
Thread: LINK: API Hooking: a new and fast technique

  1. #1
    Kayaker (Teach, Not Flame)
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5

    LINK: API Hooking: a new and fast technique

    I hope our Friendly Neighbourhood Wizard won't mind me posting this link.
    An interesting variation on a popular subject.


    API Hooking: a new and fast technique
    by bilbo

    http://www.osix.net/modules/article/?id=728

    In the present article a new, simple and efficient technique will be described to solve API hooking problems.
    A step by step approach will be taken to make things even easier.



    Cheers,
    Kayaker

  2. #2
    Great stuff. Thanks Bilbo for writing it and Kayaker for posting it.

    By the way, there's another interesting article on that site for "reversers", titled: "Create a loader for your reversing needs" by sefo. Might be worth a look see.

    Also other interesting sounding articles in the ASM section, found at:

    http://www.osix.net/modules/article/topic.php?id=22

    Better yet, check out ALL the sections.

    Regards,
    JMI

  3. #3
    PizzaPan
    Guest
    Interesting article; I'd say it's more wrapper oriented than hooking. This way has been used a lot in online cheats: they wrap opengl32.dll the same way, thus making wallhacks etc.

    Nice job.

  4. #4
    NeO
    Guest
    It's a nice article, but I think this technique was used more often... and I don't recall, but I think I was reading about this somewhere... I will post a link if I recall it.


    bye NeO

  5. #5
    ZaiRoN (Red wine, not vodka!)
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    But... bilbo, IIRC I saw this method somewhere in an old, great Italian group.

  6. #6
    nikolatesla20 (: Code Injector :)
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Good article. Basic information though. But still always nice to see an alternative method! Anyone who's studied up on PE headers should find this technique immediately obvious. (And I've written those "wallhacks" before, it's actually great fun.)

    ~niko20

  7. #7
    bilbo (son of Bungo &amp; Belladonna)
    Join Date
    Mar 2004
    Location
    Rivendell
    Posts
    310
    Well, mates,

    Thanks for the appreciation...
    As for the criticism, thanks too, but I really would like to see the links you (NeO, ZaiRoN) talked about: if I'd known about them, I'd surely have given them credit.

    OPENGL wrapping (and wallhacks) is another interesting field I had not thought of, but the way it has generally been implemented (I have found a "blank OpenGL wrapper" at http://panic.elitecoders.org/files/source/CrusadersWrapper.zip) is the usual one: some code is generated to wrap every exported function.
    What I, on the other hand, tried to describe in my article is different: no code is generated at all, but a redirection is used which is understood by the Windows loader. Just a slight difference, interesting only from a theoretical point of view.
    By the way, if you try to apply the technique described in my article to a "non system" DLL such as OPENGL32.DLL, you don't need to patch any byte in the executable itself, and the "spoofing" DLL can keep the same name. Conversely, for libraries like KERNEL32.DLL/USER32.DLL, you have to adopt the trick I wrote about (e.g. patching KERNEL32 to VERNEL32 in the executable), otherwise the system DLL takes priority (I think this is due to the fact that the loader finds the system DLL already loaded in cache).

    Another interesting and big project about graphic library wrapping is DirectX wrapper, which converts DirectX calls to OpenGL APIs (http://realtech-vr.com/directx/). But this is not so much concerned with API hooking, because DirectX exports essentially one function, Direct3DCreate8 (version 8).

    Best regards, bilbo
    Last edited by bilbo; October 3rd, 2005 at 07:17.
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]
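    bilbo's post above describes pointing an executable's import entry at a look-alike name (KERNEL32 patched to VERNEL32) so that the loader binds to a substitute DLL instead of the system one. The script below is an added example written for this thread, not code from bilbo's article or from any of the posters, showing what a defender can look for in that case: it parses a PE32 import directory and flags any imported DLL name that is one character away from a well-known system DLL. The minimal PE it builds is a constructed sample (function thunks are left empty because only the DLL name strings matter here), SYSTEM_DLLS is an assumed short list, and the one-character-difference rule is a heuristic of mine. The other case bilbo mentions, a proxy DLL that keeps the real name of a non-system library such as OPENGL32.DLL, leaves the import table untouched and cannot be caught this way; that needs a check of the loaded module's path and signature instead.

```python
import struct

# Names the heuristic treats as "system" DLLs; an assumed, deliberately short list.
SYSTEM_DLLS = ("KERNEL32.DLL", "USER32.DLL", "NTDLL.DLL", "ADVAPI32.DLL", "GDI32.DLL")


def build_sample_pe(dll_names):
    """Construct a minimal PE32 file (a constructed sample, not a real binary) whose
    single section holds an import directory naming dll_names. The thunk arrays are
    left empty because only the DLL name strings matter for this check."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)   # one IMAGE_IMPORT_DESCRIPTOR per DLL + null terminator
    names_blob, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(sec_rva + desc_size + len(names_blob))
        names_blob += name.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + bytes(20)
    body = descs + names_blob
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    section = body.ljust(raw_size, b"\0")

    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)             # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, desc_size)                                  # data directory 1 = imports
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, raw_size, 0, 0x1000, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, sec_raw, 4, 0, 0, 0, 4, 0,
                       0, 0x2000, sec_raw, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sec_hdr = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, raw_size,
                                           sec_raw, 0, 0, 0, 0, 0xC0000040)
    return (dos + coff + opt + sec_hdr).ljust(sec_raw, b"\0") + section


def _rva_to_offset(data, rva):
    """Map an RVA to a file offset by walking the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(n_sections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def imported_dlls(data):
    """Return the DLL names in a PE32 file's import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ keeps its directories at +112)")
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]   # directory index 1
    names = []
    if import_rva == 0:
        return names
    off = _rva_to_offset(data, import_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:   # all-zero descriptor ends the table
            break
        start = _rva_to_offset(data, name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii"))
        off += 20
    return names


def lookalike_imports(names):
    """Flag imported names that differ from a system DLL name in exactly one character
    (the KERNEL32 -> VERNEL32 pattern). Returns (imported_name, system_name) pairs."""
    findings = []
    for name in names:
        upper = name.upper()
        if upper in SYSTEM_DLLS:
            continue
        for sysdll in SYSTEM_DLLS:
            if len(upper) == len(sysdll) and sum(a != b for a, b in zip(upper, sysdll)) == 1:
                findings.append((name, sysdll))
    return findings


if __name__ == "__main__":
    # Constructed sample: one patched import, one genuine system import, one non-system import.
    sample = build_sample_pe(["VERNEL32.DLL", "USER32.DLL", "OPENGL32.DLL"])
    print(imported_dlls(sample))
    print(lookalike_imports(imported_dlls(sample)))
```

    To run it against a real file, read the executable into bytes and pass them to `imported_dlls` in place of the constructed sample; a result from `lookalike_imports` is a prompt to inspect which module actually satisfied that import at load time, not proof of tampering on its own.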

  8. #8
    ZaiRoN (Red wine, not vodka!)
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    I heard about it but it wasn't documented by anyone.

  9. #9
    I think I've read about it on old Fravia's site. Also, check this CodeProject article:
    http://www.codeproject.com/system/hooksys.asp (Paragraph 2b: Proxy DLL)
    Bilbo's text is clear and simple though, good work.
    Vulnerant omnes, ultima necat.
