flat assembler
Message board for the users of flat assembler.
Windows > My Windows API hooking partially works
uu 16 Sep 2024, 06:34
I learned from this offensive security (red team) tutorial website ( https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++ ).

I have a problem. The MessageBoxA API gets redirected to "hooked" (the beginning of the 0x402000 code section), but after it is restored / unhooked, it cannot return to the main program. The 2nd message box (after unhooking) is not displayed.

EDIT: Maybe I am asking a stupid question. Anyway, my intention is to keep the code on this forum as a backup. The beep sound and the modified message box content, however, proved that the API had initially been successfully hooked. Please see the source code below:

Code:

    format PE GUI at 0x400000
    entry start
    include 'win32a.inc'

    section '.data' data readable writeable

      _id      dd ?                  ; handle of the current process
      _message db "222",0
      _caption db "111",0
      _lib     db "user32.dll",0
      _proc    db "MessageBoxA",0
      _text    db "Error",0
      _addr    dd ?                  ; address of MessageBoxA
      _bytes   rb 6                  ; saved original first 6 bytes of MessageBoxA

      ; the 6-byte patch: 68 <addr> C3 = push hooked / ret,
      ; written as instructions so the assembler encodes them
      _patch:  push hooked
               ret

    section '.code' code readable executable

    ; MessageBoxA is redirected here, so the stack is exactly as on entry to
    ; MessageBoxA: [esp] = return address into the caller, [esp+4] = hWnd,
    ; [esp+8] = lpText, [esp+12] = lpCaption, [esp+16] = uType
    hooked:
            invoke  Beep, 750, 300
            invoke  WriteProcessMemory, [_id], [_addr], _bytes, 6, 0    ; restore original bytes (unhook)
            invoke  MessageBox, HWND_DESKTOP, _lib, _proc, MB_OK        ; MessageBoxA takes 4 arguments
            ret     16               ; stdcall: pop the 4 dword arguments of the hooked call, then return to the caller

    start:
            invoke  LoadLibrary, _lib
            or      eax, eax
            jz      .error
            invoke  GetProcAddress, eax, _proc
            or      eax, eax
            jz      .error
            mov     [_addr], eax
            invoke  GetCurrentProcess
            mov     [_id], eax
            invoke  ReadProcessMemory, [_id], [_addr], _bytes, 6, 0      ; save the original first 6 bytes
            or      eax, eax
            jz      .error
            invoke  WriteProcessMemory, [_id], [_addr], _patch, 6, 0     ; patch first 6 bytes
            or      eax, eax
            jz      .exit
            invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK  ; after hooking: lands in 'hooked'
            invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK  ; after unhooking: normal dialog
            jmp     .exit
      .error:
            invoke  MessageBox, HWND_DESKTOP, _text, _text, MB_OK or MB_ICONERROR
      .exit:
            invoke  ExitProcess, 0

    section '.idata' import readable writable

      library kernel32, 'KERNEL32.DLL',\
              user32, 'USER32.DLL'

      import kernel32,\
             WriteProcessMemory, 'WriteProcessMemory',\
             ExitProcess, 'ExitProcess',\
             LoadLibrary, 'LoadLibraryA',\
             GetProcAddress, 'GetProcAddress',\
             GetCurrentProcess, 'GetCurrentProcess',\
             ReadProcessMemory, 'ReadProcessMemory',\
             Beep, 'Beep'

      import user32,\
             MessageBox, 'MessageBoxA'

And I don't know how to get the hooked message box's parameters. Do I use the stack pointer? There are 5 parameters, maybe esp+16, esp+12, esp+8...? The hooked message box will not show any dialog box; instead it will just beep once. Then the code immediately unhooks by restoring the first 6 bytes of the MessageBoxA function code.
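The defender's counterpart to the 6-byte patch in the post, as an added example that is not code from the thread or the linked tutorial: a Python routine that inspects the first bytes of an exported function and recognises the push imm32 / ret trampoline the post writes, plus the jmp rel32 and mov eax / jmp eax forms, and that also diffs the live prologue against the on-disk copy so unknown patches are still caught. The MessageBoxA address, the user32 module range and all prologue bytes are constructed for the demonstration; a real checker would read them from the process and from the module file.

```python
"""Inline-hook detection for a Win32 export (added example, constructed data)."""
import struct

# Assumed addresses (constructed): where MessageBoxA lives and the range of user32.dll.
MESSAGEBOXA_ADDR = 0x75A1F000
USER32_RANGE = (0x75A00000, 0x00100000)          # (base, size)

# Constructed sample prologues, 6 bytes each, the size the post's patch overwrites:
PATCHED_PUSH_RET = bytes([0x68, 0x00, 0x20, 0x40, 0x00, 0xC3])   # push 0x402000 / ret (the post's patch)
PATCHED_JMP = bytes([0xE9]) + struct.pack("<i", 0x402000 - (MESSAGEBOXA_ADDR + 5)) + b"\x90"  # jmp rel32 to 0x402000
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83])     # mov edi,edi / push ebp / mov ebp,esp / ...
ON_DISK_PROLOGUE = CLEAN_PROLOGUE                                 # what the module's file image holds


def classify_prologue(func_addr, code):
    """Recognise common inline-hook trampolines at the start of a function.

    Returns (kind, target) or (None, None). func_addr is needed because a
    jmp rel32 is relative to the end of its own 5-byte encoding.
    """
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push imm32 / ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":
        return "mov eax, imm32 / jmp eax", struct.unpack_from("<I", code, 1)[0]
    return None, None


def differing_offsets(in_memory, on_disk):
    """Offsets where the live prologue differs from the file image; this catches
    patches the pattern matcher above does not know about."""
    return [i for i, (a, b) in enumerate(zip(in_memory, on_disk)) if a != b]


def audit_export(name, func_addr, code, on_disk, module_range):
    """Combine both checks into one report for an exported function."""
    kind, target = classify_prologue(func_addr, code)
    base, size = module_range
    report = {
        "name": name,
        "kind": kind,
        "target": target,
        "modified_offsets": differing_offsets(code, on_disk),
        # Control transfer out of the exporting module is the strongest signal;
        # some legitimate hot-patches stay inside it.
        "target_outside_module": target is not None and not (base <= target < base + size),
    }
    report["hooked"] = bool(report["modified_offsets"]) or kind is not None
    return report


if __name__ == "__main__":
    for label, code in (("patched push/ret", PATCHED_PUSH_RET),
                        ("patched jmp", PATCHED_JMP),
                        ("clean", CLEAN_PROLOGUE)):
        r = audit_export("MessageBoxA", MESSAGEBOXA_ADDR, code, ON_DISK_PROLOGUE, USER32_RANGE)
        tgt = f"{r['target']:#x}" if r["target"] is not None else "-"
        print(f"{label:18} hooked={r['hooked']} kind={r['kind']} target={tgt} "
              f"outside_module={r['target_outside_module']}")
```

The byte-diff check is the one that generalises: a trampoline written with a different instruction sequence still changes the first bytes of the function, so comparing against the file image (after applying relocations) flags it even when no pattern matches. The pattern matcher adds the target address, which tells an analyst where the redirected call actually lands.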
uu 17 Sep 2024, 05:51
revolution wrote:
> You can use the instructions directly. No need to manually encode them yourself.

Wow, this is the power of assembler... I didn't know that.
revolution 17 Sep 2024, 07:41
That is literally the whole purpose of the assembler: to convert human-readable text into bytes.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.