flat assembler
Message board for the users of flat assembler.

Index > Windows > WH_KEYBOARD_LL doesnt work

Author
Thread Post new topic Reply to topic
zxcv
Guest




zxcv 15 Dec 2007, 00:26
im writing a hook program, and WH_KEYBOARD work as it should.
Why WH_KEYBOARD_LL doesnt work? I have no idea. After loading this lib, windows works slower.
Code:
Format PE CONSOLE 4.0 DLL
entry main
include 'C:\FASM\INCLUDE\WIN32A.INC'
section '.code' code readable writeable executable
hookproc:
push 0
push 0
push 0
push 0
call [mb]
ret
main:
pop ebx
pop edx
pop eax
cmp eax, 1
jne return
push 0
push edx
push hookproc
push WH_KEYBOARD_LL
call [hook]
push eax
push f
call [printf]
return:
push ebx
ret
f db '%i',13,10,0
section '.import' import readable
library msvcrt, 'msvcrt.dll', u32, 'user32.dll'
import msvcrt, printf, 'printf'
import u32, mb, 'MessageBoxA', hook, 'SetWindowsHookExA'
section '.reloc' data fixups readable discardable    

and i use loadlibrary to load it.
Post 15 Dec 2007, 00:26
Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 15 Dec 2007, 00:39
I have seen you did this several times so I must warn you: procs/funcs that adhere to stdcall, fastcall, pascal, and cdecl mandates that only EAX, ECX and EDX registers can be modified, others must be preserved at return (with the exception of ESP that depending of the convention it must be adjusted to release the stack space occupied by the parameters).

Also, better install the hook outside main, perhaps DLL_PROCESS_ATTACH occurs every time the DLL is attached to a new program so you would install many times the same hook. You also forgot to pass the call to the next hook with CallNextHook (or function with similar name).

PS: And yes, the dll entry point is stdcall so you are doing wrong at destroying EBX.
Post 15 Dec 2007, 00:39
View user's profile Send private message Reply with quote
zxcv
Guest




zxcv 15 Dec 2007, 00:55
okay...
so i can use only eax, ecx, edx.

how about 'normal' programs?

I read many times namual about hooks and CallNextHook, but i cant understand why i must pass it, and when/how.

Quote:
perhaps DLL_PROCESS_ATTACH occurs every time the DLL is attached to a new program so you would install many times the same hook.

This library will be loaded only once, im sure about it.
Post 15 Dec 2007, 00:55
Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 15 Dec 2007, 02:00
Quote:
This library will be loaded only once, im sure about it.


But are you sure that Windows doesn't send a DLL_PROCESS_ATTACH on processes created AFTER hook installation? Remember that conceptually LoadLibrary("your_library") is called on every process on your system when the hook is installed globally (i.e. no thread id is specified to SetWindowsHookEx).

About registers you can use ALL of them, but before returning you must restore their original values of the ones that are not volatile (EBX, ESI, EDI, EBP, ESP). I'm unsure about FPU/MMX registers and SSE registers on 32-bit land, perhaps you are allowed to destroy some of them too (but probably not all).

About CallNextHook, you can call it before or after your processing, you must check the documentation for the keyboard hook scenario. The variable where you hold the hook id (returned in EAX register by SetWindowsHookEx) must reside inside the DLL to make it available on all the hooked processes.
Post 15 Dec 2007, 02:00
View user's profile Send private message Reply with quote
coconut



Joined: 02 Apr 2004
Posts: 326
Location: US
coconut 15 Dec 2007, 03:16
Post 15 Dec 2007, 03:16
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20339
Location: In your JS exploiting you and your system
revolution 15 Dec 2007, 04:00
LocoDelAssembly wrote:
About registers you can use ALL of them, but before returning you must restore their original values of the ones that are not volatile (EBX, ESI, EDI, EBP, ESP)
Also the DF flag must be restored and must be cleared before calling a system function.
LocoDelAssembly wrote:
I'm unsure about FPU/MMX registers and SSE registers on 32-bit land, perhaps you are allowed to destroy some of them too
In 32bit Windows no system calls officially preserve the FPU or SSE registers. All are considered as "no need to restore previous contents". But for one's own internal code use it can be desirable to make one's own FPU call standard and set the top half to "must be preserved" and the lower half to "can be clobbered".

Anyone care to comment on 64bit Windows ... LINUX ... other OS call standards ... C .. PASCAL ... VB ... other language call standards ...
Post 15 Dec 2007, 04:00
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 15 Dec 2007, 04:23
Remember to change "return" to "ret" and remove "enter" since in the current win32 headers are not required anymore and will fail to compile.

coconut, I saw that you marked shareable not only the section where you store the global variables but also other ones. Do you know what happens if by some reason the DLL can't be loaded at the same base address on all processes? AFAIK the DLL could not be loaded to the process at the very same moment it is created and before any other modules are loaded, so it would be possible that when Windows will load the DLL will need to relocate again. So, how this situation is solved? Windows takes the shareable attribute as a hint and discards it when is no longer possible to sustain or what?
Post 15 Dec 2007, 04:23
View user's profile Send private message Reply with quote
zxcv
Guest




zxcv 15 Dec 2007, 04:27


thanks, it helped a lot.
But its hard to understand this high-level code :/
Post 15 Dec 2007, 04:27
Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.