Why can't I hook the API function FindFirstFileA in kernel32.dll? To test this program use any file manager, because the hook doesn't work with Explorer (why?).
Posted on 2002-08-30 23:12:06 by vhasm
You can't change access rights with VirtualProtect in system space.
It always returns NULL if you try to touch the system.

Go here:
http://mitglied.lycos.de/yoda2k/codesnippets.htm

and download DumpShield.zip (masm32)
http://mitglied.lycos.de/yoda2k/snippets/DumpShield.zip

It hooks ReadProcessMemory from ring0, but win9x only.
You can simply adapt it to your needs.

Then go:
http://www.anticracking.sk/EliCZ/export.htm

And download ApiHooks:
http://www.anticracking.sk/EliCZ/export/AH56.ZIP

You'll find there all you want and much more.
Posted on 2002-08-31 04:36:19 by Four-F
But VirtualProtect returns TRUE (my OS is XP Home Edition), and the file manager shows an error => the hook works, but with an error!!!
Check my example, plz.
Posted on 2002-08-31 10:14:21 by vhasm
vhasm,

I checked your code. The problem seems to be in VirtualProtect() - you can't de-protect a system dll's memory.

the stosb, at line 58 of svhv1.asm, should cause a protection error.

As your code is for w2k, I don't know the solution. I coded, some years ago, similar code for w98 - it's on iczelion's or on my page, and it's called hideproc.zip

ancev
Posted on 2002-08-31 11:58:29 by ancev
But VirtualProtect returns TRUE


Are you 100% sure?
I mean, are you really sure that the page you try to make writeable really gets writeable?
I guess it can't be true.
And your code inside the dll should cause a GPF, as ancev mentioned above.

You'll find something interesting on topic at links below:

Intercept a windows API function

??????? ????????? ??????? API ????????? Win32

API Spying Techniques for Windows 9x, NT and 2000

API Hooking Methods

And I strongly suggest you take a look at ApiHooks by EliCZ (see the link in my previous post above).
It offers a universal hooking method. Works OS-wide. Unfortunately it comes without source.
The source code (masm btw) was available up to version 2.2b.
I hope you will be able to find it. If not, mail me, I'll send it to you.
Posted on 2002-09-01 05:22:57 by Four-F
Hi, ancev!

...a similar code for w98 - its in iczelion's or in my page...


And where is your home page?
Posted on 2002-09-01 05:43:31 by Four-F
vhasm, I've tested your code under XP.
I should say that I was mistaken. It works.

And all that I said above is correct only for the 9x family.
Had no hooking experience on the NT family before ;-(

Your problem, I think, is that you don't install a system-wide hook.
And your hook works only in your process.

I hope you have already read all the info about hooks
and could find something useful for you.
If you still have problems, mail me.
Posted on 2002-09-02 03:32:58 by Four-F
WRONG, Four-F. My hook is system-wide.
Your links helped me, thanks. But... I partially misunderstood...
See my second example, plz.
Posted on 2002-09-02 06:13:20 by vhasm
P. S.
Apihook2 uses MessageBoxIndirectA in user32.dll and there is no error here! Why? 1 argument?
Posted on 2002-09-02 06:18:14 by vhasm

P. S.
Apihook2 uses MessageBoxIndirectA in user32.dll and there is no error here! Why? 1 argument?


I think it's because User32 is not considered as a "system protected" dll. To deprotect such system dll in NT your app would require the "SeDebugPrivilege".
Posted on 2002-09-02 11:37:00 by Axial
guys,

In none of these cases are you changing the DLL system-wide... you are just changing the DLL in your process.

ancev
Posted on 2002-09-02 15:40:14 by ancev
I had a closer look at your svhv1.dll.
But under w2k. I currently have no access to XP.
You were right again. Your API hook is system-wide:
invoke SetWindowsHookEx, WH_GETMESSAGE, addr HP, hInstance, NULL

I changed the hook to DeleteFileW and added some lines to get a comfortable log in the vkdebug window.
If you don't have it, I added it to the attachment with the changed svhv1.asm. It's simple to use.

I've added logging code in three places.
1. where the hook is installed
2. where the hook is uninstalled
3. where the hook runs

I ran mhook.exe and installed the hook,
then switched to Explorer and cleared my C:\Documents and Settings\none\Recent folder.
Below is the log from vkdebug.

eax = API hook DeleteFileW installed in mhook.exe
eax = API hook DeleteFileW installed in Explorer.EXE
eax = API hook DeleteFileW installed in dbgwin.exe
eax = Deleting (169 1 1 1).wav.lnk by process Explorer.EXE
eax = Deleting 1.htm.lnk by process Explorer.EXE
. . . . . . . . . . . . . s k i p p e d . . . . . . . . . .
eax = Deleting ToDo.txt.lnk by process Explorer.EXE
eax = Deleting Win32.hlp (2).lnk by process Explorer.EXE
eax = API hook DeleteFileW uninstalled in dbgwin.exe
eax = API hook DeleteFileW uninstalled in Explorer.EXE
eax = API hook DeleteFileW uninstalled in mhook.exe

As you can see, it works. At least for me under w2k.

And now I completely misunderstand what we are talking about ;)
Your first problem was "...hook doesn't work with explorer(why?)?."
As I can see, it works.
Second. "VirtualProtect returns TRUE under NT."
OK. It's true.
Third. "WRONG, Four-F. My hook is system-wide."
OK. It's system-wide.
And now "Apihook2 uses MessageBoxIndirectA in user32.dll and here is no an error! Why? 1 argument?"
Here I misunderstand a bit what you mean.
1. Your hook works with functions from user32.dll, but doesn't work with kernel32.dll?
2. You get an error trying to hook kernel32.dll, and no error hooking user32.dll?
3. You can hook functions only with one parameter?
So, explain your current problem.

And last. As I said, I tested it only under w2k.
If you have troubles only under XP or can't test under w2k, let me know.
I'll test it under XP tomorrow.
Posted on 2002-09-03 05:07:09 by Four-F
Forgot to add some notes.
Your hooking method is not safe.

To install/uninstall the hook you need two assembler instructions,
and your thread can be interrupted at any time in between -> crash.
When your hook runs it has to temporarily restore the original function to be able to call it.
At this point your thread can also be interrupted and you miss some hooked function calls.

AFAIK, at the moment the best system-wide hooking method under NT, at least for the Native API in NTDLL, is to trap int 2E.
From ring0 of course. Offered by Russinovich & Cogswell.
http://www.sysinternals.com/
"Windows NT System Call Hooking," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, January 1997

This method was improved by Sven Schreiber.
http://www.orgon.com/w2k_internals/index.html
You can find there complete source code.
http://www.orgon.com/w2k_internals/cd.html
Posted on 2002-09-03 06:49:45 by Four-F
Four-F,
I have seen your APIHOOK_2+.zip. It works on my XP. But...
Try to hook FindFirstFileA. There are 2 problems:
1) Why does Explorer show a directory's contents - doesn't it use FindFirstFileA? Which function is used here?
2) Use the standard MASM32v7 example to call FindFirstFileA - it doesn't work!!! I think because of more than 1 argument.
Posted on 2002-09-04 06:19:19 by vhasm
OK. Now I understand. Your problem is that you don't know that NT uses UNICODE everywhere!
So the system itself doesn't call XxxxxxxxxxA functions.
Sorry, I didn't see it at first glance. My mistake.

Explorer uses FindFirstFileW/FindFirstFileExW, FindNextFileW to show directory contents.

I'll try to hook it, but only tomorrow. Have no time now.
Also i have some more to say. See you tomorrow.
Posted on 2002-09-04 08:14:09 by Four-F
1) Why does Explorer show a directory's contents - doesn't it use FindFirstFileA? Which function is used here?

Misunderstood a bit. Explorer is one process, listview.exe is another process.
When listview.exe fills the directory list there is no relationship with Explorer.
Explorer itself doesn't call XxxxxxxxxxA functions, so if you try to hook FindFirstFileA in Explorer itself it will not work.
If you want to hook FindFirstFileA from a process that calls it, and you know that for sure, it should work.

2) Use the standard MASM32v7 example to call FindFirstFileA - it doesn't work!!! I think because of more than 1 argument.

I've taken a look at listview.zip and it works with your very first apihook.
I can see the MessageBox when I choose GetDirectory from the menu of LISTVIEW.EXE.
It appears two times.

Anyway, I'll take a closer look at all this stuff tomorrow.
Posted on 2002-09-04 09:11:24 by Four-F
Hey, vhasm! We could have avoided all that flame if you hadn't mixed up the parameters passed to FindFirstFileA! :grin:

H_FFFA proc P0:DWORD, P1:DWORD

. . .
push P0 ; should be P1
push P1 ; should be P0
call FUNCTIONADDR_FINDFIRSTFILEA
. . .
H_FFFA endp
Posted on 2002-09-05 00:36:16 by Four-F
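An added example (not vhasm's or Four-F's code, and not from any attachment in this thread) of what the hook procedure looks like with the parameters in the right order. It mirrors the Win32 prototype FindFirstFileA(lpFileName, lpFindFileData), logs the requested path with OutputDebugStringA (visible in a debug-output viewer such as the vkdebug window used above), and forwards the call through a saved address. Assumptions: this is a fragment of the hook DLL, and FUNCTIONADDR_FINDFIRSTFILEA (the name from the snippet above) is a DWORD filled in by the installer with an address through which the untouched original can be reached.

```asm
; Added example, not from the thread.  Hook procedure for FindFirstFileA that
; keeps the original parameter order and logs the requested path.
;
; Win32 prototype being mirrored:
;   HANDLE WINAPI FindFirstFileA(LPCSTR lpFileName, LPWIN32_FIND_DATAA lpFindFileData);
; STDCALL pushes arguments right to left, so the hook must push
; lpFindFileData first and lpFileName last, exactly as the caller did.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
szTag   db "FindFirstFileA called for: ", 0   ; constructed log prefix

.data?
; Assumption: the installer stores here an address through which the
; original can be reached (a trampoline, or the original entry point
; while the patch is removed).  Same name as in the thread's snippet.
FUNCTIONADDR_FINDFIRSTFILEA dd ?

.code
; Same prototype as the hooked function: two DWORD params, stdcall,
; so "ret" assembles to "ret 8" and the caller's stack stays balanced.
H_FFFA proc lpFileName:DWORD, lpFindFileData:DWORD

    ; Log what the process asked for.  A caller may pass NULL (its own
    ; bug); skip the log rather than fault inside the hook.
    .if lpFileName != 0
        invoke OutputDebugStringA, addr szTag
        invoke OutputDebugStringA, lpFileName
    .endif

    ; Forward to the original with the parameters in the original order.
    ; (The bug above was pushing P0 before P1, i.e. the reverse of this.)
    push lpFindFileData               ; second argument, pushed first
    push lpFileName                   ; first argument, pushed last
    call FUNCTIONADDR_FINDFIRSTFILEA  ; indirect call through the saved address
    ; eax now holds the search handle (or INVALID_HANDLE_VALUE); return it unchanged
    ret
H_FFFA endp
end
```

Because the hook calls through a saved address rather than touching the patched bytes itself, it does not need to un-patch and re-patch the function on every call; if the installer provides a trampoline at that address, the window Four-F described (a thread being interrupted while the original is temporarily restored) does not arise. Whether the installer does so is outside this fragment and is an assumption here.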
YESSS!!!! Four-F, THANKS!!!!!!!!!!!!! This is STUPID error!!!!!!!!
Posted on 2002-09-06 10:21:45 by vhasm
wow, old thread


bringing back some questions:

wouldn't this method only work on processes that use messages? like wndprocs, etc., since the hook is a WH_GETMESSAGE hook?

Best Regards,

Drocon
Posted on 2003-11-07 22:37:18 by Drocon
Hi, Drocon.
I haven't been following this thread, but it appears to be about API hooks, not message hooks. It is an entirely different matter. (Unless of course I got it all wrong, or they're using message hooks as a way to inject a dll into the target's memory space. In that case you would be 100% right since it's impossible to install a message hook on a thread that has no message queue).
Posted on 2003-11-08 08:14:16 by QvasiModo