I've been trying to hook the MessageBoxA API so that i can stop a program I'm using from calling it. Reason being that it calls it like every 2 seconds and it gets very annoying!

I've hooked things before via IAT, but this program gets the API address from GetProcAddress, in several locations in the file. I realise i could use IAT hooking on GetProcAddress, however I'm trying this method purely so i know i can do it should the need arise at another time. So I'm thinking maybe hook the GetProcAddress API, and returning the address to my function instead when MessageBoxA is requested. I have my DLL loaded in the process, so i can do whatever needs done within the programs addressing space.

Anyway, to the point: i was looking at the detours example on from the FASM examples page, I understand almost everything, and how it works, but the following code i could understand how exactly it worked:
That's taken from line 185 of the detours example. How does this get the base address of the page? that's my only problem, i don't know how to get the base address to use with the VirtualAllocEx function. Other than that, i think im all set. Thanks for any help

Note: I'm not sure if this is the right place to post this, as it may not be related to windows programming (I'm not 100% sure! lol), could someone please move it if another section would be more appropriate? Thank you!



Edit: To save opening a new topic for what I'm sure is something logical: I was looking at Vid's libc in ASM example and was wondering what the point of making wrapper things for the API functions, just jumping to their address like follows:
I've seen a few programs do it, however this is the first time I've seen it in source code. What is the reason behind doing this kind of thing instead of just calling the functions from those memory locations directly? AKA: Call [imp_printf] instead of Call printf. I've noticed that OLLY even notices that the calls to that kind of function thing are just jumps to API calls, so im thinking it may be a fairly common thing to do, I just cant seem to think of any logical reason on my own

Edit #2: Read post #3! thanks to TheLord, i realised i went completly stupid with my idea of hooking GetProcAddress when all that was needed was a hook on MessageBoxA!

It does not answer to the image base address stuff, but :

If you just have to hook MessageBoxA in a specific process, why dont you rewrite the first bytes ? seeing the function, it start with 5 bytes prologues :

7E4507AA > 8BFF MOV EDI,EDI ; ntdll.7C910208
7E4507AC 55 PUSH EBP
7E4507AD 8BEC MOV EBP,ESP


you could replace them by a relative jmp which would be 5 bytes too (counting the dest addr).

You can save the old_bytes and "call" them within your hook function if you need to truely call the messagebox ?

imo it's simpler than hooking via the IAT (in your case)

of coarse lol i clearly was not thinking strait when i said hook GetProcAddress to return a different value. However my problem is still the same.

Where the MessageBoxA API resides in memory that does not allow write access, so i must use VirtualProtect to give me write access so i can apply the patch (jmp to my code).

The problem is that VirtualProtect requires the base address of the memory page, i dont know how to find this base address without hard-coding it which is always a bad idea

btw: Hooking via IAT i thought was the most simple form possible: change a pointer in the process' memory to point to your function instead of the API function - which is not possible in this case as the GetProcAddress is used in several locations to get the address of MessageBoxA API, i just thought WAY too much into it before and came up with my stupid idea of hooking GetProcAddress when that is unnecessary

Edit: I've just found a function called VirtualQuery. from reading the msdn description (http://msdn.microsoft.com/en-us/library/aa366902.aspx), i think this returns the value i need in a structure, i'll post back with test results another time, for now im tired and going to sleep

I think you can get the process base address by using VirtualQueryEx() within MEMORY_BASIC_INFORMATION structure

EDIT : too late :p

i couldnt sleep

I found that VirtualQuery was returning 0 and my structure was not being filled.
... So MessageBoxA is a kernel-mode pointer? sounds wrong to me (although i dont really know a great deal on this topic)... Anyone have any ideas?

You have the answer to getting the base address in your first post it zeros out the lower 12 bits to give the 4k page base address.

I can't believe it's that simple Thats what i didn't quite understand, thanks for explaining it

Edit: Yay it works thanks for your help TheLord and Revolution!

5 bytes jump?
what if you alloc memory out of range of signed int? you cant address all 32 bits, just 31, its 2147483648b (2 gigabytes.) If VirtualAllocEx returns adres 2Gb+ program will crash.

You can use 2 optionS:

7 bytes:
mov edx,addr
jmp edx


or 6 bytes:
push addr
ret

i prefer hooking at the end of function, usually its retn XX nop nop nop nop nop.

im not using virtualAllocEx to put my code into the process, im using a dll injected into it, regular dll's should not be loaded in addresses over what can be referenced by an signed integer, those spaces are reserved for OS dll's aren't they?

Actually it shouldn't be possible for a user-mode executable to allocate 2GB+ memory address space but even if it could there is no problem at all, remember that arithmetic is modular here.

what do you mean "that arithmetic is modular here"?

http://en.wikipedia.org/wiki/Modular_arithmetic

So, provided that the page that holds the jump is writable the following code should work