intercept API

Just starting out? Need help? Post your questions and find answers here.
registrymechanic22
Enthusiast
Enthusiast
Posts: 176
Joined: Sun Jun 28, 2009 7:07 pm
Location: RUS

Re: intercept API

Post by registrymechanic22 »

Thorium wrote: sorry english is not my nativ language.
write in PureBasic... :wink: :)
Jihugen
User
User
Posts: 45
Joined: Mon Jun 07, 2010 11:36 pm
Location: Normandy, France

Re: intercept API

Post by Jihugen »

Thorium wrote:I hope thats better understandable, sorry english is not my nativ language.
I think I get it now, thanks for the explanation. 6 Bytes are not enough if you want to 'copy and paste' the instruction elsewhere, to be able to call the original procedure.
But it would be enough for a simple backup (in case you don't care about calling the original procedure when the hook is set).

Just by curiosity, where would you write the backuped bytes. In a new allocated memory area, or right at the beginning of the hook procedure?
In the later case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?

Thorium wrote:If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.
Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?
Thorium
Addict
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: intercept API

Post by Thorium »

Jihugen wrote:
Thorium wrote:If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.
Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?
There are different methods, like altering the import table, but thats not what i meant. I said API functions, because they use the SdtCall call convention which PB procedurs use, so they are compatible. If you jump (not call) right from the start of the API function to the PB function you dont need to care about the parameters, because they are on the stack the same way if the procedure would have called normal. If you use a call you mess up the stack because it pushes the return address to the stack.

Well, i think i just write a little example code.
Thorium
Addict
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: intercept API

Post by Thorium »

Jihugen wrote: Just by curiosity, where would you write the backuped bytes. In a new allocated memory area, or right at the beginning of the hook procedure?
In the later case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?
Cleanest way would be to allocate a memory block and change access rights to #PAGE_EXECUTE_READWRITE.

But you also can reserve memory in a procedure and patch it in there.
In case you need it, it's very easy, just use the NOP instruction. It does excactly nothing if it executes so it's a perfect space holder. 1 NOP = 1 Byte

Code: Select all

code
code
code
code

ReservedSpace:
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop

code
code
code
code
Thorium
Addict
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: intercept API

Post by Thorium »

Arg, we need another disassembler engine, the current disassembler engine of the onerror lib is useless, it cant disassemble very basic code. I wonder why they have changed it, the engine of the old onerror lib worked fine. :cry:

So the code is practicaly ready but i need a _working_ disassembler engine first.
Jihugen
User
User
Posts: 45
Joined: Mon Jun 07, 2010 11:36 pm
Location: Normandy, France

Re: intercept API

Post by Jihugen »

I don't know what wrong for you with the onerror lib.
The supplied little example works like a charm, and I've already used it for other simple stuff without trouble...

Otherwise, there is Olly.dll, see this thread:
http://www.purebasic.fr/english/viewtop ... =5&t=42527
Or this one, but it's looking a bit harsh for me:
http://www.purebasic.fr/english/viewtop ... 27&t=42510
But it will probably be quite long before having something usable. :|


Oh, and the !nop trick to reserve empty space in the procedure seems very acceptable, thanks. The simpler, the most I like it... :)
DarkDragon
Addict
Addict
Posts: 2218
Joined: Mon Jun 02, 2003 9:16 am
Location: Germany
Contact:

Re: intercept API

Post by DarkDragon »

Well I've done a hooking-code which works on Windows 7 x64 compiled with 64bit and 32bit. It is basic hooking and uses the disassembler of purebasic, which sometimes really works wrong. And you can't call the old method at the moment.

http://www.bradan.eu/files/hook.zip (Your antivirus will recognize it as a virus, sorry)

And it doesn't use the E9 JMP. It uses

Code: Select all

MOV rax, address
JMP rax
on 64bit systems and

Code: Select all

MOV eax, address
JMP eax
on 32bit systems.

And I've got an idea on how to call the old method and remove the disassembler. The only limitation would be that it can't be called parallel anymore.
bye,
Daniel
Thorium
Addict
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: intercept API

Post by Thorium »

Jihugen wrote:I don't know what wrong for you with the onerror lib.
Try to disassemble MessageBoxA. Right on the first instruction the result is "invalid". :shock:

Code: Select all

  DisableDebugger ; do not disassemble any debugger related instructions
  
  Code_Start:
    ; Place code to be disassembled here
  !mov edi, edi
  Code_End:
  
  Text$ = "Disassembled code: " + Chr(13)  
  If ExamineAssembly(?Code_Start, ?Code_End)
    While NextInstruction()
      Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
      Text$ + " " + InstructionString() + Chr(13)
    Wend
  EndIf
  
  MessageRequester("Result", Text$)
I know the instruction is stupid but it is the first in many Windows API functions.
Last edited by Thorium on Sat Jun 26, 2010 7:18 pm, edited 1 time in total.
Thorium
Addict
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: intercept API

Post by Thorium »

DarkDragon wrote: And it doesn't use the E9 JMP. It uses

Code: Select all

MOV rax, address
JMP rax
on 64bit systems and

Code: Select all

MOV eax, address
JMP eax
on 32bit systems.
Another way i used to fool detection is

Code: Select all

!push const
!ret
registrymechanic22
Enthusiast
Enthusiast
Posts: 176
Joined: Sun Jun 28, 2009 7:07 pm
Location: RUS

Re: intercept API

Post by registrymechanic22 »

very good job.....
SFSxOI
Addict
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Re: intercept API

Post by SFSxOI »

Thorium wrote: Another way i used to fool detection is

Code: Select all

!push const
!ret
Fool detection by what?

Good job on this by the way.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
Thorium
Addict
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: intercept API

Post by Thorium »

SFSxOI wrote:
Thorium wrote: Another way i used to fool detection is

Code: Select all

!push const
!ret
Fool detection by what?
By the code you quoted. :?:

It's a jump without a jmp instruction and some detections will not detect that as a jump.
uweb
User
User
Posts: 98
Joined: Wed Mar 15, 2006 9:40 am
Location: Germany

Re: intercept API

Post by uweb »

@Daniel :
grandiose job !!!
is it allowed to use it in (or in collaboration with) a close-source?
my project would become a more multifaceted usage with your hook.
Please pardon my English, my native tongue is German.
DarkDragon
Addict
Addict
Posts: 2218
Joined: Mon Jun 02, 2003 9:16 am
Location: Germany
Contact:

Re: intercept API

Post by DarkDragon »

uweb wrote:@Daniel :
grandiose job !!!
is it allowed to use it in (or in collaboration with) a close-source?
my project would become a more multifaceted usage with your hook.
Do whatever you want to do with it ;-) .
bye,
Daniel
uweb
User
User
Posts: 98
Joined: Wed Mar 15, 2006 9:40 am
Location: Germany

Re: intercept API

Post by uweb »

thank you double !
Please pardon my English, my native tongue is German.
Post Reply