Practical Guides on Win32 Hacking and Windows Hooking – Part I Originally from:
http://www.kk-wuti.blogspot.com/ http://kk-wuti.blogspot.com/2007/10/windowshooking-and-hacking1.html
Copyright: http://kk-wuti.blogspot.com
TABLE OF CONTENTS
Disclaimer ......................................................................................................................3 About this guide.............................................................................................................3 Pre-exquisite ..................................................................................................................3 Intercepting API calls ....................................................................................................3 Method I – Proxy DLL ..............................................................................................3 Step 1 Create a Win32 DLL (MyDLL.dll) that exports a function. ......................4 Step 2 Create a client or any windows application. ...............................................6 Step 3 Create the Proxy DLL.................................................................................6
2
Copyright: http://kk-wuti.blogspot.com
Disclaimer THIS INFORMATION IS PROVIDED BY ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS INFORMATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
About this guide There are tones of information available regarding windows hooking. As such, this guide will not go into details of what is Windows Hooking or what it can do for you. This guide will instead directly jump into the many ways of Windows Hooking and for each method; a working source codes example with a step by step guide is given. While the author will paint a picture on where and how a particular method could be used, it is entirely up to the reader to assess and make his or her own judgment on how a particular method presented here could best be used with regard to the actual needs.
Pre-exquisite Familiar with Ms Visual C++ 6.0 tools
Intercepting API calls Method I – Proxy DLL This is an easy method where the proxy DLL will directly replace an existing DLL that contains the function or functions you want to be intercepted. Assuming you want to intercept an API in a DLL called MyDLL. To demonstrate, follow the steps described below.
3
Copyright: http://kk-wuti.blogspot.com
Step 1 Create a Win32 DLL (MyDLL.dll) that exports a function. CODE:
4
Copyright: http://kk-wuti.blogspot.com
Header file definition // The following ifdef block is the standard way of creating macros which make exporting // from a DLL simpler. All files within this DLL are compiled with the MYDLL_EXPORTS // symbol defined on the command line. this symbol should not be defined on any project // that uses this DLL. This way any other project whose source files include this file see // MYDLL_API functions as being imported from a DLL, wheras this DLL sees symbols // defined with this macro as being exported.
#ifdef MYDLL_EXPORTS #define MYDLL_API __declspec(dllexport) #else #define MYDLL_API __declspec(dllimport) #endif // This class is exported from the MyDLL.dll class MYDLL_API CMyDLL { public: CMyDLL(void); // TODO: add your methods here. void MyDLL_func(){ MessageBox(0,"Hello from my dll", "Test", MB_OK); } };
CPP file #include "stdafx.h" #include "MyDLL.h" BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }
That’s it. You have a DLL, exporting a function called MyDLL_func(). Since this function is exported by MyDLL, any other application that import this DLL into its process space will be able to invoke the function MyDLL_func().
5
Copyright: http://kk-wuti.blogspot.com
Step 2 Create a client or any windows application. To invoke the exported DLL function, follow the steps describe below. • •
Include the header file created from Step 1. Use the correct path where you have created the header file in Step 1. Construct the exported class object and invoke the exported function as show below.
CODE: //Include the path to where MyDLL header file is located #include "..\\MyDLL\MyDll.h" //construct the exported class’s object CMyDLL dll; //invoke the exported function. dll.MyDLL_func();
Step 3 Create the Proxy DLL This is the actual part of the API intercepting. This DLL will be renamed to MyDLL.dll and MyDLL.dll will in turn be renamed to another name that you like, for instance Realmydll.dll.
1. To create the proxy DLL, first create a normal DLL, no function export is needed here. Header files definition: CODE: // The following ifdef block is the standard way of creating macros which make exporting // from a DLL simpler. All files within this DLL are compiled with the MYDLL_EXPORTS // symbol defined on the command line. this symbol should not be defined on any project // that uses this DLL. This way any other project whose source files include this file see // MYDLL_API functions as being imported from a DLL, wheras this DLL sees symbols // defined with this macro as being exported.
#ifdef FAKE_MYDLL_EXPORTS #define FAKE_MYDLL_API __declspec(dllexport) #else #define FAKE_MYDLL_API __declspec(dllimport) #endif
CPP file
Inside the main CPP file, add the followings: -
6
Copyright: http://kk-wuti.blogspot.com • •
•
Declare a WINAPI function pointer of the function you want to intercept. Implement the intercepting or hooked function. This function will get called instead when the client invoke MyDLL_func as shown in step 2 earlier. Update the DllMain function
CODE: //Declare the function pointer static void (WINAPI *RealMyDLL_func)();
//Implement the intercepting function extern "C" void WINAPI HookedMyDLL_func( ) { //Do whatever you wanrt here //You can call the real MyDLL_func here if you want //Do something extra TCHAR strTitle[250]={0x00}; GetModuleFileName(0,strTitle,250); MessageBox(0,strTitle, "Test",MB_OK); //You can call the real MyDLL_func here if you want
}
2. Use the “dumpbin” utility provided by Ms VC++ and run it on MyDLL.dll to get all the exported symbols. We would need this information later. You should be getting something similar like this: -
7
Copyright: http://kk-wuti.blogspot.com
Caution: Since we are using C++, there is C++ name decoration (symbols such as “?”, “$” etc included in the name) in the names of the functions and members exported from the C++ class. You can find more information on C++ Name Decoration from the Internet. Another way of creating export functions is to use definition file. In this case, no name decoration is applied and the names of the exported functions are exactly the same as the name of the functions specified in the definition file.
3. Use #pragma comment(…) to tell the compiler that you are forwarding functions call from your DLL. For example: #pragma comment(linker, "/export:??0CMyDLL@@QAE@XZ=Realmydll.??0CMyDLL@@QAE@XZ") ??0CMyDLL@@QAE@XZ is the name of the exported function/member from the original dll (MyDLL.dll). So this statement means reference to “??0CMyDLL@@QAE@XZ” is now forwarded to “??0CMyDLL@@QAE@XZ” in Realmydll. Note the prefix of
“Realmydll.”
8
Copyright: http://kk-wuti.blogspot.com You need to repeat doing the above for all the exported functions shown in the “dumpbin /export” inside MyDLL.dll, except for the function or functions you want to intercept, since you want to handle this yourself inside your proxy DLL.
An example is given as below: CODE: #pragma comment(linker, "/export:??0CMyDLL@@QAE@XZ=Realmydll.??0CMyDLL@@QAE@XZ") #pragma comment(linker, "/export:??4CMyDLL@@QAEAAV0@ABV0@@Z=Realmydll.??4CMyDLL@@QAEAAV0@ABV0@@ Z") #pragma comment(linker, "/export:??_C@_04JDHC@Test?$AA@=Realmydll.??_C@_04JDHC@Test?$AA@") #pragma comment(linker, "/export:??_C@_0BC@HKHC@Hello?5from?5my?5dll?$AA@=Realmydll.??_C@_0BC@HKHC@Hello? 5from?5my?5dll?$AA@") #pragma comment(linker, "/export:?MyDLL_func@CMyDLL@@QAEXXZ=_HookedMyDLL_func@0")
A good way is to create a new header file (ex. Mydll_fwd.h) in your Proxy DLL project and add the above into it.
4. Update the DllMain function in your proxy DLL project. CODE: BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { HMODULE hRealDLL; switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { hRealDLL = LoadLibrary( "RealmyDLL" ); if( !hRealDLL ) { return FALSE; } // Store the real function address for hooked function to call.
*(void **)&RealMyDLL_func = (void *)GetProcAddress( hRealDLL, "MyDLL_func" ); } case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: FreeLibrary( hRealDLL ); case DLL_PROCESS_DETACH: break; } return TRUE; }
5. To test, rebuild all your 3 projects and copy the DLL files to the same destination directory. Rename MyDLL.dll to Realmydll.dll and ProxyDll.dll to MyDll.dll. Run
9
Copyright: http://kk-wuti.blogspot.com your test application. The hooked function inside the Proxy DLL (which you have renamed to MyDLL.dll) should get invoked instead of the function in Realmydll.dll.
10