#1
Windows API Hooking
http://www.compile.ro/2018/06/24/interceptarea-functiilor-din-windows/
Credits to the developer! Code:
#include <windows.h>

// Forward declaration: the detour for GetVersion is defined further down.
DWORD WINAPI D_GetVersion();

// 32-bit only: function addresses are held in DWORDs and the 5-byte JMP
// carries a rel32 displacement measured from the end of the instruction.
VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header) {
    // make the first 5 bytes at the start of the function writable
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);
    // save the function's 5 original bytes
    CopyMemory(old_header, (LPVOID)old_func, 5);
    // compute the distance between the new and the old function,
    // used as the JMP operand
    DWORD size = new_func - (old_func + 5);
    // build the JMP instruction
    new_header[0] = 0xE9;
    new_header[1] = (BYTE)(size >> 0);
    new_header[2] = (BYTE)(size >> 8);
    new_header[3] = (BYTE)(size >> 16);
    new_header[4] = (BYTE)(size >> 24);
    // write the instruction at the start of the old function
    CopyMemory((LPVOID)old_func, new_header, 5);
}

BYTE OH_GetVersion[5];
BYTE NH_GetVersion[5];
...
DetourSet((DWORD)GetVersion, (DWORD)D_GetVersion, OH_GetVersion, NH_GetVersion);

DWORD WINAPI D_GetVersion() {
    // copy the 5 original bytes back into GetVersion
    // (note: the unhook / call / re-hook window is not thread-safe)
    CopyMemory((LPVOID)GetVersion, OH_GetVersion, 5);
    // call GetVersion
    DWORD v = GetVersion();
    // copy the JMP back into GetVersion
    CopyMemory((LPVOID)GetVersion, NH_GetVersion, 5);
    // patch the minor-version byte and return the value
    return (v & 0xFFFF00FF) | 0x0200;
}
#2
Hurray for C macros?
__________________
Best Wishes, Fyyre -- https://github.com/Fyyre
#3
@Fyyre
HTML Code:
https://reverseengineering.stackexchange.com/questions/15933/how-to-bypass-or-block-getsystemtime
A friend and I made this a long time ago, to bypass the trial on a certain program (not naming it). It modifies the value that GetSystemTimeAsFileTime returned.
GetSystemTimeAsFileTime Hotpatch http://fyyre.ru/dllmain.cpp
Thanks!
#4
Hi there,
Today I made this method/project available via my GitHub. I hope you find it helpful: https://github.com/Fyyre/proxy_dll
__________________
Best Wishes, Fyyre -- https://github.com/Fyyre
#5
This code is only for x86; for x64 it needs changes.
Can anyone help with this? Code:
#include <windows.h>

#define DETOUR_DEFINE(F)  BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F)     DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
// unhook F, call the original with the given arguments into R, re-hook F
#define DETOUR_EXEC(R, F, ...) { \
    CopyMemory((LPVOID)F, OH_##F, 5); \
    R = F(__VA_ARGS__); \
    CopyMemory((LPVOID)F, NH_##F, 5); \
}

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header) {
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);
    CopyMemory(old_header, (LPVOID)old_func, 5);
    DWORD size = new_func - (old_func + 5);
    new_header[0] = 0xE9;
    new_header[1] = (BYTE)(size >> 0);
    new_header[2] = (BYTE)(size >> 8);
    new_header[3] = (BYTE)(size >> 16);
    new_header[4] = (BYTE)(size >> 24);
    CopyMemory((LPVOID)old_func, new_header, 5);
}
#6
Maybe you just need to change DWORD to UInt64 (old_func, new_func). Also, you might face errors in some functions (size of instructions); you can't overwrite bytes blindly unless you don't have any plan to use the original function anymore!!!
#8
Can you describe your problem with sample code?!
It's working for me :| The following link contains sample source (in Delphi) with compiled x86/x64 files: https://mega.nz/file/TUw2TQqJ#CnR-YKixZMICNTQ8H7wFwAkKCfOR3l5OpJq26S-AWvM
#9
I have solved it with MinHook; the above code is only for x86 and cannot work correctly in an x64 app, that's why I used MinHook.
#10
yeah, for x64 one needs to use 8-byte addresses, meaning
DWORD -> QWORD, etc.
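The rel32 arithmetic behind DetourSet's 5-byte JMP, written out in 64-bit-safe form and paired with the inverse check a hook scanner performs on an API's prologue, as an example added here (not code from the thread or from any poster); all addresses and prologue bytes are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>

/* Build the 5-byte "JMP rel32" (E9 xx xx xx xx) that DetourSet writes over a
 * function prologue, with 64-bit-safe arithmetic. The displacement is relative
 * to the END of the 5-byte instruction and must fit in a signed 32-bit value;
 * the DWORD version in the thread truncates x64 pointers and cannot tell. */
bool encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[5]) {
    int64_t disp = (int64_t)to - (int64_t)(from + 5);
    if (disp > INT32_MAX || disp < INT32_MIN) return false; /* > 2 GiB apart */
    uint32_t u = (uint32_t)(uint64_t)disp;        /* two's-complement rel32 */
    out[0] = 0xE9;
    out[1] = (uint8_t)u;          out[2] = (uint8_t)(u >> 8);
    out[3] = (uint8_t)(u >> 16);  out[4] = (uint8_t)(u >> 24);
    return true;
}

/* Inverse, written from the hook-scanner side: given the bytes currently at
 * `at`, report whether they are an E9 rel32 jump and where it lands. A target
 * outside the module that owns the API is the classic inline-hook indicator. */
bool decode_jmp_rel32(uint64_t at, const uint8_t hdr[5], uint64_t *target) {
    if (hdr[0] != 0xE9) return false;
    uint64_t u = (uint64_t)hdr[1] | ((uint64_t)hdr[2] << 8) |
                 ((uint64_t)hdr[3] << 16) | ((uint64_t)hdr[4] << 24);
    int64_t rel = (u & 0x80000000ULL) ? (int64_t)u - 0x100000000LL : (int64_t)u;
    *target = (uint64_t)((int64_t)at + 5 + rel);
    return true;
}

/* Scanner helper: resolved jump target, or 0 when the prologue is not an E9 jump. */
uint64_t hook_target(uint64_t at, const uint8_t hdr[5]) {
    uint64_t t;
    return decode_jmp_rel32(at, hdr, &t) ? t : 0;
}

/* Encode from->to, decode it back, and check the target survives; 0 = out of range. */
int jmp_roundtrip(uint64_t from, uint64_t to) {
    uint8_t hdr[5];
    return encode_jmp_rel32(from, to, hdr) && hook_target(from, hdr) == to;
}

/* Constructed samples: a clean hotpatchable prologue (mov edi,edi; push ebp;
 * mov ebp,esp) and the same 5 bytes after a detour from 0x77A01000 to 0x401000. */
static const uint8_t CLEAN_PROLOGUE[5]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
static const uint8_t HOOKED_PROLOGUE[5] = {0xE9, 0xFB, 0xFF, 0x9F, 0x88};
```

With these samples hook_target(0x77A01000, HOOKED_PROLOGUE) resolves to 0x401000, while a detour from a system DLL near 0x7FF8A0001000 to an EXE at 0x140001000 makes jmp_roundtrip return 0, which is exactly the case a 5-byte rel32 detour cannot reach on x64.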
#11
If you have time, can you post the correct code? I don't get it, sorry. But if you know how, please do.
Other ideas for time hooks can be found on GitHub, some working as expected, some not. I think some apps, to detect the time, check some Windows/registry entry??? The times of created/existing files, etc., because Windows starts in a real system with the real time and compares that file time with the time stored in the secure SL storage???
#12
Thanks for this, I will learn API hooking using a new way.