Exetools forum (https://forum.exetools.com/index.php) > General Discussion (https://forum.exetools.com/forumdisplay.php?f=2) > API-hooking (https://forum.exetools.com/showthread.php?t=7211)

MaRKuS-DJM 03-23-2005 23:08

API-hooking
 
hi bros,

i'm searching for a way to hook APIs for a simple protected application (won't name the protector ;))
this should work generically on Win 95 / 98 / Me / NT / 2000 / XP.
i won't use import-redirection.
on XP i used a method of unprotecting kernel pages and redirecting from there to my code. it worked, but it doesn't work on the other OSes. on 95 / 98 / Me you can't unprotect kernel-memory. it's the same as with export-patching. i heard something about an undocumented API with ordinal 1 that should be able to unprotect this memory. does anybody know about this?
or any suggestions?

Shub-Nigurrath 03-23-2005 23:37

does the paper by E. Labir on codebreakers-journal about Unpacking by Code Injection suit you?

MaRKuS-DJM 03-23-2005 23:49

hehe ;) already read this. i'm searching for something new...

Shub-Nigurrath 03-24-2005 00:32

well,
this is what I took away in my readings..

API Hooking revealed
http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5667

APIHijack - A Library for Easy DLL Function Hooking
http://www.codeguru.com/Cpp/W-P/dll/hooking/article.php/c127/

Detours Library for Injection (it's my favourite one)
http://research.microsoft.com/sn/detours/

DLL Injection and function interception tutorial
http://www.codeproject.com/dll/DLL_Injection_tutorial.asp

RemoteLib - DLL Injection for Win9x & NT Platforms (not exactly an API spy but useful too)
http://www.codeproject.com/dll/RemoteLib.asp

hope something helps.

Nukacola 03-24-2005 00:47

hey,
i read something on the old fravia sites about this undocumented API function; there it was used for Vbox.
Here is the link, maybe it helps.

From the retired +Tsehp.
http://www.woodmann.com/fravia/vbox42.htm

regards
Nukacola

MaRKuS-DJM 03-24-2005 02:09

Shub-Nigurrath:
that's exactly what i searched for :)
thanks!

nikola 03-24-2005 02:56

Afaik VirtualProtectEx should finish the job for you. But if you are looking for another way, look at the attachment. Very nice tut there, with masm source code and a proc to get write permission to some address... What are you trying to make with it? An import resolver?

I can't seem to attach the file :/ If you still need this, pm me bro

nerst 03-24-2005 16:03

Quote:

Originally Posted by MaRKuS-DJM
hi bro's,

i'm searching for a way to hook API's for a simple protected application (won't name protector ;))

i heard something of an undocumented API with ordinal 1 that should be able to unprotect this memory. anybody knows about this?
or any suggestions?

Here is an example in Delphi from different public sources & articles.

Code:

//------------------------------------------------------------------------------
// Requires: uses Windows, SysUtils;

const
  // Win9x VMM page-permission bits (VMM.H) understood by _PageModifyPermissions.
  // PC_WRITEABLE or PC_USER or PC_STATIC = 020060000h, the value in the asm comment below.
  PC_WRITEABLE = $00020000;
  PC_USER      = $00040000;
  PC_STATIC    = $20000000;

// True on the NT family (NT 4.0 / 2000 / XP), False on 95 / 98 / Me
function IsNT: Boolean;
begin
  Result := Win32Platform = VER_PLATFORM_WIN32_NT;
end;

//------------------------------------------------------------------------------

// Win9x only: change the permission bits of the page containing Address by
// calling the undocumented kernel32 export with ordinal 1 (VxDCall0) and the
// VMM service _PageModifyPermissions.
function ProtectAddress( Address, Flag : DWORD ): Boolean; stdcall;
var
  fp,np   : DWORD;  // FirstPage / numPages
  VXDCall : Pointer;

begin
  Result  := False;

  try
    fp := Address div 4096;   // page number containing Address
    np := 1;                  // number of pages to modify
    // Get the undocumented VxDCall procedure: kernel32 ordinal 1, passed as PChar(1)
    VXDCall := GetProcAddress(GetModuleHandle(kernel32), PChar(1));
    if VXDCall = nil then Exit;
    asm
//    push 020060000h          // PC_WRITEABLE | PC_USER | PC_STATIC
      push Flag
      push 0FFFFFFFFh          // Keep all previous bits
      push DWORD PTR [np]      // dword ptr [mbi+0Ch] # of pages
      push DWORD PTR [fp]      // dword ptr [ped] page #
      push 1000Dh              // _PageModifyPermissions (win32_service_table #)
      call DWORD PTR [VXDCall]  // VxDCall0
    end;
    Result := True;

  except
    // any exception (e.g. calling VxDCall0 where it is not available) leaves Result = False
  end;
end;

//------------------------------------------------------------------------------

// Make Size bytes at Address writable, using VirtualProtect on NT and
// _PageModifyPermissions on 9x; verifies the result with IsBadWritePtr.
function SetWriteAccess( Address, Size : DWORD ) : Boolean;
var
  OldProtect : DWORD;

begin
  Result    := False;

  If IsNT then
  begin

    if VirtualProtect( Pointer(Address), Size, PAGE_EXECUTE_READWRITE, OldProtect ) = False then Exit;
    Result := (IsBadWritePtr( Pointer(Address), Size ) = False);

  end else
  begin

    If ProtectAddress( Address, PC_USER OR PC_STATIC OR PC_WRITEABLE ) = False then Exit;
    Result := (IsBadWritePtr( Pointer(Address), Size ) = False);

  end;

end;

//------------------------------------------------------------------------------

// Restore read-only (execute/read) access; succeeds when the range is no
// longer writable, which is why IsBadWritePtr is expected to return True here.
function SetReadAccess( Address, Size : DWORD ) : Boolean;
var
  OldProtect : DWORD;

begin
  Result    := False;

  If IsNT then
  begin

    if VirtualProtect( Pointer(Address), Size, PAGE_EXECUTE_READ, OldProtect ) = False then Exit;
    Result := (IsBadWritePtr( Pointer(Address), Size ) );

  end else
  begin

    If ProtectAddress( Address, PC_USER OR PC_STATIC ) = False then Exit;
    Result := (IsBadWritePtr( Pointer(Address), Size ) );

  end;

end;

br, nerst

JuneMouse 03-24-2005 17:10

i don't know if i am right, but the standalone program ollyghost
was doing something of that kind for a single session:
it enabled putting a breakpoint on API calls in system DLLs on the w98 series.
if you are looking for that kind of functionality, try searching biw's old forum; there is a copy in one of the attachments.

MaRKuS-DJM 03-24-2005 18:44

Quote:

Originally Posted by nikola
Afaik VirtualProtectEx should finish the job for you.

i tried this, but you aren't able to do this for the Win 95 / 98 / Me kernel because it won't remove its protection. i want to make it generic for every win OS.

@nikola
i don't want to make an import resolver; the thing i'm trying to make is a generic protection inline-patcher through API-hooking. it works through a hook of CreateFileA (backup-file) or optionally a hook of CreateFileMappingA (writing old bytes back) or ReadFile (also writing old bytes back). then GetModuleHandleA is also hooked because it's near the OEP for most programs. from there the real inline-patch is done.
this should all work through an in-memory patch of the kernel32 export table or an external dll hooked for all processes. i don't think direct API patching is a good idea because you will then have trouble getting back to the next API-commands.
the idea comes from DZA-patcher or dUP, but these inline-patches don't work for applications like arma or ASPr. i successfully inline-patched some ASPr-targets (any version) this way without problems.
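An added detection-side example, not code from the thread: it models a loaded kernel32 as a byte image plus its export table, both constructed inline, and flags exports whose EAT entry or prologue leads outside the module, which is exactly what the export-table patching and direct API patching discussed above leave behind. MODULE_BASE, the hook stub address and the export RVAs are all assumed values.

```python
import struct

MODULE_BASE = 0x7C800000   # assumed load address of the modelled kernel32 image
IMAGE_SIZE = 0x1000        # size of the constructed image

def build_sample_image():
    """Constructed module image: one clean export, one inline-patched export
    and one export-table entry redirected outside the module."""
    img = bytearray(b"\xCC" * IMAGE_SIZE)
    img[0x100:0x106] = b"\x8B\xFF\x55\x8B\xEC\xC3"   # mov edi,edi / push ebp / mov ebp,esp / ret
    hook_stub = 0x00401000                             # constructed address inside the target EXE
    rel32 = (hook_stub - (MODULE_BASE + 0x200 + 5)) & 0xFFFFFFFF
    img[0x200:0x205] = b"\xE9" + struct.pack("<I", rel32)   # jmp rel32 out of the module
    exports = {
        "CreateFileA": 0x100,        # untouched
        "GetModuleHandleA": 0x200,   # inline-patched prologue
        "ReadFile": 0x00200000,      # EAT entry rewritten to an RVA beyond the image
    }
    return bytes(img), exports

def check_exports(base, image, exports):
    """Return (export name, reason) for every export whose EAT entry or
    prologue leads outside [base, base + len(image))."""
    findings = []
    end = base + len(image)
    for name, rva in exports.items():
        if rva >= len(image):
            findings.append((name, f"export RVA {rva:#x} lies outside the module"))
            continue
        code = image[rva:rva + 6]
        dest = None
        if code[0] == 0xE9:                                          # jmp rel32
            dest = (base + rva + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
        elif code[0] == 0x68 and len(code) > 5 and code[5] == 0xC3:  # push imm32 / ret
            dest = struct.unpack("<I", code[1:5])[0]
        elif code[:2] == b"\xFF\x25":                                # jmp [abs32], indirect
            findings.append((name, "prologue starts with an indirect jmp"))
            continue
        if dest is not None and not base <= dest < end:
            findings.append((name, f"prologue jumps outside the module to {dest:#010x}"))
    return findings

def flagged_names(findings):
    return sorted(n for n, _ in findings)

if __name__ == "__main__":
    image, exports = build_sample_image()
    for name, why in check_exports(MODULE_BASE, image, exports):
        print(f"{name}: {why}")
```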

nikola 03-24-2005 22:55

Bro, I'm trying to do the same thing ;) I've done patching the file, but now i need to hook GetModuleFileNameW to return the program name. I made a loader. My target was anydvd, so i made a loader, but anydvd checks the program name.

btw, nerst, thanks a million times :) I was wondering how to call VxDCall from delphi. I did mine with VirtualProtect, but i made it work even without that. I... did it a different way :)

If someone has some experience with the Debug API, can you tell me how i load a program so that it loads the dlls from the import table? I load with CreateProcess with the DEBUG creation flag, but when i do that only the exe header gets loaded into memory. I want the dlls to load too so i can put a BP on them, or hook them

NimDa2k 03-25-2005 13:27

Hooking Windows API - Technics of hooking API functions on Windows

This document is about hooking API functions on OS Windows. All examples here work completely on Windows systems
based on NT technology version NT 4.0 and higher (Windows NT 4.0, Windows 2000, Windows XP). Probably they
will also work on other Windows systems. You should be familiar with processes on Windows, assembler, PE file
structure and some API functions to understand the whole text. When using the term "Hooking API" here, I mean the
full change of the API. So, when calling the hooked API, our code is run immediately. I do not deal with cases of API
monitoring only. I will write about complete hooking. :D

