API-hooking
hi bros,
i'm searching for a way to hook APIs for a simple protected application (won't name the protector ;)). this should be generic, working on Win 95 / 98 / Me / NT / 2000 / XP. i won't use import redirection. on XP i used a method of unprotecting kernel pages and redirecting from there to my code. it worked, but it doesn't work on the other OSes. 95 / 98 / Me can't unprotect kernel memory. it's the same as with export patching. i heard something about an undocumented API with ordinal 1 that should be able to unprotect this memory. anybody knows about this? or any suggestions?

does the paper by E. Labir in the codebreakers-journal about Unpacking by Code Injection suit you?

hehe ;) already read this. i'm looking for something new...

well,
this is what I took away from my readings..
API Hooking Revealed: http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5667
APIHijack - A Library for Easy DLL Function Hooking: http://www.codeguru.com/Cpp/W-P/dll/hooking/article.php/c127/
Detours Library for Injection (it's my favourite one): http://research.microsoft.com/sn/detours/
DLL Injection and function interception tutorial: http://www.codeproject.com/dll/DLL_Injection_tutorial.asp
RemoteLib - DLL Injection for Win9x & NT Platforms (not exactly an API spy, but useful too): http://www.codeproject.com/dll/RemoteLib.asp
hope something helps.

hey,
i read something on the old fravia sites about this undocumented API function; there it was used for Vbox. Here is the link, maybe it helps. From the retired +Tsehp. http://www.woodmann.com/fravia/vbox42.htm regards Nukacola

Shub-Nigurrath:
that's exactly what i was searching for :) thanks!

Afaik VirtualProtectEx should finish the job for you. But if you are looking for another way, look at the attachment. Very nice tut there, with masm source code and a proc to get write permission to some address... What are you trying to make with it? An import resolver?
I can't seem to attach the file :/ If you still need this, pm me bro

i don't know if i am right, but the standalone program ollyghost
was doing something of that kind: for a single session it enabled putting a breakpoint on api calls in system dlls in the w98 series. if you are looking for that kind of functionality, try searching biw's old forum; there is a copy in one of the attachments

@nikola i don't want to make an import resolver; the thing i'm trying to make is a generic protection inline-patcher through API hooking. it works through a hook of CreateFileA (backup file) or, optionally, a hook of CreateFileMappingA (writing the old bytes back) or ReadFile (also writing the old bytes back). then GetModuleHandleA is also hooked because it's near the OEP for most programs. from there the real inline patch is done. this should all work through an in-memory patch of the kernel32 export table or an external dll hooked into all processes. i don't think direct API patching is a good idea because you will then have trouble getting back to the next API commands. the idea comes from DZA-patcher or dUP, but these inline patches don't work for applications like arma or ASPr. i successfully inline-patched some ASPr targets (any version) this way without problems.

Bro, i'm trying to do the same thing ;) I've done the file patching, but now i need to hook GetModuleFileNameW to return the program name. I made a loader. My target was anydvd, so i made a loader, but anydvd checks the program name.
btw, nerst, thanks a million times :) I was wondering how to call VxDCall from delphi. I did mine with VirtualProtect, but i made it work even without that. I... did it a different way :) If someone has some experience with the Debug API, can you tell me how i load a program so that it loads the dlls from its import table? I load it with CreateProcess with the DEBUG creation flag, but when i do that only the exe header gets loaded into memory. I want the dlls to load too so i can put a BP on them, or hook them

Hooking Windows API - Techniques of hooking API functions on Windows
This document is about hooking API functions on Windows. All examples here work completely on Windows systems
based on NT technology, version NT 4.0 and higher (Windows NT 4.0, Windows 2000, Windows XP). They will probably also work on other Windows systems. You should be familiar with processes on Windows, assembler, the PE file structure and some API functions to understand the whole text. When using the term "Hooking API" here, I mean the full change of the API. So, when calling a hooked API, our code is run immediately. I do not deal with cases of API monitoring only. I will write about complete hooking. :D
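The export-table hooking that the earlier post describes (an in-memory patch of the kernel32 export table) and the complete hooking this document introduces both come down to the same PE structure: IMAGE_EXPORT_DIRECTORY and its AddressOfFunctions slots. The following Python is an added example, not code from the thread or from the attached document. It hand-builds a flat PE32 image (RVA == file offset, a constructed stand-in for kernel32.dll with three exported names), walks the export directory the way the loader and GetProcAddress do, rewrites one slot, refuses to touch forwarded exports, and, from the defender's side, diffs the live table against a clean copy to spot exactly this kind of redirection. On a real mapped module the slot's page must first be made writable (VirtualProtect/VirtualProtectEx on NT, the 9x problem the thread is about); the example only models the parsing and patching.

```python
import struct

# Field offsets inside IMAGE_EXPORT_DIRECTORY (PE spec, little-endian)
EXP_NAME, EXP_NFUNCS, EXP_NNAMES = 12, 20, 24
EXP_FUNCS, EXP_NAMES, EXP_ORDS = 28, 32, 36


def _u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def _cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii")


def build_fake_image():
    """Constructed, flat (RVA == offset) PE32 image exporting three names.
    A hand-built stand-in for kernel32.dll, not a real module."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 0 sections, 224-byte optional header, DLL flags
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 224, 0x2102)
    struct.pack_into("<H", img, 0x58, 0x10B)                      # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96, 0x200, 0x100)         # export dir RVA, size
    # IMAGE_EXPORT_DIRECTORY at 0x200: name, base=1, 3 funcs, 3 names, 3 tables
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0,
                     0x2A0, 1, 3, 3, 0x230, 0x240, 0x250)
    struct.pack_into("<III", img, 0x230, 0x1000, 0x1100, 0x1200)  # AddressOfFunctions
    struct.pack_into("<III", img, 0x240, 0x260, 0x270, 0x290)     # AddressOfNames
    struct.pack_into("<HHH", img, 0x250, 0, 1, 2)                 # AddressOfNameOrdinals
    img[0x260:0x26C] = b"CreateFileA\0"
    img[0x270:0x281] = b"GetModuleHandleA\0"
    img[0x290:0x299] = b"ReadFile\0"
    img[0x2A0:0x2AD] = b"kernel32.dll\0"
    return img


def export_directory(img):
    """Return (RVA, size) of IMAGE_EXPORT_DIRECTORY from the data directory."""
    e_lfanew = _u32(img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20
    dd = 96 if _u16(img, opt) == 0x10B else 112                  # PE32 vs PE32+
    return _u32(img, opt + dd), _u32(img, opt + dd + 4)


def export_table(img):
    """Map exported name -> (slot index in AddressOfFunctions, RVA)."""
    ed, _ = export_directory(img)
    funcs, names, ords = (_u32(img, ed + o) for o in (EXP_FUNCS, EXP_NAMES, EXP_ORDS))
    table = {}
    for i in range(_u32(img, ed + EXP_NNAMES)):
        name = _cstr(img, _u32(img, names + 4 * i))
        slot = _u16(img, ords + 2 * i)                            # unbiased ordinal
        table[name] = (slot, _u32(img, funcs + 4 * slot))
    return table


def function_rva(img, name):
    return export_table(img)[name][1]


def is_forwarder(img, name):
    """An RVA pointing back inside the export directory is a forwarder string
    (e.g. "NTDLL.RtlFoo"), not code: patching that slot is meaningless."""
    ed, size = export_directory(img)
    rva = function_rva(img, name)
    return ed <= rva < ed + size


def redirect_export(img, name, new_rva):
    """Rewrite one AddressOfFunctions slot so later GetProcAddress / import
    resolution for `name` yields new_rva. Returns the original RVA."""
    if is_forwarder(img, name):
        raise ValueError(f"{name} is a forwarder; nothing to redirect")
    ed, _ = export_directory(img)
    slot, old = export_table(img)[name]
    struct.pack_into("<I", img, _u32(img, ed + EXP_FUNCS) + 4 * slot, new_rva)
    return old


def diff_exports(clean, live):
    """Defender's check: names whose exported RVA differs between a clean copy
    (e.g. re-parsed from the file on disk) and the in-memory image."""
    a, b = export_table(clean), export_table(live)
    return sorted(n for n in a if n in b and a[n][1] != b[n][1])


if __name__ == "__main__":
    disk = build_fake_image()
    mem = bytearray(disk)
    old = redirect_export(mem, "GetModuleHandleA", 0x5000)
    print(f"GetModuleHandleA: {old:#x} -> {function_rva(mem, 'GetModuleHandleA'):#x}")
    print("modified exports:", diff_exports(disk, mem))
```

The redirect only affects callers that resolve the name after the patch (a fresh GetProcAddress, or a process whose imports are bound later); already-filled import tables keep the old address, which is why the thread's approach combines the export patch with hooking early APIs such as CreateFileA. The same `diff_exports` comparison against the on-disk module is the cheapest way to detect such a patch in a running process.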