Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Programming Hookin(?) Question
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-09-2005, 09:05
gabri3l's Avatar
gabri3l gabri3l is offline
Parity Error 0x0FF2131D
  
Join Date: Aug 2003
Location: Eastern Shore
Posts: 118
Rept. Given: 0
Rept. Rcvd 5 Times in 1 Post
Thanks Given: 8
Thanks Rcvd at 21 Times in 10 Posts
gabri3l Reputation: 5
Hooking usually involves intercepting a programs function and redirecting it to your own function. Often used to redirect functions that cannot be patched. ex: kernel32.dll or a program with internal integrity checks.

If your program is not protected or integral to windows. You should be able to simply redirect to a code cave and execute your functions from there. This of course depends on how your program manages user input. But often times you can find your programs window message handler.

Basicaly the message handler handles all messages; keydown, keypress, mousemove. Stuff like that. You can usually find it by simply choosing the about dialog and working backwards.

For example. I chose the about dialog in Notepad. I pause execution in Olly and then look at the call stack:
Code:
Call stack of main thread
Address    Stack      Procedure                            Called from                   Frame
0006FAEC   77E32DD5   USER32.WaitMessage                   USER32.77E32DD0               0006FB1C
0006FB20   77E340CE   USER32.77E32CEB                      USER32.77E340C9               0006FB1C
0006FB44   77E3410F   USER32.77E34014                      USER32.77E3410A               0006FB40
0006FB64   77E291C6   USER32.DialogBoxIndirectParamAorW    USER32.77E291C1               0006FB60
0006FB88   7CFB0DCB   USER32.DialogBoxParamW               SHELL32.7CFB0DC5              0006FB84
0006FBB0   01001EF8   SHELL32.ShellAboutW                  NOTEPAD.01001EF2              0006FBAC
0006FE1C   010028BD   NOTEPAD.01001AE3                     NOTEPAD.010028B8              0006FE18
0006FE3C   77E4158F   NOTEPAD.0100248F                     USER32.77E4158C               0006FE38
0006FE5C   77E41DC9   USER32.77E41577                      USER32.77E41DC4               0006FE58
0006FEE8   77E41E7E   USER32.77E41CBF                      USER32.77E41E79               0006FEE4
0006FEF4   01002A64   USER32.DispatchMessageW              NOTEPAD.01002A5E              0006FF24
0006FF28   01006576   ? NOTEPAD.0100299E                   NOTEPAD.01006571              0006FF24
0006FFC4   7C598989   Includes NOTEPAD.01006576            KERNEL32.7C598986             0006FFC0
Looking at the call stack we see that Notepad called USER32.DispatchMessageW from here: NOTEPAD.01002A5E. Go there in Olly and we see that we are in a loop.
This loop runs continuosly when the program is running monitoring for input. Once input is recieved it translates it and dispatches it.

DispatchMessageW processed the input and returns execution to Notepad here: NOTEPAD.0100248F.

Looking up the call stack further we find that the about dialog is called from NOTEPAD.01001EF2. Go there in Olly and you find yourself in a switch case.

Code:
01001ED2  |>  6A 02         PUSH 2                                           ; /RsrcName = 2.; Case B of switch 01001B11
01001ED4  |.  FF35 988C0001 PUSH DWORD PTR DS:[1008C98]                      ; |hInst = 01000000
01001EDA  |.  FF15 00120001 CALL NEAR DWORD PTR DS:[<&USER32.LoadIconW>]     ; \LoadIconW
01001EE0  |.  50            PUSH EAX                                         ; /hIcon
01001EE1  |.  68 98130001   PUSH NOTEPAD.01001398                            ; |OtherStuff = ""
01001EE6  |.  FF35 50800001 PUSH DWORD PTR DS:[1008050]                      ; |Title = "Notepad"
01001EEC  |.  FF35 D0870001 PUSH DWORD PTR DS:[10087D0]                      ; |hWnd = 001F0486 ('Untitled - Notepad',class='Notepad')
01001EF2  |.  FF15 9C110001 CALL NEAR DWORD PTR DS:[<&SHELL32.ShellAboutW>]  ; \ShellAboutW
01001EF8  |.  E9 95020000   JMP NOTEPAD.01002192
01001EFD  |>  BF E08B0001   MOV EDI,NOTEPAD.01008BE0                         ;  Case 20 of switch 01001B11
Simply our input is monitored by a loop.
The input (or lack thereof) is then translated and sent to another function that determines what kind of input it was keydown, mousedown, etc...
Once the input type is determined the program takes the value of the input. (Each menu item has a value assigned, mouse moves have coordinates assigned, etc...)
Notepad then calls a function according to the input values, to do so it uses a switch with a case for each value. Like the one we are in right now.

Now that we know where our messages are handled we can easily redirect the case for the "About" value to become something else. I decided to change it to be the Save command.

Code:
01001ED2    ^\E9 75FEFFFF   JMP NOTEPAD.01001D4C
01001ED7      90            NOP
01001ED8      90            NOP
01001ED9      90            NOP
01001EDA  |.  FF15 00120001 CALL NEAR DWORD PTR DS:[<&USER32.LoadIconW>]     ; \LoadIconW
01001EE0  |.  50            PUSH EAX                                         ; /hIcon
Now whenever we press the ABOUT menu item it will jump back up to the SAVE case.

In your case you could instead redirect the case to your own cave and execute whatever code you desire.
__________________
-=RETIRED=--=http://cracking.accessroot.com=--=RETIRED=-
Last edited by gabri3l; 08-09-2005 at 14:13.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Database programming in C++ hmora General Discussion 1 07-12-2004 09:48


All times are GMT +8. The time now is 03:40.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )