Hooking an API in own app

Started by Ghirai, April 06, 2005, 08:08:00 PM

Ghirai

Hey,

The main idea is that I'd like to hook GetDlgItemInt in my own application.
What's the safest way to do it?

Thanks.

MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

BoR0

I've been playing with API hooks recently. This is how I disable ExitProcess (old, good EBFE ;-)

;Thank you edcba :)

.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
mydll db "kernel32.dll", 0
myfnc db "ExitProcess", 0
blah  dd ?                  ; old page protection returned by VirtualProtect

.code
start:
invoke LoadLibrary, ADDR mydll
invoke GetProcAddress, eax, ADDR myfnc
push eax                    ; keep the address of ExitProcess across the call

; the code page is read/execute only: keep execute, add write
invoke VirtualProtect, eax, 2, PAGE_EXECUTE_READWRITE, ADDR blah

pop eax
mov word ptr [eax], 0FEEBh  ; stored little-endian as bytes EB FE (JMP SHORT $) ; EBFE kicks ass :-)

invoke MessageBox,0,0,0,0   ; VOILA!!!

invoke ExitProcess, 0       ; now spins forever in the JMP instead of exiting
end start


Good luck! :U

Ghirai

Thanks, I'll see what I can do :P
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

thomasantony

Hi,
I don't know much about hooking, but I think it would be better to save the bytes replaced with EBFEh. BTW, does this work in non-NT OSes? Should I use WriteProcessMemory instead in 98SE?
And what is the use of hooking an API?

Thomas
There are 10 types of people in the world. Those who understand binary and those who don't.


Programmer's Directory. Submit for free

BoR0

This should work for ANY Windows OS.

EBFEh is universal! ;-)

Good luck! :U

MichaelW

EBFE = JMP SHORT -2, effectively an endless loop. What's the point?
eschew obfuscation

pbrennick

It looks like he is disabling ExitProcess by forcing a *hang*

Still, it still seems pretty pointless as you said, Michael.

Paul

thomasantony

Hi,
EBFE means jmp eip. What I wanted to know is whether Windows 98 and similar allow modification of the kernel memory.

Thomas
There are 10 types of people in the world. Those who understand binary and those who don't.


Programmer's Directory. Submit for free

BoR0

I think you can edit kernel32's memory, yes.
Not sure though, I've tested on 2K only.

Quote from: pbrennick on April 07, 2005, 05:19:21 PM
It looks like he is disabling ExitProcess by forcing a *hang*

Still, it still seems pretty pointless as you said, Michael.

Paul


It's just an example of API hooking. And why should it be pointless? It disables ExitProcess  :U

thomasantony

Hi,
I think a better way of disabling ExitProcess will be writing RET 4 (or whatever the total size of parameters). I think that converts to C2 04 00, or as a DWORD 0004C2h. BTW, I tested and found it works in Win98 too. But I think the point of hooking is not disabling an API but redirecting it through your code to detect where it is coming from, or something like that.

Thomas
There are 10 types of people in the world. Those who understand binary and those who don't.


Programmer's Directory. Submit for free
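The safer pattern Thomas describes above (save the bytes you overwrite, and route the call through your own code instead of just killing it), as an added example that is not from this thread: it hooks ExitProcess inside the process itself with a 5-byte JMP, and the handler writes the original bytes back before continuing into the real function. It assumes the MASM32 SDK include paths and that RtlMoveMemory is declared in kernel32.inc.

```asm
; Added example: in-process hook of ExitProcess that saves and restores the patched bytes
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szKernel db "kernel32.dll", 0
szExit   db "ExitProcess", 0
szMsg    db "ExitProcess was called; restoring the original bytes and continuing", 0
pExit    dd 0                   ; real address of ExitProcess
oldProt  dd 0                   ; protection returned by VirtualProtect
saved    db 5 dup(0)            ; the 5 original bytes we overwrite
patch    db 0E9h, 0, 0, 0, 0    ; JMP rel32 to OurHook, displacement filled in below

.code
start:
    invoke GetModuleHandle, ADDR szKernel
    invoke GetProcAddress, eax, ADDR szExit
    mov pExit, eax
    ; rel32 = target - (address of the JMP + 5)
    mov edx, OFFSET OurHook
    sub edx, eax
    sub edx, 5
    mov dword ptr [patch+1], edx
    ; keep the page executable, add write, then save the old bytes before patching
    invoke VirtualProtect, pExit, 5, PAGE_EXECUTE_READWRITE, ADDR oldProt
    invoke RtlMoveMemory, ADDR saved, pExit, 5
    invoke RtlMoveMemory, pExit, ADDR patch, 5
    invoke FlushInstructionCache, -1, pExit, 5   ; -1 is the current-process pseudo handle
    invoke ExitProcess, 0       ; lands in OurHook first

OurHook:
    ; same stack as the real call: [esp] = return address, [esp+4] = exit code
    invoke MessageBox, 0, ADDR szMsg, 0, MB_OK
    invoke RtlMoveMemory, pExit, ADDR saved, 5   ; put the original prologue back
    invoke FlushInstructionCache, -1, pExit, 5
    jmp dword ptr pExit         ; continue into the real ExitProcess
end start
```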

Brett Kuntz

I wrote up a basic hooking tutorial located here:

[link removed]

There's a few more examples in that section.

Kunt0r,
I have removed the link, as your site deals with reverse engineering and cracking third-party applications. I know there is no bad intent on your behalf, but we do have a standard to maintain.
That is not to mean that your tutorials should go to waste... you should "clean" them a little to remove any potentially objectionable references to apps that are not your own, then post them here.
- sluggy

thomasantony

Hi,
I am working on a source generator which makes PROC frames for all the functions in a DLL, so that we can make a stub for system DLLs so that all the calls pass through our code :bdg. I will complete the User32.dll after I get back from a tour.

Thomas
There are 10 types of people in the world. Those who understand binary and those who don't.


Programmer's Directory. Submit for free