Help with API Hooking
Discussion on Help with API Hooking within the C/C++ forum part of the Coders Den category.
01/26/2014, 18:30
#1
Help with API Hooking
Hi epvp, I tried hooking the API CreateProcessA to change the parameters of the process to be loaded. But something is wrong, because the process crashes.
Here is the code:
Code:
#include <windows.h>
#include <stdlib.h>   // malloc
#include <string.h>   // memcpy

// Builds a trampoline: copies the first `len` bytes of src into a heap buffer,
// appends a jmp back to src+len, then overwrites the start of src with a jmp to dst.
// The buffer comes from malloc and is never given execute rights here; that is
// the defect post #3 points out. 32-bit (x86) only: addresses are truncated to
// DWORD and an E9 rel32 jump cannot span a 64-bit address space.
void* detourFunc(BYTE *src, const BYTE *dst, const int len)
{
    BYTE *jmp = (BYTE*)malloc(len+5);
    DWORD dwback;
    VirtualProtect(src, len, PAGE_READWRITE, &dwback);
    memcpy(jmp, src, len); jmp += len;              // stolen bytes, then the jmp back
    jmp[0] = 0xE9;
    *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;  // rel32 = target - (jmp + 5)
    src[0] = 0xE9;
    *(DWORD*)(src+1) = (DWORD)(dst - src) - 5;      // redirect src to the hook
    VirtualProtect(src, len, dwback, &dwback);      // restore original protection
    return (jmp-len);                               // start of the trampoline
}

// Same signature as CreateProcessA, so the trampoline can be called as the original.
typedef BOOL (__stdcall * CreateProcessA_t)(LPCSTR lpApplicationName, LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);

CreateProcessA_t oCreateProcessA = NULL;   // points at the trampoline after Hook()

// Replacement function: currently just forwards every argument to the original.
BOOL __stdcall hkCreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
{
    return oCreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
        lpStartupInfo, lpProcessInformation);
}

void Hook()
{
    // CreateProcessA hook: patch the first 5 bytes of the exported function
    DWORD dwCreateProcess = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessA");
    oCreateProcessA = (CreateProcessA_t)detourFunc((BYTE*)dwCreateProcess, (BYTE*)&hkCreateProcessA, 5);
}

DWORD WINAPI dwMainThread(LPVOID)
{
    Hook();
    return TRUE;
}

BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
        CreateThread(0, 0, dwMainThread, 0, 0, 0);   // install the hook off the loader lock
    return TRUE;
}
And here are the images of the assembly code:
Original call to CreateProcessA (without injected DLL):
My CreateProcessA:
Looks like crap, doesn't it...
Some parameters aren't parsed. Why does this happen?
Continue execution:
Nice crash detected
Can someone explain to me what's wrong with my code?
01/29/2014, 07:58
#2
Maybe because it's not CreateProcess?
I've found this on another website:
Code:
DWORD WINAPI CreateProcessInternal(
    __in     DWORD                  unknown1,
    __in_opt LPCTSTR                lpApplicationName,
    __inout_opt LPTSTR              lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES  lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES  lpThreadAttributes,
    __in     BOOL                   bInheritHandles,
    __in     DWORD                  dwCreationFlags,
    __in_opt LPVOID                 lpEnvironment,
    __in_opt LPCTSTR                lpCurrentDirectory,
    __in     LPSTARTUPINFO          lpStartupInfo,
    __out    LPPROCESS_INFORMATION  lpProcessInformation,
    __in     DWORD                  unknown2
);
But if you want to use CreateProcess you can just hook the CreateProcessInternal function and return CreateProcess() with your given parameters; it should work.
01/29/2014, 18:19
#3
Your trampoline (called "jmp" in your detourFunc) does not have execute rights. So when you call the (logical) original function, which begins with your trampoline, it will trigger an access violation at the first instruction of the trampoline.
Correct:
Code:
...
VirtualProtect(jmp, len + 5, PAGE_EXECUTE_READWRITE, &dwback); // this will make your trampoline executable
VirtualProtect(src, len, PAGE_READWRITE, &dwback);
...
With best regards
Jeoni
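The thread boils down to two facts about a 5-byte inline hook: the rel32 displacement is always `target - (patch_address + 5)`, and the trampoline holding the stolen bytes must live in executable memory. The following is an added example, written for this edit and not code posted by anyone in the thread. It models that arithmetic on plain byte buffers with constructed (invented, not real Windows) addresses, so it runs on any platform without patching live memory, and then shows the check an anti-cheat, EDR or memory-forensics tool runs to detect such a hook: a function whose first instruction is an `E9` jump landing outside its own module. `build_detour`, `decode_jmp_rel32`, `is_inline_hooked` and the `detour_sim` struct are names chosen for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 + 4-byte displacement */

/* Write "E9 rel32" into buffer p (which is imagined to sit at p_addr) so that
 * execution continues at target_addr. Same formula as the thread's detourFunc:
 * rel = target - (p + 5). Bytes are emitted little-endian, as x86 expects. */
static void write_jmp_rel32(uint8_t *p, uintptr_t p_addr, uintptr_t target_addr)
{
    uint32_t rel = (uint32_t)(target_addr - (p_addr + JMP_REL32_LEN));
    p[0] = 0xE9;
    p[1] = (uint8_t)(rel);
    p[2] = (uint8_t)(rel >> 8);
    p[3] = (uint8_t)(rel >> 16);
    p[4] = (uint8_t)(rel >> 24);
}

/* If the bytes at p start with an E9 jmp, store its absolute target and return 1.
 * p_addr is the address the bytes are imagined to live at. */
static int decode_jmp_rel32(const uint8_t *p, uintptr_t p_addr, uintptr_t *target)
{
    if (p[0] != 0xE9)
        return 0;
    int32_t rel = (int32_t)((uint32_t)p[1] | (uint32_t)p[2] << 8 |
                            (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24);
    *target = p_addr + JMP_REL32_LEN + (uintptr_t)(intptr_t)rel;   /* wraps for negative rel */
    return 1;
}

/* Defender's check: a function prologue that starts with a jmp to an address
 * outside the owning module [mod_lo, mod_hi) is a strong inline-hook indicator.
 * An intra-module jmp (hot-patch thunks, compiler-generated tail jumps) is normal. */
static int is_inline_hooked(const uint8_t *prologue, uintptr_t func_addr,
                            uintptr_t mod_lo, uintptr_t mod_hi, uintptr_t *hook_target)
{
    uintptr_t t;
    if (!decode_jmp_rel32(prologue, func_addr, &t))
        return 0;
    if (t >= mod_lo && t < mod_hi)
        return 0;
    *hook_target = t;
    return 1;
}

/* Simulated memory: the hooked function's first bytes, the trampoline, and the
 * addresses they are imagined to occupy. In a real hook `tramp` must be mapped
 * executable, which is exactly what the thread's detourFunc forgot. */
struct detour_sim {
    uint8_t   src[8];
    uint8_t   tramp[JMP_REL32_LEN + JMP_REL32_LEN];
    uintptr_t src_addr, dst_addr, tramp_addr;
};

/* Model of detourFunc: stolen bytes into tramp, jmp back to src+len, jmp at src to dst. */
static void build_detour(struct detour_sim *s, int len)
{
    memcpy(s->tramp, s->src, (size_t)len);
    write_jmp_rel32(s->tramp + len, s->tramp_addr + len, s->src_addr + len);
    write_jmp_rel32(s->src, s->src_addr, s->dst_addr);
}

/* Constructed scenario; returns the number of checks (out of 5) that behave as expected. */
static int demo_checks(void)
{
    /* mov edi,edi; push ebp; mov ebp,esp: the classic 5-byte hot-patchable prologue */
    static const uint8_t prologue[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    const uintptr_t mod_lo = 0x7C800000u, mod_hi = 0x7C900000u;   /* pretend module range */
    struct detour_sim s;
    uintptr_t t = 0;
    int passed = 0;

    memset(&s, 0, sizeof s);
    memcpy(s.src, prologue, sizeof prologue);
    s.src_addr   = 0x7C80236Bu;   /* exported function inside the module */
    s.dst_addr   = 0x10001000u;   /* hook function in an injected DLL */
    s.tramp_addr = 0x00350000u;   /* heap-style trampoline buffer */

    /* 1. an unhooked prologue is not flagged */
    passed += (is_inline_hooked(s.src, s.src_addr, mod_lo, mod_hi, &t) == 0);
    build_detour(&s, 5);
    /* 2. the patched prologue now jumps to the hook */
    passed += (decode_jmp_rel32(s.src, s.src_addr, &t) && t == s.dst_addr);
    /* 3. the trampoline keeps the stolen bytes and jumps back past them */
    passed += (memcmp(s.tramp, prologue, 5) == 0 &&
               decode_jmp_rel32(s.tramp + 5, s.tramp_addr + 5, &t) && t == s.src_addr + 5);
    /* 4. the defender's check flags the hook and recovers the hook address */
    passed += (is_inline_hooked(s.src, s.src_addr, mod_lo, mod_hi, &t) == 1 && t == s.dst_addr);
    /* 5. a jmp that stays inside the module is not flagged */
    write_jmp_rel32(s.src, s.src_addr, s.src_addr - 5);
    passed += (is_inline_hooked(s.src, s.src_addr, mod_lo, mod_hi, &t) == 0);
    return passed;
}

int main(void)
{
    int n = demo_checks();
    printf("%d of 5 checks passed\n", n);
    return n == 5 ? 0 : 1;
}
```

The module-range test is the important part of the detector: a jmp at a function entry is not suspicious by itself (Windows ships hot-patchable prologues precisely so a jmp can be placed there), but a jmp whose target lies in a region no loaded module owns, such as a heap buffer like the thread's malloc'd trampoline or an injected DLL, is what a scanner reports. A real implementation would get `mod_lo`/`mod_hi` from the module list rather than from constants.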
01/30/2014, 17:33
#4
Thanks for your replies guys, I appreciate it, will try once again and see if it works. Thought the problem was AcLayers.dll, which is called when the hook returns. Testing now...