flat assembler
Message board for the users of flat assembler.

Index > Windows > API hooking example question.

Author
Thread Post new topic Reply to topic
Pinecone_



Joined: 28 Apr 2008
Posts: 180
Pinecone_
I've been trying to hook the MessageBoxA API so that i can stop a program I'm using from calling it. Reason being that it calls it like every 2 seconds and it gets very annoying!

I've hooked things before via IAT, but this program gets the API address from GetProcAddress, in several locations in the file. I realise i could use IAT hooking on GetProcAddress, however I'm trying this method purely so i know i can do it should the need arise at another time. So I'm thinking maybe hook the GetProcAddress API, and returning the address to my function instead when MessageBoxA is requested. I have my DLL loaded in the process, so i can do whatever needs done within the programs addressing space.

Anyway, to the point: i was looking at the detours example on from the FASM examples page, I understand almost everything, and how it works, but the following code i could understand how exactly it worked:
Code:
    ; get page base
    mov   ebp, esi
    and   ebp, $FFFFF000    
That's taken from line 185 of the detours example. How does this get the base address of the page? that's my only problem, i don't know how to get the base address to use with the VirtualAllocEx function. Other than that, i think im all set. Thanks for any help Smile

Note: I'm not sure if this is the right place to post this, as it may not be related to windows programming (I'm not 100% sure! lol), could someone please move it if another section would be more appropriate? Thank you!



Edit: To save opening a new topic for what I'm sure is something logical: I was looking at Vid's libc in ASM example and was wondering what the point of making wrapper things for the API functions, just jumping to their address like follows:
Code:
; wrappers for imported functions from libc
printf: jmp    [imp_printf]
puts:  jmp    [imp_puts]
scanf: jmp    [imp_scanf]
exit: jmp    [imp_exit]    
I've seen a few programs do it, however this is the first time I've seen it in source code. What is the reason behind doing this kind of thing instead of just calling the functions from those memory locations directly? AKA: Call [imp_printf] instead of Call printf. I've noticed that OLLY even notices that the calls to that kind of function thing are just jumps to API calls, so im thinking it may be a fairly common thing to do, I just cant seem to think of any logical reason on my own Wink

Edit #2: Read post #3! thanks to TheLord, i realised i went completly stupid with my idea of hooking GetProcAddress when all that was needed was a hook on MessageBoxA!


Last edited by Pinecone_ on 19 May 2008, 14:14; edited 1 time in total
Post 19 May 2008, 12:32
View user's profile Send private message Reply with quote
TheLord



Joined: 24 Oct 2006
Posts: 42
TheLord
It does not answer to the image base address stuff, but :

If you just have to hook MessageBoxA in a specific process, why dont you rewrite the first bytes ? seeing the function, it start with 5 bytes prologues :

7E4507AA > 8BFF MOV EDI,EDI ; ntdll.7C910208
7E4507AC 55 PUSH EBP
7E4507AD 8BEC MOV EBP,ESP


you could replace them by a relative jmp which would be 5 bytes too (counting the dest addr).

You can save the old_bytes and "call" them within your hook function if you need to truely call the messagebox ?

imo it's simpler than hooking via the IAT (in your case)
Post 19 May 2008, 13:52
View user's profile Send private message Reply with quote
Pinecone_



Joined: 28 Apr 2008
Posts: 180
Pinecone_
of coarse lol i clearly was not thinking strait when i said hook GetProcAddress to return a different value. However my problem is still the same.

Where the MessageBoxA API resides in memory that does not allow write access, so i must use VirtualProtect to give me write access so i can apply the patch (jmp to my code).

The problem is that VirtualProtect requires the base address of the memory page, i dont know how to find this base address without hard-coding it which is always a bad idea Razz

btw: Hooking via IAT i thought was the most simple form possible: change a pointer in the process' memory to point to your function instead of the API function - which is not possible in this case as the GetProcAddress is used in several locations to get the address of MessageBoxA API, i just thought WAY too much into it before and came up with my stupid idea of hooking GetProcAddress when that is unnecessary Embarassed

Edit: I've just found a function called VirtualQuery. from reading the msdn description (http://msdn.microsoft.com/en-us/library/aa366902.aspx), i think this returns the value i need in a structure, i'll post back with test results another time, for now im tired and going to sleep Smile
Post 19 May 2008, 14:01
View user's profile Send private message Reply with quote
TheLord



Joined: 24 Oct 2006
Posts: 42
TheLord
I think you can get the process base address by using VirtualQueryEx() within MEMORY_BASIC_INFORMATION structure

EDIT : too late :p
Post 19 May 2008, 14:39
View user's profile Send private message Reply with quote
Pinecone_



Joined: 28 Apr 2008
Posts: 180
Pinecone_
i couldnt sleep Razz

I found that VirtualQuery was returning 0 and my structure was not being filled.
Passing a kernel-mode pointer to this function can result in no information being returned, due to security issues. In this case, the return value is zero.
... So MessageBoxA is a kernel-mode pointer? sounds wrong to me (although i dont really know a great deal on this topic)... Anyone have any ideas?
Post 19 May 2008, 14:57
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
revolution
You have the answer to getting the base address in your first post
Code:
and   reg, $FFFFF000    
it zeros out the lower 12 bits to give the 4k page base address.
Post 19 May 2008, 15:06
View user's profile Send private message Visit poster's website Reply with quote
Pinecone_



Joined: 28 Apr 2008
Posts: 180
Pinecone_
I can't believe it's that simple Smile Thats what i didn't quite understand, thanks for explaining it

Edit: Yay it works Smile thanks for your help TheLord and Revolution!
Post 19 May 2008, 20:55
View user's profile Send private message Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox
5 bytes jump?
what if you alloc memory out of range of signed int? you cant address all 32 bits, just 31, its 2147483648b (2 gigabytes.) If VirtualAllocEx returns adres 2Gb+ program will crash.

You can use 2 optionS:

7 bytes:
mov edx,addr
jmp edx


or 6 bytes:
push addr
ret

i prefer hooking at the end of function, usually its retn XX nop nop nop nop nop.
Post 19 May 2008, 23:05
View user's profile Send private message Reply with quote
Pinecone_



Joined: 28 Apr 2008
Posts: 180
Pinecone_
im not using virtualAllocEx to put my code into the process, im using a dll injected into it, regular dll's should not be loaded in addresses over what can be referenced by an signed integer, those spaces are reserved for OS dll's aren't they?
Post 20 May 2008, 00:25
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
asmrox wrote:
5 bytes jump?
what if you alloc memory out of range of signed int? you cant address all 32 bits, just 31, its 2147483648b (2 gigabytes.) If VirtualAllocEx returns adres 2Gb+ program will crash.


Actually it shouldn't be possible for a user-mode executable to allocate 2GB+ memory address space but even if it could there is no problem at all, remember that arithmetic is modular here.
Post 20 May 2008, 01:36
View user's profile Send private message Reply with quote
Pinecone_



Joined: 28 Apr 2008
Posts: 180
Pinecone_
what do you mean "that arithmetic is modular here"?
Post 20 May 2008, 13:41
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
http://en.wikipedia.org/wiki/Modular_arithmetic

So, provided that the page that holds the jump is writable the following code should work
Code:
; EAX = VirtualAlloc* result
lea eax, [eax-jmp_to_patch-5]
mov [jmp_to_patch+1], eax
.
.
.
jmp_to_patch:
  jmp $DEADBEEF    
Post 22 May 2008, 01:33
View user's profile Send private message Reply with quote
rugxulo



Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
rugxulo
Pinecone_ wrote:

thanks to TheLord


Laughing Laughing
Post 24 May 2008, 21:14
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.