09-03-2012, 02:29 PM
This tutorial will show you how to hook a DLL into your application. The first thing you need to do is create the DLL:
A short DLL tutorial:
You will need:
main.cpp - a file that contains the entry point of your DLL
Hook.def - a module definition file, used to make the exported functions visible by name
Hook.h - used to define your common stuff (the export/import macro)
And your C++ files:
main.cpp
#include <windows.h>
#include <stdio.h>

/*
 * hinstDLL  - handle of this DLL instance (module handle)
 * fdwReason - why DllMain is being called (attach/detach)
 * Keep DllMain short: the loader lock is held while it runs.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        printf("Hook.dll has been attached\n");
        break;
    case DLL_PROCESS_DETACH:
        printf("Hook.dll has been detached\n");
        break;
    }
    return TRUE;
}
Hook.h
// to make your objects/methods visible (exported) when building the DLL,
// and imported when the header is included by an application.
// HOOK_EXPORTS is the name assumed here: define it in the DLL project only.
#ifdef HOOK_EXPORTS
#define HOOK_API __declspec(dllexport)
#else
#define HOOK_API __declspec(dllimport)
#endif
Your cpp file (Hook.cpp):
#include "Hook.h"
#include <stdio.h>

// extern "C" keeps the exported name unmangled, so the .def file and
// GetProcAddress can find it under the plain name "MyFunction"
extern "C" HOOK_API void MyFunction()
{
    printf("MyFunction\n");
}
Hook.def
It is used to make the functions visible to GetProcAddress, which will be used to retrieve the functions from the DLL.
LIBRARY "Hook"
DESCRIPTION "Simple Hook Dll"
EXPORTS
    MyFunction
Attaching the DLL
The second thing is to attach the DLL to your application:
1) Open the executable in OllyDbg.
2) Find some free space in the executable and write the DLL file name there (select a region to edit, right click -> Binary -> Edit -> type MyHook.dll without quotes), and note down the offset (let's call it offset1).
007EE120 4D DEC EBP ; ASCII "MyHook.dll",0
007EE121 79 48 JNS SHORT GameServ.007EE16B
007EE123 6F OUTS DX,DWORD PTR ES:[EDI]
007EE124 6F OUTS DX,DWORD PTR ES:[EDI]
007EE125 6B2E 64 IMUL EBP,DWORD PTR DS:[ESI],64
007EE128 6C INS BYTE PTR ES:[EDI],DX
007EE129 6C INS BYTE PTR ES:[EDI],DX
3) Find another free space in the executable and write the code that loads your DLL (write push offset1 without quotes, and save the offset of this instruction to a file; this is offset2).
007EE142 68 20E17E00 PUSH GameServ.007EE120 ; ASCII "MyHook.dll"
4) Now, to load the DLL, press CTRL+N and search for LoadLibraryA, then press Enter; another window will appear. Follow one of the CALL DWORD instructions there, copy that instruction and put it on the line after your PUSH (or, more simply, you could write call KERNEL32.LoadLibraryA, but this will give an error).
007EE142 68 20E17E00 PUSH GameServ.007EE120 ; ASCII "MyHook.dll"
007EE147 FF15 4C816200 CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
007EE14D 90 NOP ; ignore this line, ^this instruction is copied from CTRL+N
5) Go to your entry point (or somewhere near the beginning of the program) and jump to your DLL-loading code (add jmp offset2 without quotes).
6) Save EAX (the module handle returned by LoadLibraryA) somewhere in memory.
7) Complete the entry point code (the instructions overwritten by the first jump) and jump back:
007EE142 68 20E17E00 PUSH GameServ.007EE120 ; ASCII "MyHook.dll"
007EE147 FF15 4C816200 CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
007EE14D 90 NOP ; ignore this line, ^this instruction is copied from CTRL+N
007EE14E A3 30CC7E00 MOV DWORD PTR DS:[7ECC30],EAX ; Save eax in memory->dll handle
007EE153 55 PUSH EBP ; -complete code
007EE154 8BEC MOV EBP,ESP ; |
007EE156 6A FF PUSH -1 ; |
007EE158 -E9 C8C9E0FF JMP GameServ.005FAB25 ; jumps back to the program
And lastly, using the functions from the DLL in your application (calling them from the executable):
I made a piece of code so as not to write the same thing all over again (this code returns the function address).
007EE19A 55 PUSH EBP ; Save base stack pointer
007EE19B 8BEC MOV EBP,ESP ; the stack pointer becomes the new base stack
007EE19D FF75 08 PUSH DWORD PTR SS:[EBP+8] ; get the parameter, ASCII "MyFunction",0
007EE1A0 FF35 30CC7E00 PUSH DWORD PTR DS:[7ECC30] ; MyHook.73120000
007EE1A6 FF15 C4806200 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
007EE1AC A3 34CC7E00 MOV DWORD PTR DS:[7ECC34],EAX ; save the function address for later use
007EE1B1 8BE5 MOV ESP,EBP ; return to the previous stack pointer
007EE1B3 5D POP EBP ; return to the previous base pointer
007EE1B4 C2 0400 RETN 4 ; return and remove a DWORD parameter from the stack
And to use it:
007EE18A 68 DAE07E00 PUSH GameServ.007EE0DA ; ASCII "MyFunction"
007EE18F E8 06000000 CALL GameServ.007EE19A
007EE194 FFD0 CALL EAX ; MyHook.MyFunction
Hooking without knowing ASM
For this you will need to know about the Windows APIs used in the code below: OpenProcess, VirtualAllocEx, WriteProcessMemory, GetModuleHandleA, GetProcAddress, CreateRemoteThread, WaitForSingleObject, VirtualFreeEx and CloseHandle.
What you need to do first:
The first thing you need is the process ID. You can get it from Task Manager, by starting the process yourself (with ShellExecuteEx or CreateProcess), or by searching the running processes for it.
Once you have the process ID you can simply open the process with OpenProcess to get the process handle. If you already have the process handle you don't need to open the process (for instance if you used ShellExecuteEx or CreateProcess to start it with all access).
#include <windows.h>
#include <string.h>

// open the process; 1234 is the process ID
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 1234);
if (hProcess == NULL) {
    // error: could not open process
}
Now you need to allocate some memory in the process (a new region in the target's address space) for your data:
// the file that you need to hook (the backslash must be escaped in a C string)
char myFile[] = "C:\\myHook.dll";
// the size you ask for does not matter much: VirtualAllocEx rounds it up to a whole page (0x1000 bytes), so you always get at least 4 KiB
int iAllocSize = strlen(myFile) + 1; // +1 for the terminating NUL
// the region only holds a path string, so it does not need execute permission
LPVOID addr = VirtualAllocEx(hProcess, NULL, iAllocSize, MEM_COMMIT, PAGE_READWRITE);
if (addr == NULL) {
    // error: could not allocate memory
}
Now you need to copy your data into the process, so the process can find it (the process looks in its own memory, not in some other process's memory):
// write your hook file location into the process (including the terminating NUL)
BOOL bWrite = WriteProcessMemory(hProcess, addr, myFile, iAllocSize, NULL);
if (!bWrite) {
    // error: could not write to process
}
Now the hooking part:
Hooking with LoadLibrary and CreateRemoteThread: this starts the LoadLibrary function in a separate thread inside the target process. Usually it is required to suspend the process first, before you create the thread. The address of LoadLibraryA is looked up in your own process; this works because kernel32.dll is mapped at the same base address in every process of the same bitness during a boot session, so the same address is valid inside the target.
// get the address of the LoadLibraryA function (same address in the target process)
FARPROC hLoadLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
if (hLoadLibrary == NULL) {
    // return failed
}
// create the remote thread that runs LoadLibraryA, with the string written earlier as its parameter
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)hLoadLibrary, addr, 0, NULL);
if (hThread == NULL) {
    // error: could not create the thread
}
// wait until the thread (and so LoadLibraryA) finishes
DWORD Result = WaitForSingleObject(hThread, INFINITE);
if (Result != WAIT_OBJECT_0) {
    // error: thread failed
}
// close the thread handle
CloseHandle(hThread);
// free the memory allocated earlier (MEM_RELEASE requires a size of 0)
VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE);
// close the process
CloseHandle(hProcess);
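The sequence just shown (OpenProcess, VirtualAllocEx, WriteProcessMemory, then CreateRemoteThread starting at LoadLibraryA) is also what endpoint monitoring correlates to detect DLL injection. The following is an added example, not code from the original post: portable C++ that runs that correlation over a constructed API trace. The trace format (one call per line, "key=value" fields) and the "kernel32!LoadLibraryA" start-address notation are assumptions made for this example; real telemetry has its own schema but carries the same fields.

```cpp
// Detection logic for the CreateRemoteThread + LoadLibrary injection chain,
// run over a constructed API trace (added example, not from the original post).
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// One parsed API call from the trace.
struct ApiCall {
    std::map<std::string, std::string> fields;
    std::string get(const std::string& key) const {
        auto it = fields.find(key);
        return it == fields.end() ? "" : it->second;
    }
};

// Parse "k1=v1 k2=v2 ..." (assumed trace format) into an ApiCall.
ApiCall parseLine(const std::string& line) {
    ApiCall call;
    std::istringstream in(line);
    std::string token;
    while (in >> token) {
        auto eq = token.find('=');
        if (eq != std::string::npos)
            call.fields[token.substr(0, eq)] = token.substr(eq + 1);
    }
    return call;
}

// Per (injector pid, target pid) state: which stages of the chain were seen.
struct InjectState { bool allocated = false; bool written = false; };

// Returns one alert per (pid, target) pair that completes the chain
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA/W).
std::vector<std::string> detectLoadLibraryInjection(const std::vector<std::string>& trace) {
    std::map<std::pair<std::string, std::string>, InjectState> state;
    std::vector<std::string> alerts;
    for (const auto& line : trace) {
        ApiCall c = parseLine(line);
        auto key = std::make_pair(c.get("pid"), c.get("target"));
        const std::string api = c.get("api");
        if (api == "VirtualAllocEx") {
            state[key].allocated = true;
        } else if (api == "WriteProcessMemory") {
            if (state[key].allocated) state[key].written = true;
        } else if (api == "CreateRemoteThread") {
            const std::string start = c.get("start");
            bool loadLib = start == "kernel32!LoadLibraryA" || start == "kernel32!LoadLibraryW";
            if (state[key].written && loadLib)
                alerts.push_back("pid " + key.first + " injected a DLL into pid " +
                                 key.second + " via " + start);
            state.erase(key);  // the chain is complete either way; start over
        }
    }
    return alerts;
}

// Constructed sample trace: one injection (4321 -> 1234) interleaved with a
// benign debugger-style read (777 -> 1234) that must not be flagged.
const std::vector<std::string> kSampleTrace = {
    "pid=4321 api=OpenProcess target=1234 access=0x1F0FFF",
    "pid=4321 api=VirtualAllocEx target=1234 size=14 protect=0x40",
    "pid=4321 api=WriteProcessMemory target=1234 size=14",
    "pid=777 api=OpenProcess target=1234 access=0x10",
    "pid=777 api=ReadProcessMemory target=1234 size=4096",
    "pid=4321 api=CreateRemoteThread target=1234 start=kernel32!LoadLibraryA",
    "pid=4321 api=WaitForSingleObject handle=thread",
};

int main() {
    for (const auto& a : detectLoadLibraryInjection(kSampleTrace))
        std::printf("ALERT: %s\n", a.c_str());
    return 0;
}
```

The ordering check keyed on (caller, target) is what keeps the benign OpenProcess/ReadProcessMemory pair from pid 777 out of the alert; a CreateRemoteThread alone, without a preceding write into the same target, is also not flagged. A production detector would additionally inspect the written bytes for a DLL path and the requested access mask (PROCESS_ALL_ACCESS above), which this example only carries as fields.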
More documentation (start with C, then continue with C++):
C/C++
C:
C++:
Tools, Win32: Notepad++, Code::Blocks, Visual C++, Borland C++, Turbo C
Tools, Linux: Geany, Code::Blocks, KWrite, gedit, Emacs
To learn assembly I suggest this book:
Read the 16-bit edition
On Linux, AT&T syntax

