[C/C++] Hooking Tutorial
Requirements:
- Knowledge of C/C++
- MSDetours Version 1.5
I highly recommend you learn before trying tutorial.
Summary of Learning:
- Simple hooking
When I was learning game hacking I didn't see many hooking tutorials out there, so I thought
I'd make one and describe the logic behind it.
What is hooking?
You can hook APIs and functions and alter the way the function works.
Example:
Code:
void Test(bool Status);        // Original
void Hooked_Test(bool Status); // Hook
in our hook we add extra code like
Code:
void Hooked_Test(bool Status)
{
    if (Status)
    {
        // custom shit
    }
    Test(Status); // call the original
}
This could be useful for removing arguments from a function that you don't want.
So e.g. on a game we
Ok the code with some comments:
Code:
#include <windows.h>
#include <commdlg.h>   // GetOpenFileNameW, LPOPENFILENAMEW
#include "detours.h"

// Typedef for the original API
typedef BOOL (APIENTRY *tGetOpenFileNameW)(LPOPENFILENAMEW);
// Pointer to the original API, filled in when the hook is installed
tGetOpenFileNameW oGetOpenFileNameW;

// Our hook
BOOL APIENTRY hGetOpenFileNameW(LPOPENFILENAMEW lpofn)
{
    // Custom Code
    MessageBoxA(NULL, "Executing code before GetOpenFileNameW", "Hook", MB_OK);
    // Original API
    return oGetOpenFileNameW(lpofn);
}

BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // Install Hook
        oGetOpenFileNameW = (tGetOpenFileNameW)DetourFunction((PBYTE)GetOpenFileNameW, (PBYTE)hGetOpenFileNameW);
    }
    return TRUE;
}
OK, now inject the DLL into Notepad or any process that uses GetOpenFileNameW; when it's called you will see our MessageBox appear.
Notes: MSDetours only works for x86 programs and these hooks are easy to detect, so I'd recommend you do NOT use this
method on protected games.
Any questions or problems feel free to ask.
Uploaded MSDetours 1.5 for people to download since it's not on the Microsoft website anymore:
http://www.darkhook.net/downloads/MSDetours_1.5.zip
EMO- EMO Team
Re: [C/C++] Hooking Tutorial
tofurocks Wrote:
Code:
int * address;
&address = 0x00
address = 10
Don't want to sound like a flamer, but I can understand what you're trying to do, but that would not compile. Ideally you would want to use something like:
Code:
*(datatype*)(0xyouraddress) =
For example:
Code:
*(DWORD*)(0xDEADBEEF) = 12345;
You need to be careful of writing to invalid addresses. I think there is a function for checking for valid pointers, but I think it's obsolete now? Maybe someone can confirm that, but yeah, you could set up SEH or VEH for handling invalid addresses.
Page permissions: so making it writeable using VirtualProtect, then flushing the CPU cache with FlushInstructionCache, but yeah, starting to get off topic, as what you stated isn't hooking but is writing a value to an address.
(05-09-2011 08:34 PM) Psycho Wrote: How vague, may I ask you to go into more detail or are you going to make an excuse? Yes, I am genuinely interested.
I'll expand on hooking for you. Not too sure what you're wanting to know, but here is more detail that hopefully you will find interesting or useful.
How hooking works?
So let's say we want to hook "MessageBoxA", which is located in user32.dll. If you're unsure you can check
MSDN:
http://msdn.microsoft.com/en-us/library/...85%29.aspx
Where the table at bottom displays the DLL the exported function is in.
If you're trying to hook an exported function that's not part of Windows, you could check the EAT of the loaded DLLs within the application you want to hook. (I recommend LordPE for this).
The EAT may be encrypted and be using a fake EAT, EAT as loader; you could use OllyDbg or IDA Pro to find runtime exports etc. etc., but yeah, there are so many methods.
So here is MessageBoxA in the disassembler:
Code:
USER32.dll+6FD1E - 8B FF - mov edi,edi
So this line of code will be replaced with your JMP to your code (or any sort of method you want to use to get to your code that you allocated within the process; other methods could be PUSH then RET and various others).
USER32.dll+6FD1E - E9 DD02A991 - jmp 07E70000
0x07E70000 Contains your code.
So now hopefully you'll understand what happens behind the scenes.
What it's useful for?
Malicious use:
- Hiding content from a process (Usually used in r3 rootkits etc)
- Evading some sort of protection such as anti-cheats etc
Good use:
- Adding functionality or fixing problems within a program
- Preventing or limiting some APIs being used for malicious use. (For example, my latest project is a highly complex sandbox that hooks certain APIs and lets you grant permission to certain resources. If you're interested I'll show some screenshots and explain in more depth.)
A little more on the hooks themselves.
So we can modify the content of the arguments.
Code:
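int WINAPI hMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    // lpText is a const pointer into the caller's buffer, so point it at our
    // own string instead of copying into that buffer
    lpText = "Hi-jacked messagebox's message.";
    return oMessageBoxA(hWnd, lpText, lpCaption, uType);
}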
We could just do something completely different from what the API is intended for:
Code:
int WINAPI hMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    // Some code
    return 0; // any return you want
}
You can execute code before or after the API, etc. etc.
EMO- EMO Team
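The first post's remark that these hooks are easy to detect follows from the byte patch shown in the reply: the function's first instruction no longer matches what the module shipped with. As an added example (not part of the original posts), this C routine classifies a 32-bit function prologue and flags a JMP or PUSH/RET redirect whose target lies outside the owning module; the function and type names are hypothetical, the base address is derived from the listing's jmp target and offset, and the module size is an assumed value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { PROLOGUE_CLEAN, REDIRECT_INSIDE, REDIRECT_OUTSIDE, PROLOGUE_UNKNOWN } verdict;
typedef struct { uint32_t base, size; } module_range;   /* loaded image range */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int in_module(const module_range *m, uint32_t addr) {
    return addr - m->base < m->size;   /* unsigned wrap also rejects addr < base */
}

/* Classify the first bytes of a 32-bit function that lives at func_addr.
   For redirects, *target receives the decoded destination address. */
verdict classify_prologue(const uint8_t *code, size_t len, uint32_t func_addr,
                          const module_range *mod, uint32_t *target)
{
    *target = 0;
    if (len >= 2 && code[0] == 0x8B && code[1] == 0xFF)      /* mov edi,edi */
        return PROLOGUE_CLEAN;
    if (len >= 5 && code[0] == 0xE9)                         /* jmp rel32 */
        *target = func_addr + 5 + read_le32(code + 1);       /* wraps mod 2^32 */
    else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) /* push imm32; ret */
        *target = read_le32(code + 1);
    else
        return PROLOGUE_UNKNOWN;
    return in_module(mod, *target) ? REDIRECT_INSIDE : REDIRECT_OUTSIDE;
}

/* Constructed sample: bytes and offset from the post's listing; the base is
   derived from its jmp target, and the module size is an assumed value. */
static const uint8_t SAMPLE_CLEAN[]  = { 0x8B, 0xFF };
static const uint8_t SAMPLE_HOOKED[] = { 0xE9, 0xDD, 0x02, 0xA9, 0x91 };
static const module_range SAMPLE_USER32 = { 0x76370000u, 0x00100000u };
#define SAMPLE_FUNC_ADDR (0x76370000u + 0x6FD1Eu)

int main(void) {
    uint32_t t;
    verdict v = classify_prologue(SAMPLE_HOOKED, sizeof SAMPLE_HOOKED,
                                  SAMPLE_FUNC_ADDR, &SAMPLE_USER32, &t);
    printf("verdict=%d target=0x%08X\n", (int)v, (unsigned)t);
    return 0;
}
```

A prologue that still reads mov edi,edi only rules out a patch at this one site; comparing the in-memory bytes of the function with the module's on-disk image is the broader check.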