
MSVCRT hook

Discussion in 'C++' started by david_BS, Mar 17, 2013.

    An interesting example in which the STRLWR function is intercepted, as a test. I take no credit for the hook itself: it is a simple patch that I googled in about 5 seconds. What I will show is a couple of pictures on the subject. First, how the executable was compiled so that it depends on MSVCRT.DLL — the program resolves the export from that DLL at runtime and exits immediately if msvcrt.dll is not loaded, so it must be linked against the shared CRT rather than the static one.

    [​IMG]

    How the export was looked up in the DLL; you can see its ordinal index and its symbol name.

    [​IMG]

    The rest of the code is nothing special; I am attaching the project, built with VC++6.

    Code:
    //
    // By 85
    // elhacker.net
    // InterceptAPI: (googled in 5 seconds XD)
    // 2013
    //
    
    
    #pragma comment (lib,"Shlwapi.lib")
    #include<windows.h>
    #include <Shlwapi.h>
    #include<stdio.h>
    
    ///////////////////////////////////////////////////////////
    
    // Replacement that the JMP written by InterceptAPI lands on.
    // It does NOT lowercase anything: no trampoline to the original _strlwr is
    // kept, so once the hook is installed every _strlwr call in this process
    // simply returns its argument unchanged. A banner is printed on the first
    // call only, so the interception is visible. The first-call flag is a plain
    // static with no locking (single-threaded demo).
    char* mystrlwr(char* a){
    
    	static bool alreadyReported=false;
    	if(alreadyReported) return a;
    	alreadyReported=true;
    	printf("\nSTRLWR INTERCEPTADA!\n");
    	return a;
    }
    
    //
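    //
    // Overwrites the first five bytes of the export c_szApiName of the
    // already-loaded module c_szDllName with a relative JMP (E9 rel32) to
    // dwReplaced. No trampoline is built, so the original function is not
    // callable after patching; the replacement must be a drop-in for it.
    // hLocalModule is accepted for interface compatibility but is not used.
    //
    // Returns TRUE on success, FALSE if the export cannot be resolved or the
    // target page cannot be made writable. 32-bit only: addresses travel in a
    // DWORD and a rel32 displacement cannot span a 64-bit address space.
    // Not safe against another thread executing the patched bytes while they
    // are being rewritten; this demo is single-threaded.
    BOOL InterceptAPI(HMODULE hLocalModule,const char* c_szDllName,const char* c_szApiName, DWORD dwReplaced)
    {
    	(void)hLocalModule;
    	DWORD dwOldProtect;
    	// GetModuleHandle only finds modules already mapped into this process;
    	// it does not load the DLL.
    	DWORD dwAddressToIntercept=(DWORD)GetProcAddress(GetModuleHandle(c_szDllName),c_szApiName);
    	printf("add: %lx\n", dwAddressToIntercept);
    	printf("dll: %s\n", c_szDllName);
    	printf("api: %s\n", c_szApiName);
    	if(!dwAddressToIntercept) return FALSE;
    	BYTE *pbTargetCode = (BYTE *) dwAddressToIntercept;
    	BYTE *pbReplaced = (BYTE *) dwReplaced;
    	// PAGE_WRITECOPY: copy-on-write, so the patch should stay local to this
    	// process rather than alter the shared mapping of the DLL. The original
    	// ignored the result and wrote anyway; a failed VirtualProtect followed by
    	// a write into an execute-only page is an access violation.
    	if(!VirtualProtect((void *) dwAddressToIntercept, 5, PAGE_WRITECOPY, &dwOldProtect))
    		return FALSE;
    	*pbTargetCode++ = 0xE9;        // jump rel32
    	*((signed int *)(pbTargetCode)) = pbReplaced - (pbTargetCode +4);  // rel32 is relative to the end of the 5-byte JMP
    	// Restore whatever protection the page had instead of hard-coding
    	// PAGE_EXECUTE.
    	DWORD dwIgnored;
    	VirtualProtect((void *) dwAddressToIntercept, 5, dwOldProtect, &dwIgnored);
    	// Flush only the bytes that changed, not the whole cache.
    	FlushInstructionCache(GetCurrentProcess(), (void *) dwAddressToIntercept, 5);
    	return TRUE;
    }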
    
    //
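    //
    // Calls strlwr on a writable buffer so the hook (if installed) is exercised.
    // The original used `new char[] = "..."`, which is not valid C++ and, where a
    // compiler tolerated it, leaked the allocation. strlwr modifies its argument
    // in place, so the buffer must be writable — a stack array, never a string
    // literal.
    void Dummy(){
    
    	char text[] = "85 de elhacker.net :D";
    	strlwr(text);
    }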
    
    //
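    //
    // Entry point. Installs the _strlwr hook only when (a) msvcrt.dll is already
    // mapped into this process and (b) this executable's file name is
    // msvcrt_hook.exe; otherwise it exits without patching anything.
    // The names are spelled out as char arrays rather than string literals —
    // presumably to keep them out of the binary's string table; that choice of
    // the original author is preserved. Unused msvcp*.dll names were dropped.
    int main(){
    
    	Sleep(500);   // delay kept from the original; its purpose is not stated
    	char l_s[] = {'m','s','v','c','r','t','.','d','l','l',0};
    	char l_api[] = {'_','s','t','r','l','w','r',0};
    	char l_exe[] = {'m','s','v','c','r','t','_','h','o','o','k','.','e','x','e',0};
    	char FileName[MAX_PATH];
    	// The executable must really depend on msvcrt.dll (see the build notes
    	// above); GetModuleHandle does not load it.
    	if(!GetModuleHandle(l_s)) ExitProcess(0);
    	// GetModuleFileName returns 0 on failure and truncates silently on
    	// overflow; bail out rather than compare a garbage name.
    	if(!GetModuleFileName(GetModuleHandle(NULL), FileName, sizeof(FileName))) return 1;
    	PathStripPath(FileName);
    	// Windows file names are case-insensitive; the original strcmp would
    	// silently skip the hook for e.g. MSVCRT_Hook.exe.
    	if (lstrcmpi(FileName, l_exe) != 0)
    	{ /* not intercepted: executable name does not match */ return 0;}
    	if(!InterceptAPI(GetModuleHandle(NULL), l_s, l_api, (DWORD)mystrlwr))
    	{ /* not intercepted: export not found or page could not be patched */ return 1;}
    	Dummy();
    	printf("\n");
    	system("pause");
    	return 0;
    }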
    
     
