Mid-Hook Function Help [Solved]
Mid-Hook Function Help [Solved]
Well, the other day i found a tutorial on mid function hooking on another forum i got from google and i said to myself, "you need to expand your methods of hooking so you need to learn this". So, i did, and i read the tutorial and i totally understand everything about it, it's just that my test program keeps crashing. Here is my code:
Code:
#include <Windows.h>
#include <iostream>
DWORD retaddie = 0x003814AC;
void MakeJump(BYTE* paddress, DWORD yourfunction, DWORD dwlen);
DWORD base = (DWORD) GetModuleHandleA("Test Programming Ideas.exe");
DWORD dwjmpback = base + 0x114B1;
void MakeJump(BYTE* paddress, DWORD yourfunction, DWORD dwlen)
{
DWORD dwOldProtect, dwBkup, dwRelAddr;
// give the paged memory read/write permissions
VirtualProtect(paddress, dwlen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
// calculate the distance between our address and our target location
// and subtract the 5bytes, which is the size of the jmp
// (0xE9 0xAA 0xBB 0xCC 0xDD) = 5 bytes
dwRelAddr = (DWORD) (yourfunction - (DWORD) paddress) - 5;
// overwrite the byte at pAddress with the jmp opcode (0xE9)
*paddress = 0xE9;
// overwrite the next 4 bytes (which is the size of a DWORD)
// with the dwRelAddr
* ((DWORD*) (paddress + 0x1)) = dwRelAddr;
// overwrite the remaining bytes with the NOP opcode (0x90)
// NOP opcode = No OPeration
for(DWORD x = 0x5; x < dwlen; x++) *(paddress + x) = 0x90;
// restore the paged memory permissions saved in dwOldProtect
VirtualProtect(paddress, dwlen, dwOldProtect, &dwBkup);
return;
}
_declspec (naked) void jumpfunc()
{
_asm
{
push 0
push 0
push 0
push 0
call MessageBoxA
push 56
push 200
call Beep
push 3E8h
JMP [dwjmpback]
}
}
BOOL _stdcall DllMain(HINSTANCE hInst, DWORD msg, LPVOID reserved)
{
char buffer[10];
switch (msg)
{
case DLL_PROCESS_ATTACH:
sprintf(buffer, "%X", (base));
MessageBoxA(0, buffer, "POINT OF DATA OPERATION", MB_OK);
MakeJump((BYTE*)(base + 0x114AC), (DWORD)jumpfunc, 5);
break;
}
}
Make sure you're not jumping back in mid-instruction.
Well, i am jumping back to the next instruction after the one i hooked. The instruction i hooked is 5 bytes which is all i need and i am just jumping back to the next command. That's why idk what's going on.
THIS IS THE DISASSEMBLY FOR WHERE I AM HOOKING:
Here is the while(1) loop
I am hooking at 003414C0, and i am returning at the instruction after which is a call to Sleep().
So any ideas what the issue is?
THIS IS THE DISASSEMBLY FOR WHERE I AM HOOKING:
Here is the while(1) loop
Code:
CPU Disasm Address Hex dump Command Comments 003414A2 |> /B8 01000000 MOV EAX,1 003414A7 |. |85C0 TEST EAX,EAX 003414A9 |. |74 29 JE SHORT 003414D4 003414AB |. |68 30783400 PUSH OFFSET 00347830 ; /_Val = "Still Looping." 003414B0 |. |A1 CCA23400 MOV EAX,DWORD PTR DS:[<&MSVCP100D.?cout@ ; | 003414B5 |. |50 PUSH EAX ; |_Ostr 003414B6 |. |E8 80FCFFFF CALL 0034113B ; \std::operator<<<std::char_traits<char> > 003414BB |. |83C4 08 ADD ESP,8 003414BE |. |8BF4 MOV ESI,ESP 003414C0 |68 E8030000 PUSH 3E8 003414C5 |. |FF15 1CA23400 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] 003414CB |. |3BF4 CMP ESI,ESP 003414CD |. |E8 AFFCFFFF CALL 00341181 ; [_RTC_CheckEsp 003414D2 |.^\EB CE JMP SHORT 003414A2
So any ideas what the issue is?
Ok, so after further debugging, i see that it's changing the first byte to E9 as i wanted but then the problem is with dwRelAddr because it's at an out of range address. so how do i calculate the address to which my function is and then i can jump to it?
SChiM posted a good JMP hook tutorial in the CA NA source section a while ago. See if you can dig it up.
Also, post a stack dump the moment your program fails. I don't know which tutorial you took this from, but a common problem with mid function hooks is that the arguments to your function(on the stack) are invalid. If you're sure this is not the problem however try debugging the function which sets the hook, you can see which value ends up in your pointer.
Also post the code you use to call the hook function. Are you sure you're passing a pointer to your function( &yourfunction() ), instead of whatever there's at memory location *yourfunction()?
Also if I'm not mistaken, is that the function to calculate the length to jump is from-to-5 (but I could be mistaken here, I always get them wrong the first time
)
Also post the code you use to call the hook function. Are you sure you're passing a pointer to your function( &yourfunction() ), instead of whatever there's at memory location *yourfunction()?
Also if I'm not mistaken, is that the function to calculate the length to jump is from-to-5 (but I could be mistaken here, I always get them wrong the first time
)Well, i am adding the function as a parameter like this: (DWORD)myfunc
And i am pretty sure i am calculating the distance wrong, cuz i saw it in the debugger and it's pointing to the wrong address in the jump.
Code:
MakeJump((BYTE*)(base + 0x114C0), (DWORD)jumpfunc, 0x5);
shouldn't your JMP back in be to dwjumpback, not [dwjumpback] ? My asm (while never good at all) is a bit rusty. :/
Originally Posted by Jason
shouldn't your JMP back in be to dwjumpback, not [dwjumpback] ? My asm (while never good at all) is a bit rusty. :/
Originally Posted by open|Fire
............................
You don't have to jump, can't you just push and ret? Imho jumps are much harder to maintain.
push returnAddress
ret - pops off return address and sets EIP to that address.
Mid-function hooking is kind of an odd practice, usually you can detour the prologue of another function to get the same effect - that isn't to say it doesn't have its uses though. A while back, PB and other anti-hack systems would do a checksum on just the prologue of the function (detouring the functions prologue is much more practicle than detouring half-way through - which usually is much more difficult to do) because checksums can be time-expensive operations at the rate the given anti-hack software was performing them.
I.e, in this case you might just want to detour the sleep routine and check the return address on the stack to identify whether you should morph the arguments or not. However, this isn't really what one would usually do with a detour, so I suppose a mid-function 'detour' is practicle in this situation.
However, I'd just disable the protection system opposed to detour your way around it.
push returnAddress
ret - pops off return address and sets EIP to that address.
Mid-function hooking is kind of an odd practice, usually you can detour the prologue of another function to get the same effect - that isn't to say it doesn't have its uses though. A while back, PB and other anti-hack systems would do a checksum on just the prologue of the function (detouring the functions prologue is much more practicle than detouring half-way through - which usually is much more difficult to do) because checksums can be time-expensive operations at the rate the given anti-hack software was performing them.
I.e, in this case you might just want to detour the sleep routine and check the return address on the stack to identify whether you should morph the arguments or not. However, this isn't really what one would usually do with a detour, so I suppose a mid-function 'detour' is practicle in this situation.
However, I'd just disable the protection system opposed to detour your way around it.
Well, i used a naked function so it won't have prologue or epilogue. That's what's puzzling me. I used a ret instead of the jump back and it's still crashing. Idk what's going on. Should i just save the eip before i go to my hack func then i should just push eip instead of return?
Alright, I was just going over some of your assembly; here's the problems I found.
You're calling functions using the MessageBoxA pointers as if they point directly to the functions header, when, in fact, they point to the functions corresponding entry in the jmp thunk table.
Secondly, if dwjmpback contains the address you want to jump to, you should jmp dwjmpback, as [] translates to the data at the address of.
Give that shot.
it should look something like:
You're calling functions using the MessageBoxA pointers as if they point directly to the functions header, when, in fact, they point to the functions corresponding entry in the jmp thunk table.
Secondly, if dwjmpback contains the address you want to jump to, you should jmp dwjmpback, as [] translates to the data at the address of.
Give that shot.
it should look something like:
Code:
_asm
{
push 0
push 0
push 0
push 0
call dword ptr[MessageBoxA]
push 56
push 200
call dword ptr[Beep]
push 3E8h
JMP dwjmpback
}
Thanks jetamay, I am glad ur back, we all benefit from your knowledge of assembly. It turned out that it works (i just had to change the dwJumpback address cuz it was wrong offset, LOL), and calling my functions in the hook as DWORD PTR:[function].
But i still don't understand why i have to call it as DWORD PTR? Why do i need to do that?
BTW Thanks for your help everyone Schim and Jason, and i appreciate it.
But i still don't understand why i have to call it as DWORD PTR? Why do i need to do that?
BTW Thanks for your help everyone Schim and Jason, and i appreciate it.
It looks good, just make sure ur not jumping back :P
Similar Threads
- 3Last post
- 37Last post
- 3Last post
- 7Last post
- 2Last post