PDA

View Full Version : hooking fastcall function


Orkblutt
April 25th, 2008, 04:46

Hi,



i'm trying to hook a fastcall function... I'm patching to jmp into my hook and jumping back at the end to continue the normal execution flow...



here the function i'm trying to hook

<div style="margin:20px; margin-top:5px"><div class="smallfont" style="margin-bottom:2px">Code:</div><pre class="alt2" style="margin:0px; padding:6px; border:solid 1px; width:90%; height:80px; overflow:auto"><div dir="ltr" style="text-align:left;">

.text:010873F6 ; int __fastcall BlahBlahBlah(int,int,int,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)

.text:010873F6 ?BlahBlahBlah@@YGHPAXPBXKPAKPAU_OVERLAPPED@@@Z proc near

.text:010873F6                                         ; CODE XREF: sub_10948BC+1Cp

.text:010873F6

.text:010873F6 arg_0           = dword ptr  8

.text:010873F6 lpBuffer        = dword ptr  0Ch

.text:010873F6 nNumberOfBytesToWrite= dword ptr  10h

.text:010873F6 lpNumberOfBytesWritten= dword ptr  14h

.text:010873F6 lpOverlapped    = dword ptr  18h

.text:010873F6

.text:010873F6                 mov     edi, edi

.text:010873F8                 push    ebp             ; lpBuffer

.text:010873F9                 mov     ebp, esp

.text:010873FB                 push    esi             ; hFile

.text:010873FC                 push    edi

.text:010873FD                 push    [ebp+arg_0]

.text:01087400                 call    sub_10872FE

.text:01087405                 xor     esi, esi

....

....

.text:0108747A                 mov     esi, ds:__imp__WriteFile@20 ; WriteFile(x,x,x,x,x)

.text:01087480                 push    ebx

.text:01087481                 push    [ebp+lpOverlapped] ; lpOverlapped

.text:01087484                 mov     ecx, eax

.text:01087486                 and     ecx, 1

.text:01087489                 sub     eax, ecx

.text:0108748B                 shl     eax, 9

.text:0108748E                 push    edi             ; lpNumberOfBytesWritten

.text:0108748F                 mov     ebx, eax

.text:01087491                 push    ebx             ; nNumberOfBytesToWrite

.text:01087492                 push    [ebp+lpBuffer]  ; lpBuffer

.text:01087495                 push    hFile           ; hFile

.text:0108749B                 call    esi ; WriteFile(x,x,x,x,x) ; WriteFile(x,x,x,x,x)



</div></pre></div>



here my hooking code





BOOL PATCH_InsertJump (DWORD  Address,DWORD Destination, BYTE* origopcode, int len)

{

    DWORD OldProtect;

    if(!VirtualProtect((LPVOID)Address,5,PAGE_READWRITE,&amp;OldProtect))

        return false;

    memcpy(origopcode, (const void*)Address, len);

    *(BYTE*)(Address)     = 0xE9;

    *(DWORD*)(Address+1) = Destination - (Address + 5);



    return (BOOL)VirtualProtect((LPVOID)Address,5,OldProtect,NULL);

}



BOOL RestoreOriginalOpcodes(DWORD Address, BYTE* origopcode, int len)

{

    DWORD OldProtect;

    if(!VirtualProtect((LPVOID)Address,len,PAGE_READWRITE,&amp;OldProtect))

        return false;



    memcpy((void*)Address, (const void*)origopcode, len);



    return (BOOL)VirtualProtect((LPVOID)Address,len,OldProtect,NULL);



}



#define HOOK_OFFSET 0x1087484

#define PATCH_LEN 5



BYTE origopcode[PATCH_LEN] = {0};

DWORD Hook2Return, sEAX;

PVOID pBuffer;





__declspec(naked) void BlahBlahBlahHook()

{

    __asm

    {

        // storing eax value

        mov        sEAX, eax



        // getting the buffer from the stack

        mov        eax, [esp + 8]

        mov        pBuffer, eax



        // restoring eax...

        mov        eax, sEAX

        

        // overwritten code...

        mov     ecx, eax

        and     ecx, 1

    }

    

    __asm pushad



    debug.Write(&quot;%s&quot;, (char*)pBuffer);



    __asm popad;

    

    __asm jmp Hook2Return;

}







BOOL APIENTRY DllMain( HMODULE hModule,

                       DWORD  ul_reason_for_call,

                       LPVOID lpReserved

                     

{



    if (ul_reason_for_call == DLL_PROCESS_ATTACH)

    {



        PATCH_InsertJump(  HOOK_OFFSET ,(DWORD)&amp;VTI_WriteFileHook, (BYTE*)origopcode, PATCH_LEN);

        Hook2Return = HOOK_OFFSET + PATCH_LEN;

    }

    else if(ul_reason_for_call == DLL_PROCESS_DETACH)

    {

        RestoreOriginalOpcodes(HOOK_OFFSET, (BYTE*)origopcode, PATCH_LEN);

    }



    return TRUE;

}









now when i'm injecting that dll into my target, the target crash even before to call the Blahblahblah function...



<div style="margin:20px; margin-top:5px; "><div class="smallfont" style="margin-bottom:2px">Quote:</div><table cellpadding="6" cellspacing="0" border="1" width="90%"><tr><td class="alt2" style="border:1px inset"><i>Exception non gérée à 0x010871b1 dans target.exe : 0xC0000005: Access violation.</i></td></tr></table></div>



in debugger:

<div style="margin:20px; margin-top:5px"><div class="smallfont" style="margin-bottom:2px">Code:</div><pre class="alt2" style="margin:0px; padding:6px; border:solid 1px; width:90%; height:80px; overflow:auto"><div dir="ltr" style="text-align:left;">

OtherFunctionThanBlahblahblah:

010871B1  mov         edi,edi ; edi = 0x000000FF

010871B3  push        ebp  

010871B4  mov         ebp,esp 

010871B6  push        edi  

...



BlahBlahBlah

010873F6  mov         edi,edi 

010873F8  push        ebp  

010873F9  mov         ebp,esp 

010873FB  push        esi  

010873FC  push        edi  

010873FD  push        dword ptr [ebp+8] 

01087400  call        VTI_Init+0AEh (10872FEh) 

01087405  xor         esi,esi 

01087407  sub         eax,esi 

...

01087477  mov         edi,dword ptr [ebp+14h] 

0108747A  mov         esi,dword ptr [__imp__WriteFile@20 (1001250h)] 

01087480  push        ebx  

01087481  push        dword ptr [ebp+18h] 

01087484  jmp         BlahBlahBlahHook (12E1110h) 

01087489  sub         eax,ecx 

0108748B  shl         eax,9 

0108748E  push        edi  

0108748F  mov         ebx,eax 

01087491  push        ebx  

</div></pre></div>





Suggestions are welcome cause i can't find atm why this error....

I'm not sure i can write the real target name... can i?



regards,



orkblutt


evlncrn8
April 25th, 2008, 07:25
0xC0000005: Access violation.

hmm, code is marked as rwe ?

DOH - Execute!!!! PAGE_EXECUTE_READWRITE is what you need i think DEP is biting you in the ass

Orkblutt
April 25th, 2008, 07:39
lol... i'm an idiot

Thank you !!

naides
April 25th, 2008, 08:00
Quote:
[Originally Posted by evlncrn8;74216]0xC0000005: Access violation.



You mean one is supposed to read the error codes?
I've never thunk that! (In fact, they are usually so cryptic, I never do)

(Orkblutt: I mean no offense, I cannot let this one pass without a little joke).

Orkblutt
April 25th, 2008, 08:47
Quote:
Orkblutt: I mean no offense, I cannot let this one pass without a little joke

ehehe np... you can :-)