
Inline


Jo_ti
September 18th, 2009, 09:41
Hi,

I want to hook an API via an inline patch, because I am very bad at the coding part.

I tried to search for a couple of tuts on it, but they are without a target so it's hard to understand what is actually going on. If anyone can share any info about it, just a little idea, not a detailed thing of how it actually happens, that would be enough for me. I will try to put some more effort into it.

Jo_Ti

BanMe
September 18th, 2009, 12:10
the idea is pretty simple..especially if you are doing an inline 'patching' approach..

Code:

push Parameter1
push Parameter2
Call API


in asm terms it looks like this essentially...
Code:

push DWORD
push DWORD
call DWORD


now let's say you have the hooking code already done, something that is patched to some address in the 'target' permanently.

you should not modify the stack in the hooking code unless you are not returning to the called function..Call DWORD..in which case you should clean the stack yourself of the unused parameters..but I won't go over that..

so in order to avoid modifying the stack code similar to this should be used..
Code:

pushad

..actual code that performs filtering of denial of service or bypass or w/e...

popad
jmp to_original_function


so now that you know what a trampoline hook 'should' look like, this does not mean that it has to look like this..but w/e.. so where the first line of the hooking code starts is the address of the hook you want to jmp to..

so that after the hooking is done the example from above looks like this..
Code:

push DWORD
push DWORD
jmp hook


I hope this helps

It prolly doesn't..so..

Code:

wtf:
00401080 55 push ebp
00401081 8B EC mov ebp,esp
00401083 6A 01 push 1
00401085 6A FF push 0FFFFFFFFh
00401087 FF 15 F8 60 40 00 call dword ptr [__imp__SleepEx@8 (4060F8h)]
0040108D 5D pop ebp
0040108E C3 ret
--- No source file -------------------------------------------------------------
0040108F CC int 3


say this is the target function we want to hook with our inline patch..
and say 004013040 is the address of the 'patch'..the code above should look like this after hooking
Code:

wtf:
00401080 E9 BB1FC103 jmp 04013040
00401085 6A FF push 0FFFFFFFFh
00401087 FF 15 F8 60 40 00 call dword ptr [__imp__SleepEx@8 (4060F8h)]
0040108D 5D pop ebp
0040108E C3 ret
--- No source file -------------------------------------------------------------
0040108F CC int 3

regards BanMe

Jo_ti
September 19th, 2009, 04:11
Thanks for the info BanMe, but that's simple inline patching;

it's not hooking API calls. I want to hook an API like this, suppose this:

7C80B529 > 8BFF MOV EDI,EDI
7C80B52B 55 PUSH EBP
7C80B52C 8BEC MOV EBP,ESP
7C80B52E 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7C80B532 74 18 JE SHORT kernel32.7C80B54C
7C80B534 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C80B537 E8 682D0000 CALL kernel32.7C80E2A4
7C80B53C 85C0 TEST EAX,EAX
7C80B53E 74 08 JE SHORT kernel32.7C80B548
7C80B540 FF70 04 PUSH DWORD PTR DS:[EAX+4]
7C80B543 E8 F4300000 CALL kernel32.GetModuleHandleW
7C80B548 5D POP EBP
7C80B549 C2 0400 RETN 4


GetModuleHandleA API call. Now I want to add a hook at 7C80B52C. At this point I will add a jmp to free space, and a compare before my code, so that whenever EAX reaches that specific value any call to GetModuleHandle runs through my code. If the EAX value is not equal to that, then the GetModuleHandle API call works as normal. Basically I want to hook some data which I can only get when a call passes through GetModuleHandle. In the exe code I am unable to find that data, so that is the best place for me to make the patch. But it's an API call, so I'm having some trouble. That's why I just want a clean inline patch to hook this API.

anom
September 19th, 2009, 07:49
Create a new section in the target to be inlined where you can store your code. Then, do a VirtualProtect on the GetModuleHandleA API to retrieve write access. Then do something similar to this (pseudo):

Code:
; ebx contains GetModuleHandleA addr
; the 5-byte jmp is written at ebx+3, i.e. over "mov ebp,esp" (2 bytes) and
; "cmp dword ptr ss:[ebp+8],0" (4 bytes), so 6 bytes get overwritten
mov byte ptr [ebx + 3], 0e9h
mov dword ptr [ebx + 4], hook - (ebx + 3) - 5 ; rel32 counts from the end of the jmp (ebx+8), i.e. hook - ebx - 8; compute it at run time
mov byte ptr [ebx + 8], 90h                   ; sixth overwritten byte: pad with nop rather than leave a stray byte

hook:
; do your eax thing here
; following: execute code you overwrote with your jmp
mov ebp, esp
cmp dword ptr ss:[ebp+8], 0
jmp 7c80b532 ; <- better: jmp dword ptr [where_to_return_to], since that addr will change on different OSs
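The displacement arithmetic and the "stolen bytes" question from BanMe's and anom's posts above, as an added C example that is not code from the thread: it encodes the E9 rel32 jump, checks it against the bytes in BanMe's hooked listing (E9 BB1FC103 at 00401080), and patches constructed copies of both prologues. The instruction lengths are hard-coded from the listings in the thread; a real tool would take them from a length disassembler. The hook address 0x00401000 used for the GetModuleHandleA case is a placeholder.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encode the 5-byte near jump (E9 rel32) that sits at address `from` and lands on `to`.
 * rel32 is measured from the END of the jmp, i.e. from + 5, which is the off-by-one
 * that is easy to get wrong when writing the displacement by hand. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5]) {
    uint32_t rel = to - (from + 5);   /* unsigned wrap-around gives the two's-complement rel32 */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Overwrite the start of `code` (a copy of the bytes that live at `base`) with a jmp to
 * `hook`. `lens` holds the length of each instruction at the start of the function, as a
 * length disassembler would report it (hard-coded here from the listings in the thread).
 * Whole instructions are stolen until at least 5 bytes are covered; any bytes beyond the
 * jmp are filled with NOP (0x90) so no stray partial instruction remains. Returns the number
 * of stolen bytes (the hook must re-execute exactly these before jumping back), 0 on error. */
size_t install_jmp(uint8_t *code, size_t code_len, uint32_t base, uint32_t hook,
                   const uint8_t *lens, size_t n_insn) {
    size_t stolen = 0;
    for (size_t i = 0; i < n_insn && stolen < 5; i++)
        stolen += lens[i];
    if (stolen < 5 || stolen > code_len)
        return 0;
    encode_jmp_rel32(base, hook, code);
    memset(code + 5, 0x90, stolen - 5);
    return stolen;
}

/* Constructed copy of the `wtf` function from BanMe's listing at 0x00401080. */
static const uint8_t WTF_BYTES[15] = {
    0x55,                               /* push ebp                 (1 byte)  */
    0x8B, 0xEC,                         /* mov ebp,esp              (2 bytes) */
    0x6A, 0x01,                         /* push 1                   (2 bytes) */
    0x6A, 0xFF,                         /* push 0FFFFFFFFh          (2 bytes) */
    0xFF, 0x15, 0xF8, 0x60, 0x40, 0x00, /* call dword ptr [4060F8h] (6 bytes) */
    0x5D,                               /* pop ebp                  (1 byte)  */
    0xC3                                /* ret                      (1 byte)  */
};
static const uint8_t WTF_LENS[] = {1, 2, 2, 2, 6, 1, 1};

/* Hooking wtf at its first byte: the jmp covers push ebp / mov ebp,esp / push 1 exactly,
 * so nothing needs padding and `push 0FFFFFFFFh` is the first untouched instruction. */
size_t hook_wtf(uint8_t out[15]) {
    memcpy(out, WTF_BYTES, sizeof WTF_BYTES);
    return install_jmp(out, sizeof WTF_BYTES, 0x00401080u, 0x04013040u, WTF_LENS, 7);
}

/* Constructed copy of GetModuleHandleA from 0x7C80B52C onward (Jo_ti's listing),
 * i.e. the spot anom's pseudo-code patches at ebx + 3. */
static const uint8_t GMHA_BYTES[6] = {
    0x8B, 0xEC,             /* mov ebp,esp                 (2 bytes) */
    0x83, 0x7D, 0x08, 0x00  /* cmp dword ptr ss:[ebp+8],0  (4 bytes) */
};
static const uint8_t GMHA_LENS[] = {2, 4};

/* Hooking at 0x7C80B52C steals 6 bytes for a 5-byte jmp, so one byte is left over:
 * it becomes a NOP here, and the hook must return to 0x7C80B532, not 0x7C80B531. */
size_t hook_gmha(uint8_t out[6], uint32_t hook) {
    memcpy(out, GMHA_BYTES, sizeof GMHA_BYTES);
    return install_jmp(out, sizeof GMHA_BYTES, 0x7C80B52Cu, hook, GMHA_LENS, 2);
}
```

The returned stolen-byte count is the length of the instruction sequence the hook has to replay before jumping back to the original function, which is why the patch site and the return address in anom's pseudo-code have to agree with each other.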

Jo_ti
September 20th, 2009, 03:06
Hi,

Nice to see that someone has info about it. I never tried this one: "VirtualProtect on GetModuleHandleA API to retrieve write access". Can you give me some example of how to do this? Then I think I can make my inline patch easily there.

BanMe
September 20th, 2009, 09:46
All that is a prerequisite of the info I gave..I thought maybe you might know that, or had already picked up some of that...needless to say, you should've dug deeper...
http://www.woodmann.com/forum/showthread.php?t=12931

also placing a 'hook' or 'inline patch' at the location 7C80B52C is not the most optimal solution as it leaves an extra byte..even though that extra byte is 00 that will not always be the case..

there is a stark difference between 'dynamic hooking' and 'static patching'. These 'small' things could help us and me in providing 'correct' info..but I didn't ask that to begin with so that's partially my fault..

BanMe

Jo_ti
September 20th, 2009, 10:02
BOOL VirtualProtect(
    LPVOID lpvAddress,     // address of region of committed pages
    DWORD cbSize,          // size of the region
    DWORD fdwNewProtect,   // desired access protection
    PDWORD pfdwOldProtect  // address of variable to get old protection
);

Thanks BanMe, I just read that one and I also did my search too. So finally I got the parameters and now I know how to work on it. But there is only one thing remaining. I am just not able to figure out this

PDWORD pfdwOldProtect // address of variable to get old protection

How to get this one.

BanMe
September 20th, 2009, 10:12
Code:

DWORD oProtect = 0;
DWORD ooProtect = 0;
VirtualProtect(...,&oProtect);


this will or 'should' be the Old Protection and 'should' be used in the subsequent call to reprotect memory..
Code:

VirtualProtect(...,oProtect,&ooProtect);


also a small bit of programming info: anything that has a P in front of some normal type, be it ULONG, DWORD, WORD or some structure, is expecting a reference to the type..

BanMe

Jo_ti
September 20th, 2009, 11:26
In simple words: how do I get that one, so that I can use it in my patching, because that push is necessary. I know this one resides in ebx or eax, but how to get the actual value I don't know. Maybe this value is related to the one which I am going to replace, but I also checked that address and it doesn't belong to the address which I am going to replace.

BanMe
September 20th, 2009, 17:50
Code:

lea eax,[ebp+4]   ; address of the stack slot that will receive the old protection (lea needs a memory operand; same as mov eax,ebp / add eax,4)
push eax          ; passed as pfdwOldProtect

that might be it..I kinda didn't understand what you were saying.

BanMe
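The two-call VirtualProtect pattern from BanMe's posts above, written out in C as an added example that is not code from the thread. `&oldProtect` is the C form of the lea/push pair: the first call fills it in, and the second call passes that value back to restore whatever protection the page had. On non-Windows builds a POSIX mprotect stand-in is substituted so the flow can actually be run; that path assumes the page was read+execute beforehand, since mprotect reports no previous protection. The bytes are constructed copies of the wtf prologue and the hooked jmp from BanMe's listing.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS / sysconf on glibc */
#endif
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Copy `len` bytes into executable memory at `addr`. On Windows this is the two-call
 * VirtualProtect pattern from the thread: the first call hands back the old protection in
 * `oldProtect`, and that value (not a constant) is what the second call restores.
 * Returns 1 on success, 0 on failure. */
int patch_bytes(void *addr, const uint8_t *bytes, size_t len) {
#ifdef _WIN32
    DWORD oldProtect = 0;   /* receives the protection that was in force before the patch */
    DWORD scratch = 0;      /* the second call also needs a non-NULL output pointer */
    if (!VirtualProtect(addr, len, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;
    memcpy(addr, bytes, len);
    FlushInstructionCache(GetCurrentProcess(), addr, len);
    return VirtualProtect(addr, len, oldProtect, &scratch) != 0;
#else
    /* POSIX stand-in so the flow can be exercised off Windows. mprotect works on whole pages
     * and reports no previous protection, so this path ASSUMES the page was read+execute,
     * the normal state of a code page, and restores that. */
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(uintptr_t)(page - 1);
    size_t span = ((uintptr_t)addr + len) - start;
    if (mprotect((void *)start, span, PROT_READ | PROT_WRITE) != 0)
        return 0;
    memcpy(addr, bytes, len);
    return mprotect((void *)start, span, PROT_READ | PROT_EXEC) == 0;
#endif
}

/* Demo: build a read+execute "code page" holding a constructed copy of the first bytes of
 * wtf from the thread, patch the jmp over its prologue, and report whether the write took.
 * Returns 1 on success, 0 on any failure. */
int demo_patch(void) {
    static const uint8_t wtf_prologue[5] = {0x55, 0x8B, 0xEC, 0x6A, 0x01}; /* push ebp / mov ebp,esp / push 1 */
    /* E9 BB 1F C1 03 = jmp 04013040 from 00401080, the bytes in BanMe's hooked listing */
    static const uint8_t jmp_hook[5] = {0xE9, 0xBB, 0x1F, 0xC1, 0x03};
    const size_t len = 5;
    const size_t region = 4096;   /* one x86 page; mmap/VirtualAlloc round up on bigger pages */
    uint8_t *code;
    int ok;
#ifdef _WIN32
    code = (uint8_t *)VirtualAlloc(NULL, region, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!code) return 0;
    memcpy(code, wtf_prologue, len);
    DWORD old = 0;
    if (!VirtualProtect(code, region, PAGE_EXECUTE_READ, &old)) return 0;
#else
    code = mmap(NULL, region, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return 0;
    memcpy(code, wtf_prologue, len);
    if (mprotect(code, region, PROT_READ | PROT_EXEC) != 0) return 0;
#endif
    /* the page is now RX like a real code page; patch_bytes has to unprotect it first */
    ok = patch_bytes(code, jmp_hook, len) && memcmp(code, jmp_hook, len) == 0;
#ifdef _WIN32
    VirtualFree(code, 0, MEM_RELEASE);
#else
    munmap(code, region);
#endif
    return ok;
}
```

Writing into a code page without the first VirtualProtect call faults, and restoring with a hard-coded constant instead of the saved `oldProtect` leaves the page writable afterwards, which is the kind of change an integrity check or a memory scanner will flag.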

Jo_ti
September 21st, 2009, 03:28
This is a small message box. Can you change the message "Hello World" to "Hi Banme" by using VirtualProtect? Don't change strings, just use VirtualProtect to do the job. I will try to learn from that.

http://rapidshare.com/files/282940469/A.exe.html

disavowed
September 21st, 2009, 08:16
Why not use Microsoft Detours? (http://research.microsoft.com/en-us/projects/detours/)
It's open-source and free for non-commercial / non-production use.

BanMe
September 21st, 2009, 09:31
disavowed is being light hearted, i see..

VirtualProtect cannot do that by itself...Jo_ti you need a deeper understanding of what VirtualProtect does and how it can be used in hooking..I second that you look into Detours, but I don't suggest using it..I suggest you read over the source code and get a grasp of how it works internally to accomplish the detouring..

also it is very easy to change that using various methods..directly patch the string, dynamically patch the string, hook MessageBox and rearrange the stack..so on and so forth..

but I think that info might be falling on deaf ears atm, so I strongly suggest more research and testing, because having it come to you is far better than me explaining it..

BanMe