Windows Api Hooking

user1 · #1 11-01-2022, 18:59

http://www.compile.ro/2018/06/24/interceptarea-functiilor-din-windows/
Credits to developer !

Code:

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header) {
    //adauga permisiunea de scriere in primii 5 octeti de la inceputul functiei
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    //salveaza cei 5 octeti originali ai functiei
    CopyMemory(old_header, (LPVOID)old_func, 5);

    //calculeaza distanta dintre noua si vechea functie
    //  folosita ca parametru de JMP
    DWORD size = new_func - (old_func + 5);

    //construieste instructiunea JMP
    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    //scrie instuctiunea la inceputul functiei vechi
    CopyMemory((LPVOID)old_func, new_header, 5);
}
BYTE OH_GetVersion[5];
BYTE NH_GetVersion[5];
...
DetourSet((DWORD)GetVersion, (DWORD)D_GetVersion, OH_GetVersion, NH_GetVersion);
DWORD WINAPI D_GetVersion()
{
    //copiaza cei 5 octeti originali inapoi in GetVersion
    CopyMemory((LPVOID)GetVersion, OH_GetVersion, 5);

    //apeleaza GetVersion
    DWORD v = GetVersion();

    //coipiaza JMP-ul in GetVersion
    CopyMemory((LPVOID)GetVersion, NH_GetVersion, 5);

    //modifica si returneaza valoarea
    return v & 0xFFFF00FF | 0x0200;
}
#include 
#include 

#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

DETOUR_DEFINE(GetVersion);
DWORD WINAPI D_GetVersion()
{
    DWORD v;
    DETOUR_EXEC(v, GetVersion);
    return v & 0xFFFF00FF | 0x0200;
}

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}

int main() {
    DWORD v = GetVersion();
    printf("Inainte de redirectionare versiunea este: %d.%d (%d)\n", LOBYTE(LOWORD(v)), HIBYTE(LOWORD(v)), HIWORD(v));

    DETOUR_SET(GetVersion);
    v = GetVersion();
    printf("Dupa redirectionare versiunea este: %d.%d (%d)\n", LOBYTE(LOWORD(v)), HIBYTE(LOWORD(v)), HIWORD(v));

    getchar();
}

Fyyre · #2 11-01-2022, 20:26

Hurray for C macros?

user1 · #3 11-02-2022, 02:08

@Fyyre

HTML Code:

https://reverseengineering.stackexchange.com/questions/15933/how-to-bypass-or-block-getsystemtime

A friend and I made this a long time ago, to bypass trial on a certain program (not naming it). It modifies the value that GetSystemTimeAsFileTime returned.

GetSystemTimeAsFileTime Hotpatch

http://fyyre.ru/dllmain.cpp

can please re upload it, very much interested.

Thanks !

MarcElBichon · #4 11-02-2022, 03:29

https://github.com/Fyyre/oldsite

Fyyre · #5 11-03-2022, 01:00

Hi there,

Today I made this method/project available via my Github. I hope you find it helpful:

https://github.com/Fyyre/proxy_dll

Quote:

Originally Posted by user1

@Fyyre

HTML Code:

https://reverseengineering.stackexchange.com/questions/15933/how-to-bypass-or-block-getsystemtime

A friend and I made this a long time ago, to bypass trial on a certain program (not naming it). It modifies the value that GetSystemTimeAsFileTime returned.

GetSystemTimeAsFileTime Hotpatch

http://fyyre.ru/dllmain.cpp

can please re upload it, very much interested.

Thanks !

user1 · #6 11-29-2022, 22:36

This code only for x86 for x64 need changed

anyone can help with this?

Code:

#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}

h4sh3m · #7 11-29-2022, 23:34

Quote:

Originally Posted by user1

This code only for x86 for x64 need changed

anyone can help with this?

Code:

#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}

Hi

Maybe you just need to change DWORD to UInt64 (old_func, new_func).
Also you might face error in some functions(size of instructions), you can't overwrite bytes blindly unless you don't have any plan to use original function anymore !!!

user1 · #8 11-30-2022, 16:27

false in x64 different.

h4sh3m · #9 11-30-2022, 18:55

Can you describe your problem with sample code ?!

It's working for me :|
Following link contains sample source (in delphi) with compiled x86/x64 files:

https://mega.nz/file/TUw2TQqJ#CnR-YKixZMICNTQ8H7wFwAkKCfOR3l5OpJq26S-AWvM

user1 · #10 12-01-2022, 01:11

I have solved with minhook, above code is only for x86 can not work correctly in x64 app, that;s why used minhook.

sendersu · #11 12-01-2022, 01:17

yeah, for x64 one need to use 8 byte addresses, means
DWORD -> QWORD, etc

user1 · #12 12-10-2022, 15:27

can if have time post correct code. I don;t get it sorry. but if you know how to please.

other idea's of time hooks can find in github, some working as expected some not.

I think some app use to detect time check some windows / registry entry??? time for a created existing etc files because windows start in real system with real time and compare that file time with time stored in secure SL storage???

WillyTerra · #13 12-24-2022, 09:57

Thanks for this, I will learning API Hook use new way.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
.NET dll hooking	Avi_RE	General Discussion	10	09-28-2023 07:09
API-hooking	MaRKuS-DJM	General Discussion	11	03-25-2005 13:27

The Following 2 Users Say Thank You to user1 For This Useful Post:
niculaita (11-02-2022)

The Following User Says Thank You to Fyyre For This Useful Post:
Stingered (12-24-2022)

The Following User Gave Reputation+1 to MarcElBichon For This Useful Post:
user1 (11-02-2022)

The Following 3 Users Say Thank You to MarcElBichon For This Useful Post:
Mendax47 (11-03-2022), sh3dow (11-02-2022), user1 (11-02-2022)

The Following 6 Users Gave Reputation+1 to Fyyre For This Useful Post:
chessgod101 (11-03-2022), copyleft (12-16-2022), MarcElBichon (11-03-2022), tonyweb (12-10-2022), user1 (11-29-2022), yoza (11-03-2022)

The Following 14 Users Say Thank You to Fyyre For This Useful Post:
besoeso (11-04-2022), chessgod101 (11-03-2022), copyleft (12-16-2022), FiNALSErAPH (11-06-2022), hp3 (11-03-2022), Mendax47 (11-03-2022), niculaita (11-03-2022), ontryit (12-03-2022), sh3dow (11-03-2022), Spiderz_Soft (12-16-2022), user1 (11-03-2022), user_hidden (11-03-2022), yoza (11-03-2022), zeuscane (11-03-2022)

The Following User Says Thank You to h4sh3m For This Useful Post:
user1 (12-10-2022)