flat assembler
Message board for the users of flat assembler.

Index > Windows > My Windows API hooking partially work

uu 16 Sep 2024, 06:34
I learned this from the offensive security (red team) tutorial website https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++ .

I have a problem. The MessageBoxA API gets redirected to "hooked" (the beginning of the 0x402000 code section), but after it is restored / unhooked, it cannot return to the main program. The 2nd message box (after unhooking) is not displayed.
EDIT: Maybe I am asking a stupid question. Anyway, my intention is to keep the code on this forum as a backup.

The beep sound and the modified message box content, however, proved that the API had initially been successfully hooked.

Please see the source code below:

Code:
format PE GUI at 0x400000
entry start

include 'win32a.inc'

section '.data' data readable writeable

_id             dd      ?
_message        db      "222",0
_caption        db      "111",0
_lib            db      "user32.dll",0
_proc           db      "MessageBoxA",0
_text           db      "Error",0
_addr           dd      ?
_bytes          rb      6
_patch          db      0x68    ;"push"
                dd      0x402000
                db      0xC3    ;"ret"

section '.code' code readable executable

.hooked:
        invoke  Beep, 750, 300
        invoke  WriteProcessMemory, [_id], [_addr], _bytes, 6, 0   ;restore original bytes
        invoke  MessageBox, HWND_DESKTOP, _lib, _proc, MB_OK, 0
        ret           ;how to return to main program?

start:
        invoke  LoadLibrary, _lib
        or      eax, eax
        jz      .error
        invoke  GetProcAddress, eax, _proc
        or      eax, eax
        jz      .error
        mov     [_addr], eax
        invoke  GetCurrentProcess
        mov     [_id], eax
        invoke  ReadProcessMemory, [_id], [_addr], _bytes, 6, 0
        or      eax, eax
        jz      .error
        invoke  WriteProcessMemory, [_id], [_addr], _patch, 6, 0  ;patch first 6 bytes
        or      eax, eax
        jz      .exit
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK, 0   ;after hooking
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK, 0   ;after unhooking (not shown)
        jmp     .exit
.error:
        invoke  MessageBox, HWND_DESKTOP, _text, _text, MB_OK, MB_ICONERROR
.exit:
        invoke  ExitProcess,0

section '.idata' import readable writable

 library kernel32, 'KERNEL32.DLL',\
         user32,'USER32.DLL'

 import kernel32,\
        WriteProcessMemory, 'WriteProcessMemory', \
        ExitProcess,'ExitProcess', \
        LoadLibrary, 'LoadLibraryA', \
        GetProcAddress, 'GetProcAddress', \
        GetCurrentProcess, 'GetCurrentProcess', \
        ReadProcessMemory, 'ReadProcessMemory', \
        Beep, 'Beep'


 import user32,\
        MessageBox, 'MessageBoxA'

And I don't know how to get the hooked message box's parameters. Do I use the stack pointer? There are 5 parameters, maybe esp+16, esp+12, esp+8...?

The hooked message box will not show any dialog box; instead it will just beep once. Then the code immediately unhooks by restoring the first 6 bytes of the MessageBoxA function code.

Attachments:
4.PNG - Before hooking (the original 6 bytes)
6.PNG - After hooking at MessageBoxA
2.PNG - GetProcAddress returns 0x76010b40


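A check a defender would run against the kind of 6-byte patch shown in the post above, added here as an example that is not the thread's code: it assumes 32-bit x86 addresses, that the caller has already obtained the function's live bytes, a pristine copy of them (e.g. from the DLL on disk) and the exporting module's address range by other means, and it uses constructed sample bytes (only the push target 0x402000 and the address 0x76010b40 come from the thread).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the thread's code: recognise the two usual x86-32 inline-hook
 * prologues, "push imm32 / ret" (68 xx xx xx xx C3, the thread's 6-byte patch) and
 * "jmp rel32" (E9 xx xx xx xx), and recover the address control is diverted to. */
enum hook_kind { HOOK_NONE = 0, HOOK_PUSH_RET = 1, HOOK_JMP_REL32 = 2 };
/* 'code' holds 'len' bytes living at 'func_addr'; on a hit *target gets the diversion address. */
static enum hook_kind classify_prologue(const uint8_t *code, size_t len,
                                        uint32_t func_addr, uint32_t *target)
{
    uint32_t imm;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        memcpy(&imm, code + 1, 4);      /* little-endian imm32 */
        *target = imm;
        return HOOK_PUSH_RET;
    }
    if (len >= 5 && code[0] == 0xE9) {
        memcpy(&imm, code + 1, 4);      /* rel32, counted from the next instruction; */
        *target = func_addr + 5 + imm;  /* unsigned wrap-around handles negative rel32 */
        return HOOK_JMP_REL32;
    }
    return HOOK_NONE;
}
/* Diverted-to address, or 0 when no hook prologue is present. */
static uint32_t hook_target(const uint8_t *code, size_t len, uint32_t func_addr)
{
    uint32_t t = 0;
    return classify_prologue(code, len, func_addr, &t) == HOOK_NONE ? 0 : t;
}

/* Flag a function whose live prologue differs from a pristine copy (e.g. read from
 * the DLL on disk) and whose diversion target lies outside the exporting module. */
static int is_inline_hooked(const uint8_t *live, const uint8_t *pristine, size_t len,
                            uint32_t func_addr, uint32_t mod_base, uint32_t mod_size)
{
    uint32_t t = memcmp(live, pristine, len) ? hook_target(live, len, func_addr) : 0;
    return t != 0 && (t < mod_base || t - mod_base >= mod_size);
}

int main(void)
{   /* Constructed sample: the thread's patch as if read at 0x76010b40 (the thread's
       GetProcAddress result); clean bytes and module bounds are made-up values. */
    const uint8_t patched[6] = {0x68, 0x00, 0x20, 0x40, 0x00, 0xC3};
    const uint8_t clean[6]   = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83};
    printf("hooked=%d target=0x%08x\n", is_inline_hooked(patched, clean, 6,
           0x76010b40u, 0x76000000u, 0x100000u), hook_target(patched, 6, 0x76010b40u));
    return 0;
}
```

A jmp that stays inside the module's own range (a hot-patch stub, for instance) is deliberately not flagged, so an out-of-module target, as with the push to 0x402000 here, is what distinguishes the hook.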
revolution 16 Sep 2024, 13:21
You can use the instructions directly. No need to manually encode them yourself.
Code:
_patch        push  0x402000 ; Also, you don't need a fixed value here. You can use a symbolic value like "push my_label"
              ret    
Post 16 Sep 2024, 13:21
View user's profile Send private message Visit poster's website Reply with quote
uu



Joined: 20 Jul 2024
Posts: 44
uu 17 Sep 2024, 05:51
revolution wrote:
You can use the instructions directly. No need to manually encode them yourself.
Code:
_patch        push  0x402000 ; Also, you don't need a fixed value here. You can use a symbolic value like "push my_label"
              ret    


Wow, this is the power of assembler... I didn't know that.
revolution 17 Sep 2024, 07:41
That is literally the whole purpose of the assembler: to convert human readable text into bytes.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.