MadCode Hook didn't work on WINME

c++ / delphi package - dll injection and api hooking
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

changed:
- result must start at -1 because every time the function is called the nextaddress will change
- added VirtualProtect because some dlls (comctl32.dll) protect the import table
- added some IsBadReadPtr calls for preventing crashes

Code:

function HookExtendedImportTable(hmodule: integer; oldaddress, newaddress: pointer; var nextaddress: pointer): integer; stdcall;
// Walks the base relocation table of the module at hmodule. Every HIGHLOW fixup
// that sits in the operand of "jmp dword ptr [x]" (FF 25) or "call dword ptr [x]"
// (FF 15) names an import slot; if that slot holds oldaddress it is replaced by
// newaddress. Result is the number of patched slots minus one (-1 = none found).
type TRelocBlock = record
                     vaddress: integer;   // page RVA the entries of this block are relative to
                     size: integer;       // size of the block in bytes, header included
                   end;
     PRelocBlock = ^TRelocBlock;
var myreloc: PRelocBlock;
    relocend: cardinal;
    reloccount: integer;
    startp: ^word;
    i: integer;
    p: ^integer;
    IDH: PImageDosHeader;
    INH: PImageNtHeaders;
    old: cardinal;
begin
  result := -1;
  IDH := pointer(hmodule);
  if (not IsBadReadPtr(IDH,4)) and (IDH^.e_magic = IMAGE_DOS_SIGNATURE) then
  begin
    INH := pointer(cardinal(hmodule)+cardinal(IDH^._lfanew));
    // modules without a relocation directory (e.g. fixed-base executables) have nothing to scan
    if (not IsBadReadPtr(INH,sizeof(TImageNtHeaders))) and (INH^.Signature = IMAGE_NT_SIGNATURE) and
       (INH^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress <> 0) then
    begin
      myreloc := pointer(cardinal(hmodule)+INH^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
      relocend := cardinal(myreloc)+INH^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
      startp := pointer(integer(myreloc)+8);
      // one block per 4K page; a zero page RVA or a zero-sized block ends the walk
      while (cardinal(myreloc) < relocend) and (not IsBadReadPtr(myreloc,8)) and
            (myreloc^.vaddress <> 0) and (myreloc^.size >= 8) do
      begin
        reloccount := (myreloc^.size-8) div sizeof(word);
        for i := 0 to reloccount-1 do
        begin
          // entry: relocation type in the top 4 bits, offset within the page in the low 12 bits
          if (not IsBadReadPtr(startp,2)) and ((startp^ shr 12) = IMAGE_REL_BASED_HIGHLOW) then
          begin
            p := pointer(myreloc^.vaddress+(startp^ and $FFF)+hmodule);
            // p is the 32 bit operand; the two bytes in front must be FF 25 (jmp [x]) or FF 15 (call [x])
            if (not IsBadReadPtr(pointer(integer(p)-2),6)) and
               (pbyte(integer(p)-2)^ = $FF) and
               ((pbyte(integer(p)-1)^ = $25) or (pbyte(integer(p)-1)^ = $15)) and
               (not IsBadReadPtr(pointer(p^),4)) and
               (not IsBadReadPtr(ppointer(p^)^,4)) and
               (ppointer(p^)^ = oldaddress) then
            begin
              // the slot may be in a read-only page (comctl32.dll), so make it writable first
              if VirtualProtect(ppointer(p^),4,PAGE_EXECUTE_READWRITE,old) then
              begin
                ppointer(p^)^ := newaddress;
                inc(result);
                VirtualProtect(ppointer(p^),4,old,old);
              end;
            end;
          end;
          startp := pointer(integer(startp)+sizeof(word));
        end;
        // the next block starts directly behind the entries of this one
        myreloc := pointer(startp);
        startp := pointer(integer(startp)+8);
      end;
    end;
  end;
  // the original code is untouched by an import table hook, so "next" is simply the original
  nextaddress := oldaddress;
end;
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

I already have the first examples where it is useful, e.g. for:

CreateProcessInternalWSecure / LZDone
LZStart etc.

Your CodeHook returns True there, meaning the hook supposedly succeeded, which unfortunately isn't the case.

With HookExtendedImportTable it works, and in theory it would also work with madCodeHook because the bytes after it are all nops.
cool_tester
Posts: 75
Joined: Sun Oct 31, 2004 5:45 am

Post by cool_tester »

Hi Uall,
I hope you are feeling better and the hospital hasn't reached the bottom of your pockets.

Anyway, I tried your function with the API 'OpenClipboard' and it didn't work.... just thought you may want to know.

Code:

  @OldClipBoard := GetProcAddress(GetModuleHandleA('user32.dll'),'OpenClipboard');
  HookExtendedImportTable(GetModuleHandle(nil),@OldClipBoard,@MyClipBoard,@MyClipBoardNext);

Keep up the good work.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

GetModuleHandle(nil) must be the handle of the module which is calling OpenClipBoard

GetModuleHandle(nil) -> executable
GetModuleHandle('kernel32.dll') -> kernel32.dll

etc.
cool_tester
Posts: 75
Joined: Sun Oct 31, 2004 5:45 am

Post by cool_tester »

You are right, after I hooked the right module it worked. Also I thought you might want to know that it works under Win9x as well...
One more question: how do you unhook? Or is it safe to just close the application without unhooking?
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

I think you can use this function to unhook the code again:
just exchange oldaddress and newaddress, and let nextaddress be the same.

If it's not working post again and I'll create an unhook function tomorrow, and thank you for testing with 9x :)


Also there *should* be no problem when you don't unhook and close the application.
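The relocation walk that HookExtendedImportTable performs, together with the "exchange oldaddress and newaddress" unhook described just above, as an added example in portable C. This is not the forum's code and not part of madCodeHook: it re-implements the same scan over a constructed in-memory PE32 image (DOS header, NT header with a .reloc directory, three import slots, and FF 15 / FF 25 / A1 instructions that go through them) so that it runs off Windows. Absolute operands are translated to buffer offsets instead of being dereferenced directly, and every address in it (image base 0x00400000, the "function" values 0x77D5050B and 0x10001000) is made up. The PE32 header offsets are the ones from the PE/COFF specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE32 layout constants from the PE/COFF spec: e_lfanew lives at 0x3C in the DOS
 * header; behind the NT signature come 20 bytes of file header, then the optional
 * header whose Magic is first and whose DataDirectory starts 96 bytes in. */
#define OFF_E_LFANEW   0x3C
#define OFF_OPT_MAGIC  (4 + 20)
#define OFF_DATADIR    (4 + 20 + 96)
#define DIR_BASERELOC  5
#define REL_HIGHLOW    3
#define PE32_MAGIC     0x10B

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* The walk from the forum's HookExtendedImportTable: each HIGHLOW fixup marks a
 * 32-bit absolute operand; when the two bytes before it are FF 25 (jmp [x]) or
 * FF 15 (call [x]) that operand is the address of an import slot, and a slot
 * holding old_va gets new_va.  img is the image as if mapped at base; absolute
 * addresses are translated to buffer offsets instead of being dereferenced.
 * Returns the number of patched slots (the forum version returns count - 1),
 * or -1 for something that is not a PE32 image. */
int hook_import_slots(uint8_t *img, size_t len, uint32_t base, uint32_t old_va, uint32_t new_va)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + OFF_E_LFANEW);
    if ((uint64_t)nt + OFF_DATADIR + 8 * (DIR_BASERELOC + 1) > len) return -1;
    if (memcmp(img + nt, "PE\0\0", 4) != 0 || rd16(img + nt + OFF_OPT_MAGIC) != PE32_MAGIC) return -1;
    uint32_t rva  = rd32(img + nt + OFF_DATADIR + 8 * DIR_BASERELOC);
    uint32_t size = rd32(img + nt + OFF_DATADIR + 8 * DIR_BASERELOC + 4);
    if (rva == 0 || (uint64_t)rva + size > len) return 0;   /* no relocation directory: nothing to scan */

    int patched = 0;
    uint32_t pos = rva, end = rva + size;
    while (pos + 8 <= end) {                                /* one IMAGE_BASE_RELOCATION block per page */
        uint32_t page = rd32(img + pos), bsize = rd32(img + pos + 4);
        if (page == 0 || bsize < 8 || pos + bsize > end) break;   /* a zero-sized block would never advance */
        for (uint32_t e = pos + 8; e + 2 <= pos + bsize; e += 2) {
            uint16_t entry = rd16(img + e);                 /* type in the top nibble, page offset below */
            if ((entry >> 12) != REL_HIGHLOW) continue;
            uint32_t target = page + (entry & 0xFFF);       /* RVA of the relocated operand */
            if (target < 2 || (uint64_t)target + 4 > len) continue;
            if (img[target - 2] != 0xFF || (img[target - 1] != 0x25 && img[target - 1] != 0x15)) continue;
            uint32_t slot_va = rd32(img + target);
            if (slot_va < base || (uint64_t)(slot_va - base) + 4 > len) continue;   /* slot is not in this image */
            uint8_t *slot = img + (slot_va - base);
            if (rd32(slot) == old_va) { wr32(slot, new_va); patched++; }
        }
        pos += bsize;
    }
    return patched;
}

/* Constructed image (not a real module): three import slots, a call through the
 * first, a jmp through the second, a "mov eax,[slot]" through the third (which
 * must stay untouched), and one .reloc block for the page holding that code. */
enum { IMG_LEN = 0x2000, BASE = 0x00400000, NT_OFF = 0x80, SLOT_A = 0x1200, SLOT_B = 0x1204, SLOT_C = 0x1208,
       CALL_AT = 0x1300, JMP_AT = 0x1310, MOV_AT = 0x1320, RELOC_AT = 0x1400, PAGE = 0x1000 };

void build_image(uint8_t *img, uint32_t old_va)
{
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + OFF_E_LFANEW, NT_OFF);
    memcpy(img + NT_OFF, "PE\0\0", 4);
    wr16(img + NT_OFF + OFF_OPT_MAGIC, PE32_MAGIC);
    wr32(img + NT_OFF + OFF_DATADIR + 8 * DIR_BASERELOC, RELOC_AT);
    wr32(img + NT_OFF + OFF_DATADIR + 8 * DIR_BASERELOC + 4, 16);
    wr32(img + SLOT_A, old_va); wr32(img + SLOT_B, old_va); wr32(img + SLOT_C, old_va);
    img[CALL_AT] = 0xFF; img[CALL_AT + 1] = 0x15; wr32(img + CALL_AT + 2, BASE + SLOT_A);   /* call dword ptr [SLOT_A] */
    img[JMP_AT]  = 0xFF; img[JMP_AT + 1]  = 0x25; wr32(img + JMP_AT + 2,  BASE + SLOT_B);   /* jmp  dword ptr [SLOT_B] */
    img[MOV_AT]  = 0xA1;                          wr32(img + MOV_AT + 1,  BASE + SLOT_C);   /* mov  eax,[SLOT_C]       */
    wr32(img + RELOC_AT, PAGE); wr32(img + RELOC_AT + 4, 16);         /* block header: page RVA, 16 bytes */
    wr16(img + RELOC_AT + 8,  (REL_HIGHLOW << 12) | (CALL_AT + 2 - PAGE));
    wr16(img + RELOC_AT + 10, (REL_HIGHLOW << 12) | (JMP_AT + 2 - PAGE));
    wr16(img + RELOC_AT + 12, (REL_HIGHLOW << 12) | (MOV_AT + 1 - PAGE));
    wr16(img + RELOC_AT + 14, 0);                                     /* IMAGE_REL_BASED_ABSOLUTE padding */
}

uint32_t slot_value(const uint8_t *img, uint32_t rva) { return rd32(img + rva); }

int main(void)
{
    uint8_t img[IMG_LEN];
    const uint32_t orig = 0x77D5050B, hook = 0x10001000;   /* made-up function addresses */
    build_image(img, orig);
    printf("hook:   %d slots patched\n", hook_import_slots(img, IMG_LEN, BASE, orig, hook));
    printf("unhook: %d slots patched\n", hook_import_slots(img, IMG_LEN, BASE, hook, orig));   /* old/new swapped */
    return 0;
}
```

The mov eax,[SLOT_C] decoy shows why the FF 25 / FF 15 check matters: its operand is relocated too, but it is not an import thunk, so its slot is left alone. Calling the function a second time with old and new exchanged restores every slot, which is the unhook; calling it again with the original arguments on an already hooked image finds nothing and returns 0.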
cool_tester
Posts: 75
Joined: Sun Oct 31, 2004 5:45 am

Post by cool_tester »

Yep, flipping the functions around seems to unhook it...

Also tested on WinMe, Win95, Win98SE, Win2K, WinXP Home SP2,

and all passed the test with flying colors.

Thanks.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

I have created a complete unit,
but I can't test it on 9x and I don't know if it is working because of the assembler part

http://uall.overclock.ch/ExtIAThook.pas

Would be nice if someone could test it.

Example of the 3 API calls which get hooked by this method:

Code:

var oldMessageBoxA: function(a: integer; b,c: pchar; d: integer): integer; stdcall;
var nextMessageBoxA: function(a: integer; b,c: pchar; d: integer): integer; stdcall;

// replacement: appends a marker to the text and forwards to the original
function myMessageBoxA(a: integer; b,c: pchar; d: integer): integer; stdcall;
begin
  result := nextMessageBoxA(a,pchar(string(b)+' - hooked'),c,d);
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  // 1) call through an address fetched before the hook was installed
  @oldMessageBoxA := GetProcAddress(GetModuleHandle('User32.dll'),'MessageBoxA');
  HookExtendedImportTable(@oldMessageBoxA,@myMessageBoxA,@nextMessageBoxA);
  oldMessageBoxA(0,'sadASD',nil,0);

  // 2) call through an address fetched after the hook was installed
  @oldMessageBoxA := GetProcAddress(GetModuleHandle('User32.dll'),'MessageBoxA');
  oldMessageBoxA(0,'aaaa',nil,0);

  // 3) normal call through the import table of the exe
  MessageBox(0,'test',nil,0);
end;
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote:but I can't test it on 9x
Don't you have VMware or VirtualPC running? I couldn't live without one of those...
uall wrote:would be nice if someone could test it
I will have a look sooner or later, but can't promise when exactly, cause I'm back at a completely different work right now.
cool_tester
Posts: 75
Joined: Sun Oct 31, 2004 5:45 am

Post by cool_tester »

I'm testing it for you and will let you know what i found out.

Thanks.
cool_tester
Posts: 75
Joined: Sun Oct 31, 2004 5:45 am

Post by cool_tester »

Ok, here are the results:

Works on Win2k, WinXP

I got an AV when I tried on Win95, Win98; here is the error report from madExcept:

Code:

exception class   : EAccessViolation
exception message : Access violation at address 0047ADD0 in module 'PROJECT1.EXE'. Read of address FFFFFFFF.

main thread ($fffd7553):
0047add0 PROJECT1.EXE Unit1     203 HookExtendedImportTableAllModules
0047ae1f PROJECT1.EXE Unit1     239 HookExtendedImportTable
0047aed9 PROJECT1.EXE Unit1     253 TForm1.Button1Click
0045b3cc PROJECT1.EXE Controls 4621 TControl.Click
0045338c PROJECT1.EXE StdCtrls 3347 TButton.Click
00453480 PROJECT1.EXE StdCtrls 3399 TButton.CNCommand
0045b234 PROJECT1.EXE Controls 4561 TControl.WndProc
0045e083 PROJECT1.EXE Controls 6242 TWinControl.WndProc
00453300 PROJECT1.EXE StdCtrls 3327 TButtonControl.WndProc
0045b004 PROJECT1.EXE Controls 4468 TControl.Perform
0045e1bb PROJECT1.EXE Controls 6288 DoControlMsg
0045e817 PROJECT1.EXE Controls 6474 TWinControl.WMCommand
004751b8 PROJECT1.EXE Forms    4035 TCustomForm.WMCommand
0045b234 PROJECT1.EXE Controls 4561 TControl.WndProc
0045e083 PROJECT1.EXE Controls 6242 TWinControl.WndProc
004732dd PROJECT1.EXE Forms    3044 TCustomForm.WndProc
0045dd00 PROJECT1.EXE Controls 6139 TWinControl.MainWndProc
004491cc PROJECT1.EXE Classes       StdWndProc
0045b7d4 PROJECT1.EXE Controls 4752 TControl.WMLButtonUp
0045b74a PROJECT1.EXE Controls 4735 TControl.WMMouseMove
0045b234 PROJECT1.EXE Controls 4561 TControl.WndProc
0045e083 PROJECT1.EXE Controls 6242 TWinControl.WndProc
004732dd PROJECT1.EXE Forms    3044 TCustomForm.WndProc
0045dd00 PROJECT1.EXE Controls 6139 TWinControl.MainWndProc
004793db PROJECT1.EXE Forms    6696 TApplication.ProcessMessage
004793fa PROJECT1.EXE Forms    6715 TApplication.HandleMessage
0047961a PROJECT1.EXE Forms    6799 TApplication.Run
0047b1bf PROJECT1.EXE Project1   14 Project1

modules:
00400000 PROJECT1.EXE             C:\WINDOWS\DESKTOP
65340000 OLEAUT32.DLL 2.40.4275.1 C:\WINDOWS\SYSTEM
65f00000 OLE32.DLL    4.71.1120.0 C:\WINDOWS\SYSTEM
70200000 WININET.DLL  4.71.1712.5 C:\WINDOWS\SYSTEM
7e2e0000 WSOCK32.DLL  4.0.0.950   C:\WINDOWS\SYSTEM
7fed0000 COMDLG32.DLL 4.0.0.950   C:\WINDOWS\SYSTEM
bfb60000 SHLWAPI.DLL  4.71.1712.0 C:\WINDOWS\SYSTEM
bfb90000 COMCTL32.DLL 4.71.1712.3 C:\WINDOWS\SYSTEM
bfed0000 ADVAPI32.DLL 4.71.118.0  C:\WINDOWS\SYSTEM
bfee0000 VERSION.DLL  4.0.0.950   C:\WINDOWS\SYSTEM
bff30000 GDI32.DLL    4.0.0.950   C:\WINDOWS\SYSTEM
bff60000 USER32.DLL   4.0.0.950   C:\WINDOWS\SYSTEM
bff70000 KERNEL32.DLL 4.0.0.950   C:\WINDOWS\SYSTEM


disassembling:
************************
0047adc6 197   mov     ecx, [eax]
0047adc8 198   xor     ebx, ebx
0047adca 200   cmp     ecx, eax
0047adcc 201   jz      loc_47adf7
0047adce 202   mov     edx, ecx
0047add0 203 > cmp     dword ptr ds:[edx+8], 0
0047add5 204   mov     ecx, ds:[ecx]
0047add8 205   jz      loc_47adca
0047adda 206   push    edx
0047addb 207   push    ecx
0047addc 208   push    eax
***********************
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

ok, it's the assembler part...
I'll use CreateToolhelp32Snapshot instead to get all dlls, this should be better

msdn: Requires Windows XP, Windows 2000 Professional, Windows Me, Windows 98, or Windows 95
(don't know if it's working on WinNT workstation)

Also I'll try to find out the assembler part for Win98;
I'll post an updated version later


@madshi why doesn't your madExcept log the registers ;P
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote:ok, it's the assembler part...
I'll use CreateToolhelp32Snapshot instead to get all dlls, this should be better

msdn: Requires Windows XP, Windows 2000 Professional, Windows Me, Windows 98, or Windows 95
(don't know if it's working on WinNT workstation)
No, Toolhelp is not available on NT 4. But you can use a VirtualQuery loop to enumerate the modules OS independently.
uall wrote:@madshi why doesn't your madExcept log the registers ;P
Will probably come in a future version... :D
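madshi's VirtualQuery loop as an added example in C, not code from the thread or from madCodeHook. The walk is written against a small query callback so the same function runs on Windows (win_query wraps the real VirtualQuery) and offline over a constructed region table with made-up addresses; the rule it applies is that a mapped image is a single allocation, so its first region has BaseAddress == AllocationBase and Type == MEM_IMAGE. On a real system a caller would additionally check the MZ/PE signatures at each reported base, as HookExtendedImportTable does, before trusting the mapping.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The fields of MEMORY_BASIC_INFORMATION the walk needs. */
typedef struct {
    uintptr_t base;        /* BaseAddress                               */
    uintptr_t alloc_base;  /* AllocationBase                            */
    size_t    size;        /* RegionSize                                */
    int       image;       /* State == MEM_COMMIT and Type == MEM_IMAGE */
} region_t;

/* Fills *out with the region containing addr; returns 0 once addr lies beyond
 * the user address space, which is where VirtualQuery itself returns 0. */
typedef int (*query_fn)(uintptr_t addr, region_t *out);

/* Walk the address space from 0 upward, one region per VirtualQuery call.  A
 * mapped image is a single allocation: all of its regions share AllocationBase
 * and the first one starts at it, so reporting each committed image region
 * whose BaseAddress equals its AllocationBase lists every loaded module, on
 * NT 4 as well as on 9x, without Toolhelp or PSAPI.
 * Returns the number of modules found; only the first max bases are stored. */
size_t enum_modules(query_fn query, uintptr_t *out, size_t max)
{
    size_t n = 0;
    uintptr_t addr = 0;
    region_t r;
    while (query(addr, &r)) {
        if (r.image && r.base == r.alloc_base) {
            if (n < max) out[n] = r.alloc_base;
            n++;
        }
        if (r.base + r.size < r.base) break;     /* wrapped: top of the address space reached */
        addr = r.base + r.size;                  /* next region starts right behind this one  */
    }
    return n;
}

#ifdef _WIN32
#include <windows.h>
/* Real backend: one VirtualQuery call per region. */
int win_query(uintptr_t addr, region_t *out)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery((LPCVOID)addr, &mbi, sizeof mbi) != sizeof mbi) return 0;
    out->base       = (uintptr_t)mbi.BaseAddress;
    out->alloc_base = (uintptr_t)mbi.AllocationBase;
    out->size       = mbi.RegionSize;
    out->image      = (mbi.State == MEM_COMMIT && mbi.Type == MEM_IMAGE);
    return 1;
}
#endif

/* Constructed stand-in for a 32-bit process map (all addresses made up), used
 * so the loop can be exercised off Windows. */
static const region_t sample_map[] = {
    { 0x00000000, 0x00000000, 0x00400000, 0 },   /* free                         */
    { 0x00400000, 0x00400000, 0x00001000, 1 },   /* exe: headers                 */
    { 0x00401000, 0x00400000, 0x0007F000, 1 },   /* exe: sections                */
    { 0x00480000, 0x00000000, 0x00B80000, 0 },   /* free                         */
    { 0x01000000, 0x01000000, 0x00001000, 1 },   /* dll 1: headers               */
    { 0x01001000, 0x01000000, 0x0001F000, 1 },   /* dll 1: sections              */
    { 0x01020000, 0x01020000, 0x00010000, 0 },   /* heap, not an image           */
    { 0x01030000, 0x01030000, 0x00002000, 1 },   /* dll 2: a single region       */
    { 0x01032000, 0x00000000, 0x7EFCE000, 0 },   /* free up to the 2 GB boundary */
};

static int fake_query(uintptr_t addr, region_t *out)
{
    for (size_t i = 0; i < sizeof sample_map / sizeof sample_map[0]; i++)
        if (addr >= sample_map[i].base && addr - sample_map[i].base < sample_map[i].size) {
            *out = sample_map[i];
            return 1;
        }
    return 0;                                    /* beyond the last region, like VirtualQuery */
}

int main(void)
{
    uintptr_t mods[32];
#ifdef _WIN32
    size_t n = enum_modules(win_query, mods, 32);
#else
    size_t n = enum_modules(fake_query, mods, 32);
#endif
    for (size_t i = 0; i < n && i < 32; i++) printf("module base %p\n", (void *)mods[i]);
    return 0;
}
```

The heap region in the constructed map has BaseAddress == AllocationBase as well, so the Type check is what keeps private allocations out of the list; the count is returned even when the output buffer is too small, so a caller can size a second pass.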
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

I added Toolhelp32Snapshot; maybe I'll change it later to the asm stuff (if I get it working with Win9x) or VirtualQuery


http://uall.overclock.ch/ExtIAThook.pas

You can only use this hook method on Win9x in a library which is loaded above 0x80000000, because I hook LoadLibraryA and GetProcAddress

If you want to use it in your exe you have to comment out the hooks of GetProcAddress and LoadLibraryA (initialization and finalization)
Last edited by uall on Tue Mar 29, 2005 12:35 pm, edited 1 time in total.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

I added a check whether a global hook is possible

http://uall.overclock.ch/ExtIAThook.pas