Go4Expert

Go4Expert (http://www.go4expert.com/)
-   C++ (http://www.go4expert.com/articles/cpp-tutorials/)
-   -   MSVCRT hook (http://www.go4expert.com/articles/msvcrt-hook-t29556/)

david_BS 17Mar2013 10:43

MSVCRT hook
 
1 Attachment(s)
An interesting example where it is intercepted, as a test, the function STRLWR. I will take no credit out of the hook, since it is about a simple patch that I googled in like 5 seconds. What I will show is a pair of pictures at the respect. How the executable was compiled, so it will be MSVCRT DLL dependent.

http://imgs.g4estatic.com/msvcrt-hook/MSVCRThook1.png

How it was searched the ‘export’ in the DLL, you can see its index and its symbol.

http://imgs.g4estatic.com/msvcrt-hook/MSVCRThook2.png

The rest of the code is nothing special, I leave the project made in VC++6

Code:

//
// By 85
// elhacker.net
// InterceptAPI: (googleado en 5 segundos XD)
// 2013
//


#pragma comment (lib,"Shlwapi.lib")
#include<windows.h>
#include <Shlwapi.h>
#include<stdio.h>

///////////////////////////////////////////////////////////

char* mystrlwr(char* a){

        static bool onlyonce=false;
        if(!onlyonce){
                onlyonce=true;
                printf("\nSTRLWR INTERCEPTADA!\n");
        //        MessageBox(0,0,0,0);
        }
        return a;
}

//
BOOL InterceptAPI(HMODULE hLocalModule,const char* c_szDllName,const char* c_szApiName, DWORD dwReplaced)
{
    DWORD dwOldProtect;
    DWORD dwAddressToIntercept=(DWORD)GetProcAddress(GetModuleHandle((char*)c_szDllName),(char*)c_szApiName);
        printf("add: %x\n", dwAddressToIntercept);
        printf("dll: %s\n", c_szDllName);
        printf("api: %s\n", c_szApiName);
//        system("pause");
        if(!dwAddressToIntercept) return false;
    BYTE *pbTargetCode = (BYTE *) dwAddressToIntercept;
    BYTE *pbReplaced = (BYTE *) dwReplaced;
    VirtualProtect((void *) dwAddressToIntercept, 5, PAGE_WRITECOPY, &dwOldProtect);
    *pbTargetCode++ = 0xE9;        // jump rel32
    *((signed int *)(pbTargetCode)) = pbReplaced - (pbTargetCode +4);
    VirtualProtect((void *) dwAddressToIntercept, 5, PAGE_EXECUTE, &dwOldProtect);
    FlushInstructionCache(GetCurrentProcess(), NULL, NULL);
    return TRUE;
}

//
void Dummy(){

        strlwr(new char[] = "85 de elhacker.net :D\0");
}

//
int main(){

        Sleep(500);
        char l_s11[] = {'m','s','v','c','p','6','0','.','d','l','l',0};
        char l_s12[] = {'m','s','v','c','p','7','1','.','d','l','l',0};
        char l_s13[] = {'m','s','v','c','p','1','0','0','.','d','l','l',0};
        char l_s[] = {'m','s','v','c','r','t','.','d','l','l',0};
        char l_api[] = {'_','s','t','r','l','w','r',0};
        char l_exe[] = {'m','s','v','c','r','t','_','h','o','o','k','.','e','x','e',0};
        char FileName[256];
        if(!GetModuleHandle(l_s)) ExitProcess(0);
        GetModuleFileName(GetModuleHandle(NULL), FileName, sizeof(FileName));
        PathStripPath(FileName);
        if (strcmp(FileName, l_exe) == 0){
                InterceptAPI(GetModuleHandle(NULL), l_s, l_api, (DWORD)mystrlwr);
                /* else: no se ha interceptado ! */
        }
        else
        { /* no se ha interceptado ! */ return 0;}
        Dummy();
        printf("\n");
        system("pause");
        return 0;
}



All times are GMT +5.5. The time now is 09:51.