Need help with HookCode

c++ / delphi package - dll injection and api hooking
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Need help with HookCode

Post by Davita »

Hi

I have an executable from which I want to acquire some variable value. I have disassembled the executable file and it looks like this:


debug386:078AEBA5 loc_78AEBA5:                            ; CODE XREF: debug386:078AEB9Ej
debug386:078AEBA5 mov     eax, [ebp+5050h]
debug386:078AEBAB neg     eax
debug386:078AEBAD mov     [ebp+5050h], eax
debug386:078AEBB3 mov     ecx, [ebp+5050h]
debug386:078AEBB9 mov     eax, [ebp+5028h]
debug386:078AEBBF add     eax, ecx
debug386:078AEBC1 mov     [ebp+5028h], eax
debug386:078AEBC7 mov     eax, [ebp+5028h]
debug386:078AEBCD mov     ecx, [ebp+2A7Dh]
debug386:078AEBD3 cmp     eax, ecx
debug386:078AEBD5 mov     eax, 1
debug386:078AEBDA jl      loc_78AEBE5
debug386:078AEBE0 mov     eax, 0
debug386:078AEBE5
The variable I need to acquire is located at the [ebp+5028h] address. If I were able to hook that function/address space, I could use inline asm to extract its value.
Now I have 2 problems. The first one is that the segment which contains the code, debug386, is visible in IDA only when I debug the application. I can't see it in the disassembly view if the application is not running with the debugger attached. I have the impression that this segment is unpacked from somewhere at runtime, but I think this is not a problem, assuming that I can sequentially scan process memory and find the correct address by matching the bytes of this code. My main problem is that I don't know how to hook loc_78AEBA5. If I acquire the correct memory address of loc_78AEBA5, then what? What signatures should the callback and next-function pointers have?

Any help would be greatly appreciated.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Need help with HookCode

Post by madshi »

This does not look like one exact function because there's no clear beginning (e.g. a stack frame) and no clear end (e.g. a "ret" instruction). Hooking it with Delphi or C++ code might not work because a Delphi/C++ function only preserves the content of some registers, but not of all. You could try hooking this with an empty parameter list. Maybe it will work because this code section doesn't seem to rely on a specific content of registers. However, some code after this might. In that case, you may have to create a callback function written in inline assembler which carefully preserves all registers (e.g. pushad + pushfd at the start of your callback function and popfd + popad at the end).
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: Need help with HookCode

Post by Davita »

Could you elaborate a bit more, madshi? I have never created a callback in assembly.
How should I preserve registers? Does madCodeHook alter CPU registers in any way? Or should I restore every register to its initial state when I'm done in the callback?

Thank you very much again :)
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Need help with HookCode

Post by madshi »

In Delphi you would do:


var NextHook : procedure;   // filled in by HookCode, points to the relocated original instructions

procedure YourHookCallback;
asm
  pushad                    // save all general-purpose registers
  pushfd                    // save the flags
  call NextHook             // run the original code that the hook displaced
  popfd                     // restore the flags
  popad                     // restore all registers untouched
end;
And then hope that it's enough to make it work. madCodeHook itself also does some additional stuff, but it should not hurt much. If it does you can reduce the amount of stuff madCodeHook does by using the "NO_SAFE_UNHOOKING" flag when calling HookCode().
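As an added illustration (not madshi's code and not part of madCodeHook itself), the snippet above extended to do what the thread is actually after: copy the dword at [ebp+5028h] into a global while every register is preserved, then continue with the displaced instructions. The HookCode argument order (code address, callback, next-hook variable, flags) and the NO_SAFE_UNHOOKING constant are taken from the madCodeHook documentation as the poster describes them; `codeAddr` is assumed to be the runtime address of loc_78AEBA5 found by the memory scan mentioned in the first post. It uses `jmp` instead of `call` so the stack is left exactly as the hooked, mid-function code expects.

```delphi
uses madCodeHook;   // 32-bit only: pushad/pushfd and the ebp-relative offset are x86-32

var
  NextHook      : procedure;   // set by HookCode to the trampoline holding the displaced bytes
  CapturedValue : LongInt;     // last value observed at [ebp+5028h]

procedure CaptureCallback;
asm
  pushad                       // preserve all general-purpose registers
  pushfd                       // preserve the flags (cmp/jl follow in the original code)
  mov   eax, [ebp + $5028]     // ebp is the data base pointer of the hooked code, not a frame
  mov   CapturedValue, eax     // hand the value to normal Delphi code
  popfd
  popad                        // every register is now exactly as the hooked code left it
  jmp   [NextHook]             // no return address pushed, so the stack is untouched as well
end;

// Installs the hook at the scanned address; returns false if madCodeHook refused it
// (e.g. the page is not yet unpacked or the bytes do not match).
function InstallCapture(codeAddr: pointer) : boolean;
begin
  CapturedValue := 0;
  result := HookCode(codeAddr, @CaptureCallback, @NextHook, NO_SAFE_UNHOOKING);
end;

// Removes the hook again; call this before the unpacked segment can disappear.
function RemoveCapture : boolean;
begin
  result := UnhookCode(@NextHook);
end;
```

Because the callback writes a global, read CapturedValue from the same process (the injected DLL) after the hooked block has executed at least once; the value is only meaningful after the first pass through loc_78AEBA5.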
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: Need help with HookCode

Post by Davita »

Thank you very much, madshi. Actually I'm using C, but I think I can accomplish the same thing with a naked function. I will try it soon and let you know the results :)