Exetools  

#1
08-09-2005, 07:23
SOLAR
Programming Hookin(?) Question

Hello friends, here is what I want to do...

There's an app (.exe), say Notepad. I want to be able to call another program/procedure or function when I click the Bold button.

In plain terms, I think I'm asking how to reprogram a button that's in an .exe.

I think this is called Hooking or something along those lines.

Thank you for any help

SOLAR
#2
08-09-2005, 09:05
gabri3l
Hooking usually involves intercepting a program's function and redirecting it to your own function. It is often used to redirect functions that cannot be patched, e.g. kernel32.dll or a program with internal integrity checks.

If your program is not protected or integral to Windows, you should be able to simply redirect to a code cave and execute your functions from there. This of course depends on how your program manages user input, but often you can find your program's window message handler.

Basically the message handler handles all messages: keydown, keypress, mousemove, stuff like that. You can usually find it by simply choosing the About dialog and working backwards.

For example, I chose the About dialog in Notepad, paused execution in Olly and then looked at the call stack:
Code:
Call stack of main thread
Address    Stack      Procedure                            Called from                   Frame
0006FAEC   77E32DD5   USER32.WaitMessage                   USER32.77E32DD0               0006FB1C
0006FB20   77E340CE   USER32.77E32CEB                      USER32.77E340C9               0006FB1C
0006FB44   77E3410F   USER32.77E34014                      USER32.77E3410A               0006FB40
0006FB64   77E291C6   USER32.DialogBoxIndirectParamAorW    USER32.77E291C1               0006FB60
0006FB88   7CFB0DCB   USER32.DialogBoxParamW               SHELL32.7CFB0DC5              0006FB84
0006FBB0   01001EF8   SHELL32.ShellAboutW                  NOTEPAD.01001EF2              0006FBAC
0006FE1C   010028BD   NOTEPAD.01001AE3                     NOTEPAD.010028B8              0006FE18
0006FE3C   77E4158F   NOTEPAD.0100248F                     USER32.77E4158C               0006FE38
0006FE5C   77E41DC9   USER32.77E41577                      USER32.77E41DC4               0006FE58
0006FEE8   77E41E7E   USER32.77E41CBF                      USER32.77E41E79               0006FEE4
0006FEF4   01002A64   USER32.DispatchMessageW              NOTEPAD.01002A5E              0006FF24
0006FF28   01006576   ? NOTEPAD.0100299E                   NOTEPAD.01006571              0006FF24
0006FFC4   7C598989   Includes NOTEPAD.01006576            KERNEL32.7C598986             0006FFC0
Looking at the call stack we see that Notepad called USER32.DispatchMessageW from here: NOTEPAD.01002A5E. Go there in Olly and we see that we are in a loop.
This loop runs continuously while the program is running, monitoring for input. Once input is received it translates it and dispatches it.

DispatchMessageW processes the input and returns execution to Notepad here: NOTEPAD.0100248F.

Looking further up the call stack we find that the About dialog is called from NOTEPAD.01001EF2. Go there in Olly and you find yourself in a switch case.

Code:
01001ED2  |>  6A 02         PUSH 2                                           ; /RsrcName = 2.; Case B of switch 01001B11
01001ED4  |.  FF35 988C0001 PUSH DWORD PTR DS:[1008C98]                      ; |hInst = 01000000
01001EDA  |.  FF15 00120001 CALL NEAR DWORD PTR DS:[<&USER32.LoadIconW>]     ; \LoadIconW
01001EE0  |.  50            PUSH EAX                                         ; /hIcon
01001EE1  |.  68 98130001   PUSH NOTEPAD.01001398                            ; |OtherStuff = ""
01001EE6  |.  FF35 50800001 PUSH DWORD PTR DS:[1008050]                      ; |Title = "Notepad"
01001EEC  |.  FF35 D0870001 PUSH DWORD PTR DS:[10087D0]                      ; |hWnd = 001F0486 ('Untitled - Notepad',class='Notepad')
01001EF2  |.  FF15 9C110001 CALL NEAR DWORD PTR DS:[<&SHELL32.ShellAboutW>]  ; \ShellAboutW
01001EF8  |.  E9 95020000   JMP NOTEPAD.01002192
01001EFD  |>  BF E08B0001   MOV EDI,NOTEPAD.01008BE0                         ;  Case 20 of switch 01001B11
Simply put, our input is monitored by a loop.
The input (or lack thereof) is then translated and sent to another function that determines what kind of input it was: keydown, mousedown, etc.
Once the input type is determined, the program takes the value of the input (each menu item has a value assigned, mouse moves have coordinates assigned, etc.).
Notepad then calls a function according to the input value; to do so it uses a switch with a case for each value, like the one we are in right now.

Now that we know where our messages are handled we can easily redirect the case for the "About" value to become something else. I decided to change it to be the Save command.

Code:
01001ED2    ^\E9 75FEFFFF   JMP NOTEPAD.01001D4C
01001ED7      90            NOP
01001ED8      90            NOP
01001ED9      90            NOP
01001EDA  |.  FF15 00120001 CALL NEAR DWORD PTR DS:[<&USER32.LoadIconW>]     ; \LoadIconW
01001EE0  |.  50            PUSH EAX                                         ; /hIcon
Now whenever we press the ABOUT menu item it will jump back up to the SAVE case.

In your case you could instead redirect the case to your own cave and execute whatever code you desire.

Last edited by gabri3l; 08-09-2005 at 14:13.
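The patch in gabri3l's last listing overwrites two whole instructions with a 5-byte relative JMP plus NOP padding. As an added example (not code from the post), this C encodes and decodes the E9 rel32 form and checks that the replacement covers the displaced bytes exactly; it assumes the instruction lengths shown in the listing (PUSH 2 = 6A 02, 2 bytes; PUSH DWORD PTR DS:[1008C98] = FF35 988C0001, 6 bytes). The decoder serves the reverse task when reviewing a modified binary: resolving where a jump found in a code dump lands.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 near JMP is 5 bytes: opcode E9 plus a 32-bit displacement measured
   from the address of the NEXT instruction (at + 5). */
static void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (at + 5);  /* wraps mod 2^32: backward jumps work */
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Inverse: recover where a JMP found at `at` lands. Returns 0 if the bytes
   are not an E9 JMP. Handy when reviewing a modified binary or a code dump. */
static int decode_jmp_rel32(uint32_t at, const uint8_t *code, uint32_t *target)
{
    if (code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = at + 5 + rel;
    return 1;
}

/* Full patch for a displaced range of `orig_len` bytes: the JMP, then NOP
   (0x90) padding so no half-overwritten instruction is left behind.
   Returns the patch length, or 0 if the range cannot hold a 5-byte JMP. */
static size_t build_patch(uint32_t at, uint32_t target, size_t orig_len,
                          uint8_t *out, size_t cap)
{
    if (orig_len < 5 || orig_len > cap) return 0;
    encode_jmp_rel32(at, target, out);
    memset(out + 5, 0x90, orig_len - 5);
    return orig_len;
}

int main(void)
{
    /* The About case at 01001ED2 starts with PUSH 2 (6A 02, 2 bytes) and
       PUSH DWORD PTR DS:[1008C98] (FF35 xx xx xx xx, 6 bytes): 8 bytes displaced. */
    uint8_t patch[8];
    size_t n = build_patch(0x01001ED2u, 0x01001D4Cu, sizeof patch, patch, sizeof patch);
    for (size_t i = 0; i < n; i++) printf("%02X ", patch[i]);
    printf("\n");  /* E9 75 FE FF FF 90 90 90, matching the listing above */
    return 0;
}
```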
#3
08-09-2005, 09:14
aldente
In this example I "reprogrammed" the "C" button of Microsoft's Calculator:

http://home.scarlet.be/~il095280/hijacking_ms-calc.zip

(It should start in scientific mode, otherwise it will not work; this has to be improved.)

This works completely without hooks (as hooks are quite ugly) and WITHOUT touching the original app, so you are even legally allowed to "extend" other apps like this. It just creates a form, sets the other app (calc.exe) as the parent, and draws its button over the original one.

You can even automatically get its position, window style, caption, etc.; anyway, in this example I did it manually.

Last edited by aldente; 08-09-2005 at 09:24.
#4
08-09-2005, 15:45
Nacho_dj
Hello:

This thread is interesting. It is just the one I was needing.

I am trying to execute some code that is in a process loaded in memory, from an application that loads that process.

Big or what: Is it possible to get a tutorial on the way you have developed your calculator patch?
As it is made without hooks it shows an alternative point of view of the scenario.

gabri3l: Your explanation is brilliant! Many thanks for the info.

Cheers

Nacho_dj