeader.NumberOfSections; i++, section++)
        {
            // Both pointers come from the same section table, so compare the
            // headers themselves (the original compared the Name array addresses,
            // which amounts to the same test).
            if(section == seHd)
            {
                offset = MakeDelta(u32, section->VirtualAddress, section->PointerToRawData);
                break;
            }
        }

        return offset;
    }

    //	This function is also Pietrek's, with a modification by me so that it can handle
    //	images that are mapped into memory.
    void *GetPtrFromRVA(u32 rva, bool mapped)
    {
        IMAGE_SECTION_HEADER *pSectionHdr = GetEnclosingSectionHeader(rva);
        s32 offset = 0;

        // Check for a missing section before touching the header.
        if (!pSectionHdr)
            return 0;
        if(mapped)
            offset = GetMappedSectionOffset(pSectionHdr);

        s32 delta = (s32)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
        return (void *) ( (u8 *)dosHd + rva - delta + offset);
    }

    // Redirect the export-table entry that currently resolves to hookFrom so that
    // it resolves to hookTo. Works on the module mapped in the calling process;
    // the slot stores a 32-bit RVA relative to that module's base.
    bool HookEAT(FARPROC hookFrom, FARPROC hookTo)
    {
        u32 i;
        HMODULE target;
        DWORD oldprot, oldprot2;

        // Which module does hookFrom live in?
        if(!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCSTR)hookFrom, &target))
        {
            return false;
        }

        dosHd = (IMAGE_DOS_HEADER *)target;
        ntHd = MakePtr(IMAGE_NT_HEADERS *, target, dosHd->e_lfanew);
        // SDK name for the export data directory (the post used IMAGE_EXPORT).
        IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)GetPtrFromRVA(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true);
        if(ied == NULL)
        {
            return false;
        }

        // AddressOfFunctions is an array of 32-bit RVAs; FARPROC is 4 bytes in a 32-bit build.
        FARPROC *funcs = (FARPROC *)GetPtrFromRVA(ied->AddressOfFunctions, true);
        if(funcs == NULL)
        {
            return false;
        }

        for(i = 0; i < ied->NumberOfFunctions; i++)
        {
            if(MakePtr(FARPROC, target, funcs[i]) == hookFrom)
            {
                break;
            }
        }

        if(i >= ied->NumberOfFunctions)
        {
            return false;
        }

        // Overwrite the slot with hookTo expressed as an RVA from the module base.
        VirtualProtect(&funcs[i], sizeof(u32), PAGE_READWRITE, &oldprot);
        funcs[i] = MakeDelta(FARPROC, hookTo, target);
        VirtualProtect(&funcs[i], sizeof(u32), oldprot, &oldprot2);

        return true;
    }




    ////////////////////////////////// Utility Functions below here ///////////////////////////////////

    // Show the text of GetLastError() in a message box titled with the failing call.
    void error(LPCTSTR lpszFunction)
    {
        LPVOID lpMsgBuf;

        if (!FormatMessage(
            FORMAT_MESSAGE_ALLOCATE_BUFFER |
            FORMAT_MESSAGE_FROM_SYSTEM |
            FORMAT_MESSAGE_IGNORE_INSERTS,
            NULL,
            GetLastError(),
            MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
            (LPTSTR) &lpMsgBuf,
            0,
            NULL ))
        {
            // Handle the error.
            return;
        }

        MessageBox(NULL, (LPCTSTR)lpMsgBuf, lpszFunction, MB_OK);

        // Free the buffer.
        LocalFree( lpMsgBuf );
    }
    Anyone see anything obviously stupid that I'm doing?

  9. #39
    You seem to be hooking WPM in your own process instead of the target process.

  10. #40
    Quote Originally Posted by aqrit View Post
    You seem to be hooking WPM in your own process instead of the target process.

    :facepalm:

    Works fine. Thanks aqrit. Clear as the nose on my face when you pointed it out, but the prior 2 hours had yielded nothing. You take 3 years off, and stuff like this happens. :-)
    Last edited by FrankRizzo; November 14th, 2012 at 00:17.
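From the defender's side, the modification HookEAT makes is easy to spot: it overwrites one AddressOfFunctions slot with hookTo minus the module base, so the stored RVA no longer lands inside that module's image (or, for an in-image trampoline, not in an executable section). The following is an added example, not code from this thread or from CHook: it walks the export table of a mapped PE32 image and classifies every slot; the minimal image builder and its sample RVAs are constructed test data, not a real DLL.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def scan_export_table(img):
    # Walk AddressOfFunctions of a *mapped* PE32 image (so RVA == offset into img)
    # and classify each slot; returns [(ordinal, rva, verdict), ...].
    pe = struct.unpack_from("<I", img, 0x3C)[0]                  # e_lfanew
    fh = struct.unpack_from("<HHIIIHH", img, pe + 4)             # IMAGE_FILE_HEADER
    nsec, opt = fh[1], pe + 24                                   # NumberOfSections, optional header
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    exp_rva, exp_size = struct.unpack_from("<II", img, opt + 96)  # DataDirectory[EXPORT] (PE32)
    sections = []  # (start, end, Characteristics) from the section table after the optional header
    for i in range(nsec):
        s = opt + fh[5] + 40 * i
        vsize, vaddr = struct.unpack_from("<II", img, s + 8)
        sections.append((vaddr, vaddr + vsize, struct.unpack_from("<I", img, s + 36)[0]))
    base, nfuncs = struct.unpack_from("<II", img, exp_rva + 0x10)
    aof = struct.unpack_from("<I", img, exp_rva + 0x1C)[0]
    results = []
    for i in range(nfuncs):
        rva = struct.unpack_from("<I", img, aof + 4 * i)[0]
        if rva == 0:
            verdict = "unused"
        elif exp_rva <= rva < exp_rva + exp_size:
            verdict = "forwarder"   # points into the export directory itself
        elif rva >= size_of_image:
            verdict = "HOOKED"      # RVA lands outside this module's image
        elif not any(lo <= rva < hi and ch & IMAGE_SCN_MEM_EXECUTE for lo, hi, ch in sections):
            verdict = "SUSPICIOUS"  # inside the image but not in executable code
        else:
            verdict = "ok"
        results.append((base + i, rva, verdict))
    return results

def build_image(func_rvas):
    # Constructed minimal mapped PE32 image (sample data, not a real DLL):
    # .text at 0x1000 (executable) and .rdata at 0x2000 holding the export directory.
    size, pe, exp = 0x3000, 0x80, 0x2000
    opt, sec = pe + 24, pe + 24 + 224
    img = bytearray(size)
    img[0:2] = b"MZ"; struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"; struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 224, 0)
    struct.pack_into("<H", img, opt, 0x10B); struct.pack_into("<I", img, opt + 56, size)
    struct.pack_into("<II", img, opt + 96, exp, 0x100)          # export directory RVA, size
    for i, (va, chars) in enumerate([(0x1000, 0x60000020), (0x2000, 0x40000040)]):
        struct.pack_into("<II", img, sec + 40 * i + 8, 0x1000, va)   # VirtualSize, VirtualAddress
        struct.pack_into("<I", img, sec + 40 * i + 36, chars)
    struct.pack_into("<IIII", img, exp + 0x10, 1, len(func_rvas), 0, exp + 0x40)  # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions
    struct.pack_into("<%dI" % len(func_rvas), img, exp + 0x40, *func_rvas)
    return bytes(img)
```

On a live system the same walk is done over each loaded module's image (for a 64-bit process the export directory sits at optional-header offset 112) and compared against an unhooked copy of the DLL from disk.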
