All times are UTC + 1 hour

[ 32 posts ] Go to page Previous 1, 2, 3 Next
Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 10:31 am by a poster ranked Enthusiast (Joined: Sun Jun 28, 2009 7:07 pm, Posts: 176, Location: RUS)
Thorium wrote:
sorry, English is not my native language.

write in PureBasic... :wink: :)


Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 1:43 pm by Jihugen (User; Joined: Mon Jun 07, 2010 11:36 pm, Posts: 45, Location: Normandy, France)
Thorium wrote:
I hope that's better understandable, sorry, English is not my native language.

I think I get it now, thanks for the explanation. 6 bytes are not enough if you want to 'copy and paste' the instruction elsewhere, to be able to call the original procedure.
But it would be enough for a simple backup (in case you don't care about calling the original procedure while the hook is set).

Just out of curiosity, where would you write the backed-up bytes? In a newly allocated memory area, or right at the beginning of the hook procedure?
In the latter case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?


Thorium wrote:
If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.

Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?


Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 3:04 pm by Thorium (Addict; Joined: Sat Aug 15, 2009 6:59 pm, Posts: 1252)
Jihugen wrote:
Thorium wrote:
If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.

Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?

There are different methods, like altering the import table, but that's not what I meant. I said API functions because they use the StdCall calling convention, which PB procedures use too, so they are compatible. If you jump (not call) right from the start of the API function to the PB procedure you don't need to care about the parameters, because they are on the stack the same way as if the procedure had been called normally. If you use a call you mess up the stack, because it pushes the return address onto the stack.

Well, I think I'll just write a little example code.


Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 3:12 pm by Thorium (Addict; Joined: Sat Aug 15, 2009 6:59 pm, Posts: 1252)
Jihugen wrote:
Just by curiosity, where would you write the backuped bytes. In a new allocated memory area, or right at the beginning of the hook procedure?
In the later case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?

The cleanest way would be to allocate a memory block and change its access rights to #PAGE_EXECUTE_READWRITE.

But you can also reserve memory inside a procedure and patch it in there.
In case you need it, it's very easy: just use the NOP instruction. It does exactly nothing when it executes, so it's a perfect placeholder. 1 NOP = 1 byte

Code:
code
code
code
code

ReservedSpace:
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop

code
code
code
code


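
The two points made in the posts above (the hook must steal whole instructions, at least 5 bytes for an E9 jump, if the original is ever to be called again; and the backup has to sit in executable memory) as an added example in C. This is not code from the thread or from any poster. It assumes 32-bit Win32-style prologues; the prologue bytes and both addresses are constructed, the length decoder knows only the handful of opcodes such prologues use, and the trampoline buffer is assumed to be a block that is already PAGE_EXECUTE_READWRITE, as Thorium suggests. Names such as build_trampoline and prologue_insn_len are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DETOUR_LEN 5                  /* the E9 rel32 jump that overwrites the entry */

/* Length decoder for the handful of 32-bit instructions found at the start of
 * typical Win32 API functions. Returns 0 for anything unknown, and also for
 * call/jmp rel32, which cannot be moved without fixing up their displacement. */
size_t prologue_insn_len(const uint8_t *p)
{
    switch (p[0]) {
    case 0x90:                                    return 1; /* nop                        */
    case 0x50: case 0x51: case 0x52: case 0x53:
    case 0x55: case 0x56: case 0x57:              return 1; /* push r32                   */
    case 0x89: case 0x8B:                                   /* mov r/m32,r32 / mov r32,r/m32 */
        return (p[1] & 0xC0) == 0xC0 ? 2 : 0;               /* register-direct forms only */
    case 0x83:                                              /* add/sub/and r/m32, imm8    */
        return (p[1] & 0xC0) == 0xC0 ? 3 : 0;
    case 0xE8: case 0xE9:                         return 0; /* relative call/jmp: refuse  */
    default:                                      return 0;
    }
}

static void put_le32(uint8_t *dst, uint32_t v)
{
    for (int i = 0; i < 4; i++) dst[i] = (uint8_t)(v >> (8 * i));
}

/* Writes "jmp rel32" into dst, which will execute at address at, to target.
 * The unsigned subtraction wraps, so backward jumps encode correctly too. */
void write_jmp_rel32(uint8_t *dst, uint32_t at, uint32_t target)
{
    dst[0] = 0xE9;
    put_le32(dst + 1, target - (at + DETOUR_LEN));
}

/* Copies whole instructions from orig (which lives at orig_addr) into tramp
 * (at tramp_addr, assumed already executable) until at least DETOUR_LEN bytes
 * are covered, then appends a jump back to the first untouched original
 * instruction. Returns the number of stolen bytes (what the detour overwrites
 * and what must be backed up), or 0 if the prologue contains an instruction
 * the decoder cannot relocate. tramp needs room for 16 bytes. */
size_t build_trampoline(const uint8_t *orig, uint32_t orig_addr,
                        uint8_t *tramp, uint32_t tramp_addr)
{
    size_t stolen = 0;
    while (stolen < DETOUR_LEN) {
        size_t n = prologue_insn_len(orig + stolen);
        if (n == 0) return 0;
        stolen += n;                  /* never cut an instruction in half */
    }
    memcpy(tramp, orig, stolen);
    write_jmp_rel32(tramp + stolen, tramp_addr + (uint32_t)stolen,
                    orig_addr + (uint32_t)stolen);
    return stolen;
}

int main(void)
{
    /* Constructed bytes: the hotpatchable prologue "mov edi,edi; push ebp;
     * mov ebp,esp" followed by "sub esp,10h; push esi". Both addresses are
     * made up as well. */
    static const uint8_t prologue[] = {0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0x56};
    uint8_t tramp[16];
    size_t stolen = build_trampoline(prologue, 0x7E450000u, tramp, 0x00A10000u);
    printf("stolen %zu bytes, trampoline:", stolen);
    for (size_t i = 0; i < stolen + DETOUR_LEN; i++) printf(" %02X", tramp[i]);
    printf("\n");
    return 0;
}
```

With the "mov edi, edi; push ebp; mov ebp, esp" prologue the stolen count is exactly 5, which is why that sequence exists: Microsoft's hotpatch prologue guarantees a 5-byte jump never lands mid-instruction. Without the leading mov edi, edi the builder has to take 6 bytes (push ebp; mov ebp, esp; sub esp, 10h), and a relative call inside the first 5 bytes makes it refuse, because copying E8 rel32 unchanged would send the trampoline somewhere else. The stolen bytes are also the only backup a hook needs if it just wants to restore the function later.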
Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 5:00 pm by Thorium (Addict; Joined: Sat Aug 15, 2009 6:59 pm, Posts: 1252)
Argh, we need another disassembler engine; the current disassembler engine of the OnError lib is useless, it can't disassemble very basic code. I wonder why they changed it, the engine of the old OnError lib worked fine. :cry:

So the code is practically ready, but I need a _working_ disassembler engine first.


Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 5:48 pm by Jihugen (User; Joined: Mon Jun 07, 2010 11:36 pm, Posts: 45, Location: Normandy, France)
I don't know what's wrong for you with the OnError lib.
The supplied little example works like a charm, and I've already used it for other simple stuff without trouble...

Otherwise, there is Olly.dll, see this thread:
viewtopic.php?f=5&t=42527
Or this one, but it's looking a bit harsh for me:
viewtopic.php?f=27&t=42510
But it will probably be quite long before having something usable. :|


Oh, and the !nop trick to reserve empty space in the procedure seems very acceptable, thanks. The simpler, the more I like it... :)


Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 6:43 pm by DarkDragon (Addict; Joined: Mon Jun 02, 2003 9:16 am, Posts: 2093, Location: Germany)
Well, I've done some hooking code which works on Windows 7 x64, compiled as 64-bit and 32-bit. It is basic hooking and uses the disassembler of PureBasic, which sometimes really works wrong. And you can't call the old method at the moment.

http://www.bradan.eu/files/hook.zip (Your antivirus will recognize it as a virus, sorry)

And it doesn't use the E9 JMP. It uses
Code:
MOV rax, address
JMP rax

on 64bit systems and
Code:
MOV eax, address
JMP eax

on 32bit systems.

And I've got an idea on how to call the old method and remove the disassembler. The only limitation would be that it can't be called parallel anymore.

_________________
bye,
Daniel


Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 7:07 pm by Thorium (Addict; Joined: Sat Aug 15, 2009 6:59 pm, Posts: 1252)
Jihugen wrote:
I don't know what wrong for you with the onerror lib.

Try to disassemble MessageBoxA. Right on the first instruction the result is "invalid". :shock:

Code:
  DisableDebugger ; do not disassemble any debugger related instructions
 
  Code_Start:
    ; Place code to be disassembled here
  !mov edi, edi
  Code_End:
 
  Text$ = "Disassembled code: " + Chr(13) 
  If ExamineAssembly(?Code_Start, ?Code_End)
    While NextInstruction()
      Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
      Text$ + " " + InstructionString() + Chr(13)
    Wend
  EndIf
 
  MessageRequester("Result", Text$)

I know the instruction is stupid, but it is the first one in many Windows API functions.


Last edited by Thorium on Sat Jun 26, 2010 7:18 pm, edited 1 time in total.

Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 7:11 pm by Thorium (Addict; Joined: Sat Aug 15, 2009 6:59 pm, Posts: 1252)
DarkDragon wrote:
And it doesn't use the E9 JMP. It uses
Code:
MOV rax, address
JMP rax

on 64bit systems and
Code:
MOV eax, address
JMP eax

on 32bit systems.

Another way I used to fool detection is
Code:
!push const
!ret


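
DarkDragon's mov/jmp stub and Thorium's push/ret stub, next to the plain E9 jump, as an added example (not code from the thread or from either poster's hook library): one encoder per stub form that reports the stub length and refuses targets that form cannot reach, plus, on Linux/x86-64 only, a self-hook of a function inside the same process to show that a jump (not a call) hands the hook the caller's untouched arguments and return address. The functions add, hook_add, install and encode_detour are mine; the addresses in the comments are illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum detour { DETOUR_JMP_REL32, DETOUR_PUSH_RET, DETOUR_MOV_EAX_JMP, DETOUR_MOV_RAX_JMP };

static void put_le(uint8_t *dst, uint64_t v, int bytes)
{
    for (int i = 0; i < bytes; i++) dst[i] = (uint8_t)(v >> (8 * i));
}

/* Encodes a detour stub of the given form into out (room for 12 bytes).
 * src is the address the stub will occupy, target the hook entry.
 * Returns the stub length, or 0 when that form cannot reach target. */
size_t encode_detour(enum detour kind, uint64_t src, uint64_t target, uint8_t *out)
{
    switch (kind) {
    case DETOUR_JMP_REL32: {              /* E9 rel32: relative, target within +-2 GiB */
        int64_t rel = (int64_t)target - (int64_t)(src + 5);
        if (rel < INT32_MIN || rel > INT32_MAX) return 0;
        out[0] = 0xE9; put_le(out + 1, (uint64_t)rel, 4);
        return 5;
    }
    case DETOUR_PUSH_RET:                 /* 68 imm32 / C3: absolute, clobbers no register */
        if (target > INT32_MAX) return 0; /* push imm32 is sign-extended in 64-bit mode */
        out[0] = 0x68; put_le(out + 1, target, 4); out[5] = 0xC3;
        return 6;
    case DETOUR_MOV_EAX_JMP:              /* B8 imm32 / FF E0: absolute, clobbers eax */
        if (target > UINT32_MAX) return 0;
        out[0] = 0xB8; put_le(out + 1, target, 4); out[5] = 0xFF; out[6] = 0xE0;
        return 7;
    case DETOUR_MOV_RAX_JMP:              /* 48 B8 imm64 / FF E0: absolute, clobbers rax */
        out[0] = 0x48; out[1] = 0xB8; put_le(out + 2, target, 8); out[10] = 0xFF; out[11] = 0xE0;
        return 12;
    }
    return 0;
}

#if defined(__linux__) && defined(__x86_64__)
#include <sys/mman.h>
#include <unistd.h>

/* 64-byte alignment leaves padding after each function, so a stub of up to
 * 12 bytes written at the start of add() cannot spill into another function. */
__attribute__((noinline, aligned(64))) int add(int a, int b)      { return a + b; }
__attribute__((noinline, aligned(64))) int hook_add(int a, int b) { return a * b + 1000; }

/* Overwrites the entry of the function at fn with a stub jumping to hook.
 * Because the stub jumps instead of calling, nothing extra is pushed: the
 * hook sees the caller's arguments and return address exactly as the
 * original would have. */
int install(uintptr_t fn, enum detour kind, uintptr_t hook)
{
    uint8_t stub[12];
    size_t n = encode_detour(kind, fn, hook, stub);
    if (n == 0) return -1;                        /* this form cannot reach hook */
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = fn & ~(page - 1);
    size_t len = (fn + n) - start;                /* also covers a page crossing */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy((void *)fn, stub, n);
    mprotect((void *)start, len, PROT_READ | PROT_EXEC);
    return 0;
}
#endif

int main(void)
{
#if defined(__linux__) && defined(__x86_64__)
    int (*volatile call)(int, int) = add;         /* volatile: stop the compiler folding add(2,3) */
    printf("before hook: %d\n", call(2, 3));
    /* A PIE binary is loaded above 2^31, so the 6-byte push/ret stub is refused here. */
    if (install((uintptr_t)add, DETOUR_PUSH_RET, (uintptr_t)hook_add) != 0)
        printf("push/ret cannot reach %p\n", (void *)(uintptr_t)hook_add);
    if (install((uintptr_t)add, DETOUR_JMP_REL32, (uintptr_t)hook_add) == 0)
        printf("after jmp rel32 hook: %d\n", call(2, 3));
#endif
    return 0;
}
```

The lengths are the practical trade-off behind the "how many bytes to back up" question: E9 needs 5 bytes but only reaches +-2 GiB, push/ret needs 6 and clobbers nothing, mov eax/jmp eax needs 7 and is fine at a StdCall entry because eax is scratch there, and the 64-bit mov rax/jmp rax needs 12, so a 64-bit hook must steal at least 12 bytes of prologue. In 64-bit mode push imm32 is sign-extended, which is why the push/ret form cannot reach code loaded above 2^31 and the self-hook in main falls back to the relative jump; on 32-bit Windows every user-mode address fits, so that check never triggers there.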
Post subject: Re: intercept API
Posted: Sat Jun 26, 2010 7:19 pm by a poster ranked Enthusiast (Joined: Sun Jun 28, 2009 7:07 pm, Posts: 176, Location: RUS)
DarkDragon wrote:

Very good job.....


Post subject: Re: intercept API
Posted: Sat Aug 21, 2010 4:35 pm by SFSxOI (Addict; Joined: Sat Dec 31, 2005 5:24 pm, Posts: 2970, Location: Where ya would never look.....)
Thorium wrote:
Another way I used to fool detection is
Code:
!push const
!ret


Fool detection by what?


DarkDragon wrote:


Good job on this by the way.

_________________
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.


Post subject: Re: intercept API
Posted: Sat Aug 21, 2010 9:37 pm by Thorium (Addict; Joined: Sat Aug 15, 2009 6:59 pm, Posts: 1252)
SFSxOI wrote:
Thorium wrote:
Another way I used to fool detection is
Code:
!push const
!ret


Fool detection by what?

By the code you quoted. :?:

It's a jump without a jmp instruction, and some detections will not detect that as a jump.


Post subject: Re: intercept API
Posted: Sun Sep 12, 2010 5:29 pm by uweb (User; Joined: Wed Mar 15, 2006 9:40 am, Posts: 98, Location: Germany)
@Daniel:
Grandiose job!!!
Is it allowed to use it in (or in collaboration with) a closed-source project?
My project would gain a more multifaceted use with your hook.

_________________
Please pardon my English, my native tongue is German.


Post subject: Re: intercept API
Posted: Sun Sep 12, 2010 6:13 pm by DarkDragon (Addict; Joined: Mon Jun 02, 2003 9:16 am, Posts: 2093, Location: Germany)
uweb wrote:
@Daniel:
Grandiose job!!!
Is it allowed to use it in (or in collaboration with) a closed-source project?
My project would gain a more multifaceted use with your hook.


Do whatever you want to do with it ;-) .

_________________
bye,
Daniel


Post subject: Re: intercept API
Posted: Sun Sep 12, 2010 7:20 pm by uweb (User; Joined: Wed Mar 15, 2006 9:40 am, Posts: 98, Location: Germany)
Thank you twice!

_________________
Please pardon my English, my native tongue is German.

