Exetools

Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   Windows Api Hooking (https://forum.exetools.com/showthread.php?t=20326)

user1 11-01-2022 18:59
Windows Api Hooking
 
http://www.compile.ro/2018/06/24/interceptarea-functiilor-din-windows/
Credits to developer !
Code:
VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header) {
    //adauga permisiunea de scriere in primii 5 octeti de la inceputul functiei
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    //salveaza cei 5 octeti originali ai functiei
    CopyMemory(old_header, (LPVOID)old_func, 5);

    //calculeaza distanta dintre noua si vechea functie
    //  folosita ca parametru de JMP
    DWORD size = new_func - (old_func + 5);

    //construieste instructiunea JMP
    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    //scrie instuctiunea la inceputul functiei vechi
    CopyMemory((LPVOID)old_func, new_header, 5);
}
BYTE OH_GetVersion[5];
BYTE NH_GetVersion[5];
...
DetourSet((DWORD)GetVersion, (DWORD)D_GetVersion, OH_GetVersion, NH_GetVersion);
DWORD WINAPI D_GetVersion()
{
    //copiaza cei 5 octeti originali inapoi in GetVersion
    CopyMemory((LPVOID)GetVersion, OH_GetVersion, 5);

    //apeleaza GetVersion
    DWORD v = GetVersion();

    //coipiaza JMP-ul in GetVersion
    CopyMemory((LPVOID)GetVersion, NH_GetVersion, 5);

    //modifica si returneaza valoarea
    return v & 0xFFFF00FF | 0x0200;
}
#include <Windows.h>
#include <stdio.h>

#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

DETOUR_DEFINE(GetVersion);
DWORD WINAPI D_GetVersion()
{
    DWORD v;
    DETOUR_EXEC(v, GetVersion);
    return v & 0xFFFF00FF | 0x0200;
}

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}

int main() {
    DWORD v = GetVersion();
    printf("Inainte de redirectionare versiunea este: %d.%d (%d)\n", LOBYTE(LOWORD(v)), HIBYTE(LOWORD(v)), HIWORD(v));

    DETOUR_SET(GetVersion);
    v = GetVersion();
    printf("Dupa redirectionare versiunea este: %d.%d (%d)\n", LOBYTE(LOWORD(v)), HIBYTE(LOWORD(v)), HIWORD(v));

    getchar();
}

Fyyre 11-01-2022 20:26
Hurray for C macros?

user1 11-02-2022 02:08
1 Attachment(s)
@Fyyre

HTML Code:
https://reverseengineering.stackexchange.com/questions/15933/how-to-bypass-or-block-getsystemtime

A friend and I made this a long time ago, to bypass trial on a certain program (not naming it). It modifies the value that GetSystemTimeAsFileTime returned.

GetSystemTimeAsFileTime Hotpatch

http://fyyre.ru/dllmain.cpp
can please re upload it, very much interested.

Thanks !

MarcElBichon 11-02-2022 03:29
https://github.com/Fyyre/oldsite

Fyyre 11-03-2022 01:00
Hi there,

Today I made this method/project available via my Github. I hope you find it helpful:

https://github.com/Fyyre/proxy_dll

Quote:
Originally Posted by user1 (Post 126399)
@Fyyre

HTML Code:
https://reverseengineering.stackexchange.com/questions/15933/how-to-bypass-or-block-getsystemtime

A friend and I made this a long time ago, to bypass trial on a certain program (not naming it). It modifies the value that GetSystemTimeAsFileTime returned.

GetSystemTimeAsFileTime Hotpatch

http://fyyre.ru/dllmain.cpp
can please re upload it, very much interested.

Thanks !

user1 11-29-2022 22:36
This code only for x86 for x64 need changed

anyone can help with this?

Code:
#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}

h4sh3m 11-29-2022 23:34
Quote:
Originally Posted by user1 (Post 126566)
This code only for x86 for x64 need changed

anyone can help with this?

Code:
#define DETOUR_DEFINE(F) BYTE OH_##F[5]; BYTE NH_##F[5];
#define DETOUR_SET(F) DetourSet((DWORD)F, (DWORD)D_##F, OH_##F, NH_##F)
#define DETOUR_EXEC(R, F, ...) { CopyMemory((LPVOID)F, OH_##F, 5); R = F(__VA_ARGS__); CopyMemory((LPVOID)F, NH_##F, 5); }

VOID DetourSet(DWORD old_func, DWORD new_func, BYTE* old_header, BYTE* new_header)
{
    DWORD op;
    VirtualProtect((LPVOID)old_func, 5, PAGE_EXECUTE_READWRITE, &op);

    CopyMemory(old_header, (LPVOID)old_func, 5);

    DWORD size = new_func - (old_func + 5);

    new_header[0] = 0xE9;
    new_header[1] = size >> 0;
    new_header[2] = size >> 8;
    new_header[3] = size >> 16;
    new_header[4] = size >> 24;

    CopyMemory((LPVOID)old_func, new_header, 5);
}
Hi

Maybe you just need to change DWORD to UInt64 (old_func, new_func).
Also you might face error in some functions(size of instructions), you can't overwrite bytes blindly unless you don't have any plan to use original function anymore !!!

user1 11-30-2022 16:27
false in x64 different.

h4sh3m 11-30-2022 18:55
Can you describe your problem with sample code ?!

It's working for me :|
Following link contains sample source (in delphi) with compiled x86/x64 files:

https://mega.nz/file/TUw2TQqJ#CnR-YKixZMICNTQ8H7wFwAkKCfOR3l5OpJq26S-AWvM

user1 12-01-2022 01:11
I have solved with minhook, above code is only for x86 can not work correctly in x64 app, that;s why used minhook.

sendersu 12-01-2022 01:17
yeah, for x64 one need to use 8 byte addresses, means
DWORD -> QWORD, etc

user1 12-10-2022 15:27
can if have time post correct code. I don;t get it sorry. but if you know how to please.

other idea's of time hooks can find in github, some working as expected some not.

I think some app use to detect time check some windows / registry entry??? time for a created existing etc files because windows start in real system with real time and compare that file time with time stored in secure SL storage???

WillyTerra 12-24-2022 09:57
Thanks for this, I will learning API Hook use new way.


All times are GMT +8. The time now is 11:43.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX