Exetools
#1
Old 03-23-2005, 23:08
MaRKuS-DJM
API-hooking

hi bros,

I'm searching for a way to hook APIs for a simply protected application (won't name the protector).
This should work generically on Win 95 / 98 / Me / NT / 2000 / XP.
I won't use import redirection.
On XP I used a method of unprotecting kernel pages and redirecting from there to my code. It worked, but it doesn't work on the other OSes. 95 / 98 / Me can't unprotect kernel memory. It's the same as with export patching. I heard something of an undocumented API with ordinal 1 that should be able to unprotect this memory. Anybody know about this?
Or any suggestions?
#2
Old 03-23-2005, 23:37
Shub-Nigurrath
Does the paper by E. Labir on codebreakers-journal about Unpacking by Code Injection suit you?
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
#3
Old 03-23-2005, 23:49
MaRKuS-DJM
hehe, already read this. I'm searching for something new...
#4
Old 03-24-2005, 00:32
Shub-Nigurrath
well,
this is what I took away from my readings...

API Hooking revealed
http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5667

APIHijack - A Library for Easy DLL Function Hooking
http://www.codeguru.com/Cpp/W-P/dll/hooking/article.php/c127/

Detours Library for Injection (it's my favourite one)
http://research.microsoft.com/sn/detours/

DLL Injection and function interception tutorial
http://www.codeproject.com/dll/DLL_Injection_tutorial.asp

RemoteLib - DLL Injection for Win9x & NT Platforms (not exactly an API spy, but useful too)
http://www.codeproject.com/dll/RemoteLib.asp

hope something helps.
#5
Old 03-24-2005, 00:47
Nukacola
hey,
I read something on the old Fravia sites about this undocumented API function; there it was used for Vbox.
Here is the link, maybe it helps.

From the retired +Tsehp.
http://www.woodmann.com/fravia/vbox42.htm

regards
Nukacola
#6
Old 03-24-2005, 02:09
MaRKuS-DJM
Shub-Nigurrath:
that's exactly what I was searching for.
thanks!
#7
Old 03-24-2005, 02:56
nikola
Afaik VirtualProtectEx should finish the job for you. But if you are looking for another way, look at the attachment. Very nice tutorial there, with MASM source code and a proc to get write permission to some address... What are you trying to make with it? An import resolver?

I can't seem to attach the file :/ If you still need this, PM me bro.

#8
Old 03-24-2005, 16:03
nerst
Quote:
Originally Posted by MaRKuS-DJM
hi bros,

I'm searching for a way to hook APIs for a simply protected application (won't name the protector).

I heard something of an undocumented API with ordinal 1 that should be able to unprotect this memory. Anybody know about this?
Or any suggestions?
Here is an example in Delphi from different public sources & articles.

Code:
//------------------------------------------------------------------------------
// Page-permission helpers: VxDCall0 -> _PageModifyPermissions on Win 95/98/Me,
// VirtualProtect on NT. Needs the Windows and SysUtils units.
//------------------------------------------------------------------------------

uses
  Windows, SysUtils;

const
  // VMM page-permission bits (VMM.H): 020060000h = PC_WRITEABLE or PC_USER or PC_STATIC
  PC_WRITEABLE = $00020000;
  PC_USER      = $00040000;
  PC_STATIC    = $20000000;
  PAGE_SIZE    = 4096;
  // VxDCall0 is kernel32 export ordinal 1
  VXDCALL0_ORDINAL = 1;

//------------------------------------------------------------------------------

// Win9x's GetProcAddress refuses ordinal lookups into kernel32 (the reason the
// original needed its own GetProcAddress_), so the entry is read straight out
// of the export directory: AddressOfFunctions[Ordinal - Base].
function GetProcAddress_( Module : HMODULE; Ordinal : DWORD ) : Pointer;
var
  Dos   : PImageDosHeader;
  Nt    : PImageNtHeaders;
  Exp   : PImageExportDirectory;
  Funcs : PDWORD;
begin
  Result := nil;
  Dos := PImageDosHeader(Module);
  if Dos^.e_magic <> IMAGE_DOS_SIGNATURE then Exit;
  Nt := PImageNtHeaders(DWORD(Module) + DWORD(Dos^._lfanew));
  if Nt^.Signature <> IMAGE_NT_SIGNATURE then Exit;
  Exp := PImageExportDirectory(DWORD(Module) +
         Nt^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  if (Ordinal < Exp^.Base) or (Ordinal - Exp^.Base >= Exp^.NumberOfFunctions) then Exit;
  Funcs := PDWORD(DWORD(Module) + DWORD(Exp^.AddressOfFunctions));
  Inc(Funcs, Ordinal - Exp^.Base);
  if Funcs^ = 0 then Exit;
  Result := Pointer(DWORD(Module) + Funcs^);
end;

//------------------------------------------------------------------------------

// Win9x only: AND then OR the VMM permission bits of every page covering
// [Address, Address+Size). VxDCall0 takes the Win32 service number followed by
// the service's own arguments, pushed right to left; the service removes them
// as in the sources this came from, and the frame epilogue restores ESP anyway.
function ProtectAddress( Address, Size, AndMask, OrMask : DWORD ) : Boolean; stdcall;
var
  fp, np  : DWORD;   // first page number / number of pages
  VXDCall : Pointer;
begin
  Result := False;
  try
    fp := Address div PAGE_SIZE;
    np := ((Address mod PAGE_SIZE) + Size + PAGE_SIZE - 1) div PAGE_SIZE;
    if np = 0 then np := 1;

    // Get the undocumented VxDCall0 procedure (kernel32 ordinal 1)
    VXDCall := GetProcAddress_( GetModuleHandle(kernel32), VXDCALL0_ORDINAL );
    if VXDCall = nil then Exit;   // the original tested @VXDCall, which is never nil

    asm
      push OrMask               // bitOR : bits to set, e.g. PC_WRITEABLE or PC_USER or PC_STATIC
      push AndMask              // bitAND: 0FFFFFFFFh keeps all previous bits
      push np                   // number of pages
      push fp                   // first page number
      push 1000Dh               // _PageModifyPermissions (win32_service_table #)
      call DWORD PTR [VXDCall]  // VxDCall0
    end;
    Result := True;
  except
    // A faulting VxD call is reported as failure instead of propagating.
  end;
end;

//------------------------------------------------------------------------------

function IsNT : Boolean;
begin
  Result := Win32Platform = VER_PLATFORM_WIN32_NT;   // SysUtils global
end;

//------------------------------------------------------------------------------

function SetWriteAccess( Address, Size : DWORD ) : Boolean;
var
  OldProtect : DWORD;
begin
  Result := False;

  if IsNT then
  begin
    if not VirtualProtect( Pointer(Address), Size, PAGE_EXECUTE_READWRITE, OldProtect ) then Exit;
  end else
  begin
    if not ProtectAddress( Address, Size, $FFFFFFFF, PC_USER or PC_STATIC or PC_WRITEABLE ) then Exit;
  end;

  // Verify the pages really took the change
  Result := not IsBadWritePtr( Pointer(Address), Size );
end;

//------------------------------------------------------------------------------

function SetReadAccess( Address, Size : DWORD ) : Boolean;
var
  OldProtect : DWORD;
begin
  Result := False;

  if IsNT then
  begin
    if not VirtualProtect( Pointer(Address), Size, PAGE_EXECUTE_READ, OldProtect ) then Exit;
  end else
  begin
    // clear PC_WRITEABLE, keep the rest
    if not ProtectAddress( Address, Size, not DWORD(PC_WRITEABLE), PC_USER or PC_STATIC ) then Exit;
  end;

  // Success here means the range is no longer writable
  Result := IsBadWritePtr( Pointer(Address), Size );
end;
br, nerst
#9
Old 03-24-2005, 17:10
JuneMouse
I don't know if I am right, but the standalone program OllyGhost
was doing something of that kind for a single session.
It enabled putting a breakpoint on API calls in system DLLs in the W98 series.
If you are looking for that kind of functionality, try searching biw's old forum; there is a copy in one of the attachments.
#10
Old 03-24-2005, 18:44
MaRKuS-DJM
Quote:
Originally Posted by nikola
Afaik VirtualProtectEx should finish the job for you.
I tried this, but you aren't able to do this for the Win 95 / 98 / Me kernel because it won't remove its protection. I want to make it generic for every Win OS.

@nikola
I don't want to make an import resolver; the thing I'm trying to make is a generic protection inline-patcher through API hooking. It works through a hook of CreateFileA (backup file) or an optional hook of CreateFileMappingA (writing the old bytes back) or ReadFile (also writing the old bytes back). Then GetModuleHandleA is also hooked because it's near the OEP for most programs. From there the real inline patch is done.
This should all work through an in-memory patch of the kernel32 export table or an external DLL hooked for all processes. I don't think direct API patching is a good idea because you will then have trouble getting back to the next API commands.
The idea comes from DZA-patcher or dUP, but these inline patches don't work for applications like ARMA or ASPr. I successfully inline-patched some ASPr targets (any version) this way without problems.
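An added example of the export-table redirection MaRKuS-DJM describes above, written for this page and not taken from the thread, DZA-patcher, dUP or any other tool named here. It walks a PE image from the DOS header to the export directory, looks an export up by name the way GetProcAddress does (AddressOfNames, then AddressOfNameOrdinals, then AddressOfFunctions), and swaps the slot's RVA for a hook while handing back the original RVA so the hook can call through to the untouched function, which is exactly what avoids the "getting back to the next API commands" problem of patching the function body. Everything is assumed: the image is a constructed PE32 stand-in for kernel32 built in a buffer (RVA equals buffer offset), and the names, RVAs and the hook RVA 0x5000 are made up. The forwarder check (an RVA that lands inside the export directory is a string such as "NTDLL.RtlAllocateHeap", not code) is the one caveat a practitioner hits first on a real kernel32. Struct layouts are spelled out by hand so it compiles without windows.h.

```c
/* eat_redirect.c: added example, not code from this thread or from any
 * tool named in it. Constructed PE32 image in a buffer, RVA == offset.
 * On a real mapped module the slot sits in a read-only page and must be
 * made writable first (VirtualProtect / VxDCall0 as in the Delphi post). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
struct pe_export_dir {                    /* IMAGE_EXPORT_DIRECTORY, 40 bytes */
    uint32_t characteristics, time_date_stamp;
    uint16_t major_version, minor_version;
    uint32_t name_rva, base, number_of_functions, number_of_names;
    uint32_t address_of_functions, address_of_names, address_of_name_ordinals;
};
#pragma pack(pop)

#define IMG_SIZE 4096
static uint8_t g_img[IMG_SIZE];           /* the constructed image */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* MZ -> e_lfanew -> PE\0\0 -> OptionalHeader.Magic (PE32+ moves the
 * DataDirectory by 16 bytes) -> DataDirectory[0] = exports. 0 if absent. */
static uint32_t export_dir_rva(const uint8_t *img, uint32_t *size)
{
    if (rd16(img) != 0x5A4D) return 0;
    uint32_t nt = rd32(img + 0x3C);
    if (rd32(img + nt) != 0x00004550) return 0;
    uint32_t opt = nt + 24;
    uint32_t dd = opt + (rd16(img + opt) == 0x20B ? 112 : 96);
    *size = rd32(img + dd + 4);
    return rd32(img + dd);
}

/* Slot in AddressOfFunctions for a name: scan AddressOfNames, then take the
 * matching AddressOfNameOrdinals entry (already an index, not biased). */
static uint8_t *eat_slot(uint8_t *img, const char *name)
{
    uint32_t dsize, drva = export_dir_rva(img, &dsize);
    if (!drva) return NULL;
    struct pe_export_dir ed;
    memcpy(&ed, img + drva, sizeof ed);
    for (uint32_t i = 0; i < ed.number_of_names; i++) {
        if (strcmp((const char *)img + rd32(img + ed.address_of_names + 4 * i), name)) continue;
        uint16_t idx = rd16(img + ed.address_of_name_ordinals + 2 * i);
        return idx < ed.number_of_functions ? img + ed.address_of_functions + 4 * idx : NULL;
    }
    return NULL;
}

uint32_t eat_lookup(uint8_t *img, const char *name)
{
    uint8_t *slot = eat_slot(img, name);
    return slot ? rd32(slot) : 0;
}

/* The hook: overwrite the slot with the handler's RVA, return the old RVA so
 * the handler can call the original. Lookups done after this (GetProcAddress,
 * imports resolved later) land on the handler; IATs already bound do not.
 * An RVA inside the export directory is a forwarder string, so it is refused. */
uint32_t eat_redirect(uint8_t *img, const char *name, uint32_t hook_rva)
{
    uint32_t dsize, drva = export_dir_rva(img, &dsize);
    uint8_t *slot = eat_slot(img, name);
    if (!slot) return 0;
    uint32_t old = rd32(slot);
    if (old >= drva && old < drva + dsize) return 0;
    wr32(slot, hook_rva);
    return old;
}

/* Constructed stand-in for kernel32: four exports, one a forwarder (real
 * kernel32 does forward HeapAlloc to NTDLL.RtlAllocateHeap). Names sorted. */
uint8_t *demo_image(void)
{
    static const char *names[4] = { "CreateFileA", "GetModuleHandleA", "HeapAlloc", "ReadFile" };
    static const uint16_t ords[4] = { 2, 0, 3, 1 };                     /* name i -> funcs[ords[i]] */
    static const uint32_t funcs[4] = { 0x1000, 0x1100, 0x1200, 0x380 }; /* 0x380 = forwarder string */
    uint8_t *img = g_img;
    memset(img, 0, IMG_SIZE);
    wr16(img, 0x5A4D);  wr32(img + 0x3C, 0x80);         /* MZ, e_lfanew */
    wr32(img + 0x80, 0x00004550);  wr16(img + 0x80 + 24, 0x10B);  /* PE\0\0, PE32 */
    wr32(img + 0x80 + 24 + 92, 16);                     /* NumberOfRvaAndSizes */
    wr32(img + 0x80 + 24 + 96, 0x200);                  /* export dir RVA        */
    wr32(img + 0x80 + 24 + 100, 0x200);                 /* export dir size: 0x200-0x3FF */
    struct pe_export_dir ed = { 0 };
    ed.base = 1; ed.number_of_functions = 4; ed.number_of_names = 4;
    ed.address_of_functions = 0x240; ed.address_of_names = 0x260; ed.address_of_name_ordinals = 0x280;
    memcpy(img + 0x200, &ed, sizeof ed);
    for (int i = 0; i < 4; i++) {
        wr32(img + 0x240 + 4 * i, funcs[i]);
        wr32(img + 0x260 + 4 * i, 0x300 + 0x20 * i);
        wr16(img + 0x280 + 2 * i, ords[i]);
        strcpy((char *)img + 0x300 + 0x20 * i, names[i]);
    }
    strcpy((char *)img + 0x380, "NTDLL.RtlAllocateHeap");
    return img;
}

int main(void)
{
    uint8_t *img = demo_image();
    uint32_t orig = eat_redirect(img, "CreateFileA", 0x5000);
    printf("CreateFileA: was %#x, now %#x\n", orig, eat_lookup(img, "CreateFileA"));
    printf("HeapAlloc (forwarder) refused: %s\n", eat_redirect(img, "HeapAlloc", 0x5000) ? "no" : "yes");
    return 0;
}
```

Build with `cc -o eat_redirect eat_redirect.c`. Two things carry over to a real target: the slot must be writable before `eat_redirect` runs (the NT/9x helpers in nerst's post do that job), and the redirect only catches lookups made after the patch, so it has to be in place before the protector resolves its imports, which is why the hook is installed from a DLL loaded into every process or before the target's own import resolution.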
#11
Old 03-24-2005, 22:55
nikola
Bro, I'm trying to do the same thing. I've done patching the file, but now I need to hook GetModuleFileNameW to return the program name. I made a loader. My target was AnyDVD, so I made a loader, but AnyDVD checks the program name.

btw, nerst, thanks a million times, I was wondering how to call VxDCall from Delphi. I did mine with VirtualProtect, but I made it work even without that. I... did it a different way.

If someone has some experience with the Debug API, can you tell me how I load a program so that it loads the DLLs from the import table? I load it with CreateProcess with the DEBUG creation flag, but when I do that only the exe header gets loaded into memory. I want the DLLs to load too so I can put a BP on them, or hook them.

#12
Old 03-25-2005, 13:27
NimDa2k
Hooking Windows API - Techniques of hooking API functions on Windows

This document is about hooking API functions on Windows. All examples here work completely on Windows systems
based on NT technology, version NT 4.0 and higher (Windows NT 4.0, Windows 2000, Windows XP). They will probably
also work on other Windows systems. You should be familiar with processes on Windows, assembler, the PE file
structure and some API functions to understand the whole text. When using the term Hooking API here, I mean the
full change of an API. So, when calling a hooked API, our code is run immediately. I do not deal with cases of API
monitoring only. I will write about complete hooking.