Page 2 of 3 FirstFirst 123 LastLast
Results 16 to 30 of 40

Thread: Not quite hooking...

  1. #16
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    I'm glad it all worked out for you. And yes, EAT hooks are non-detected by memory integrity checks 99% of the time, because it will be too hard for applications to analyze arbitrary new versions of the code in all imported DLLs.

    Oh, and Asprotect only emulates some APIs, not all (and only in some Asprotect versions and with some settings activated).
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  2. #17

    Latest hooking challenge

    I'm not sure if this is ME, or what, so here goes.

    Latest app I'm messing with makes a call to an API in user32.dll, and I'd like to hook it. Sounds simple enough, but when I call my hooking function, it fails. Over and Over.

    A little deeper digging has shown that the call comes not from the app itself, but from a DLL that it uses. I'm PRETTY sure it's one that gets loaded by windows at load-time, not a LoadLibrary one.

    (What I believe is happening, is that the DLL calls the function in user32, NOT the main program, so when the main program's IAT is parsed, there is no call to the function, thus hooking fails).

    So, that being the case, this is what I'm thinking of doing, as always, if there is a better/easier way, please point it out!

    Using CreateProcess to load the app, and presumably all the DLLs into memory, use snapshot, and associated ModuleFirst/ModuleNext functions to FIND the info on the DLL, and try to patch IT'S IAT, instead of the IAT from the main program.

    Thoughts? Opinions?

  3. #18
    Well, an update of sorts.

    I loaded the app via CreateProcess, with it suspended, and did the snapshot, and Module32First ALWAYS tells me that there are no modules.

    So, looking into my toolbox, I figured I would just hook the EAT, instead of the IAT. So, I whipped out this code:

    Code:
    FARPROC Address;
    HMODULE Module;
    
    Module = GetModuleHandle("user32.dll");
    if(Module == NULL)
    {
    	MessageBox(NULL, "GetModuleHandle Failed", "Sucks", MB_OK);
    	return FALSE;
    }
    
    Address = GetProcAddress(Module, "GetLastInputInfo");
    if(Address == NULL)
    {
    	MessageBox(NULL, "GetProcAddress Failed", "Sucks", MB_OK);
    	return FALSE;
    }
    
    if(HookEat(Address, (FARPROC)&EAT_GetLastInputInfo) != true)
    {
    	MessageBox(NULL, "Injection Failed", "Sucks", MB_OK);
    	return FALSE;
    }
    Everything passes, but my function "EAT_GetLastInputInfo" never gets called.

    Any ?

  4. #19
    Still fighting this bastard. I invite anyone with sufficient hooking skills to give this a shot.

    Make an app that is linked with a DLL. Inside that DLL call an API from the system, say, GetLastInputInfo from user32.dll.

    Now, try to hook that API, and always return a constant value.

    Thus far "This > me".

  5. #20
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,508
    Blog Entries
    15
    Make an app that is linked with a DLL
    you mean like this

    Code:
    .386
    .model flat, stdcall
    option casemap:none
    
    include       \masm32\include\windows.inc
    include       \masm32\include\kernel32.inc
    includelib    \masm32\lib\kernel32.lib
    includelib    frizzo.lib
    include       \masm32\include\user32.inc
    includelib    \masm32\lib\user32.lib
    
    FrizzBox PROTO
    
    .code
    start:
    	invoke FrizzBox
    	invoke ExitProcess,NULL
    end start
    Inside that DLL call an API from the system, say, GetLastInputInfo from user32.dll.
    you mean like this

    Code:
    .386
    .model flat,stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    
    
    LASTINPUTINFO STRUCT
    cbSize DWORD ?
    dwTime DWORD ?
    LASTINPUTINFO ENDS
    PLASTINPUTINFO typedef PTR LASTINPUTINFO
    
    
    .data
    deb_det             db "calling FrankRizzo hello hello",0
    caption             db "hooktesting",0
    format				db "LastInput Was At %x",0
    
    .data?
    
    plii				LASTINPUTINFO <>
    string              db 100 dup (?)
    
    .code
    
    DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
    	.if		reason==DLL_PROCESS_ATTACH
    		call FrizzBox
    		mov plii.cbSize,sizeof(LASTINPUTINFO)
    		invoke GetLastInputInfo,addr plii
    		invoke wsprintf,addr string,addr format,plii.dwTime
    		invoke MessageBoxA,NULL,addr string,addr caption,NULL
    	.elseif reason==DLL_PROCESS_DETACH
    		call FrizzBox
    		mov plii.cbSize,sizeof(LASTINPUTINFO)
    		invoke GetLastInputInfo,addr plii
    		invoke wsprintf,addr string,addr format,plii.dwTime
    		invoke MessageBoxA,NULL,addr string,addr caption,NULL
    	.elseif reason==DLL_THREAD_ATTACH
    		call FrizzBox
    		mov plii.cbSize,sizeof(LASTINPUTINFO)
    		invoke GetLastInputInfo,addr plii
    		invoke wsprintf,addr string,addr format,plii.dwTime
    		invoke MessageBoxA,NULL,addr string,addr caption,NULL
        .else        
    		call FrizzBox
    		mov plii.cbSize,sizeof(LASTINPUTINFO)
    		invoke GetLastInputInfo,addr plii
    		invoke wsprintf,addr string,addr format,plii.dwTime
    		invoke MessageBoxA,NULL,addr string,addr caption,NULL
    	.endif
    	mov  eax,TRUE
    	ret
    DllEntry Endp
    
    FrizzBox proc
            invoke MessageBox ,NULL,offset deb_det,offset caption, NULL
            ret	
    FrizzBox endp
    
    End DllEntry

    Now, try to hook that API, and always return a constant value.
    hook with what ? my hooker

    and what or who should return constant value ? my hooker should return a constant value ? what constant are you expecting from hookers ?

    whatever

    i'd have been glad if i could have atleast understood the requirements

    anyway i can suspend and find the resolved address in remote process module with code like below

    Code:
    #include <stdio.h>
    #include <windows.h>
    #include <tlhelp32.h>
    
    int main (void)
    {
    	STARTUPINFO				si;
    	PROCESS_INFORMATION		pi;
    	MODULEENTRY32			mod32;
    	HANDLE					prochand;
    	HANDLE					hSnap;
    	BOOL					modnext = TRUE;
    	CHAR					getaddlast[16] = {0};
    
    	printf("creating and hooking getlast\n");
    	ZeroMemory( &si, sizeof(si) );
        si.cb = sizeof(si);
        ZeroMemory( &pi, sizeof(pi) );
    
        if( !CreateProcess( NULL,"frizzoxe.exe",NULL,NULL,FALSE,0,NULL,NULL,&si,&pi ) ) 
        {
            printf( "CreateProcess failed (%d)\n", GetLastError() );
            return 0;
        }
        prochand = pi.hProcess;
    	WaitForInputIdle(pi.hProcess,INFINITE);
    	Sleep(3000);
    	SuspendThread(pi.hThread);
    	hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pi.dwProcessId);
    	if((LONG)hSnap == -1)
    	{
    		printf( "CreateToolhelp32SnapShot Failed (%d)\n", GetLastError() );
            return 0;
    	}
    	ZeroMemory(&mod32,sizeof(mod32));
    	mod32.dwSize = sizeof(mod32);
    	if(!Module32First(hSnap,&mod32))
    	{
    		printf( "Module32FirstFailed (%d)\n", GetLastError() );
            return 0;
    	}
    	printf("first module is %s\n",mod32.szModule);
    	while(modnext==TRUE)
    	{
    		ZeroMemory(&mod32,sizeof(mod32));
    		mod32.dwSize = sizeof(mod32);
    		modnext = Module32Next(hSnap,&mod32);
    		printf("next module is %s\n",mod32.szModule);
    		if((strcmp(mod32.szModule,"frizzo.dll")) == 0)
    		{
    			printf("th32ModuleId	= %x\n",mod32.th32ModuleID);
    			printf("th32ProcessId	= %x\n",mod32.th32ProcessID);
    			printf("gibl			= %x\n",mod32.GlblcntUsage);
    			printf("procCUNT		= %x\n",mod32.ProccntUsage);
    			printf("modbase			= %x\n",mod32.modBaseAddr);
    			printf("modsize			= %x\n",mod32.modBaseSize);
    			printf("hMod			= %x\n",mod32.hModule);
    			printf("szmod			= %s\n",mod32.szModule);
    			printf("szExe			= %s\n",mod32.szExePath);
    			ReadProcessMemory(prochand,mod32.modBaseAddr+0x2000,getaddlast,4,NULL);
    			printf("GetLastInputInfo has been Resolved to %x in frizzo.dll\n",*(DWORD *)getaddlast);
    		}
    	}
    	printf("did a round robin of all modules in remote process\n");
    	ResumeThread(pi.hThread);
    	CloseHandle(hSnap);
    	CloseHandle(prochand);
    	return 1;
    }
    and output is like

    Code:
    F:\frizzo>loadandhookgetlast.exe
    creating and hooking getlast
    first module is frizzoxe.exe
    next module is ntdll.dll
    next module is kernel32.dll
    next module is frizzo.dll
    th32ModuleId    = 1
    th32ProcessId   = 0
    gibl                    = ffff
    procCUNT                = ffff
    modbase                 = 10000000
    modsize                 = 5000
    hMod                    = 10000000
    szmod                   = frizzo.dll
    szExe                   = F:\frizzo\frizzo.dll
    GetLastInputInfo has been Resolved to 77d49519 in frizzo.dll
    next module is user32.dll
    next module is GDI32.dll
    next module is uxtheme.dll
    next module is msvcrt.dll
    next module is ADVAPI32.dll
    next module is RPCRT4.dll
    next module is RPCRT4.dll
    did a round robin of all modules in remote process
    
    F:\frizzo>
    and attaching the whole baggage here just for no reason
    Attached Files Attached Files

  6. #21
    LMAO blabberer!

    OK, I'm trying to do either an IAT hook, or an EAT hook on GetLastInputInfo, which is called from the DLL.

    This hook will direct calls to MY routine, which returns a constant value to the caller. (It's value is actually acquired by calling GetTickCount(). In this particular case, an inactivity timeout is calculated by getting the current tick count, and subtracting the tick count of the last input to give them an idle time.) I'm trying to circumvent this timeout without stuffing a mouse-click, or key-press in the input buffer, as that should also stop the screensavers from kicking in.

  7. #22
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Any luck yet Frank? (sorry for the late reply, still behind in posts after my August vacation...)

    I suspect that your EAT hook is performed too late. Remember that the EAT is only used once, at the point the function is imported. It will then be stored locally in the module that imports it (in its IAT in the case of static imports, and in any arbitrary internal program variable in the case of dynamic imports).

    You should try the next "hooking level" (direct code patching hooks) if you can't seem to get in with your EAT hooks in time for the moment of import (which might actually be a little challenge in the case of statically imported functions).

    See what I mean?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  8. #23
    Not really dELTA, never done any direct code patching hooks. I'll look into that if I have to go back and work on that project again. (I was trying to manipulate a target without changing ANY bytes inside it. I finally got tired of farking with it, and just patched it). I always knew that was an option, I was just trying to be slick.

  9. #24
    Don't let my post stop anyone from testing this on their own!

    I'd like to know if it's possible.

  10. #25

    Not quite hooking... WriteProcessMemory()

    WriteProcessMemory is just a wrapper for NtWriteVirtualMemory
    so no matter how messed up the call to WriteProcessMemory
    you can always just hook the IAT of kernel32.dll where it imports
    NtWriteVirtualMemory

  11. #26

    hook a func called from a dll

    your EAT hook is performed too late
    CreateProcess with the CREATE_SUSPENDED flag

    the process is suspended after the IAT is fixed up but before
    any code is exec'd so no modules can be loaded dynamically yet.

    install your hooks now...

    attached is a bad example of this method.. hook_dll.zip
    Last edited by aqrit; September 19th, 2008 at 15:15.

  12. #27
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Quote Originally Posted by aqrit View Post
    ...so no modules can be loaded dynamically yet.
    Yes, but all imports from statically imported libraries will be toast at this point, which are actually the most common ones.

    And don't give up now Frank, direct code patching hooks are really not that hard, c'mon, let's beat this target now! And I'm not referring to patching the program's own code, but rather the first bytes of the code of the imported functions, inside the imported DLLs (and the patching will of course still take place in memory, by way of a primary hook of the LoadLibrary API, as described previously in this thread). The code at these locations will under most circumstanced contain static or at least predictable code, and thus this method will assure your goal!
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  13. #28
    all imports from statically imported libraries will be toast at this point
    All the Import Tables for all the modules at this point will have the ProcAddress
    of functions that they are importing

    we just have to search for that address then overwrite it


    I changed my test app's code to dynamically and statically link with a dll
    that dynamically and statically calls MessageBoxA. Then I changed the first line
    in my hook_dll from GetModuleHandle(NULL) to GetModuleHandle("somedll.dll")

    It work fine.

  14. #29
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Yes, I was referring to EAT-hooking, which is a requirement to cover all later dynamic imports, which the IAT hooks won't do.

    But yes, it should be practically possible to:

    • First break at the point you are describing.
    • Then patch all EATs (which will take care of all dynamic imports from already statically loaded modules, which could otherwise be bypassed even if you hook the GetProcAddress API, since this is elementary to emulate for the process, contrary to the LoadLibrary API).
    • Then patch all IATs in all modules (to take care of all already statically imported functions).
    • Then hook the LoadLibrary function to take care of all dynamic imports in later dynamically loaded modules.

    This leaves us only with the possible hole of dynamic imports made in the DLL init functions of any of the statically imported DLLs (in any of the modules), since these will still be stored in arbitrary program variables inside the DLL code. The advantage of this is also that you avoid any messy direct code patching hooks, which is indeed good.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  15. #30
    As it turns out, I didn't actually NEED to catch, or patch anything. I was trying to get around GetLastInputInfo, and, as it turns out, a simple "GetCursorPos/SetCursorPos" resets the timer. And now it works.

Similar Threads

  1. Api hooking
    By w_a_r_1 in forum The Newbie Forum
    Replies: 8
    Last Post: January 31st, 2011, 19:22
  2. .NET hooking
    By rendari in forum Advanced Reversing and Programming
    Replies: 10
    Last Post: January 30th, 2008, 15:59
  3. Preventing API hooking????
    By yaa in forum Advanced Reversing and Programming
    Replies: 17
    Last Post: September 23rd, 2002, 16:49
  4. api hooking via vxd...
    By hex0r in forum Advanced Reversing and Programming
    Replies: 7
    Last Post: January 23rd, 2002, 14:15
  5. api hooking
    By 4oh4 in forum Advanced Reversing and Programming
    Replies: 21
    Last Post: December 6th, 2001, 21:39

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •