tweaks

commit 82c1e8242e5743ae001a4e6bd81457e0907ae3d4 1 parent 33e0f82
unknown authored
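--- a/hook_test/hook_test.c
+++ b/hook_test/hook_test.c
@@ -4,6 +4,7 @@
 #pragma warning (disable:4047)
 #pragma warning (disable:4024)
+#pragma warning (disable:4305)
 unsigned int __declspec(naked) CalledFrom(void){
 _asm{
@@ -27,8 +28,11 @@ void test(void){ printf("Inside Test\n");}
 void hook(void){ printf("In Hook\n");}
 HANDLE __stdcall My_LoadLibrary(char* dllName){
- printf("Inside hooked LoadLibrary! %s Called From: %X\n", dllName, CalledFrom() );
- return Real_LoadLibrary(dllName);
+ HANDLE h = 0;
+ printf("Inside hooked LoadLibrary! *dllname= %x ret_addr= %x\n", (int)dllName, CalledFrom() );
+ h = Real_LoadLibrary(dllName);
+ printf("\tDll=%s retval=%x\n", dllName, h);
+ return h;
 }
@@ -66,38 +70,24 @@ void main(void){
 HMODULE h=0;
 FARPROC f=0;
-
- if ( !InstallHook( test, hook, Test_thunk) ){
- printf("Install hook failed :(");
- return;
- }
-
- printf("Calling test!\n");
- test();
-
- printf("Trying to call the real api now!\n");
-
- RealTest();
-
- printf("And back where i belong at end\n");
-
- if (!InstallHook( LoadLibrary, My_LoadLibrary, LoadLibrary_thunk) ){
+ if (!InstallHook( LoadLibrary, My_LoadLibrary, LoadLibrary_thunk,1) ){
 printf("Install hook failed :(");
 return;
 }
- printf("Loadlibrary hook installed\n");
+ printf("Loadlibrary traditional hook installed\n");
+// _asm int 3
 h = LoadLibrary("ws2_32");
 printf("Ws2_32 handle=%X\n", h );
- if(!InstallHook( GetProcAddress, My_GetProcAddress, Real_GetProcAddress) ){
+ if(!InstallHook( GetProcAddress, My_GetProcAddress, Real_GetProcAddress,0) ){
 printf("Install hook failed :(");
 return;
 }
- printf("GetProc Hook installed\n");
+ printf("GetProc non traditional hook installed\n");
 f = GetProcAddress(h,"listen");
 printf("GetProcAddress(listen)=%X\n\n", f);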
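Review bot: In My_LoadLibrary the new trace line labels `(int)dllName` as `*dllname=` but prints the pointer value rather than the string, and the second printf hands a HANDLE to `%x`, which only lines up on a 32-bit build; printing the pointers as pointers removes both the misleading label and the narrowing cast, e.g. `printf("Inside hooked LoadLibrary! dllName=%p ret_addr=%x\n", (void*)dllName, CalledFrom() );` and `printf("\tDll=%s retval=%p\n", dllName, (void*)h);`. The newly added `#pragma warning (disable:4305)` silences MSVC's truncation warning, which is the diagnostic that would flag exactly this kind of pointer-to-int narrowing, so I would drop it rather than grow the suppression list. The commented-out `// _asm int 3` left in main is a leftover debugging breakpoint and should be removed instead of shipped as dead text. main's body continues past the end of the hunk.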
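--- a/hook_test/hook_test.dsp
+++ b/hook_test/hook_test.dsp
@@ -86,14 +86,34 @@ LINK32=link.exe
 # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 # Begin Source File
+SOURCE=..\hooker\asmserv.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\hooker\assembl.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\hooker\disasm.c
+# End Source File
+# Begin Source File
+
 SOURCE=.\hook_test.c
 # End Source File
+# Begin Source File
+
+SOURCE=..\hooker\hooker.c
+# End Source File
 # End Group
 # Begin Group "Header Files"
 # PROP Default_Filter "h;hpp;hxx;hm;inl"
 # Begin Source File
+SOURCE=..\hooker\disasm.h
+# End Source File
+# Begin Source File
+
 SOURCE=.\..\hooker.h
 # End Source File
 # End Group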
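--- a/hooker.h
+++ b/hooker.h
@@ -34,5 +34,5 @@ License: hooker.c Copyright (C) 2005 David Zimmer <david@idefense.com, dzzie@yah
 #define unique
 #endif
-unique int InstallHook(void *real, void* hook, void* thunkJMP);
+unique int InstallHook(void *real, void* hook, void* thunkJMP, int traditional_hook);
 unique char* lastError;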
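Review bot: The new `traditional_hook` parameter is an undocumented int flag, and this prototype is the only place a caller of InstallHook will look to learn what 1 versus 0 selects. From hooker.c the nonzero path patches the start of `real` with an assembled `jmp hook` and the zero path writes a 6-byte `push hook; ret` sequence, so a one-line comment above the declaration would save every caller a trip into _InstallHook: `/* traditional_hook: nonzero = overwrite real with a jmp to hook; zero = overwrite with push hook / ret (6 bytes) */`. Both variants now relocate at least 6 bytes of the target's first instructions into the thunk, which is also worth stating here so callers can judge whether a given target is suitable.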
BIN  hooker.lib
Binary file not shown
BIN  hooker/asmserv.obj
Binary file not shown
BIN  hooker/assembl.obj
Binary file not shown
BIN  hooker/disasm.obj
Binary file not shown
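--- a/hooker/hooker.c
+++ b/hooker/hooker.c
@@ -55,11 +55,15 @@ int RestorePerm(char* offset, int size, int oldPerm){
 return VirtualProtect(offset, size, oldPerm, &oldPerm) ;
 }
-int _InstallHook(char* real, char* hook, char* thunk){
+int _InstallHook(char* real, char* hook, char* thunk, int traditional_hook){
 t_disasm disasm;
 t_asmmodel am;
+ /* 68 aa bb cc dd push xxxxxxxx (push ret hook = 6 bytes) (non-traditional)
+ c3 ret
+ cc int3 */
+ char hook_code[6] = {0x68,0xAA,0xBB,0xCC,0xDD,0xC3};
 char myAsm[TEXTLEN] , errtext[TEXTLEN];
 char *pointer = real;
@@ -68,9 +72,9 @@ int _InstallHook(char* real, char* hook, char* thunk){
 if(!EnableWrite(thunk,20)){
 sprintf(lastError,"Could not set writable memory perm on thunk?");
 return 0;
- }
+ }
- while(length<5){ //copy min space of first instructions of real fx to our thunk
+ while(length<6){ //copy min space of first instructions of real fx to our thunk
 l = Disasm(pointer,10, (unsigned long)pointer, &disasm, DISASM_CODE);
 if(l<1){
 sprintf(lastError,"Disasm Error?");
@@ -125,12 +129,16 @@ int _InstallHook(char* real, char* hook, char* thunk){
 //now we replace the first bytes of the real function with a
 //rdirection to our hook replacement
- sprintf(myAsm,"jmp 0%X", (int)hook); //jmp hook
- asmLen = Assemble(myAsm,(int)real,&am,0,0,errtext); //asm to embed at real fx start
-
- if(asmLen<1){
- sprintf(lastError,"Asm Length failed? %d %s", asmLen,errtext);
- return 0;
+ if(traditional_hook){
+ sprintf(myAsm,"jmp 0%X", (int)hook); //jmp hook
+ asmLen = Assemble(myAsm,(int)real,&am,0,0,errtext); //asm to embed at real fx start
+
+ if(asmLen<1){
+ sprintf(lastError,"Asm Length failed? %d %s", asmLen,errtext);
+ return 0;
+ }
+ }else{
+ memcpy( &hook_code[1], (int)&hook, 4); //embed our address in tmp buf
 }
 oldPerm = EnableWrite(real,asmLen);
@@ -140,8 +148,13 @@ int _InstallHook(char* real, char* hook, char* thunk){
 return 0 ;
 }
- while(length--) real[length] = 0xCC; //be tidy for debugging sake
- memcpy(real, am.code, asmLen); //embed our patch at beginning of real function
+ while(length--) real[length] = 0xCC; //be tidy for debugging sake (CC full stolen buffer from real function)
+
+ if(traditional_hook){
+ memcpy(real, am.code, asmLen); //embed our patch at beginning of real function
+ }else{
+ memcpy(real, hook_code, 6);
+ }
 RestorePerm(real,asmLen,oldPerm);
@@ -150,7 +163,7 @@ int _InstallHook(char* real, char* hook, char* thunk){
 }
-int InstallHook(void *real, void* hook, void* thunkJMP){
+int InstallHook(void *real, void* hook, void* thunkJMP, int traditional_hook){
 t_disasm disasm;
 int l=0;
@@ -169,9 +182,9 @@ int InstallHook(void *real, void* hook, void* thunkJMP){
 switch(disasm.cmdtype){
 case C_JMP:
 realAllocation = disasm.jmpconst;
- return _InstallHook( (char*) real, (char*) hook, realAllocation);
+ return _InstallHook( (char*) real, (char*) hook, realAllocation, traditional_hook);
 default:
- return _InstallHook( (char*) real, (char*) hook, (char*)thunkJMP);
+ return _InstallHook( (char*) real, (char*) hook, (char*)thunkJMP, traditional_hook);
 }
 }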
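Review bot: In the non-traditional branch of _InstallHook nothing assigns `asmLen`, yet the code right after the branch still calls `EnableWrite(real,asmLen)` and later `RestorePerm(real,asmLen,oldPerm)` while the patch actually written is the 6-byte `hook_code`, so unless asmLen is set somewhere before this hunk (its declaration is outside it) the page-permission window is sized by a stale or zero value instead of by the bytes being copied. The else branch should record the length it is about to write, `asmLen = sizeof hook_code;`, and the final copy should use the same constant, `memcpy(real, hook_code, sizeof hook_code);`, so the three sizes cannot drift apart again. In that same branch `memcpy( &hook_code[1], (int)&hook, 4)` casts the address of `hook` to int and relies on the compiler silently converting it back to a pointer (the indirection-level warning this project disables in hook_test.c); `memcpy(&hook_code[1], &hook, sizeof hook);` copies the same 4 bytes on this 32-bit target without the round trip. The re-indented `sprintf(lastError, ...)` calls write into a buffer whose size is not visible here; a bounded `snprintf` with that size would keep a long errtext from overrunning it.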
BIN  hooker/hooker.obj
Binary file not shown
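--- a/main.cpp
+++ b/main.cpp
@@ -1083,8 +1083,9 @@ FARPROC __stdcall My_GetProcAddress(HMODULE a0,LPCSTR a1)
 void usage(void){
 printf(" Generic Shellcode Logger v0.1c BETA\r\n");
- printf(" Author David Zimmer <david@idefense.com, dzzie@yahoo.com>\r\n");
- printf(" Uses the GPL Asm/Dsm Engines from OllyDbg (C) 2001 Oleh Yuschuk\r\n\r\n");
+ printf(" Author David Zimmer <dzzie@yahoo.com> Developed @ iDefense.com\r\n");
+ printf(" Uses the GPL Asm/Dsm Engines from OllyDbg (C) 2001 Oleh Yuschuk\r\n");
+ printf(" ---- Compilation date: %s %s ----\r\n\r\n", __DATE__, __TIME__);
 SetConsoleTextAttribute(STDOUT, 0x0F); //white
@@ -1105,7 +1106,8 @@ void usage(void){
 printf(" /log <file> \tWrite all output to logfile\r\n");
 printf(" /dll <dllfile> \tCalls LoadLibrary on <dllfile> to add to memory map\r\n");
 printf(" /foff hexnum \tStarts execution at file offset\r\n");
- printf(" /hooks \tshows implemented hooks\r\n\r\n");
+ printf(" /va \t\t0xBase-0xSize VirtualAlloc memory at 0xBase of 0xSize\r\n");
+ printf(" /hooks \t\tshows implemented hooks\r\n\r\n");
 SetConsoleTextAttribute(STDOUT, 0x07); //default gray
@@ -1197,6 +1199,32 @@ void main(int argc, char **argv){
 printf("LoadLibrary(%s) = 0x%x\n", argv[i+1], hh);
 }
+ if(strstr(argv[i],"/va") > 0 ){
+ if(i+1 >= argc){
+ printf("Invalid option /va must specify 0xBase-0xSize as next arg\n");
+ exit(0);
+ }
+ char *ag = strdup(argv[i+1]);
+ char *sz;
+ unsigned int size=0;
+ unsigned int base=0;
+ if (( sz = strstr(ag, "-")) != NULL)
+ {
+ *sz = '\0';
+ sz++;
+ size = strtol(sz, NULL, 16);
+ base = strtol(ag, NULL, 16);
+ int r = (int)VirtualAlloc((void*)base, size, MEM_RESERVE | MEM_COMMIT, 0x40 );
+ printf("VirtualAlloc(base=%x, size=%x) = %x - %x\n", base, size, r, r+size);
+ if(r==0){ printf("ErrorCode: %x\nAborting...\n", GetLastError()); exit(0);}
+ //0x57 = ERROR_INVALID_PARAMETER
+
+ }else{
+ printf("Invalid option /va must specify 0xBase-0xSize as next arg\n");
+ exit(0);
+ }
+ }
+
 }
 printf("Loading urlmon... 0x%x\r\n", LoadLibrary("urlmon.dll") );
@@ -1329,7 +1357,7 @@ void DoHook(void* real, void* hook, void* thunk, char* name){
 printf("\t%s\r\n",name);
 hook_count++;
 }else{
- if ( !InstallHook( real, hook, thunk) ){ //try to install the real hook here
+ if ( !InstallHook( real, hook, thunk, 0) ){ //try to install the real hook here
 infomsg("Install %s hook failed...Error: %s\r\n", name, &lastError);
 ExitProcess(0);
 }
@@ -1384,7 +1412,7 @@ void InstallHooks(void)
 //ADDHOOK(URLDownloadToFileA);
 void* real = GetProcAddress( GetModuleHandle("urlmon.dll"), "URLDownloadToFileA");
- if ( !InstallHook( real, My_URLDownloadToFileA, Real_URLDownloadToFileA) ){
+ if ( !InstallHook( real, My_URLDownloadToFileA, Real_URLDownloadToFileA,0) ){
 infomsg("Install hook URLDownloadToFileA failed...Error: \r\n");
 ExitProcess(0);
 }
@@ -1402,7 +1430,7 @@ void InstallHooks(void)
 //ADDHOOK(URLDownloadToCacheFile);
 real = GetProcAddress( GetModuleHandle("urlmon.dll"), "URLDownloadToCacheFileA");
- if ( !InstallHook( real, My_URLDownloadToCacheFile, Real_URLDownloadToCacheFile) ){
+ if ( !InstallHook( real, My_URLDownloadToCacheFile, Real_URLDownloadToCacheFile,0) ){
 infomsg("Install hook URLDownloadToCacheFile failed...Error: \r\n");
 ExitProcess(0);
 }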
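Review bot: The new /va parser in main passes NULL as the end pointer to both `strtol` calls, so a malformed base or size (a stray character, an empty half, a value that does not fit) silently becomes 0 and the code then either lets VirtualAlloc pick an arbitrary address or asks for a zero-length region instead of reporting the bad argument; checking the end pointer (with `strtoul`, since both targets are unsigned) before the allocation makes the option fail loudly, as sketched below. The protection argument `0x40` is `PAGE_EXECUTE_READWRITE` and should be written by name so a reader sees at a glance that the region is deliberately created writable and executable. Smaller points in the same block: `strstr(argv[i],"/va") > 0` compares a pointer against 0 and also matches any argument that merely contains `/va`, so `strcmp(argv[i], "/va") == 0` is the intended test; the `strdup` result `ag` is never freed; and the failure paths call `exit(0)`, which reports success to whatever launched the logger. main begins before this hunk and continues after it.
```cpp
                // … unchanged: split of ag at '-' into base/size halves …
                char *end = NULL;
                size = strtoul(sz, &end, 16);
                if (end == sz || *end != '\0') {
                    printf("Invalid /va size: %s\n", sz);
                    exit(1);
                }
                base = strtoul(ag, &end, 16);
                if (end == ag || *end != '\0') {
                    printf("Invalid /va base: %s\n", ag);
                    exit(1);
                }
                int r = (int)VirtualAlloc((void*)base, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                // … unchanged: result printing, GetLastError handling, else branch …
```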
