
this is a question about hook


dcskm4200
July 30th, 2006, 20:16
Hey,all

                    |----<-----------------
user process--->hook dll-->|
                    |-----<--kernel32.dll-

if myApi is as follows, while hooked, the user process will terminate.

;---------------------------
myApi proc any parameters
ret
endp
;---------------------------

regards

JMI
July 30th, 2006, 21:48
We have a Rule about you doing some of your OWN homework BEFORE you ask a question here. So tell us what YOU have done to attempt to find an answer to YOUR question, besides asking it here. And this is not an "Advanced" question and does not belong in that Forum.

And dcskm4200 you DO NOT get to use +Splaj's Avatar. Find one of your own!

Regards,

Woodmann
July 30th, 2006, 22:09
Howdy,

I see you have met JMI

Woodmann

Give us a little bit more to work with.

nikolatesla20
July 30th, 2006, 22:18
It terminates because you are failing to account for the state of the stack. Read more about what the stack does when a function gets called, and what happens to the stack during a RET instruction.

dcskm4200
July 31st, 2006, 00:48
Quote:
tell us what YOU have done to attempt to find an answer to YOUR question, besides asking it here. And this is not an "Advanced" question and does not belong in that Forum.

i would ask you:
1. which university has arranged such homework?
2. where is the hook technique used?
3. if you know a bit about hooking, please show your code for hooking zwOpenProcess.

you are really funny.

SiGiNT
July 31st, 2006, 01:35
I believe the University of Google offers extensive material on the subject matter - perusing the links at the bottom of the page might also be considered - of course you probably haven't bothered to use the scroll function on your mouse - sometimes the search function at the top of the page is useful - let us know what you learn at UoG.

SiGiNT

dcskm4200
July 31st, 2006, 02:04
about the game shell.
i'll try searching to find some helpful msg.

Silver
July 31st, 2006, 07:09
Am I the only one who doesn't have a clue what's going on here?

Kayaker
July 31st, 2006, 07:33
Quote:
[Originally Posted by Silver]Am I the only one who doesn't have a clue what's going on here?


No, I'd hazard a guess that's a pretty common feeling

dcskm4200, you need to try to explain your problems more clearly for anyone to try to help you. There are many examples of API hooking around that you should be able to find. If your hook isn't working you have to post some code or explain the method you're using, and you should also be able to debug your own code enough to be able to give some details as to where you think it's crashing.

Come back with more information after you've done some research if you're still having problems.

Kayaker

dcskm4200
July 31st, 2006, 07:36
Code:
HookAPI proc lpApplicationName:DWORD,pCommandLine:LPTSTR,pProcessAttributes:DWORD,\
pThreadAttributes:DWORD,bInheritHandles:BOOL,dwCreationFlags:DWORD,\
pEnvironment:LPVOID,pCurrentDirectory:LPCTSTR,pStartupInfo:STARTUPINFO,lpProcessInformation:PROCESS_INFORMATION

invoke MessageBox, NULL,offset HookMsg, CommandLine, MB_YESNO
.if eax==IDYES
invoke WriteApi,hProcess,Api_addr, offset Api_Backup ,8 ;RESTORE
invoke CreateProcess,lpApplicationName,pCommandLine,pProcessAttributes,\
pThreadAttributes,bInheritHandles,dwCreationFlags,\
pEnvironment,pCurrentDirectory,addr pStartupInfo,addr lpProcessInformation
invoke WriteApi,hProcess,Api_addr, offset HookCodeHex ,sizeof HookCodeHex ;HOOK AGAIN
mov eax,TRUE
ret
.else
mov eax,FALSE
add esp,4*10
ret 4*10
.endif
HookAPI endp
;=========================================================

the above code works fine when IDNO is selected.
when IDYES is selected, CALL kernel32.CreateProcessInternalA crashes.

Thank you for your response


EDIT KAYAKER: I edited your post, in the future try to use [code /code] tags (there's a button for that) instead of [quote /quote] tags when posting code.

Admiral
July 31st, 2006, 07:59
All's well that ends well, I guess

By the way, I love your sig, Silver

dcskm4200
July 31st, 2006, 08:15
Quote:
All's well that ends well, I guess

what?

naides
July 31st, 2006, 08:26
Quote:
[Originally Posted by dcskm4200]
Code:

invoke WriteApi,hProcess,Api_addr, offset HookCodeHex ,sizeof HookCodeHex ;HOOK AGAIN
mov eax,TRUE
ret ; Here you did not balance the stack
.else
mov eax,FALSE
add esp,4*10 ; While here you did. Also this is a somewhat redundant way to balance the stack: you add decimal 10 dwords (because the proc takes 10 parameters) to esp
ret 4*10 ; and do it again, indirectly, with the ret N instruction
.endif
HookAPI endp



In blue.

Now, does your assembler interpret 10 as decimal 10 or as hex 10 (==16)?
That is key also.

dcskm4200
July 31st, 2006, 08:49
hello, naides
Thank you for the answer.
i don't understand your answer.

the HookAPI is in a user dll, a global hook.

i want to hook CreateProcessA. in IDYES, because i call CreateProcess, i didn't balance the stack; in IDNO, i don't call CreateProcess, so i need to balance the stack.

retn can't work.
please modify the code so it works ok. i will test it.

best regards

Kayaker
July 31st, 2006, 10:32
I don't understand why you need to manually balance the stack at all. Normally the MASM proc/endp should do that for you. The most you should have to do is preserve ebx, edi, esi if you use them.

Wouldn't this syntax be sufficient?

Code:

MyProc proc blah:DWORD, blah2:DWORD

.if eax==IDYES
...
mov eax,TRUE

.else
mov eax,FALSE

.endif

ret

MyProc endp


As for the crash, if it's truly CreateProcessInternalA that's causing the crash, then you've either got a parameter wrong, or you've screwed something up in the mysterious WriteApi proc called before CreateProcess.

Kayaker
July 31st, 2006, 10:39
Quote:
[Originally Posted by dcskm4200]the HookAPI is in user dll, Globe Hook.

i want to hook CreateProcessA.


Huh? What are you trying to do exactly?

Kayaker

dcskm4200
July 31st, 2006, 10:54
hey, Kayaker
i can't explain the problem clearly. src sent here.
please check for the error.

p_1.exe control creating a process.(MSGBOX.EXE)
testhook_2.exe install hook (or uninstall in the hookdll_2.dll) in system.


best regards

sHice
July 31st, 2006, 12:21
Code:

;HookAPI proto :DWORD,:LPSTR,:DWORD,:DWORD,:BOOL,:DWORD,:LPVOID,:LPCTSTR,:DWORD,:DWORD
HookAPI proc lpApplicationName:DWORD,pCommandLine:LPTSTR,pProcessAttributes:DWORD,\
pThreadAttributes:DWORD,bInheritHandles:BOOL,dwCreationFlags:DWORD,\
pEnvironment:LPVOID,pCurrentDirectory:LPCTSTR,pStartupInfo:DWORD,lpProcessInformation:DWORD

local a:DWORD

pushad
invoke MessageBox, NULL,offset HookMsg, CommandLine, MB_YESNO
.if eax==IDYES
;int 3
invoke WriteApi,hProcess,Api_addr, offset Api_Backup ,8 ;RESTORE
invoke CreateProcess,lpApplicationName,pCommandLine,pProcessAttributes,\
pThreadAttributes,bInheritHandles,dwCreationFlags,\
pEnvironment,pCurrentDirectory, pStartupInfo, lpProcessInformation
mov a, eax
invoke WriteApi,hProcess,Api_addr, offset HookCodeHex ,sizeof HookCodeHex ;HOOK AGAIN
popad
mov eax, a
ret
.else
popad
mov eax,FALSE
ret
.endif
HookAPI endp



Tested and working. The last 2 parameters of your CreateProcess were the problem: you did not pass the proper pointers to the structures but created new structures on the stack instead. The pushad and popad are not really necessary, because the Windows API wouldn't restore some of the registers after using them either, but well... mov eax, a is for returning the proper return value of CreateProcess, because it could fail and thus would return 0 and not 1. Ask if you don't understand something about the code.
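The hook in this thread saves the first 8 bytes of the kernel32 export (Api_Backup), overwrites them with a jump stub (HookCodeHex), and restores them around the real CreateProcess call. Seen from the defender's side, that patch is exactly what an export-prologue scanner looks for. The C below is an added example, not code from this thread or from any of the posters; the prologue bytes, the function address 0x7C802367 and the module range are constructed sample values, not taken from any real kernel32 build.

```c
#include <stdint.h>
#include <string.h>

#define PATCH_LEN 8 /* the thread's hook saves and overwrites the first 8 bytes of the export */

/* Compare the live prologue with a known-clean copy (the defender's own
 * Api_Backup, e.g. read from the on-disk kernel32.dll); 1 if any byte differs. */
int prologue_modified(const uint8_t *live, const uint8_t *clean, size_t n)
{
    return memcmp(live, clean, n) != 0;
}

/* Heuristic when no clean copy is at hand: does the prologue begin with a
 * control transfer of the kind an inline hook plants? */
int starts_with_hook_stub(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return 1;                                 /* jmp rel32 */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;                 /* jmp dword ptr [addr] */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1;                 /* push imm32 ; ret */
    if (n >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) return 1; /* mov eax,imm32 ; jmp eax */
    return 0;
}

/* For an E9 stub at func_addr: target = address of the next instruction + rel32. */
uint32_t jmp_rel32_target(uint32_t func_addr, const uint8_t *p)
{
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel); /* little-endian displacement after the opcode */
    return func_addr + 5 + (uint32_t)rel;
}

/* Constructed sample bytes and addresses, not taken from any real binary. */
static const uint8_t clean_prologue[PATCH_LEN]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t hooked_prologue[PATCH_LEN] = {0xE9,0xFB,0xFF,0x0F,0x00,0x90,0x90,0x90};

/* Run the checks the way a scanner would. Bitmask: 1 = differs from the clean
 * copy, 2 = stub pattern, 4 = the jump leaves the module image, i.e. it lands
 * in foreign code (a hook DLL) rather than a legitimate in-module hot-patch. */
int scan_export(uint32_t func_addr, const uint8_t *live, uint32_t mod_base, uint32_t mod_size)
{
    int flags = 0;
    if (prologue_modified(live, clean_prologue, PATCH_LEN)) flags |= 1;
    if (starts_with_hook_stub(live, PATCH_LEN)) {
        uint32_t target = jmp_rel32_target(func_addr, live);
        flags |= 2;
        if (live[0] == 0xE9 && (target < mod_base || target >= mod_base + mod_size)) flags |= 4;
    }
    return flags;
}
```

Because this hook restores the clean bytes while the real API runs and re-applies them afterwards, a single snapshot can land in the clean window; scan more than once or compare against the on-disk image rather than trusting one read.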

dcskm4200
July 31st, 2006, 13:12
Hey,sHice

That's all.

Thank you very much.