Api hooking Technique
Api hooking Technique
API hooking is one of many ways to control how Windows and third-party software behave under certain circumstances. The technique shown here is a global API hook within the current process's address space.
It works by assembling a small buffer of machine-code instructions that, when executed, jump to another location in memory. To hook a specific API, we write this code over the start of the exported function, so that every call to the export results in an unconditional jump to our replacement.
apihook.c
#include <windows.h>
#include <stdio.h>
#include <string.h>
/* Overwrite the first 6 bytes of lpModule!lpFuncName with a jump to lpFunction,
 * saving the original 6 bytes into lpBackup (caller-provided, at least 6 bytes).
 * Returns the address of the patched export. */
DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup);
/* Write the 6 bytes saved in lpBackup back over lpModule!lpFuncName.
 * Returns TRUE if WriteProcessMemory succeeded. */
BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup);
/* Replacement for MessageBoxA; same signature so the patched jump lands on
 * code that reads the caller's arguments correctly. */
int MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
BYTE hook[6]; /* backup of the original MessageBoxA prologue bytes, filled by HookFunction */
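/* Program entry point (this name replaces the CRT's startup routine).
 * Installs the MessageBoxA hook, then triggers it once with a test call.
 *
 * MessageBoxA is called explicitly rather than through the MessageBox macro:
 * the macro resolves to MessageBoxW in a UNICODE build, which neither matches
 * the hooked export nor accepts the narrow string literals used here. */
void WinMainCRTStartup(void)
{
    /* HookFunction returns 0 when the export could not be located; the demo
       call below then simply shows the unmodified box. */
    HookFunction("user32.dll", "MessageBoxA", MyMessageBoxA, hook);
    MessageBoxA(0, "HEY", "", MB_OK);
}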
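/* Replacement for MessageBoxA installed by HookFunction.
 * Temporarily removes the hook so the real MessageBoxA can be reached,
 * prefixes the caller's text, forwards the call, then re-installs the hook.
 * Returns whatever MessageBoxA returned.
 *
 * Fixes relative to the posted version: the message buffer was a VLA of
 * strlen(lpText) bytes, which has no room for the prefix or the terminating
 * NUL (stack buffer overflow) and is not accepted by MSVC; lpText may
 * legitimately be NULL, which strlen() does not tolerate; and the MessageBox
 * macro resolves to MessageBoxW under UNICODE.
 *
 * NOTE(review): the unhook/call/rehook sequence is not thread-safe; a second
 * thread calling MessageBoxA during that window may execute partially
 * restored bytes. */
int MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    /* Reproduced exactly as posted; "nn" was most likely "\n\n" before the
       forum rendering stripped the backslashes. */
    static const char prefix[] = "HOOKED!!nn";
    const char *text = lpText ? lpText : "";
    size_t textLen = strlen(text);
    size_t total = (sizeof(prefix) - 1) + textLen + 1; /* prefix + text + NUL */
    char *msg = NULL;
    int x;

    UnHookFunction("user32.dll", "MessageBoxA", hook);

    /* Exact-size heap buffer instead of an undersized VLA. */
    msg = HeapAlloc(GetProcessHeap(), 0, total);
    if (msg) {
        memcpy(msg, prefix, sizeof(prefix) - 1);
        memcpy(msg + (sizeof(prefix) - 1), text, textLen);
        msg[total - 1] = '\0';
    }
    /* If allocation failed, fall back to the caller's original text. */
    x = MessageBoxA(hWnd, msg ? msg : lpText, lpCaption, uType);
    if (msg) {
        HeapFree(GetProcessHeap(), 0, msg);
    }

    HookFunction("user32.dll", "MessageBoxA", MyMessageBoxA, hook);
    return x;
}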
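/* Patch the first 6 bytes of lpModule!lpFuncName with "jmp rel32; ret" so that
 * every call to the export lands in lpFunction. The original 6 bytes are saved
 * into lpBackup (caller-provided, at least 6 bytes) for UnHookFunction.
 *
 * Returns the address of the patched export, or 0 if the module or export was
 * not found, or the original bytes could not be read or the patch written.
 * In the posted version none of those failures were checked, so a missing
 * export led to a read/write at address 0 and a garbage backup.
 *
 * Only meaningful for 32-bit x86: the displacement is a signed 32-bit offset
 * and addresses are truncated to DWORD. WriteProcessMemory is used rather than
 * a plain memcpy because the target lies in a read-only code page. */
DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup)
{
    BYTE jmp[6] = {
        0xe9,                   /* jmp rel32 */
        0x00, 0x00, 0x00, 0x00, /* displacement, filled in below */
        0xc3                    /* ret; never reached by fall-through, pads to the 6 saved bytes */
    };
    HANDLE hProc = GetCurrentProcess();
    HMODULE hMod;
    FARPROC pfn;
    DWORD dwAddr;
    DWORD dwCalc;
    SIZE_T done = 0;

    /* GetModuleHandleA explicitly: lpModule is an ANSI string, and the
       GetModuleHandle macro would pick the W variant in a UNICODE build. */
    hMod = GetModuleHandleA(lpModule);
    if (hMod == NULL) {
        return 0;
    }
    pfn = GetProcAddress(hMod, lpFuncName);
    if (pfn == NULL) {
        return 0;
    }
    dwAddr = (DWORD)(DWORD_PTR)pfn;

    /* Save the bytes we are about to overwrite; abort rather than later restoring garbage. */
    if (!ReadProcessMemory(hProc, (LPCVOID)(DWORD_PTR)dwAddr, lpBackup, sizeof jmp, &done)
        || done != sizeof jmp) {
        return 0;
    }

    /* rel32 is relative to the end of the 5-byte jmp: (to) - (from) - 5.
       Unsigned wraparound yields the two's-complement encoding for backward jumps. */
    dwCalc = (DWORD)(DWORD_PTR)lpFunction - dwAddr - 5;
    memcpy(&jmp[1], &dwCalc, sizeof dwCalc);

    if (!WriteProcessMemory(hProc, (LPVOID)(DWORD_PTR)dwAddr, jmp, sizeof jmp, &done)
        || done != sizeof jmp) {
        return 0;
    }
    /* Invalidate any stale prefetched instructions at the patched address. */
    FlushInstructionCache(hProc, (LPCVOID)(DWORD_PTR)dwAddr, sizeof jmp);
    return dwAddr;
}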
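/* Restore the 6 original bytes saved by HookFunction over lpModule!lpFuncName.
 * lpBackup must be the buffer HookFunction filled.
 *
 * Returns TRUE on success, FALSE if the module or export was not found or the
 * write failed. The posted version passed a possibly-NULL export address
 * straight to WriteProcessMemory; the lookup results are now checked first. */
BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup)
{
    const SIZE_T cbHook = 6; /* must match the number of bytes HookFunction saved */
    HANDLE hProc = GetCurrentProcess();
    HMODULE hMod;
    FARPROC pfn;
    SIZE_T done = 0;

    /* ANSI variant explicitly, matching the LPCSTR parameter in every build configuration. */
    hMod = GetModuleHandleA(lpModule);
    if (hMod == NULL) {
        return FALSE;
    }
    pfn = GetProcAddress(hMod, lpFuncName);
    if (pfn == NULL) {
        return FALSE;
    }
    if (!WriteProcessMemory(hProc, (LPVOID)pfn, lpBackup, cbHook, &done) || done != cbHook) {
        return FALSE;
    }
    /* Invalidate any stale prefetched instructions at the restored address. */
    FlushInstructionCache(hProc, (LPCVOID)pfn, cbHook);
    return TRUE;
}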
Author: ANUBIS
Thanks. I wonder why this example did not work for me; I got two errors:
lnk1120
lnk2019
and another one with strlen
even with changing the character set
under VS2010.
can you check it again?
Do you have a sample that works on a 64-bit platform?