intercept API

[registrymechanic22]

sorry english is not my nativ language.

write in PureBasic...

[Jihugen]

I hope thats better understandable, sorry english is not my nativ language.

I think I get it now, thanks for the explanation. 6 Bytes are not enough if you want to 'copy and paste' the instruction elsewhere, to be able to call the original procedure.
But it would be enough for a simple backup (in case you don't care about calling the original procedure when the hook is set).

Just by curiosity, where would you write the backuped bytes. In a new allocated memory area, or right at the beginning of the hook procedure?
In the later case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?

If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.

Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?

[Thorium]

If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.

Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?

There are different methods, like altering the import table, but thats not what i meant. I said API functions, because they use the SdtCall call convention which PB procedurs use, so they are compatible. If you jump (not call) right from the start of the API function to the PB function you dont need to care about the parameters, because they are on the stack the same way if the procedure would have called normal. If you use a call you mess up the stack because it pushes the return address to the stack.

Well, i think i just write a little example code.

[Thorium]

Just by curiosity, where would you write the backuped bytes. In a new allocated memory area, or right at the beginning of the hook procedure?
In the later case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?

Cleanest way would be to allocate a memory block and change access rights to #PAGE_EXECUTE_READWRITE.

But you also can reserve memory in a procedure and patch it in there.
In case you need it, it's very easy, just use the NOP instruction. It does excactly nothing if it executes so it's a perfect space holder. 1 NOP = 1 Byte

Code: Select all

code
code
code
code

ReservedSpace:
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop

code
code
code
code

[Thorium]

Arg, we need another disassembler engine, the current disassembler engine of the onerror lib is useless, it cant disassemble very basic code. I wonder why they have changed it, the engine of the old onerror lib worked fine.

So the code is practicaly ready but i need a _working_ disassembler engine first.

[Jihugen]

I don't know what wrong for you with the onerror lib.
The supplied little example works like a charm, and I've already used it for other simple stuff without trouble...

Otherwise, there is Olly.dll, see this thread:
http://www.purebasic.fr/english/viewtop ... =5&t=42527
Or this one, but it's looking a bit harsh for me:
http://www.purebasic.fr/english/viewtop ... 27&t=42510
But it will probably be quite long before having something usable.


Oh, and the !nop trick to reserve empty space in the procedure seems very acceptable, thanks. The simpler, the most I like it...

[DarkDragon]

Well I've done a hooking-code which works on Windows 7 x64 compiled with 64bit and 32bit. It is basic hooking and uses the disassembler of purebasic, which sometimes really works wrong. And you can't call the old method at the moment.

http://www.bradan.eu/files/hook.zip (Your antivirus will recognize it as a virus, sorry)

And it doesn't use the E9 JMP. It uses

Code: Select all

MOV rax, address
JMP rax

on 64bit systems and

Code: Select all

MOV eax, address
JMP eax

on 32bit systems.

And I've got an idea on how to call the old method and remove the disassembler. The only limitation would be that it can't be called parallel anymore.

[Thorium]

I don't know what wrong for you with the onerror lib.

Try to disassemble MessageBoxA. Right on the first instruction the result is "invalid".

Code: Select all

  DisableDebugger ; do not disassemble any debugger related instructions
  
  Code_Start:
    ; Place code to be disassembled here
  !mov edi, edi
  Code_End:
  
  Text$ = "Disassembled code: " + Chr(13)  
  If ExamineAssembly(?Code_Start, ?Code_End)
    While NextInstruction()
      Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
      Text$ + " " + InstructionString() + Chr(13)
    Wend
  EndIf
  
  MessageRequester("Result", Text$)

I know the instruction is stupid but it is the first in many Windows API functions.

[Thorium]

And it doesn't use the E9 JMP. It uses

Code: Select all

MOV rax, address
JMP rax

on 64bit systems and

Code: Select all

MOV eax, address
JMP eax

on 32bit systems.

Another way i used to fool detection is

Code: Select all

!push const
!ret

[registrymechanic22]

http://www.bradan.eu/files/hook.zip

very good job.....

[SFSxOI]

Another way i used to fool detection is

Code: Select all

!push const
!ret

Fool detection by what?

http://www.bradan.eu/files/hook.zip

Good job on this by the way.

[Thorium]

Another way i used to fool detection is

Code: Select all

!push const
!ret

Fool detection by what?

By the code you quoted.

It's a jump without a jmp instruction and some detections will not detect that as a jump.

[uweb]

@Daniel :
grandiose job !!!
is it allowed to use it in (or in collaboration with) a close-source?
my project would become a more multifaceted usage with your hook.

[DarkDragon]

@Daniel :
grandiose job !!!
is it allowed to use it in (or in collaboration with) a close-source?
my project would become a more multifaceted usage with your hook.

Do whatever you want to do with it .

[uweb]

thank you double !