Hi,

let's presume an application calls GetProcAddress() for MessageBoxA, then saves the address in a DWORD. Now I inject my DLL into that application and want to overwrite the location of MessageBoxA with the offset of my PROC.

I want to do this in pure ASM if possible :)
Posted on 2004-07-30 06:56:02 by flapper
please take a look at GVIHook
http://www.comrade64.com/sources/gvihook.zip
Posted on 2004-07-30 09:42:47 by comrade
I already did, but I don't really understand it :(

Could you give me some example code?

I inject my DLL, so I don't have to use WriteProcessMemory, right?
Posted on 2004-07-30 09:44:30 by flapper


option epilogue:none
option prologue:none
; IN ESI lpFunc
; IN EBP lpNewFunc
Rude_Hook proc
push edi
push eax
push esp
push PAGE_READWRITE
push 10
push esi
call VirtualProtect
pop eax
push esi
lea edi, oldBYTES
cld
mov ecx, 6
rep movsb
pop esi
mov byte ptr [esi], 68h ; push
mov dword ptr [esi+1], ebp ; lpNewFunc
mov byte ptr [esi+5], 0c3h ; ret
pop edi
ret
Rude_Hook endp
size_of_rh = $-Rude_Hook

code_to_alloc proc
mov eax, [esp+4]
assume eax: PTR SHFILEOPSTRUCT
cmp [eax].wFunc, FO_DELETE
jnz bye
; Place ur code here
nop
nop
nop
retn 4
bye:
code_to_alloc endp
goto_orig:
oldBYTES db 6 dup(0)
db 68h
orig dd 0
db 0c3h
size_of_code_to_alloc = $-Rude_Hook

use it like this:
push eax
push esp
push PAGE_READWRITE
push 12+200
push o oldBYTES
call VirtualProtect
pop eax
call @F
db "SHFileOperationW",0
@@:
call @F
db "shell32.dll",0
@@:
call GetModuleHandleA
push eax
call GetProcAddress
mov esi, eax
add eax, 6
mov [orig], eax
add ebp, size_of_rh ; ebp = base of the block holding Rude_Hook + code_to_alloc, so skip Rude_Hook to get lpNewFunc
call Rude_Hook

It's a piece of my source which hooks SHFileOperationW.

2comrade:
?????? ??????? :)
?? :)
Posted on 2004-07-30 11:42:04 by happyfly
Ouh yeah...
It must be buggy sometimes!
I guess that 99% of the procedures u wanna hook have an epilogue whose size is 6 bytes, but if there are other instructions u can split one instruction into two parts =(
So watch the code of the procedure u hook!
Posted on 2004-07-30 12:21:36 by happyfly
For example, the code which hooks ExitProcess will be different:
.code
; I don't want to use the default MASM macros for prologue and epilogue,
; so I do it myself
option epilogue:none
option prologue:none
; IN ESI lpFunc
; IN EBP lpNewFunc
Rude_Hook proc
; changes the attributes to PAGE_READWRITE
; of first bytes of function to hook
push eax
push esp
push PAGE_READWRITE
push 10
push esi
call VirtualProtect
pop eax
push esi
; copies first 10 bytes of function to buffer
lea edi, oldBYTES
movsd
movsd
movsw
pop esi
; rewrites the first 6 bytes of function
; with push lpNewFunc ret
mov byte ptr [esi], 68h ; push
mov dword ptr [esi+1], ebp ; lpNewFunc
mov byte ptr [esi+5], 0c3h ; ret
ret
Rude_Hook endp
start:
; changes the attributes of code.
; now we can write in some page
; of code section
push eax
push esp
push PAGE_READWRITE
push 12+200
push o oldBYTES
call VirtualProtect
pop eax
; Look through ExitProcess
; i can use mov eax, ExitProcess
; but this code will be more independent ;)
call @F
db "ExitProcess",0
@@:
call @F
db "kernel32.dll",0
@@:
call GetModuleHandleA
push eax
call GetProcAddress
; Hooks the exitprocess
mov esi, eax
add eax, 10
; Address to jump is ExitProcess+10
mov [orig], eax
mov ebp, o hey
call Rude_Hook
exit: push eax
call ExitProcess
hey:
; shows messagebox
xor eax, eax
push eax
push eax
call @F
db "GOTCHA",0
@@:
push eax
call MessageBoxA
; this data (it's code!) is the first instructions
; of the function we hook, plus push ExitProcess+10 / ret
oldBYTES db 10 dup(0)
db 68h
orig dd 0
db 0c3h
end start
Posted on 2004-07-30 12:59:10 by happyfly
I don't understand this code, isn't there a simpler way?
Posted on 2004-07-30 14:55:20 by flapper
I've just rewritten the first 6 bytes of the function to hook with
push ADDRESS_OF_NEW_FUNC
ret
...
that's the whole idea...
There is a better way - to change the import table, but it's too complicated. I mean u need to hook GetProcAddress too. And there are some problems when u hook a function in a prog made by a "bad" linker like Delphi, which has lots of bugs... And nobody guarantees that there will not be new bugs in future... So to handle all the ways u have to write a large function ;)

Maybe u don't understand this because of my style? I can help u with this - show me the place u don't understand.
Posted on 2004-07-30 15:37:03 by happyfly
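As an added illustration from the defensive side (this is not code from the thread or from any of its posters): the 6-byte `push imm32 / ret` patch described above is exactly what an integrity check on a function's first bytes looks for. The C below compares the live prologue bytes of a function against a clean copy and, when they differ, recognises the push/ret shape from this thread; it also recognises the `jmp rel32` shape, which goes beyond the thread but is the other common way the first bytes get overwritten. The byte buffers, the function address 77E00000h and the target 00401000h are constructed sample values, not taken from any real module; in a real checker `clean` would come from the module image on disk and `live` from the running process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What an inspection of a function's first bytes concluded. */
typedef enum {
    HOOK_NONE = 0,   /* live bytes equal the clean copy */
    HOOK_PUSH_RET,   /* 68 imm32 C3: the 6-byte patch written by Rude_Hook in the thread */
    HOOK_JMP_REL32,  /* E9 rel32: the other common inline-hook shape (added generalisation) */
    HOOK_MODIFIED    /* bytes differ but match neither known pattern */
} hook_kind;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* live    = first `len` bytes of the function as found in the running process
 * clean   = the same bytes as they appear in the module image on disk
 * func_va = virtual address of the function (needed to resolve a rel32 jump)
 * On HOOK_PUSH_RET / HOOK_JMP_REL32 the hook's destination is stored in *target. */
hook_kind detect_inline_hook(const uint8_t *live, const uint8_t *clean, size_t len,
                             uint32_t func_va, uint32_t *target)
{
    *target = 0;
    if (len < 6 || memcmp(live, clean, len) == 0)
        return HOOK_NONE;
    if (live[0] == 0x68 && live[5] == 0xC3) {            /* push imm32 ; ret */
        *target = read_le32(live + 1);
        return HOOK_PUSH_RET;
    }
    if (live[0] == 0xE9) {                                /* jmp rel32 */
        *target = func_va + 5u + read_le32(live + 1);     /* rel32 is relative to the next instruction */
        return HOOK_JMP_REL32;
    }
    return HOOK_MODIFIED;
}

/* Constructed samples (hypothetical values, not from a real binary). */
#define SAMPLE_FUNC_VA 0x77E00000u
/* typical stdcall prologue: mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,10h */
static const uint8_t sample_clean[8]   = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
/* same bytes after a Rude_Hook-style patch: push 00401000h ; ret ; (tail of sub esp,10h left over) */
static const uint8_t sample_pushret[8] = {0x68,0x00,0x10,0x40,0x00,0xC3,0xEC,0x10};
/* same bytes after a jmp rel32 patch to func_va+1000h: E9 FB 0F 00 00 */
static const uint8_t sample_jmp[8]     = {0xE9,0xFB,0x0F,0x00,0x00,0x83,0xEC,0x10};

hook_kind sample_kind(const uint8_t *live)
{
    uint32_t t;
    return detect_inline_hook(live, sample_clean, sizeof sample_clean, SAMPLE_FUNC_VA, &t);
}

uint32_t sample_target(const uint8_t *live)
{
    uint32_t t;
    detect_inline_hook(live, sample_clean, sizeof sample_clean, SAMPLE_FUNC_VA, &t);
    return t;
}

int main(void)
{
    const uint8_t *cases[] = { sample_clean, sample_pushret, sample_jmp };
    const char *names[]    = { "clean", "push/ret", "jmp rel32" };
    for (size_t i = 0; i < 3; i++)
        printf("%-9s -> kind %d target %08X\n", names[i],
               (int)sample_kind(cases[i]), sample_target(cases[i]));
    return 0;
}
```

The comparison against a clean copy is what makes this robust: a patch that splits one instruction in two, as happyfly warns about, still shows up as HOOK_MODIFIED even when the first byte is not one of the two known opcodes.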
You asked for a solution in assembly language. If you want a simpler way, use C.
Posted on 2004-07-30 15:37:37 by SpooK
I'm already capable of API hooking in C++, but I'm writing this program in ASM now

First of all I should thank you R4DX :)

I'm not advanced in ASM, I would be grateful when you could comment your code a bit more, so a noob like me can understand it :)
Posted on 2004-07-30 15:48:55 by flapper
There's a much simpler way: the program I inject my DLL into uses GetProcAddress, then saves the pointer in a DWORD. Theoretically I would just have to overwrite this DWORD with a pointer to my function.

How would I do that in ASM? I don't want to use WriteProcessMemory.
Posted on 2004-07-30 16:04:19 by flapper
ure welcome :)
I commented the code of the ExitProcess hook.
And what about the DWORD u are talking about? Do u know its address? If u don't, and this is a high-level application, the compiler can store this DWORD in a register...
Tell me more about this. What function do u wanna hook (MessageBox?)?
Posted on 2004-07-31 01:39:05 by happyfly
Hi,

yes I know the address, it's a function from a self-made DLL, not a Windows DLL!

push edi
mov edi, ds:GetProcAddress
push offset aMyFunc
push eax
call edi
mov dword_500A4791, eax <--- I want to write the address of my function into this DWORD, so the app will call my func instead
Posted on 2004-07-31 11:55:24 by flapper
It's simple.
Just use
mov dword ptr [500A4791], new_func_address
That's all :)
Posted on 2004-08-01 04:15:51 by happyfly
But when do u inject ur code?
Are u sure that u hook this function before the app calls it?
Maybe u need to suspend the thread which calls this function?
Posted on 2004-08-01 05:08:37 by happyfly
I start my APP, it does the GetProcAddress, saves the pointer, then I inject my DLL

The method you told me doesn't work :(

error A2048: nondigit in number
Posted on 2004-08-01 05:34:46 by flapper
Never mind, it works now :) Thanks r4dx
Posted on 2004-08-01 06:47:56 by flapper
u had to write something like this
mov dword ptr [500A4791h], offset NEW_FUNC
;)
Posted on 2004-08-01 11:47:52 by happyfly