Another way of Hooking -> PeterPan

Discussion on Another way of Hooking -> PeterPan within the General Coding forum part of the Coders Den category.

Old   #1
pengpong
Another way of Hooking -> PeterPan

Hi,
I wanted to share some ideas and I am looking for ideas/comments.

Some of you might already have read about hooking code (Detours, etc.).
PeterPan tries to install the hook in a more generic and easier way.

The old approach
It works like this:
We take CreateFileA as an example. Looking at the disassembly you will see:
Code:
.text:77E48CA4                 mov     edi, edi
.text:77E48CA6                 push    ebp
.text:77E48CA7                 mov     ebp, esp
mov has 2 bytes, push has 1, so this makes a total of 5 bytes for these 3 instructions.

Now, if we want to hook that routine, we have to get to our code; this is done by a jmp.
Looking at the jmp instruction we see that it has 5 bytes (0xE9 and 4 bytes for the relative jump address).

Now the "mov edi,edi" makes sense! Microsoft has introduced this to pad the preamble of a function from 3 to 5 bytes, so that we can hook functions more easily (yes, no joke...).

OK, so to hook the function we need to do the following:

Manually check the function and see how many bytes we need to save for later use.
Copy the bytes and put at the end a jump back to the original function (not directly to the function beginning, but to the address that is after our evil jmp).
Put our jmp code at the beginning of the original function.

In the section we jump to, do some stuff, and then jmp to our saved bytes.

OK, let's do this with our example:
Code:
.text:77E48CA4                 mov     edi, edi
.text:77E48CA6                 push    ebp
.text:77E48CA7                 mov     ebp, esp
.text:77E48CA9                 push    [ebp+lpFileName]
.text:77E48CAC                 call    sub_77E48C56
.text:77E48CB1                 test    eax, eax
So, we copy 5 bytes + jmp back. This will look like this:

SavedFunction:
Code:
mov edi,edi
push ebp
mov ebp,esp
jmp 77E48CA9
Our original function will look like this:

Code:
.text:77E48CA4                 jmp ourEvilCode
.text:77E48CA9                 push    [ebp+lpFileName]
.text:77E48CAC                 call    sub_77E48C56
.text:77E48CB1                 test    eax, eax
And ourEvilCode can look like this:

Code:
bla
bla
bla
jmp SavedFunction

This works nicely, but what are the downsides?

You have to check every function for the size you need to save.
For the Windows API this is easy, since 99% have the 5-byte preamble...
Let's insert a nop (1 byte long) at the beginning:

Code:
nop
mov edi,edi
push ebp
mov ebp,esp
If you now copy 5 bytes, you will break the mov ebp,esp, and the jmp back would jump into the 2nd byte of the mov...

This will give you a protection fault sooner or later.

The second thing is, if you want to hook more functions, you have to create an ourEvilCode for every function you're hooking (because you need to jmp to a different SavedFunction, and probably want to have a different payload for every function).


Here's my idea of PeterPan:
* We have a table that gives us the length of an opcode; with this we can analyze how many bytes we have to save, and where to jmp back into the code.
* Instead of jmp ourEvilCode, we do a call ourEvilCode. This puts eip onto the stack. With pop eax, we now have the eip of the calling code, so we can have a lookup table for which payload we want to execute, and which SavedFunction we need to call.

Some parts of my code (I'm thinking about releasing the whole code, but I need to clean it up a little more first).
It's a proof-of-concept, so there's plenty of room for improvements and cleanups...


------------------ How it's used....
Code:
	HMODULE mylo = LoadLibrary("kernel32.dll");
	if (!mylo) return;
	DWORD add = (DWORD)GetProcAddress(mylo, "CreateFileA");	// 32-bit process: a code address fits in a DWORD
	if (!add) return;

	doHook(add, (DWORD)&payload);		// payload: the function to run every time CreateFileA is entered
--------------- Build the stuff we insert into targetFunction
Code:
	unsigned char *jmpcode = (unsigned char*)malloc(50);

	memset(jmpcode, 0x90, 50);		// everything after the call is NOP padding

	jmpcode[0] = 0xE8;			// call XX XX XX XX
	
	DWORD reljmp;
	reljmp = (DWORD)&myLoad - (targetFunction + 5);	// rel32 is relative to the end of the 5-byte call
	
	memcpy(jmpcode + 1, &reljmp, 4);


	DWORD OLD;
	VirtualProtectEx(GetCurrentProcess(), (void*)targetFunction, 50, PAGE_EXECUTE_READWRITE, &OLD);
	// copysize (computed below) is the length of the whole instructions we displace; writing exactly that
	// many bytes (call + NOPs) keeps the jump back to targetFunction+copysize on an instruction boundary
	memcpy((void*)targetFunction, jmpcode, copysize);
	FlushInstructionCache(GetCurrentProcess(), (void*)targetFunction, copysize);
	VirtualProtectEx(GetCurrentProcess(), (void*)targetFunction, 50, OLD, &OLD);
	free(jmpcode);
--------------- Calculate how many bytes we need to save
Code:
	int copysize = -1;
	unsigned char *p;

	for (int i = 0; i < 30; i++) {		// 30 bytes should be enough
		p = (unsigned char*)(targetFunction + i);

		DWORD in = *p;				// opcode byte at offset i
		
		if (step[in] != -1) 		// step[] holds (instruction length - 1); the loop's own i++ adds the last byte
		{
			i += step[in];
		} else {
			return -1;		// Damn.... unknown opcode, let's fail :(
		}
		if (i >= 4) { 			
			copysize = i + 1; break;	// OK, we have at least 5 bytes, and i is the last byte of a whole instruction
		}

	}
-------------------- this is the function we call from targetFunction
Code:
static DWORD meax;				// return address of the call stub, kept across the helper calls
DWORD __cdecl getPay(DWORD callerAddr);		// lookup: payload registered for this hook, or 0
DWORD __cdecl getBack(DWORD callerAddr);	// lookup: address of the saved bytes (SavedFunction) for this hook

__declspec (naked) void myLoad() {
	__asm {		
			nop			// i like to have nops, easier to find code in disassembly :)
			
			pop eax			// return address (targetFunction+5) tells us which hook we came from
			mov meax,eax		// esp is now exactly what it was on entry to targetFunction

			push eax		// do we have a Payload?
			call getPay
			add esp,4

			cmp eax,0
			je rock_on
			call eax		// Call it... (no arguments, must leave the stack balanced)
rock_on:
			mov eax,meax		// eax=Address of Caller
			push eax
			call getBack		// Get address of backjump
			add esp,4
			
			jmp eax			// run the saved bytes, which jump back into targetFunction
	}
}
Old 03/20/2008, 15:19   #2
mr.rattlz
What would happen if you had some position-dependent code in the first 5 bytes, like a short jump?
Old 03/20/2008, 16:17   #3
pengpong
hehe yup, that gave me a short headache last night.
The Themida-protected DLL I analyzed yesterday had exports that were like:
Code:
NOP
jmp somewhere
The solution:
The code that gets saved is analyzed again, and the jmp offsets are recalculated (currently only for 0xE8 and 0xE9).

Ugly Code:
Code:
//Handle address relocations...
	// The saved bytes sit at backtrump at the same offsets they had at targetFunction, so every
	// rel32 inside them shifts by exactly the distance between the two buffers.
	DWORD relocationBase = (DWORD)backtrump - targetFunction;
	for (int i = 0; i < copysize; i++) {
		unsigned char *p = (unsigned char*)(backtrump + i); //don't ask why it's called backtrump:D

		DWORD in = *p;
		if (step[in] != -1) 
		{

			if (in == 0xE8 || in == 0xE9) {		// call rel32 / jmp rel32
				OutputDebugString("we have a relative address...");
				DWORD old;
				memcpy(&old, p + 1, 4);
				old -= relocationBase;		// new_rel = old_rel - (backtrump - targetFunction)
				memcpy(p + 1, &old, 4);
			}
			// short jumps (0xEB, 0x70-0x7F) are copied unchanged here and still point relative to the old location
			
			i += step[in];
		} else {			
			return -1;
		}

	}
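The byte counting from the first post and the relocation from this reply (including the short-jump case mr.rattlz asked about), worked through as an added example. This is not pengpong's PeterPan code: the names insn_len, plan_hook and hook_plan, the stub and trampoline addresses, and the byte arrays are all made up here, with kCreateFileA constructed to match the disassembly listing in the first post. It plans the hook without patching memory: it decodes whole instructions until at least 5 bytes are covered, builds the call + NOP patch, copies the displaced instructions into a trampoline with the E8/E9 rel32 operands fixed up, and goes one step beyond the reply by widening rel8 jumps (EB, 7x) to their rel32 forms and refusing the case where a displaced jump lands inside the displaced bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: plans a PeterPan-style hook on a 32-bit code buffer. The
 * addresses passed in are only used for the rel32 arithmetic. */
#define PATCH_LEN 5      /* E8 + rel32: the call stub written over the target */
#define MAX_SCAN  30     /* the post's "30 bytes should be enough" */

struct hook_plan {
    size_t  copysize;          /* target bytes displaced by the patch (>= PATCH_LEN) */
    uint8_t patch[MAX_SCAN];   /* call stub followed by NOPs up to copysize */
    uint8_t tramp[96];         /* relocated copy of the displaced code + jmp back */
    size_t  tramp_len;
};

static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Size of a ModRM byte plus its SIB/displacement (32-bit addressing). */
static size_t modrm_len(const uint8_t *m) {
    unsigned mod = m[0] >> 6, rm = m[0] & 7;
    size_t n = 1;
    if (mod == 3) return n;
    if (rm == 4) { n++; if (mod == 0 && (m[1] & 7) == 5) return n + 4; }   /* SIB without base: disp32 */
    if (mod == 1) n += 1;
    else if (mod == 2 || (mod == 0 && rm == 5)) n += 4;
    return n;
}

/* Instruction length for the opcodes seen in the thread's prologues; 0 means
 * "unknown", so the hook fails instead of splitting an instruction. */
static size_t insn_len(const uint8_t *p) {
    uint8_t op = p[0];
    if (op == 0x90 || (op >= 0x50 && op <= 0x5F)) return 1;                             /* nop, push/pop reg */
    if (op == 0x89 || op == 0x8B || op == 0x85 || op == 0x33) return 1 + modrm_len(p + 1); /* mov, test, xor */
    if (op == 0xFF && ((p[1] >> 3) & 7) == 6) return 1 + modrm_len(p + 1);               /* push r/m32 */
    if (op == 0xE8 || op == 0xE9) return 5;                                              /* call/jmp rel32 */
    if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) return 2;                              /* jmp/jcc rel8 */
    return 0;
}

/* 0 = ok, -1 = unknown opcode in the first 5 bytes, -2 = a displaced short jump
 * targets the displaced bytes themselves (the trampoline has a different layout). */
static int plan_hook(const uint8_t *code, uint32_t target, uint32_t stub,
                     uint32_t tramp_addr, struct hook_plan *h) {
    size_t n = 0, out = 0;
    memset(h, 0, sizeof *h);
    while (n < PATCH_LEN) {                       /* 1. whole instructions covering >= 5 bytes */
        size_t len = insn_len(code + n);
        if (len == 0 || n + len > MAX_SCAN) return -1;
        n += len;
    }
    h->copysize = n;
    memset(h->patch, 0x90, n);                    /* 2. call stub + NOP pad over the target */
    h->patch[0] = 0xE8;
    put32(h->patch + 1, stub - (target + PATCH_LEN));
    for (size_t i = 0; i < n; ) {                 /* 3. copy displaced code, fixing relative branches */
        size_t len = insn_len(code + i);
        uint8_t op = code[i];
        uint32_t src = target + (uint32_t)i, dst = tramp_addr + (uint32_t)out;
        if (op == 0xE8 || op == 0xE9) {           /* rel32: same destination, new origin */
            uint32_t dest = src + 5 + get32(code + i + 1);
            h->tramp[out] = op;
            put32(h->tramp + out + 1, dest - (dst + 5));
            out += 5;
        } else if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) {   /* rel8 cannot reach: widen to rel32 */
            uint32_t dest = src + 2 + (uint32_t)(int32_t)(int8_t)code[i + 1];
            if (dest >= target && dest < target + n) return -2;
            size_t hdr = (op == 0xEB) ? 1 : 2;
            if (op == 0xEB) h->tramp[out] = 0xE9;
            else { h->tramp[out] = 0x0F; h->tramp[out + 1] = (uint8_t)(0x80 | (op & 0x0F)); }
            put32(h->tramp + out + hdr, dest - (dst + (uint32_t)hdr + 4));
            out += hdr + 4;
        } else {                                  /* position-independent: copy verbatim */
            memcpy(h->tramp + out, code + i, len);
            out += len;
        }
        i += len;
    }
    h->tramp[out] = 0xE9;                         /* 4. resume just past the displaced bytes */
    put32(h->tramp + out + 1, target + (uint32_t)n - (tramp_addr + (uint32_t)out + 5));
    h->tramp_len = out + 5;
    return 0;
}

/* Constructed bytes mirroring the CreateFileA listing in the first post; the
 * call's rel32 is sub_77E48C56 - 0x77E48CB1 = -0x5B. */
static const uint8_t kCreateFileA[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC,                 /* mov edi,edi; push ebp; mov ebp,esp */
    0xFF, 0x75, 0x08,                             /* push [ebp+8] */
    0xE8, 0xA5, 0xFF, 0xFF, 0xFF,                 /* call sub_77E48C56 */
    0x85, 0xC0,                                   /* test eax,eax */
};
/* Constructed Themida-style export from the reply: nop; jmp short; padding. */
static const uint8_t kShortJmp[] = { 0x90, 0xEB, 0x20, 0x90, 0x90, 0x90 };
```

For the kCreateFileA bytes hooked at 0x77E48CA4 with a stub at 0x10001000 and a trampoline at 0x00400000, the plan is the 5-byte patch E8 57 83 1B 98 and the trampoline 8B FF 55 8B EC E9 9F 8C A4 77, which is exactly the SavedFunction of the first post with the jmp back to 0x77E48CA9 encoded. With a nop in front, copysize becomes 6 and the patch gets one NOP after the call, so the jump back lands on an instruction boundary instead of inside mov ebp,esp. Widening a short jump makes the trampoline longer than the displaced bytes, which is fine because only the trampoline's layout changes; a short jump that targets the displaced region itself is rejected because no fix-up of the operand alone can express it.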
Old 03/20/2008, 16:47   #4
mr.rattlz
Quote:
Originally Posted by pengpong
hehe yup, that gave me a short headache last night.
The Themida-protected DLL I analyzed yesterday had exports that were like:
Code:
NOP
jmp somewhere
The solution:
The code that gets saved is analyzed again, and the jmp offsets are recalculated (currently only for 0xE8 and 0xE9).
So you still have some way to go; maybe you want to take a look at hde (Hacker Disassembler Engine) by Veacheslav Patkov, which takes up an amazingly tiny amount of space:
Old 03/20/2008, 16:50   #5
pengpong
Wow... the description of HDE sounds promising, thx.
Old 03/20/2008, 22:12   #6
rEdoX
Sorry to badly disappoint you, but uall did this like 3 years ago:

Old 03/21/2008, 12:31   #7
pengpong
It's about learning, not whether it has been done before.
So, I will gladly take a look at uall to see how they solved some problems.