[Tut(C++)] Hooking Functions

tarafından **EMO** C.tesi Haz. 25, 2011 4:40 am

Hooking Functions

Requested Knowledge :
- Quite a bit of C++ Programming knowledge
- Debugging Knowledge
- Know how DLLs work and inject
- Knows what a function is.
- Can locate functions in a debugger

Required Tools :
- C++ Compiler(NOT DEV-C++,does't compile DLLs that work)
- OllyDbg(Or an alternative debugger)
- Detour.h\detour.cpp files (Download in attachments)
- DLL Injector
- TargetApplication.exe(Download In Attachments)

Whats is 'Hooking A Function"?

Hooking a function is simply replacing a function with yours, or having your function called
before\after the targeted function, you could also pass paramters to the targeted function when its called.

Step one, locating the function of our target.

Well, we can run the application and you will see that the text "Hello" pops up, and when you hit return, it adds another line with the text "Hello", eventually creating an array of lines with the text "Hello". Finding this function is quite easy to do, we could step through it and examine the program, or we could just search for the ASCII string "hello" in out hex dump. We will find it at 00401082. And a reference to it at 00401082. There you should see an array of pushes followed by a call.

401080 PUSH ESI
401081 PUSH EDI
401082 PUSH 004120B0
401087 PUSH 00413DF0
40108C CALL 00401AA0

and you can see that 00401080 is the start of our function, thus thats the one we need to hook.

Step Two, Creating the hook.

#include
#include "detours.h"
int (__stdcall* HelloFunction)(void);
void HookHelloFunction(void)
{
MessageBox(0, "You called the function : "Hello"", "Function Called", MB_OK);
return;
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
HelloFunction = (int (__stdcall*)(void))DetourFunction((PBYTE)0x0040108 0, (PBYTE)HookHelloFunction);
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
DetourRemove((PBYTE)0x00401080, (PBYTE)HelloFunction); //Remove hook
break;
}
return TRUE;
}

A couple new things, first of all the :
int (__stdcall* HelloFunction)(void);
Thats basically the structure of our targeted function.

Then you see void HookHelloFunction(void), thats basically the function where hooking.
The rest should be quite strait forward.
DetourFunction(FunctionWithinProcess, FunctionToReplaceItWith)
and
DetourRemove(HookedFunction,HelloFunction)