flat assembler
Message board for the users of flat assembler.
Windows > Interesting Time Problem
LocoDelAssembly 18 Jun 2009, 19:46
r22, if you already managed to get the DLL to work in the foreign process then I suggest you NOT try to look up GetSystemTime/whatever; just import it and let Windows fill the import table with the precious address for you.
asmcoder 18 Jun 2009, 19:55
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
r22 18 Jun 2009, 20:46
@*
Another interesting note: according to the SDK documentation on CreateRemoteThread I shouldn't be able to create a remote thread in a process from another session/user (which the aspnet_wp and w3wp exe's are, because they run under another account), but yet I'm able to. Possibly because I'm creating the thread at the address of LoadLibraryA.

@asmcoder I'd have to do more research and actually decompile the EXE before I could try your suggestion (I didn't really want to go through the trouble of all of that), but it might be necessary.

@LocoDel
LocoDelAssembly wrote: r22, if you already managed to get the DLL work into the foreign process then I suggest you NOT try to lookup GetSystemTime/whatever, just import it and let Windows fill the import table with the precious address for you.

So something like...
Code:
    mov ebx,[GetSystemTime]
    invoke VirtualProtect ??             ;;; add write access
    mov byte[ebx],JUMP_OPCODE
    mov dword[ebx+1],Patched_GetSystemTime
Borsuc 18 Jun 2009, 20:46
asmcoder wrote: first of all you CANT hook anything on windows.
_________________
Previously known as The_Grey_Beast
asmcoder 18 Jun 2009, 21:06
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
Borsuc 18 Jun 2009, 21:38
asmcoder wrote: no u cant! (ok maybe, i will look into debug apis).

I gave you an example program, search for it. Or search for the "madhook" dll library (I think JauntePE is based on it). If you're saying it does something other than hooking Windows APIs for a specific application, then tell me how it manages to hook the registry APIs and some special filesystem APIs (like the "Special Folders", you know, Application Data, My Documents, crap like that). Don't tell me "no u cant" because I use it every day. Or at least tell me why what it does isn't 'hooking' by your definitions?
_________________
Previously known as The_Grey_Beast
LocoDelAssembly 18 Jun 2009, 21:44
Quote:
Code:
    proc hook_GetSystemTime uses ebx
      local oldProtect: DWORD

      virtual
        jmp $-5
        load .jmp_op word from $$
      end virtual

      mov ebx, [GetSystemTime]
      cmp word [ebx], $FF8B            ; "mov edi, edi" but not encoded as FASM do
      jne .unhookable                  ; (Trivially)

      invoke VirtualProtect, addr ebx-5, 7, PAGE_EXECUTE_READWRITE, addr oldProtect
      test eax, eax
      jz .protFail

      mov byte [ebx-5], $E9            ; jmp rel32 in the 5 padding bytes before the entry
      mov eax, hook
      sub eax, ebx                     ; rel32 is measured from the end of the jmp, i.e. from ebx
      mov [ebx-4], eax
      mov word [ebx], .jmp_op          ; replace "mov edi, edi" with "jmp $-5"

      invoke VirtualProtect, addr ebx-5, 7, [oldProtect], addr oldProtect
      mov eax, TRUE                    ; In case VirtualProtect failed
    .return:
      ret

    .unhookable:
    .protFail:
      mov eax, FALSE
      jmp .return
    endp
asmcoder 18 Jun 2009, 22:45
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
arigity 18 Jun 2009, 22:47
http://flatassembler.net/examples/detour_example.zip fasm windows hooking example....
Also, there's an API for it (SetWindowsHook).
r22 18 Jun 2009, 23:04
The exciting conclusion tomorrow (time pending), when I give it a test:
- I'll patch GetSystemTime and GetLocalTime
- Have them return some hard-coded time (if all goes well I'll have the dll read the time I'd like from a file that can be edited easily)
- Make an asp.net page that just displays DateTime.Now.ToString()
- See if the hack overrides it or not.
Should be fun.
LocoDelAssembly 18 Jun 2009, 23:24
r22, I've just coded a C# program and debugged under OllyDbg. I've set breakpoints on the APIs you mention but nothing happened. The one that was caught by a breakpoint was GetSystemTimeAsFileTime.
The code:
Code:
    using System;

    namespace TestsPad
    {
        class Program
        {
            static void Main(string[] args)
            {
                for (; ; )
                {
                    Console.WriteLine(DateTime.Now.ToString());
                    System.Threading.Thread.Sleep(1000);
                }
            }
        }
    }

OllyDbg was interrupting the execution of the program above every second after the breakpoint was set.
r22 19 Jun 2009, 14:44
It works! (using GetSystemTimeAsFileTime).
I've done it locally using the aspnet_wp exe; once I get it to a more generic/customizable implementation I'll test on a server which uses w3wp.exe instead. For completeness here's the updated DLL code.
Code:
    format PE GUI 4.0 DLL
    entry DLLMain

    include 'win32ax.inc'

    section '.text' code readable executable

    DLLMain:
            push    ebp
            mov     ebp,esp
            push    ebx esi edi
            mov     eax,[ebp+12]                 ;;; reason
            cmp     eax,DLL_PROCESS_DETACH
            je      .detach
            cmp     eax,DLL_PROCESS_ATTACH
            je      .attach
      .finish:
            invoke  CreateFile,<'c:/usertest/return.txt',0>,GENERIC_READ + GENERIC_WRITE,FILE_SHARE_READ,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
            invoke  CloseHandle,eax
            mov     eax,TRUE
            pop     edi esi ebx
            mov     esp,ebp
            pop     ebp
            ret     12
      .detach:
            invoke  CreateFile,<'c:/usertest/detached.txt',0>,GENERIC_READ + GENERIC_WRITE,FILE_SHARE_READ,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
            invoke  CloseHandle,eax
            jmp     .finish

      ;;; ATTACH HOOK
      .jmp_op:
            jmp     $-5                          ; the 2-byte "jmp $-5" that replaces "mov edi,edi"
      .attach:
            mov     ebx,[GetSystemTimeAsFileTime]
            lea     esi,[ebx-5]
            cmp     word [ebx], $FF8B            ; "mov edi, edi" but not encoded as FASM do
            jne     .fail                        ; (Trivially)
            invoke  VirtualProtect,esi,7,PAGE_EXECUTE_READWRITE,oldProtect
            test    eax, eax
            jz      .fail
            mov     byte [ebx-5], $E9
            mov     eax,GetSystemTimeAsFileTime_patch
            sub     eax, ebx
            mov     [ebx-4], eax
            mov     di,word[.jmp_op]
            mov     word [ebx],di
            invoke  VirtualProtect,esi,7,[oldProtect],oldProtect
            test    eax, eax
            jz      .fail
            jmp     .finish
      .fail:
            invoke  CreateFile,<'c:/usertest/fail.txt',0>,GENERIC_READ + GENERIC_WRITE,FILE_SHARE_READ,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
            invoke  CloseHandle,eax
            jmp     .finish

    GetSystemTimeAsFileTime_patch:
            mov     eax,[esp+4]                  ; LPFILETIME argument
            mov     dword[eax],555555
            mov     dword[eax+4],555555
            ret     4

    Complete:
            ret     4

    section '.data' data readable writeable
      oldProtect dd 0

    section '.idata' import data readable writeable
      library kernel32,'KERNEL32.DLL',\
              user32,'USER32.DLL',\
              gdi32,'GDI32.DLL',\
              advapi32,'ADVAPI32.DLL'
      include 'API/kernel32.inc'
      include 'API/user32.inc'
      include 'API/gdi32.inc'
      include 'API/advapi32.inc'

    section '.edata' export data readable
      export 'HOOK.DLL',\
             Complete,'Complete'

    section '.reloc' fixups data discardable

For those curious, the time displayed with the above is 7/24/1608 12:17:35 PM.

I appreciate all the help, especially LocoDel actually researching the correct API for me (I was just guessing). This should make testing and QA much more efficient. This would be a good addition for the examples section...
LocoDelAssembly 19 Jun 2009, 15:19
Just some minor "corrections":
* "jne .fail ; (Trivially)" should be changed to "jne .fail" (the comment made sense with the .unhookable label but now it doesn't).
* Why haven't you used the virtual block this time? It makes both the source and the executable smaller.

asmcoder, I believe you think this way of hooking can't work at times due to multi-tasking? Could you comment on the particular scenario in which it will fail? (Besides that only one hook over the same API will be available rather than a chain of several hooks, but without crashing the app at any moment.)
asmcoder 19 Jun 2009, 16:03
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
LocoDelAssembly 19 Jun 2009, 16:40
Quote:
Remember that the injected DLL also imports the DLL that contains the function you want to hook, so the target app would have to call FreeLibrary more times than it is supposed to in order to unload it (and does Windows really allow unloading a DLL even though it is imported by some DLL rather than just loaded via LoadLibrary?). I don't get the next-hook part: if N injectors compete for the hook, only one will succeed. The rest will not crash but will never get their hook executed. Some of them will even detect their failure earlier (because they couldn't find "mov edi, edi").
Quote:
In your explanation you are assuming that the jmp will overwrite "mov ebp, esp", etc. This is not how the hooking works. There is a jump inserted five bytes BEFORE the entry point of the function, and after that modification has been done the next thing is to replace "mov edi, edi" by the jmp instruction ("jmp $-5"), which has exactly the same size as "mov edi, edi" (2 bytes, i.e. a word).
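A defender-side check for the layout described in the post above (an added example, not code from the thread): given the bytes around a function entry it distinguishes an intact hot-patchable prologue from one rewritten into the E9 rel32 / "jmp $-5" pair and recovers where the jump goes. Function names and the byte arrays are constructed for illustration; apply_hotpatch only stages the rewrite inside that buffer so the detector has something to find, it never touches a live process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical helper (not from the thread). Intact hot-patchable entry: 5 padding
 * bytes (NOP 90 / INT3 CC) then "mov edi,edi" (8B FF = the word $FF8B the DLL tests).
 * Hooked entry: E9 rel32 at entry-5 plus EB F9 ("jmp $-5") at entry. */
enum patch_state { PROLOGUE_INTACT, PROLOGUE_HOOKED, PROLOGUE_UNKNOWN };
/* entry = the function's first byte; the 5 bytes before it must be readable.
 * On a hooked function *hook_target receives the jmp destination. */
static enum patch_state classify_prologue(const uint8_t *entry, uintptr_t *hook_target)
{
    const uint8_t *pad = entry - 5;
    int pad_ok = 1;
    for (int i = 0; i < 5; i++)
        if (pad[i] != 0x90 && pad[i] != 0xCC)
            pad_ok = 0;
    if (pad_ok && entry[0] == 0x8B && entry[1] == 0xFF)
        return PROLOGUE_INTACT;
    if (pad[0] == 0xE9 && entry[0] == 0xEB && entry[1] == 0xF9) {
        int32_t rel;
        memcpy(&rel, pad + 1, 4);
        /* rel32 counts from the end of the 5-byte jmp, i.e. from entry itself,
         * which is why the DLL computes "hook - ebx" */
        if (hook_target)
            *hook_target = (uintptr_t)entry + (intptr_t)rel;
        return PROLOGUE_HOOKED;
    }
    return PROLOGUE_UNKNOWN;
}
/* Stages the thread's rewrite in a caller-supplied buffer only (no live memory
 * is touched) so the detector above has realistic input to recognise. */
static void apply_hotpatch(uint8_t *entry, uintptr_t hook)
{
    int32_t rel = (int32_t)((intptr_t)hook - (intptr_t)(uintptr_t)entry);
    entry[-5] = 0xE9;
    memcpy(entry - 4, &rel, 4);
    entry[0] = 0xEB;  /* jmp $-5 */
    entry[1] = 0xF9;
}

int main(void)
{   /* constructed image: 5 NOPs, mov edi,edi, then "push ebp; mov ebp,esp" */
    uint8_t img[16] = { 0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF, 0x55,0x8B,0xEC };
    uintptr_t target = 0;
    printf("intact=%d\n", classify_prologue(img + 5, &target) == PROLOGUE_INTACT);
    apply_hotpatch(img + 5, (uintptr_t)(img + 12));
    printf("hooked=%d target_off=%u\n", classify_prologue(img + 5, &target) == PROLOGUE_HOOKED,
           (unsigned)(target - (uintptr_t)img));
    return 0;
}
```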
asmcoder 19 Jun 2009, 19:12
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
asmcoder 19 Jun 2009, 19:16
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
arigity 19 Jun 2009, 19:49
asmcoder wrote: i checked kernel32 and i must admit my mistake, there ARE 5 nops and alignment if necessary. however the smp issue still exists: 1 core won't finish mov edi,edi and another one start and end writing jmp there. and what about multiple hooks? 1 will overwrite another.

The whole point of the mov edi, edi and the 5 nops at the start is so that the function can be hooked for hot-patching; it should be present in most standard Windows DLLs. You can do multiple hooks if your hook function ends up jumping back to the original code, so long as you end up correctly executing the modified instructions before doing so. I don't think it's very likely your hooking procedure will overwrite the instructions at the exact same time another processor is trying to execute them.
asmcoder 19 Jun 2009, 20:06
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.