Page 2 of 3

Re: intercept API

Posted: Sat Jun 26, 2010 10:31 am
by registrymechanic22
Thorium wrote: sorry, English is not my native language.
write in PureBasic... :wink: :)

Re: intercept API

Posted: Sat Jun 26, 2010 1:43 pm
by Jihugen
Thorium wrote: I hope that's better understandable, sorry, English is not my native language.
I think I get it now, thanks for the explanation. 6 bytes are not enough if you want to 'copy and paste' the instruction elsewhere, to be able to call the original procedure.
But it would be enough for a simple backup (in case you don't care about calling the original procedure when the hook is set).

Just by curiosity, where would you write the backed-up bytes? In a newly allocated memory area, or right at the beginning of the hook procedure?
In the latter case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?

Thorium wrote:If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.
Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?

Re: intercept API

Posted: Sat Jun 26, 2010 3:04 pm
by Thorium
Jihugen wrote:
Thorium wrote:If you hook API functions you can just put the parameter in the hook procedure as normal parameters. No assembler needed, if it's StdCall.
Also, I wonder, when you say "If you hook API functions", what is the hooking method you're talking about?
Is it a different method that doesn't rely on patching the executable in memory?
There are different methods, like altering the import table, but that's not what I meant. I said API functions because they use the StdCall calling convention, which PB procedures use too, so they are compatible. If you jump (not call) right from the start of the API function to the PB function, you don't need to care about the parameters, because they are on the stack the same way as if the procedure had been called normally. If you use a call, you mess up the stack because it pushes the return address onto the stack.

Well, I think I'll just write a little example code.

Re: intercept API

Posted: Sat Jun 26, 2010 3:12 pm
by Thorium
Jihugen wrote: Just by curiosity, where would you write the backed-up bytes? In a newly allocated memory area, or right at the beginning of the hook procedure?
In the latter case, how do you reserve some space to write the 6 (or more) bytes at the beginning of the hook procedure?
Cleanest way would be to allocate a memory block and change access rights to #PAGE_EXECUTE_READWRITE.

But you also can reserve memory in a procedure and patch it in there.
In case you need it, it's very easy: just use the NOP instruction. It does exactly nothing when it executes, so it's a perfect placeholder. 1 NOP = 1 byte

Code:

code
code
code
code

ReservedSpace:
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop
!nop

code
code
code
code

Re: intercept API

Posted: Sat Jun 26, 2010 5:00 pm
by Thorium
Arg, we need another disassembler engine. The current disassembler engine of the onerror lib is useless, it can't disassemble very basic code. I wonder why they changed it, the engine of the old onerror lib worked fine. :cry:

So the code is practically ready, but I need a _working_ disassembler engine first.

Re: intercept API

Posted: Sat Jun 26, 2010 5:48 pm
by Jihugen
I don't know what's wrong for you with the onerror lib.
The supplied little example works like a charm, and I've already used it for other simple stuff without trouble...

Otherwise, there is Olly.dll, see this thread:
http://www.purebasic.fr/english/viewtop ... =5&t=42527
Or this one, but it's looking a bit harsh for me:
http://www.purebasic.fr/english/viewtop ... 27&t=42510
But it will probably be quite long before having something usable. :|


Oh, and the !nop trick to reserve empty space in the procedure seems very acceptable, thanks. The simpler, the more I like it... :)

Re: intercept API

Posted: Sat Jun 26, 2010 6:43 pm
by DarkDragon
Well, I've done some hooking code which works on Windows 7 x64 compiled as 64-bit and 32-bit. It is basic hooking and uses the disassembler of PureBasic, which sometimes really works wrong. And you can't call the old method at the moment.

http://www.bradan.eu/files/hook.zip (Your antivirus will recognize it as a virus, sorry)

And it doesn't use the E9 JMP. It uses

Code:

MOV rax, address
JMP rax
on 64bit systems and

Code:

MOV eax, address
JMP eax
on 32bit systems.

And I've got an idea on how to call the old method and remove the disassembler. The only limitation would be that it can't be called in parallel anymore.

Re: intercept API

Posted: Sat Jun 26, 2010 7:07 pm
by Thorium
Jihugen wrote:I don't know what wrong for you with the onerror lib.
Try to disassemble MessageBoxA. Right on the first instruction the result is "invalid". :shock:

Code:

  DisableDebugger ; do not disassemble any debugger related instructions
  
  Code_Start:
    ; Place code to be disassembled here
  !mov edi, edi
  Code_End:
  
  Text$ = "Disassembled code: " + Chr(13)  
  If ExamineAssembly(?Code_Start, ?Code_End)
    While NextInstruction()
      Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
      Text$ + " " + InstructionString() + Chr(13)
    Wend
  EndIf
  
  MessageRequester("Result", Text$)
I know the instruction is stupid but it is the first in many Windows API functions.

Re: intercept API

Posted: Sat Jun 26, 2010 7:11 pm
by Thorium
DarkDragon wrote: And it doesn't use the E9 JMP. It uses

Code:

MOV rax, address
JMP rax
on 64bit systems and

Code:

MOV eax, address
JMP eax
on 32bit systems.
Another way I used to fool detection is

Code:

!push const
!ret

Re: intercept API

Posted: Sat Jun 26, 2010 7:19 pm
by registrymechanic22
very good job.....

Re: intercept API

Posted: Sat Aug 21, 2010 4:35 pm
by SFSxOI
Thorium wrote: Another way i used to fool detection is

Code:

!push const
!ret
Fool detection by what?

Good job on this by the way.

Re: intercept API

Posted: Sat Aug 21, 2010 9:37 pm
by Thorium
SFSxOI wrote:
Thorium wrote: Another way i used to fool detection is

Code:

!push const
!ret
Fool detection by what?
By the code you quoted. :?:

It's a jump without a jmp instruction and some detections will not detect that as a jump.
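The redirection stubs discussed in this thread (the E9 JMP, DarkDragon's MOV reg/JMP reg pair, and Thorium's PUSH/RET) all have fixed byte encodings, so a hook checker can recognise them at a function's first bytes. The following is an added example written for this page, not code from the thread or from any of the posters, and it is Python rather than PureBasic. Function addresses and prologue bytes below are constructed samples, not captured from a real process; the check also looks past the two-byte `mov edi, edi` hot-patch prologue that Thorium mentions as the first instruction of many Windows API functions.

```python
"""Recognise inline-hook redirection stubs at the start of a function.

Patterns checked (x86 / x64 encodings):
  E9 rel32              jmp rel32
  B8 imm32  FF E0       mov eax, imm32 ; jmp eax   (32-bit)
  48 B8 imm64  FF E0    mov rax, imm64 ; jmp rax   (64-bit)
  68 imm32  C3          push imm32 ; ret
The first bytes of a function are compared against these; a hit is a
signal to compare the in-memory bytes with the on-disk image, because a
legitimate thunk can also begin with a jmp.
"""
import struct

MASK64 = (1 << 64) - 1

# Constructed sample prologues: name -> (function address, first bytes).
# These are made up for the example, not read from any real module.
SAMPLES = {
    "clean":      (0x7C801000, bytes.fromhex("8bff558bec")),          # mov edi,edi; push ebp; mov ebp,esp
    "jmp_rel32":  (0x7C802000, b"\xe9" + struct.pack("<i", 0x1000)),  # jmp +0x1000
    "mov_jmp32":  (0x7C803000, b"\xb8" + struct.pack("<I", 0x00401000) + b"\xff\xe0"),
    "mov_jmp64":  (0x7FF600001000, b"\x48\xb8" + struct.pack("<Q", 0x7FF600401000) + b"\xff\xe0"),
    "push_ret":   (0x7C804000, b"\x68" + struct.pack("<I", 0x00401234) + b"\xc3"),
    "hotpatched": (0x7C805000, b"\x8b\xff\xe9" + struct.pack("<i", 0x100)),  # mov edi,edi; jmp +0x100
}


def _match_stub(code, addr):
    """Match one stub at the start of `code`, which lives at address `addr`.

    Returns (kind, resolved target, stub length) or None.
    """
    if len(code) >= 5 and code[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & MASK64, 5            # target is relative to the next instruction
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":
        return "mov eax, imm32; jmp eax", struct.unpack_from("<I", code, 1)[0], 7
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0], 12
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0], 6
    return None


def classify_prologue(code, addr):
    """Return (kind, target, offset) if the prologue looks redirected, else None.

    `offset` is where the stub starts: 0, or 2 when it follows the
    two-byte `mov edi, edi` (8B FF) hot-patch prologue.
    """
    hit = _match_stub(code, addr)
    if hit:
        return hit[0], hit[1], 0
    if code[:2] == b"\x8b\xff":
        hit = _match_stub(code[2:], addr + 2)
        if hit:
            return hit[0], hit[1], 2
    return None


def scan(samples):
    """Classify every sample; None means no known stub was found."""
    return {name: classify_prologue(code, addr) for name, (addr, code) in samples.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        if result is None:
            print(f"{name:12s} no redirection stub found")
        else:
            kind, target, off = result
            print(f"{name:12s} {kind} at +{off} -> {target:#x}")
```

In a real check the bytes would be read from a loaded module's exported functions and any hit compared against the same function in the file on disk, since the byte patterns alone cannot distinguish a hook from a compiler-generated thunk.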

Re: intercept API

Posted: Sun Sep 12, 2010 5:29 pm
by uweb
@Daniel :
grandiose job!!!
is it allowed to use it in (or in collaboration with) a closed-source?
my project would become a more multifaceted usage with your hook.

Re: intercept API

Posted: Sun Sep 12, 2010 6:13 pm
by DarkDragon
uweb wrote:@Daniel :
grandiose job!!!
is it allowed to use it in (or in collaboration with) a closed-source?
my project would become a more multifaceted usage with your hook.
Do whatever you want to do with it ;-) .

Re: intercept API

Posted: Sun Sep 12, 2010 7:20 pm
by uweb
thank you double!