Hot Patching hook (32bits)
- Kwai chang caine
- Always Here
- Posts: 5357
- Joined: Sun Nov 05, 2006 11:42 pm
- Location: Lyon - France
Re: Hot Patching hook (32bits)
Excuse me, but this super subject give to me an idea
Believe you it's possible to modify the behaviour of the OLE32.dll, with this great code ????
Believe you it's possible to modify the behaviour of the OLE32.dll, with this great code ????
The happiness is a road...
Not a destination
Not a destination
Re: Hot Patching hook (32bits)
Updated, as today even syscalls are hot-patchable.
Example:
Code: Select all
; Hot Patch Hooking
; --------------------------------------------------
; Place Hook
; $E9, $xx, $xx, $xx, $xx, $EB, $F9
; --------------------------------------------------
Procedure HotPatchHook(TargetFuncAddress.l, ProxyFuncAddress.l)
Protected.l Protection, JumpOffset = (ProxyFuncAddress - (TargetFuncAddress - 5)) - 5
VirtualProtect_(TargetFuncAddress - 5, 7, #PAGE_EXECUTE_READWRITE, @Protection)
PokeB(TargetFuncAddress - 5, $E9) ; Far Jump
PokeL(TargetFuncAddress - 4, JumpOffset)
PokeB(TargetFuncAddress + 0, $EB) ; Short Jump
PokeB(TargetFuncAddress + 1, $F9) ; -5
VirtualProtect_(TargetFuncAddress - 5, 7, Protection, @Protection)
EndProcedure
; --------------------------------------------------
; Remove Hook
; $CC, $CC, $CC, $CC, $CC, $8B, $FF
; --------------------------------------------------
Procedure RemoveHook(TargetFuncAddress.l)
Protected.l Protection
VirtualProtect_(TargetFuncAddress - 5, 7, #PAGE_EXECUTE_READWRITE, @Protection)
PokeB(TargetFuncAddress - 5, $CC)
PokeB(TargetFuncAddress - 4, $CC)
PokeB(TargetFuncAddress - 3, $CC)
PokeB(TargetFuncAddress - 2, $CC)
PokeB(TargetFuncAddress - 1, $CC)
PokeB(TargetFuncAddress + 0, $8B)
PokeB(TargetFuncAddress + 1, $FF)
VirtualProtect_(TargetFuncAddress - 5, 7, Protection, @Protection)
EndProcedure
; --------------------------------------------------
; Check If Function Is Hot Patchable
; --------------------------------------------------
Procedure.b IsHotPatchable(TargetFuncAddress.l)
Protected.q EntryPoint = PeekQ(TargetFuncAddress - 5)
If FindString(Hex(EntryPoint), "FF8BCCCCCCCCCC", 3)
ProcedureReturn #True
EndIf
ProcedureReturn #False
EndProcedure
Code: Select all
XIncludeFile "HotPatch.pbi"
Prototype.l ProtoMessageBox(hWnd.l, *lpText, *lpCaption, uType.l = 0)
Global CocoaMessageBox.ProtoMessageBox
; Hooked MessageBoxW
Procedure MsgBoxProxy(hWnd.l, *lpText, *lpCaption, uType.l = 0)
Debug "MessageBoxW => " + "Title: " + PeekS(*lpCaption) + " Body: " + PeekS(*lpText)
CocoaMessageBox(hWnd, *lpText, *lpCaption, uType)
EndProcedure
; Main
If OpenLibrary(0, "User32.dll")
Address.l = GetFunction(0, "MessageBoxW")
If IsHotPatchable(Address)
CocoaMessageBox = Address + 2
HotPatchHook(Address, @MsgBoxProxy())
CallFunction(0, "MessageBoxW", 0, @"Body", @"Title", 0)
CallFunction(0, "MessageBoxW", 0, @"bbbb", @"aaaa", 0)
CallFunction(0, "MessageBoxW", 0, @"2222", @"1111", 0)
RemoveHook(Address)
CallFunction(0, "MessageBoxW", 0, @"dddd", @"cccc", 0)
EndIf
EndIf
Re: Hot Patching hook (32bits)
Maybe it could stop false positives with virus-checkers? I will have to check this out.SFSxOI wrote:if you still need to declair a prototype of some sort and still call the API then why not just call the API in the first place instead of adding additional code that in the end does the same thing?
Re: Hot Patching hook (32bits)
This is often used to update a running program or to add in some logging functionality (statistics).BarryG wrote:Maybe it could stop false positives with virus-checkers? I will have to check this out.SFSxOI wrote:if you still need to declair a prototype of some sort and still call the API then why not just call the API in the first place instead of adding additional code that in the end does the same thing?
Hooks are also often used in the game modding scene or program automation.
With some minor changes the method shown here can be used to hook code without the need of pre existing 'spaces'.
Hooking itself will more likely increase false positives as it is also used in malware.
Re: Hot Patching hook (32bits)
@Opcode: IsHotPatchable() always returns 0 on my rig with Win7 x64 PB5.71(x86+x64) and WinXP x86 (VM) PB5.70(x86). Any ideas why?
Et cetera is my worst enemy
Re: Hot Patching hook (32bits)
From my personal experience, the best way to reduce false positives with PB compiled binary is to make sure you include version info (some antivirus scanners will flag it simply because it lacks version info) and then packing the binary with UPX (scrambles and masks signatures that antivirus scanners have flag otherwise). If I do neither, I'll get like 13/69 on VirusTotal. If I do both, depending on the code base I'm comping I can even achieve 0/69. I've noticed even just version info strings themselves can upset virus scanners. So you have to be creative and do a little trial and error.BarryG wrote:Maybe it could stop false positives with virus-checkers? I will have to check this out.SFSxOI wrote:if you still need to declair a prototype of some sort and still call the API then why not just call the API in the first place instead of adding additional code that in the end does the same thing?
I changed NOP to INT3 since on Windows 10 Pro x64 it wouldn't work (what's read on my machine shows "FF8BCCCCCCCCCC" instead of "FF8B9090909090").chi wrote:@Opcode: IsHotPatchable() always returns 0 on my rig with Win7 x64 PB5.71(x86+x64) and WinXP x86 (VM) PB5.70(x86). Any ideas why?
You could try going back to using NOP.
Code: Select all
If FindString(Hex(EntryPoint), "FF8B9090909090", 3)
Code: Select all
PokeB(TargetFuncAddress - 5, $90)
PokeB(TargetFuncAddress - 4, $90)
PokeB(TargetFuncAddress - 3, $90)
PokeB(TargetFuncAddress - 2, $90)
PokeB(TargetFuncAddress - 1, $90)
PokeB(TargetFuncAddress + 0, $8B)
PokeB(TargetFuncAddress + 1, $FF)
Re: Hot Patching hook (32bits)
@Opcode: Thanks, with "FF8B9090909090" I got it working on PB x86, but on PB x64 Hex(EntryPoint) returns "EC83489090909090". I think it's because the user32.dll doesn't load from "C:\Windows\System32\user32.dll" but from "C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.24524_none_2bdcf8519d2214ea\user32.dll" instead. Seems like MS patched the HotPatching feature?! The dll now contains "90 90 90 90 90 90 90 90 90 48 83 EC" instead of "90 90 90 90 90 8B FF"...
Et cetera is my worst enemy
Re: Hot Patching hook (32bits)
It seems there's a lot of variance between builds of Windows in regards to if they use NOP or INT3. I will stick to the inline method of hooking (using a trampoline) as it still works flawlessly.chi wrote:@Opcode: Thanks, with "FF8B9090909090" I got it working on PB x86, but on PB x64 Hex(EntryPoint) returns "EC83489090909090". I think it's because the user32.dll doesn't load from "C:\Windows\System32\user32.dll" but from "C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.24524_none_2bdcf8519d2214ea\user32.dll" instead. Seems like MS patched the HotPatching feature?! The dll now contains "90 90 90 90 90 90 90 90 90 48 83 EC" instead of "90 90 90 90 90 8B FF"...
I posted updated code in this topic if you're interested: viewtopic.php?p=543517#p543517
Re: Hot Patching hook (32bits)
Thanks, going to check it out...Opcode wrote:It seems there's a lot of variance between builds of Windows in regards to if they use NOP or INT3. I will stick to the inline method of hooking (using a trampoline) as it still works flawlessly.chi wrote:@Opcode: Thanks, with "FF8B9090909090" I got it working on PB x86, but on PB x64 Hex(EntryPoint) returns "EC83489090909090". I think it's because the user32.dll doesn't load from "C:\Windows\System32\user32.dll" but from "C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.24524_none_2bdcf8519d2214ea\user32.dll" instead. Seems like MS patched the HotPatching feature?! The dll now contains "90 90 90 90 90 90 90 90 90 48 83 EC" instead of "90 90 90 90 90 8B FF"...
I posted updated code in this topic if you're interested: viewtopic.php?p=543517#p543517
I was using Peyman's API_HookEngine Module for some time, but eventually switched to MinHook because it's much more reliable and has some unique features.
Et cetera is my worst enemy
Re: Hot Patching hook (32bits)
The easiest solution for a multiplatfom scenario is to hook the IAT instead of the function itself.chi wrote:@Opcode: Thanks, with "FF8B9090909090" I got it working on PB x86, but on PB x64 Hex(EntryPoint) returns "EC83489090909090". I think it's because the user32.dll doesn't load from "C:\Windows\System32\user32.dll" but from "C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.24524_none_2bdcf8519d2214ea\user32.dll" instead. Seems like MS patched the HotPatching feature?! The dll now contains "90 90 90 90 90 90 90 90 90 48 83 EC" instead of "90 90 90 90 90 8B FF"...