
MSVCRT hook

Discussion in 'C++' started by david_BS, Mar 17, 2013.

  1. david_BS

    david_BS New Member

    An interesting example in which the function STRLWR is intercepted as a test. I take no credit for the hook itself, since it is a simple patch that I googled in about 5 seconds. What I will show is a pair of pictures about it. This one shows how the executable was compiled so that it depends on the MSVCRT DLL.

    [​IMG]

    This one shows how the export was looked up in the DLL; you can see its index and its symbol.

    [​IMG]

    The rest of the code is nothing special; I leave the project here, made in VC++6.

    Code:
    //
    // By 85
    // elhacker.net
    // InterceptAPI: (googleado en 5 segundos XD)
    // 2013
    //
    
    
    #pragma comment (lib,"Shlwapi.lib")
    #include<windows.h>
    #include <Shlwapi.h>
    #include<stdio.h>
    
    ///////////////////////////////////////////////////////////
    
    // Replacement routine that the hook jumps to instead of the CRT's _strlwr.
    // It does NOT lower-case anything: the argument is handed back untouched,
    // and a banner is printed the first time the routine is reached so the
    // interception is visible on the console.
    char* mystrlwr(char* a){
        static bool announced = false;   // latched after the first call

        if (announced) {
            return a;
        }
        announced = true;
        printf("\nSTRLWR INTERCEPTADA!\n");
        return a;
    }
    
    //
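    /*
     * Overwrites the first 5 bytes of an export of an already-loaded DLL with
     * a relative JMP (0xE9 rel32) to dwReplaced, inside the current process.
     *
     *   hLocalModule  unused; kept so existing callers still compile.
     *   c_szDllName   name of a module that is already loaded in this process.
     *   c_szApiName   exported symbol whose entry point is redirected.
     *   dwReplaced    address of the replacement routine, as a 32-bit value.
     *
     * Returns TRUE when the jump was written, FALSE otherwise.
     *
     * Limitations visible in this code:
     *   - 32-bit only: both addresses travel as DWORD, so a 64-bit build
     *     would truncate them. The size check below refuses to run there.
     *   - The overwritten bytes are not saved, so the original function can
     *     neither be called nor restored afterwards.
     *   - The 5-byte write is not atomic; NOTE(review): a thread executing the
     *     target while it is patched could see a torn instruction - confirm
     *     that callers only use this before other threads start.
     *
     * Review note: this modifies the in-memory code of a shared CRT DLL, which
     * is what image-integrity checks (in-memory .text compared with the file
     * on disk) are built to notice, and processes that forbid making code
     * pages writable will make the VirtualProtect call fail - hence the
     * return-value check instead of writing blindly.
     */
    BOOL InterceptAPI(HMODULE hLocalModule,const char* c_szDllName,const char* c_szApiName, DWORD dwReplaced)
    {
        const DWORD dwPatchSize = 5;     // 1 opcode byte + 4 displacement bytes
        DWORD dwOldProtect = 0;
        DWORD dwIgnored = 0;

        (void)hLocalModule;

        // A DWORD cannot hold a pointer on a 64-bit build; patching with a
        // truncated address would corrupt unrelated code.
        if (sizeof(void *) != sizeof(DWORD)) return FALSE;
        if (!c_szDllName || !c_szApiName || !dwReplaced) return FALSE;

        // Resolve the export only when the module is really loaded; a NULL
        // module handle must never be passed on to GetProcAddress.
        HMODULE hTargetDll = GetModuleHandleA(c_szDllName);
        DWORD dwAddressToIntercept =
            hTargetDll ? (DWORD)GetProcAddress(hTargetDll, c_szApiName) : 0;

        printf("add: %x\n", (unsigned int)dwAddressToIntercept);
        printf("dll: %s\n", c_szDllName);
        printf("api: %s\n", c_szApiName);
        if (!dwAddressToIntercept) return FALSE;

        BYTE *pbTargetCode = (BYTE *) dwAddressToIntercept;
        BYTE *pbReplaced = (BYTE *) dwReplaced;

        // Keep the page executable while it is writable (PAGE_WRITECOPY would
        // drop the execute right for everything else on that page), and do
        // not write at all if the protection change was refused.
        if (!VirtualProtect((void *) dwAddressToIntercept, dwPatchSize,
                            PAGE_EXECUTE_READWRITE, &dwOldProtect)) {
            return FALSE;
        }

        *pbTargetCode++ = 0xE9;        // jump rel32
        // rel32 is relative to the end of the 5-byte instruction.
        *((signed int *)(pbTargetCode)) = (signed int)(pbReplaced - (pbTargetCode + 4));

        // Put back exactly the protection the page had before, rather than a
        // hard-coded value that may drop the read right the code relies on.
        if (!VirtualProtect((void *) dwAddressToIntercept, dwPatchSize,
                            dwOldProtect, &dwIgnored)) {
            printf("warning: could not restore page protection\n");
        }

        FlushInstructionCache(GetCurrentProcess(), (void *) dwAddressToIntercept, dwPatchSize);
        return TRUE;
    }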
    
    //
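    // Calls strlwr once on a writable buffer so that the redirected export is
    // exercised. The buffer is a local array: the original heap expression
    // (`new char[] = "..."`) is not standard C++ and was never freed.
    void Dummy(){
        char text[] = "85 de elhacker.net :D\0";

        strlwr(text);
    }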
    
    //
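    // Demo driver: when this executable is named msvcrt_hook.exe and
    // msvcrt.dll is loaded, redirect msvcrt!_strlwr to mystrlwr, then call
    // strlwr once through Dummy() to show that the replacement runs.
    // Returns 0 on the normal paths and 1 when the module name cannot be read
    // or the hook could not be installed.
    int main(){
        char l_s[] = "msvcrt.dll";
        char l_api[] = "_strlwr";
        char l_exe[] = "msvcrt_hook.exe";
        char FileName[MAX_PATH];

        Sleep(500);

        // Nothing to patch if the CRT DLL is not mapped into this process.
        if(!GetModuleHandleA(l_s)) ExitProcess(0);

        // A zero return is a failure and a return equal to the buffer size
        // means the path was truncated; the buffer must not be parsed then.
        DWORD dwLen = GetModuleFileNameA(NULL, FileName, sizeof(FileName));
        if (dwLen == 0 || dwLen >= sizeof(FileName)) return 1;
        PathStripPathA(FileName);

        // Windows file names are case-insensitive, so compare accordingly.
        if (lstrcmpiA(FileName, l_exe) != 0) {
            /* not intercepted */
            return 0;
        }

        // Do not go on to the demo call if the patch was not written.
        if (!InterceptAPI(GetModuleHandle(NULL), l_s, l_api, (DWORD)mystrlwr)) {
            printf("InterceptAPI failed\n");
            return 1;
        }

        Dummy();
        printf("\n");
        system("pause");
        return 0;
    }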
    
     
