
Thread title: Hook

  1. #1
    Permanent member
    Joined: Shahrivar 1383
    Location: Underground
    Posts: 161

    Hook

    How can I create a Hook for Windows folders, so that whenever a new folder is added it is detected?

  2. #2
    If you knew how to set a hook you wouldn't be asking this question. But I'll post an article; the rest is up to you.


    Windows 9x API hooking – An Example

    By OCY

    Prerequisites

    1. Win32asm programming knowledge ( I use Masm32 here)
    2. Win32 API reference – you die without it
    3. Opcodes reference – you hang yourself in confusion without it, unless you are a wizard in insanity.
    4. A good debugger ( can it be anything other than SoftIce? ) – can you program without it?
    5. A brilliant brain, you have it, don’t you? 


    Introduction

    API hooking is interesting, but the resources on this matter that I can find on the internet are too limited. After crashing M$ Windoze 98 no fewer than 50 times, I finally came up with this example: MsgBoxHack. I spent almost a month researching around the net, hoping to find something SMALL and SIMPLE: and that is the philosophy of this example. In the end, I found Y0da’s Invisibility.zip; my way of hooking APIs is based on his code, but with modifications. (Y0da, you are a GREAT coder, cheers! Without you, I would still be lost in the deep ocean of code!)

    Well, this example simply hooks the MessageBoxA function and points it to our code. When the function is called, our code is executed first. In our code, what we do is add a short message ( Romeo: "Can I date you sweetie? :P" ) to the end of the message box title. After that, we call the original MessageBoxA.

    I heard some wizards out there screaming: “You idiot! I can do that with a simple proggie using EnumWindows and SendMessage!” Another group of semi-gods shouted: “Hey! There are SOOOO~~~~ many ways of doing that!” Well, of course I know! But I chose to hook MessageBoxA so that this example looks SIMPLE, since we coderz are so familiar with it. Besides, this proggie consumes less than 500 bytes of memory when run: can your proggie do that? 

    “Too much theory makes Jack a dull programmer!” Now, before you dive into any jungle of code, let your imagination fly. Think: “What COOL things can I do if I am able to hook APIs?” (tonnes!) “This example is LAME! Let me show that idiot OCY a better way!!” (come on!) “If I hook Winsock APIs…” (How can you do such a thing?! Have you ever heard of privacy?! It is so horrible! But I like it.  I already coded such a proggie. Hei hei hei hei hei….)

    Let your imagination fly…… Imagination is the basis of innovation……
    Boredom is the greatest SIN you can commit in programming……

    A very rough idea on hooking the API

    This is the most important part of API hooking: How are you going to intercept the API when it is called?

    Well, what we do is put a jmp instruction ( opcode E9h: look at your opcodes reference! ) at the API’s entry address. This instruction is 5 bytes long, so we also have to save a copy of the original 5 bytes of instructions that were there.

    Important note: since we are going to patch the API with a 5-byte-long instruction, the API must be at least 5 bytes long. But this is not a problem in most cases: why on earth should you hook a 5-byte-long API?

    Now let’s look at the MessageBoxA API’s code (as SoftIce shows it):

    MessageBoxA:
    push ebp
    mov ebp,esp
    push 00
    push dword ptr [ebp+14h]
    .
    .
    .

    Obviously, the API is longer than 5 bytes… If we patch the instructions at the beginning of the API to a jmp instruction, it becomes ( but before that we must save the original ‘push ebp …’ instructions first! ):

    MessageBoxA:
    jmp injected_code
    .
    .
    .

    injected_code:
    pushfd
    pushad
    .
    .
    .

    After we intercept the API, we modify the MessageBoxA title. Look up your API reference now and it says:

    int MessageBox(

    HWND hWnd, // handle of owner window
    LPCTSTR lpText, // address of text in message box
    LPCTSTR lpCaption, // address of title of message box <- LOOK HERE
    UINT uType // style of message box
    );

    So, the third argument is the title; we make a copy of the title and append our string ‘Romeo: "Can I date you sweetie? :P"’ to the end of it. When we decide to call the original API, we re-patch the instruction at MessageBoxA back to its ORIGINAL code. Then the code becomes:
    MessageBoxA:
    push ebp <- this is the original code
    mov ebp,esp
    push 00
    push dword ptr [ebp+14h]
    . . .
    When the call to MessageBoxA finally returns, it returns to OUR code. From there, we must put the jmp injected_code at the API entry point again, so that the next call to MessageBoxA will come back to our hook code. Generally, the whole process above is like:

    [Flow diagram in the original; only its labels survive: "some proggie calls MessageBoxA" -> "Patch with a jmp to our code" -> "The code now looks like: ..." -> "Return to the calling process"]



    The way of hooking the API is simple; if you are still in a dizzy state of mind – not understanding what I have been talking about – make sure you digest EVERYTHING above before continuing any further, or else you will end up seeing a psychiatrist.
    The reason I did not show how the injected code modifies the MessageBox’s title is: we cannot code the injected code the USUAL way, like:

    lea edx,[ myVar ]

    or

    Invoke MessageBox,NULL,addr MsgText,addr MsgTitle,MB_OK

    Instead, we have to code the injected code the virus way, and this is another interesting thing about API hooking. And do you see why assembly language is so important now? ( High-level languages are important too, but for other purposes. )  If you have digested everything, you can go on to The Problem With Ring 3.


    The Problem With Ring 3

    Today, modern operating systems run the CPU in protected mode ( Ring 3 in this case for Windoze ). The DLL code is mapped into memory called the ‘shared area’, which only allows read and execute access; this means that you cannot modify the code area of the API functions when you are in Ring 3. If you still insist on modifying the code, that extra-ugly “This program has performed an illegal operation…” dialogue will come out and bury you alive. So, how on earth are we going to patch the API as discussed above? Going Ring 0? VxDs? Bad idea – I never did that before… ( the only documented way to go Ring 0 is using a VxD. )

    The usual answer is: we have to modify the page attributes of the API code to allow write access to the code. Micro$oft never documented a way to do so.  But some semi-gods managed to figure out that Windoze uses the first ordinals of kernel32.dll to change page attributes.  Hence k32lib.lib was created (included in the zip file); all we have to do is call VxDCall4. Read the ObtainWriteAccessInSharedArea.asm file for the details on how to do it. ( Y0da, sorry for ripping your proc off Invisibility.zip! Credits go to you. )

    A Little Bit of Assembly – The Unorthodox Way

    Before I preach on hex and hardcoding assembly code, let me tell you that you are going to suffer if you know nothing about virus programming. Here is an explanation of why the virus way of programming is essential. One of the objectives of MsgBoxHack.exe is to stay resident in memory after it exits. This means that before we exit, we have to copy the injected code somewhere else. So we will be screwing up all the offset references made by the instructions at the time the injected code is moved to somewhere in the deep desert of memory. For example:

    Original:

    :0100 lea dx,[MsgStr]
    :0103 mov ah,9
    :0105 int 21h
    :0107 int 20h
    MsgStr:
    :0109 db “Hello World!$”

    After moving to another area:

    :0500 lea dx,[MsgStr]      ; <- still refers to :0109, not :0509
    :0503 mov ah,9
    :0505 int 21h
    :0507 int 20h
    NewMsgStr:
    :0509 db “Hello World!$”

    The above is the typical “Hello World” .COM program you write when you first learn assembly. Let’s say that, for some reason only the programmer knows, he moved the entire proggie from CS:0100h to somewhere:0500h and then exits. Now look at :0500: the lea dx,[MsgStr] actually points to CS:0109 instead of CS:0509. Then those god-damn-brilliant code-gods of the DOS era came up with an idea: “How about we use:

    mov ebp,400h
    lea edx,[ebp + MsgStr]
    int 21h

    ? Hey, it works!”

    In this case the 400h is the distance in bytes (delta offset) between the moved code and the original code (500h – 100h = 400h). In the end, what they do is:

        call get_delta
    get_delta:
        pop ebp                     ; ebp = runtime address of get_delta
        sub ebp,offset get_delta    ; ebp = delta offset (0 if the code was not moved)

    So in our injected code, we use ebp to store the delta offset. Any reference to an offset must have ebp added to it. Read the injected code to understand this.

    About the relative jump instruction…

    We use the relative jump (opcode 0E9h) in the API to jump to our injected code. So we have to HARDCODE the instruction at the API entry point. Don’t let that scare you to death; it is only a scarecrow.  The opcode reference says:

    E9 cd JMP rel32 Jump near, relative, displacement relative to next instruction

    How do we code the “displacement relative to next instruction” crap? Easy, use this formula:

    Displacement = (offset new_code) - (offset old_code) - 5

    There is a ‘- 5’ because the instruction itself is 5 bytes long. Our code patches the API like this (in the proc HookAPI_MessageBox):

    ; modify the attributes of the first 5 bytes of the API, so that we can
    ; patch it later
    invoke ObtainWriteAccessInSharedArea, pMsgBox, num_bytes_to_patch

    mov eax, [pMsgBox]              ; eax = pointer to the original API entry point
    mov byte ptr [eax], jmp_opcode  ; put the relative jump opcode (0E9h)

    mov ecx, [pInjectedCode]        ; ecx -> new API entry point
    sub ecx, eax
    sub ecx, 5                      ; ecx = relative offset between NEP & OEP,
                                    ; minus 5 'cos the jmp xxxx is 5 bytes long

    inc eax                         ; eax -> next byte after the jmp opcode
    mov dword ptr [eax], ecx        ; put the relative offset (rel32)

    About calling other APIs in the injected code

    In the injected code, there is no way you can call an API using the usual Invoke, which has pampered us too much. Anyway, we can get the address of an API by using LoadLibrary and GetProcAddress.

    Our problem is with VxDCall4: GetProcAddress gives you an ugly error because VxDCall4 is NOT the function name in kernel32.dll. Instead, Windoze uses some weird way to locate it which is not known to me. Anyway, I overcame this problem after crashing Winbloze around 5 times… Here’s the code…


    mov eax, offset VxDCall4    ; points to the jmp [pointer] thunk
    inc eax
    inc eax                     ; skip the 2 opcode bytes: eax -> [pointer]
    mov eax, [eax]              ; eax = pointer to the slot holding VxDCall4's address
    mov eax, [eax]              ; eax = address of VxDCall4

    mov lpVxDCall4, eax         ; store it for the injected code


    The code deserves a good explanation: offset VxDCall4 is actually the address of a jmp dword ptr [ xxxxxxxx ] instruction. The xxxxxxxx is the offset of a variable which contains the real address of VxDCall4. And the instruction is encoded like this:

    offset_VxDCall4:
    jmp dword ptr [ xxxxxxxx ]
    FF 25 xxxxxxxx              ; FF /4 with ModRM 25h = jmp [disp32]

    The code is self – explanatory if you understand how the CPU instructions are coded. And that is why you need SoftIce and the opcodes reference.

    So, what now?

    Read the code! Besides, you have to debug the code ( trace it and see EXACTLY how it works ). This will take a lot of your time.

    Afterthoughts

    This is the end of this tute, and you may not have understood a byte of what the hell I was talking about. Anyway, this is common if you are new to assembly language ( I have been playing with assembly language for 3 years ). The virus way of programming actually started when .COM programs were still common. Who says that virus programming is bad?? Virus programming is always good unless you do harm with the knowledge. Today’s virii are polluted with rubbish, because some so-called fake “virus-writers” trash others’ computers like terrorists. My philosophy is: a virus should have hiding itself from detection as its prime goal, although it occasionally shows its existence. Any virus which does harm should be called a pest, since the term ‘virus’ is too holy to be related to such terrorist-proggies. ( Please note that I am NOT a virus writer! Everything I know about viruses is the crap I show in this simple example here… )

    Other ideas for you to try out ( I did some of them, and am going to do others ):
    - Another proggie to UNHOOK the API (come on, that is VERY easy, you just need to replace the jmp injected_code with its original code).
    - Ever heard of encryption? Try to encrypt the injected code. If you know nothing about this, read Assembly Language Journal issue no. 1 – SMC techniques by _mammon; the mag is at http://asmjournal.freeservers.com. Hey, this makes your proggie look more and more like a virus…  Encryption is good because it makes life harder for antivirus people, and proves to the world that assembly language is GOD-DAMN-F@@KING important. ( Some universities today REMOVE assembly language from their syllabus – they give students the impression that assembly language was used during the Stone Age when computers were made from wood and rocks! ) Fine, ask those people: “Can your C++ proggie do this?” and they are so scared that they shit themselves and call us bad names like “VIRUS WRITERS” and even “HACKERS”.  To them, we look like terrorists…
    - A proggie which blocks access to certain websites, say www.micro$oft.com…  Do you know which Winsock32 API to hook? Sorry Gates, I am using your company’s products but I still don’t like you… Hey, this makes the computer user think that Micro$oft is so bankrupt that they have to shut down their website!  Another very cruel idea is: when the user tries to go to www.micro$oft.com, you change the site to point to some ugly porno site instead… ( MsgBoxHack.exe already shows you how to modify arguments, right? ) Hei hei hei hei hei hei hei…… now the user thinks that Gate$ sold his company’s site name for some dirty fast cash!
    - If you have noticed, APIhook.dll is NOT NEEDED AT ALL! I created MsgBoxHack.exe and linked it with a DLL just for fun… Anyway, DLLs are usually huge. Just make a proggie with HookAPI_whatever as a subroutine and your proggie looks cooler!
    - Go wild! Come up with your own ideas… Why the hell are you copying my ideas? Did I say that copycat’ing and boredom are sinful in programming?

    Last words

    OCY says: “Hope this tute helps someone… so long… fly your imagination to the wilds… Any comments are welcome… don’t misuse the info and do harm with it… read the readme.txt file first before you try to distribute some ‘viruses’ which make use of the info here to do harm… if you get caught, don’t blame me… blame yourself for shattering others’ computers to pieces… in fact, if you do harm with all the info here and I catch you, I will slow bomb you… Anyway, happy programming!”

    Credits

    Y0da! – http://y0da.cjb.net
    You are awesome! Without your example, nobody would be reading this crap…
    Iczelion – http://win32asm.cjb.net
    Credit goes to his excellent Win32asm tutorials and his website with loads of code to download…
    Hutch –
    For his excellent Masm32 package, of course.
    Ewayne! –
    For his great ( and FREE! ) AsmEdit editor! I currently develop all my proggies in AsmEdit!

    and all the Code Warriors on the Win32asm message board… I learned a lot from there… and the list continues… it’s too looooooooooooooooong…
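The article's three mechanical steps (make the API's code page writable, write E9 plus a displacement computed as new - old - 5, and have the hook restore the original bytes, call through, then re-arm) can be run end to end on a function in your own process. The following C program is an added example, not OCY's MsgBoxHack code and not from the forum post: target_fn stands in for MessageBoxA and hook_fn for injected_code (both names are assumptions), the page-attribute step uses VirtualProtect on Windows and mprotect elsewhere in place of the article's ObtainWriteAccessInSharedArea, and the thunk decoder reads the FF 25 encoding of jmp dword ptr [xxxxxxxx] from a constructed byte string rather than from a live import table. It also adds two checks the article skips: the rel32 range check, and a note that the restore/call/re-arm dance is not thread-safe.

```c
/* Added example (not from OCY's article or the forum post): a 5-byte
 * "jmp rel32" inline hook on a function in our own process, following the
 * article's procedure. Assumes x86/x86-64 with gcc, clang or MSVC, and that
 * target and hook lie within +/-2 GiB of each other. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

#if defined(_MSC_VER)
#define NOINLINE __declspec(noinline)
#else
#define NOINLINE __attribute__((noinline))
#endif

#define PATCH_LEN 5 /* E9 + rel32 */

/* Displacement = dest - patch_addr - 5, as in the article, plus the range
 * check the article omits: rel32 only reaches +/-2 GiB. Fills out[5]. */
int encode_jmp_rel32(uintptr_t patch_addr, uintptr_t dest, uint8_t out[PATCH_LEN])
{
    intptr_t d = (intptr_t)dest - (intptr_t)patch_addr - PATCH_LEN;
    if (d > INT32_MAX || d < INT32_MIN) return -1;
    int32_t rel = (int32_t)d;
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel); /* little-endian rel32 */
    return 0;
}

/* The thunk the article reads ("jmp dword ptr [xxxxxxxx]") is encoded
 * FF 25 disp32. On 32-bit Windows disp32 is the absolute address of the slot
 * holding the real API address; return that slot address, 0 if not a thunk. */
uint32_t decode_jmp_indirect_slot(const uint8_t *thunk)
{
    uint32_t slot;
    if (thunk[0] != 0xFF || thunk[1] != 0x25) return 0;
    memcpy(&slot, thunk + 2, sizeof slot);
    return slot;
}

/* Stand-in for ObtainWriteAccessInSharedArea: make the code page(s) RWX. */
static int make_writable(void *addr, size_t len)
{
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(addr, len, PAGE_EXECUTE_READWRITE, &old) ? 0 : -1;
#else
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    return mprotect((void *)start, (uintptr_t)addr + len - start,
                    PROT_READ | PROT_WRITE | PROT_EXEC);
#endif
}

struct hook {
    uint8_t *target;             /* patched entry point */
    uint8_t original[PATCH_LEN]; /* saved prologue bytes */
    uint8_t patch[PATCH_LEN];    /* E9 xx xx xx xx */
};
static struct hook g_hook;
static int g_hook_calls;

/* Save the first 5 bytes, then overwrite them with the jump. */
int hook_install(struct hook *h, uintptr_t target, uintptr_t hook)
{
    h->target = (uint8_t *)target;
    if (encode_jmp_rel32(target, hook, h->patch) != 0) return -1;
    if (make_writable(h->target, PATCH_LEN) != 0) return -1;
    memcpy(h->original, h->target, PATCH_LEN);
    memcpy(h->target, h->patch, PATCH_LEN);
    return 0;
}

void hook_remove(struct hook *h) { memcpy(h->target, h->original, PATCH_LEN); }

/* Stand-in for MessageBoxA. The loop keeps it well over the 5-byte minimum. */
NOINLINE int target_fn(int x)
{
    volatile int acc = 0;
    for (int i = 0; i < x; i++) acc += i;
    return acc;
}

/* Like the article's injected_code: tamper with the argument, put the original
 * bytes back, call the real function, re-arm. Not thread-safe: another thread
 * calling target_fn between restore and re-arm bypasses the hook. */
NOINLINE int hook_fn(int x)
{
    int (*volatile real)(int) = target_fn; /* volatile forces a real call */
    g_hook_calls++;
    hook_remove(&g_hook);
    int r = real(x + 1);
    memcpy(g_hook.target, g_hook.patch, PATCH_LEN);
    return r;
}

/* 1: hook fired and tampered the argument; 0: platform cannot patch (non-x86
 * or write-protected text); -1: hook engaged but misbehaved. */
int demo(void)
{
#if !(defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86))
    return 0;
#else
    int (*volatile call)(int) = target_fn;
    if (hook_install(&g_hook, (uintptr_t)target_fn, (uintptr_t)hook_fn) != 0) return 0;
    int hooked = call(10); /* hook_fn -> target_fn(11) = 55 */
    hook_remove(&g_hook);
    int plain = call(10);  /* original again: 45 */
    return (hooked == 55 && plain == 45 && g_hook_calls == 1) ? 1 : -1;
#endif
}

int main(void)
{
    printf("demo() = %d\n", demo());
    return 0;
}
```

hook_remove is the "UNHOOK" proggie from the ideas list: it just writes the saved 5 bytes back. Note that the page is left RWX after unhooking; a production hook would restore the old protection, and would use a trampoline (a copy of the displaced instructions followed by a jump back) instead of re-patching on every call, which is what makes this design race-prone.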

