Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 11-01-2022, 18:59
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,060
Rept. Given: 586
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 732
Thanks Rcvd at 588 Times in 349 Posts
user1 Reputation: 41
Exclamation Windows Api Hooking

http://www.compile.ro/2018/06/24/interceptarea-functiilor-din-windows/
Credits to developer !
Code:
VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header) {
    //adauga permisiunea de scriere in primii 5 octeti de la inceputul functiei
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    //salveaza cei 5 octeti originali ai functiei
    CopyMemory(old_header, (LPVOID)old_func, 5);

    //calculeaza distanta dintre noua si vechea functie
    //  folosita ca parametru de JMP
    DWORD size = new_func - (old_func + 5);

    //construieste instructiunea JMP
    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    //scrie instuctiunea la inceputul functiei vechi
    CopyMemory((LPVOID)old_func, new_header, 5);
}
BYTE OH_GetVersion[5];
BYTE NH_GetVersion[5];
...
DetourSet((DWORD)GetVersion, (DWORD)D_GetVersion, OH_GetVersion, NH_GetVersion);
DWORD WINAPI D_GetVersion()
{
    //copiaza cei 5 octeti originali inapoi in GetVersion
    CopyMemory((LPVOID)GetVersion, OH_GetVersion, 5);

    //apeleaza GetVersion
    DWORD v = GetVersion();

    //coipiaza JMP-ul in GetVersion
    CopyMemory((LPVOID)GetVersion, NH_GetVersion, 5);

    //modifica si returneaza valoarea
    return v & 0xFFFF00FF | 0x0200;
}
#include 
#include 

#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

DETOUR_DEFINE(GetVersion);
DWORD WINAPI D_GetVersion()
{
    DWORD v;
    DETOUR_EXEC(v, GetVersion);
    return v & 0xFFFF00FF | 0x0200;
}

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}

int main() {
    DWORD v = GetVersion();
    printf("Inainte de redirectionare versiunea este: %d.%d (%d)\n", LOBYTE(LOWORD(v)), HIBYTE(LOWORD(v)), HIWORD(v));

    DETOUR_SET(GetVersion);
    v = GetVersion();
    printf("Dupa redirectionare versiunea este: %d.%d (%d)\n", LOBYTE(LOWORD(v)), HIBYTE(LOWORD(v)), HIWORD(v));

    getchar();
}
Reply With Quote
The Following 2 Users Say Thank You to user1 For This Useful Post:
niculaita (11-02-2022)
  #2  
Old 11-01-2022, 20:26
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 273
Rept. Given: 89
Rept. Rcvd 86 Times in 39 Posts
Thanks Given: 167
Thanks Rcvd at 340 Times in 118 Posts
Fyyre Reputation: 86
Hurray for C macros?
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre
Reply With Quote
The Following User Says Thank You to Fyyre For This Useful Post:
Stingered (12-24-2022)
  #3  
Old 11-02-2022, 02:08
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,060
Rept. Given: 586
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 732
Thanks Rcvd at 588 Times in 349 Posts
user1 Reputation: 41
Post

@Fyyre

HTML Code:
https://reverseengineering.stackexchange.com/questions/15933/how-to-bypass-or-block-getsystemtime

A friend and I made this a long time ago, to bypass trial on a certain program (not naming it). It modifies the value that GetSystemTimeAsFileTime returned.

GetSystemTimeAsFileTime Hotpatch

http://fyyre.ru/dllmain.cpp
can please re upload it, very much interested.

Thanks !
Attached Images
File Type: jpg Capture.JPG (39.7 KB, 17 views)
Reply With Quote
  #4  
Old 11-03-2022, 01:00
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 273
Rept. Given: 89
Rept. Rcvd 86 Times in 39 Posts
Thanks Given: 167
Thanks Rcvd at 340 Times in 118 Posts
Fyyre Reputation: 86
Hi there,

Today I made this method/project available via my Github. I hope you find it helpful:

https://github.com/Fyyre/proxy_dll

Quote:
Originally Posted by user1 View Post
@Fyyre

HTML Code:
https://reverseengineering.stackexchange.com/questions/15933/how-to-bypass-or-block-getsystemtime

A friend and I made this a long time ago, to bypass trial on a certain program (not naming it). It modifies the value that GetSystemTimeAsFileTime returned.

GetSystemTimeAsFileTime Hotpatch

http://fyyre.ru/dllmain.cpp
can please re upload it, very much interested.

Thanks !
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre
Reply With Quote
The Following 6 Users Gave Reputation+1 to Fyyre For This Useful Post:
chessgod101 (11-03-2022), copyleft (12-16-2022), MarcElBichon (11-03-2022), tonyweb (12-10-2022), user1 (11-29-2022), yoza (11-03-2022)
The Following 14 Users Say Thank You to Fyyre For This Useful Post:
besoeso (11-04-2022), chessgod101 (11-03-2022), copyleft (12-16-2022), FiNALSErAPH (11-06-2022), hp3 (11-03-2022), Mendax47 (11-03-2022), niculaita (11-03-2022), ontryit (12-03-2022), sh3dow (11-03-2022), Spiderz_Soft (12-16-2022), user1 (11-03-2022), user_hidden (11-03-2022), yoza (11-03-2022), zeuscane (11-03-2022)
  #5  
Old 11-29-2022, 22:36
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,060
Rept. Given: 586
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 732
Thanks Rcvd at 588 Times in 349 Posts
user1 Reputation: 41
Question

This code only for x86 for x64 need changed

anyone can help with this?

Code:
#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}
Reply With Quote
  #6  
Old 11-29-2022, 23:34
h4sh3m h4sh3m is offline
Friend
 
Join Date: Aug 2016
Location: RCE
Posts: 59
Rept. Given: 1
Rept. Rcvd 4 Times in 2 Posts
Thanks Given: 53
Thanks Rcvd at 81 Times in 35 Posts
h4sh3m Reputation: 4
Quote:
Originally Posted by user1 View Post
This code only for x86 for x64 need changed

anyone can help with this?

Code:
#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}
Hi

Maybe you just need to change DWORD to UInt64 (old_func, new_func).
Also you might face error in some functions(size of instructions), you can't overwrite bytes blindly unless you don't have any plan to use original function anymore !!!
Reply With Quote
  #7  
Old 11-02-2022, 03:29
MarcElBichon MarcElBichon is offline
VIP
 
Join Date: Jan 2002
Posts: 272
Rept. Given: 377
Rept. Rcvd 151 Times in 57 Posts
Thanks Given: 301
Thanks Rcvd at 274 Times in 90 Posts
MarcElBichon Reputation: 100-199 MarcElBichon Reputation: 100-199
https://github.com/Fyyre/oldsite
Reply With Quote
The Following User Gave Reputation+1 to MarcElBichon For This Useful Post:
user1 (11-02-2022)
The Following 3 Users Say Thank You to MarcElBichon For This Useful Post:
Mendax47 (11-03-2022), sh3dow (11-02-2022), user1 (11-02-2022)
  #8  
Old 11-30-2022, 18:55
h4sh3m h4sh3m is offline
Friend
 
Join Date: Aug 2016
Location: RCE
Posts: 59
Rept. Given: 1
Rept. Rcvd 4 Times in 2 Posts
Thanks Given: 53
Thanks Rcvd at 81 Times in 35 Posts
h4sh3m Reputation: 4
Can you describe your problem with sample code ?!

It's working for me :|
Following link contains sample source (in delphi) with compiled x86/x64 files:

https://mega.nz/file/TUw2TQqJ#CnR-YKixZMICNTQ8H7wFwAkKCfOR3l5OpJq26S-AWvM
Reply With Quote
The Following User Says Thank You to h4sh3m For This Useful Post:
user1 (12-10-2022)
  #9  
Old 12-01-2022, 01:11
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,060
Rept. Given: 586
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 732
Thanks Rcvd at 588 Times in 349 Posts
user1 Reputation: 41
I have solved with minhook, above code is only for x86 can not work correctly in x64 app, that;s why used minhook.
Reply With Quote
  #10  
Old 12-01-2022, 01:17
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,136
Rept. Given: 334
Rept. Rcvd 229 Times in 120 Posts
Thanks Given: 272
Thanks Rcvd at 542 Times in 302 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
yeah, for x64 one need to use 8 byte addresses, means
DWORD -> QWORD, etc
Reply With Quote
  #11  
Old 12-10-2022, 15:27
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,060
Rept. Given: 586
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 732
Thanks Rcvd at 588 Times in 349 Posts
user1 Reputation: 41
can if have time post correct code. I don;t get it sorry. but if you know how to please.

other idea's of time hooks can find in github, some working as expected some not.

I think some app use to detect time check some windows / registry entry??? time for a created existing etc files because windows start in real system with real time and compare that file time with time stored in secure SL storage???
Reply With Quote
  #12  
Old 12-24-2022, 09:57
WillyTerra WillyTerra is offline
Friend
 
Join Date: May 2021
Location: Mars
Posts: 12
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 62
Thanks Rcvd at 10 Times in 4 Posts
WillyTerra Reputation: 0
Thanks for this, I will learning API Hook use new way.
Reply With Quote
Reply

Tags
windows api hooking

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 11:04.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )