flat assembler
Message board for the users of flat assembler.

hook my code into another process without dll hooking?
sleepsleep 24 Mar 2009, 20:45
hi,
i face one problem here,
i could gain another process window handle and process id.
is there possibility to hook my code on that particular process without using dll hooking?

i prefer simple and easy solution.
asmcoder 24 Mar 2009, 20:47
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total
sleepsleep 24 Mar 2009, 20:55
Quote:

solution is very simple

why not share a little bit idea, thank you.
LocoDelAssembly 24 Mar 2009, 20:56
WriteProcessMemory+CreateRemoteThread will probably do it but, what do you want to do with that hook?
asmcoder 24 Mar 2009, 21:07
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total
sleepsleep 24 Mar 2009, 21:15
there is an application that somebody sell to my client, but a button inside that application doesn't work as expected (actually, it is not working at all), so, i need to hack this application and provide that function when the user press that button.
asmcoder 24 Mar 2009, 21:35
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total
sleepsleep 24 Mar 2009, 22:20
thanks for info. but i still have no solid idea yet on how to do it :(

if let say, my dll autorun through registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\sleeping.dll"

i am confused here, if i start the brokenapp.exe, it would auto link with my sleeping.dll, and if i start another patchapp.exe, it would link with sleeping.dll too, so, could i now subclass the brokenapp.exe from my patchapp.exe through sleeping.dll?

must the SetWindowLong be coded inside the dll? or could it be coded inside patchapp.exe ?

i am confused :(
f0dder 25 Mar 2009, 00:35
VirtualAllocEx, WriteProcessMemory some code that calls LoadLibrary, CreateRemoteThread to execute the code. That'll get your DLL into the process, and the DLL can then be coded normally, without having to use hooks, without delta-tricks, and can use imports etc.
Pinecone_ 25 Mar 2009, 02:19
sleepsleep wrote:
must the SetWindowLong be coded inside the dll? or could it be coded inside patchapp.exe ?


SetWindowLong can be used from patchapp.exe as long as patchapp.exe knows the address of the procedure inside your dll in the address space of brokenapp.exe (base address could be found through EnumProcessModules then you could add the static offset)

I think you should make a loader or patch the import table to load your dll instead of using that registry key to avoid unnecessary overhead of your dll being loaded into every process.

sleepsleep wrote:
i prefer simple and easy solution.

If you don't mind the overhead, maybe try a system wide CBT hook, your dll will be loaded into every process and will be notified whenever any window is created, you could change the wndproc of the window you want then, and the hook will already be in the right addressing space, no need to muck around with VirtualAlloc, WriteProcessMemory or anything other than SetWindowsHookEx.

Still, a loader or modified import table would avoid having to have patchapp.exe running all the time and avoid the dll being loaded in every process.
sleepsleep 25 Mar 2009, 03:43
sigh, oh men, my idea doesn't work :(
error 5 during SetWindowLong, ERROR_ACCESS_DENIED

but shouldn't it work... men.. i code the SetWindowLong inside the dll...arghhh not working :(

i put an OutputDebugString on DLL_PROCESS_ATTACH, and i could see the brokenapp.exe attached to my dll. but why i still get such error? isn't it weird.
comrade 25 Mar 2009, 06:04
Can you share out the relevant part of the code?
sleepsleep 25 Mar 2009, 07:42
Quote:

Can you share out the relevant part of the code?

no problem at all, sharing full source here :)
i change the brokenapp.exe to notepad.exe ;)

i use this on.reg file to on and off the AppInit_DLLs inside vm.

on.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\auto.dll"
    


off.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
    


on and off require a reboot in test machine, i do it inside vm.

i use debugview.exe /c /s
currently, the output i could get from debugview is like below:

steps
------
1. link up the debugview.exe /c /s
2. start c:\caller.exe
3. start notepad.exe

Debugview wrote:

[588] C:\caller.exe
[604] C:\WINDOWS\system32\notepad.exe
[588] ------ UM_FINDTARGETWINDOW called
[588] RegisterTargetHandle a0220
[588] Error 5, Failed SetWindowLong


Attachments:
- constant.txt (99 Bytes)
- caller.txt: caller.exe (2.96 KB)
- auto.txt: auto.dll (3.73 KB)

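The on.reg/off.reg pair in the post above toggles AppInit_DLLs, a value that causes the listed DLLs to be loaded into every process that loads user32.dll, so a populated value is worth flagging when reviewing a registry export. The following is an added example, not code from the thread: a small parser for REGEDIT5 text that reports the DLL paths configured there. The function names are hypothetical and the two sample inputs are constructed from the on.reg and off.reg contents shown in the post.

```python
import re

# Key the post's .reg files write to, lower-cased for comparison
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

def parse_reg(text):
    """Parse REGEDIT5 text into {key_path_lower: {value_name: raw_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def unescape(data):
    """Decode a quoted REG_SZ: strip the quotes and undo backslash escapes."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data

def appinit_findings(text):
    """Return the DLL paths configured in AppInit_DLLs (empty list if none)."""
    values = parse_reg(text).get(APPINIT_KEY, {})
    for name, data in values.items():
        if name.lower() == "appinit_dlls":
            # The value is a list of DLLs delimited by spaces or commas
            return [p for p in re.split(r"[ ,]+", unescape(data)) if p]
    return []

# Constructed samples mirroring on.reg and off.reg from the post
ON_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\auto.dll"
'''
OFF_REG = ON_REG.replace(r'"C:\\auto.dll"', '""')

if __name__ == "__main__":
    for label, sample in (("on.reg", ON_REG), ("off.reg", OFF_REG)):
        print(label, "->", appinit_findings(sample) or "AppInit_DLLs empty")
```
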
sleepsleep 25 Mar 2009, 14:25
sigh,
i tried using the old method, cbthook on dll.
and to my surprise, i get
Error 5, Failed SetWindowLong too!!.... ???
ERROR_ACCESS_DENIED
i don't know what is going on.

full source attached,

win32hook.txt = cbthook inside dll
patch.txt = generic window application to install the hook.

i reduced all the code to bare minimum to just produce the result of setting hook and SetWindowLong to subclass.


Attachments:
- patch.txt: generic win32 application (2.07 KB)
- win32hook.txt: cbthook code inside (4 KB)

sleepsleep 25 Mar 2009, 17:48
after hours, i think i discover the one whole truth ...
u guys tries figure out ;)
comrade 25 Mar 2009, 18:49
Processes at different integrity levels? UIPI?
sleepsleep 25 Mar 2009, 19:05
... i let out the tips,
the problem is here, looks normal, but this is where the problem lies.

Code:
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        push    [hinstDLL]
        pop     [instH]

        cmp     [fdwReason],DLL_PROCESS_ATTACH
        je      .attach
        cmp     [fdwReason],DLL_PROCESS_DETACH
        je      .detach

.exit:
        mov     eax,TRUE
        ret

.attach:
        stdcall Trim_To_Last
        jmp     .exit

.detach:
        jmp     .exit

endp

amazing, this cost me few hours to detect. learn something costly..
Pinecone_ 28 Mar 2009, 10:06
i've learned that one the hard way too... several times :)
comrade 29 Mar 2009, 03:07
So what's the problem?
sleepsleep 29 Mar 2009, 10:36
Quote:

push [hinstDLL]
pop [instH]

their value will change.
and when using SetWindowsHookEx api, we might not be using the valid hinstDLL value. and thus, ERROR_ACCESS_DENIED