flat assembler
Message board for the users of flat assembler.

Index > Windows > from C to FASM (API Hook Function)

Author
Thread Post new topic Reply to topic
Nameless



Joined: 30 Apr 2010
Posts: 95
Nameless
im still too new to do this, but i thought i might get some help understanding how it all works.
its the worest port u will ever see lol
here it is
Code:
format PE GUI 4.0

include 'c:\fasm\include\win32ax.inc'

.data
 testvar db "test starin", 0
 oldMessageBox  dd 0
 calc           dd 0
 addrs          dd 0
 tjmp           db 233, 0, 0 , 0, 0, 195


.code

proc HookGeneralFunction, Dll, FuncName, Function, backup

        invoke  GetModuleHandle, [Dll]
        invoke  GetProcAddress, eax, addr FuncName
       ; BYTE tjmp[6] = { 0xe9,                   //jmp
        ;        0x00, 0x00, 0x00, 0x00,         //address
         ;       0xc3 };                         //retn

        invoke  GetCurrentProcess
        invoke  ReadProcessMemory, eax, addr addrs, [backup], 6, 0


        mov     [calc], 0
        mov     eax, [Function]
        mov     [calc], eax
        mov     eax, [addrs]
        sub     [calc], eax
        sub     [calc], 5         ; //((to)-(from)-5)

      ;  memcpy(&jmp[1], &calc, 4); //build the jmp
        invoke  GetCurrentProcess
        invoke  WriteProcessMemory, eax, addr addrs, tjmp, 6, 0

        mov eax, addrs
endp

proc newMessageBox, hWnd, lpText, lpCaption, uType


endp


start:

  stdcall       HookGeneralFunction, "user32.dll", "MessageBoxA", newMessageBox,oldMessageBox
.end start    



and the C code
Code:
//this will hook a process and all of it`s modules (loaded DLLs)
//by writting to kernel`s area
DWORD HookGeneralFunction(const char *Dll, const char *FuncName, void *Function, unsigned char *backup)
{
 DWORD addr = (DWORD)GetProcAddress(GetModuleHandle(Dll), FuncName);
 BYTE jmp[6] = { 0xe9,                      //jmp
               0x00, 0x00, 0x00, 0x00,         //address
           0xc3 };                                            //retn

  ReadProcessMemory(GetCurrentProcess(), (void*)addr, backup, 6, 0);
    DWORD calc = ((DWORD)Function - addr - 5); //((to)-(from)-5)
      memcpy(&jmp[1], &calc, 4); //build the jmp
  WriteProcessMemory(GetCurrentProcess(), (void*)addr, jmp, 6, 0);

        return addr;
}    


i hope someone have the time to help
Post 02 Sep 2010, 17:39
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
Nameless,

You must first verify that there is nop×5; mov edi, edi trampoline placeholder at the addresses that you're trying to overwrite.

Second, stdcall calling conventions specify that callee is responsible for clearing stack from its arguments (thus simple ret overwriting function entry point can disturb caller's stack).

Third, how do you expect to get control? ret can't automagically transfer it to the address you've specified as a target for direct near jump. Something more creative should be used (like jmp short $-5).

Read on detours, it's all about this.
Post 02 Sep 2010, 18:29
View user's profile Send private message Reply with quote
Nameless



Joined: 30 Apr 2010
Posts: 95
Nameless
looks like im way over my head :S

i dont really understand most of what u said, cause im not that good with asm words yet

can u fix it for me so i can see what ur talking about?
sorry im just still new to all this stuff
Post 02 Sep 2010, 20:01
View user's profile Send private message Reply with quote
coconut



Joined: 02 Apr 2004
Posts: 326
Location: usa
coconut
there is also a sample detours project by RedGhost on the FASM examples page: http://flatassembler.net/examples.php

third one down from the top
Post 02 Sep 2010, 20:39
View user's profile Send private message Reply with quote
Nameless



Joined: 30 Apr 2010
Posts: 95
Nameless
well im gonna read much more then get back to this example
its a long way to go Smile

offtopic: can anyone here tell me how long they been doing asm? just asking Very Happy
Post 02 Sep 2010, 22:44
View user's profile Send private message Reply with quote
semiono



Joined: 31 Aug 2007
Posts: 176
Location: section '.code' executable
semiono
http://www.codeproject.com/KB/system/change_drive_sn.aspx
I've stuppid look to this program and not see how this app get access to volume?!
Where is api like open disk write disk etc. Very Happy ? Only MsgBox and printf Rolling Eyes

// write boot sector
if (!disk.WriteSector(0, Sector))
How to apps has known it?

(MSVC++ horrible language)
Post 16 Sep 2010, 23:02
View user's profile Send private message ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.