Retrieve True Bytes of a Function

pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Retrieve True Bytes of a Function

Post by pambol »

How can you return/get the real bytes of a function, since someone can hook these APIs?
For example, if they hook OpenProcess using an inline hook, how can you get the real bytes to write to the OpenProcess address and use it without problems?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Post by madshi »

You can use madCodeHook's RestoreCode() API which will unpatch an API and replace it with the original bytes from the file on hard disk. RestoreCode() will only restore the first 6 bytes of the API, though.

Doing this is not as easy as it might sound because you can't just fetch the bytes from the file on hard disk untouched. You also may have to apply relocation adjustments. Of course RestoreCode() does all that properly.
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

That sounds great. Does madCodeHook have some way to detect it?
I'm checking whether the first byte of the function is one of these bytes:

case 0x68:
case 0xC2:
case 0xC3:
case 0xE8:
case 0xE9:
case 0xFF:

If it is, I restore.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Post by madshi »

Why don't you simply let madCodeHook do the job, by calling RestoreCode(), instead of trying to do it yourself?
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

I think it's good to check whether the function is patched or not before calling it, or does madCodeHook already do that?
Another question: is it possible to run RestoreCode on an external application?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Post by madshi »

Yes, madCodeHook only restores the code if it was changed.

Why would you need to do this on an external application?
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

Because some applications hook LdrLoadDll, so your inject function doesn't work.
For this reason, these bytes need to be restored.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Post by madshi »

Are we talking about injection into already running processes (done by the user mode part of madCodeHook)? Or do you mean the driver's injection into already running processes?
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

About both.
Another question about RestoreHook, for example with OpenProcess. From XP to W10 I don't need to call RestoreCode on OpenProcess, right? I just need to call RestoreCode on ZwOpenProcess?
It isn't so; I need to call it on the three. I tested hooking them one by one and calling OpenProcess.

The question now is how to restore these bytes in an external program in order to inject into it.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Post by iconic »

RestoreCode is only meant to function as an aggressive backup in case HookCode/HookApi fails *disclaimer should be present* due to another library already hooking the target function. Out-of-the-box RestoreCode can't be repurposed for what you require, which is doing the same thing out of process context, you MUST already be inside it for this API to work, meaning LdrLoadDll has already loaded your injected DLL. You've confused the purpose of the in-context API completely. If Madshi originally intended this to work for any process outside the current perhaps it would have this function prototype, which still wouldn't help if a LdrLoadDll hook is installed before your DLL is loaded in order to even call RestoreCode from within it! What you're asking isn't complex but this isn't the design nor sole reason madCodeHook was created

function RestoreCode(const hProcess: THandle; lpCode: Pointer): BOOL; stdcall;
--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Post by madshi »

Of course you could call RestoreCode() in your own process and then copy the first 6 bytes to all other processes which have the same bitdepth (you should first check if ntdll.dll/kernel32.dll are loaded at the same address as in yours, of course), by using VirtualProtectEx + WriteProcessMemory. It seems a rather nasty thing to do, though, so please do this at your own risk. Also, it will only work to restore the API in the same bitdepth as your own process.
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

iconic wrote:RestoreCode is only meant to function as an aggressive backup in case HookCode/HookApi fails *disclaimer should be present* due to another library already hooking the target function. Out-of-the-box RestoreCode can't be repurposed for what you require, which is doing the same thing out of process context, you MUST already be inside it for this API to work, meaning LdrLoadDll has already loaded your injected DLL. You've confused the purpose of the in-context API completely. If Madshi originally intended this to work for any process outside the current perhaps it would have this function prototype, which still wouldn't help if a LdrLoadDll hook is installed before your DLL is loaded in order to even call RestoreCode from within it! What you're asking isn't complex but this isn't the design nor sole reason madCodeHook was created

function RestoreCode(const hProcess: THandle; lpCode: Pointer): BOOL; stdcall;
--Iconic
Is the only way to restore the bytes in other processes that hook LdrLoadDll to read them from my own process and write them to their address? Is there no other way?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Post by iconic »

One way (my preference) is to call CreateFileMapping() with (SEC_IMAGE or PAGE_EXECUTE_READ) protection and map the module into your process. Compare target code (usually x bytes in the prologue) to whatever function RVA you've added to your mapping base, if they differ you can use x file mapping bytes to restore the target function to its original code form. You can calculate a function's RVA (Relative Virtual Address) by subtracting the target module's base address from the function's VA (Virtual Address) then simply add this value to whatever your file mapping base address is. I wouldn't run around intentionally unhooking code since it can in fact break programs. A legitimate use could potentially be an anti-rootkit that is capable of removing malicious hooks system-wide, for example.

--Iconic
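
Added example (not from the thread and not madCodeHook code): the RVA calculation and prologue comparison described in the post above, done as detection only, so a function counts as patched when its bytes differ from the clean mapping rather than when its first opcode looks suspicious. The names `func_rva`, `check_prologue` and `verdict` and the sample buffers are hypothetical; it assumes both buffers have image layout and that the compared bytes hold no relocated absolute addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { CLEAN, JMP_REL32, PUSH_RET, JMP_INDIRECT, OTHER_PATCH, BAD_RANGE } verdict;

/* RVA = function VA minus the base address of the module containing it. */
size_t func_rva(uintptr_t func_va, uintptr_t module_base)
{
    return (size_t)(func_va - module_base);
}

/* live  = bytes of the loaded module (possibly patched)
 * clean = fresh image-layout mapping of the same file
 * Compares n prologue bytes at the same RVA and classifies any mismatch.
 * For a relative jump, *target_rva receives the destination as an RVA. */
verdict check_prologue(const uint8_t *live, const uint8_t *clean, size_t image_size,
                       size_t rva, size_t n, int64_t *target_rva)
{
    if (rva >= image_size || n > image_size - rva)
        return BAD_RANGE;                        /* never read past either image */
    const uint8_t *p = live + rva;
    if (memcmp(p, clean + rva, n) == 0)
        return CLEAN;                            /* identical bytes, whatever the opcode */
    if (p[0] == 0xE9 && n >= 5) {                /* jmp rel32 */
        int32_t rel;
        memcpy(&rel, p + 1, sizeof rel);         /* little-endian host assumed */
        *target_rva = (int64_t)rva + 5 + rel;    /* relative to the next instruction */
        return JMP_REL32;
    }
    if (p[0] == 0x68 && n >= 6 && p[5] == 0xC3)  /* push imm32 ; ret */
        return PUSH_RET;
    if (p[0] == 0xFF && n >= 2 && p[1] == 0x25)  /* jmp [mem] */
        return JMP_INDIRECT;
    return OTHER_PATCH;
}

/* Constructed sample: a 32-byte "image" with one function at RVA 0x10. */
static const uint8_t sample_clean[32] = { [0x10] = 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83 };
static const uint8_t sample_live[32]  = { [0x10] = 0xE9, 0xEB, 0x0F, 0x00, 0x00, 0x83 };

int main(void)
{
    int64_t target = 0;
    size_t rva = func_rva(0x77001010u, 0x77001000u);   /* constructed addresses */
    return check_prologue(sample_live, sample_clean, sizeof sample_live, rva, 6, &target) == JMP_REL32 ? 0 : 1;
}
```

A jump target RVA that falls outside the module's image size, as in the constructed sample, shows that the redirect leaves the module.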
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

iconic wrote:One way (my preference) is to call CreateFileMapping() with (SEC_IMAGE or PAGE_EXECUTE_READ) protection and map the module into your process. Compare target code (usually x bytes in the prologue) to whatever function RVA you've added to your mapping base, if they differ you can use x file mapping bytes to restore the target function to its original code form. You can calculate a function's RVA (Relative Virtual Address) by subtracting the target module's base address from the function's VA (Virtual Address) then simply add this value to whatever your file mapping base address is. I wouldn't run around intentionally unhooking code since it can in fact break programs. A legitimate use could potentially be an anti-rootkit that is capable of removing malicious hooks system-wide, for example.

--Iconic
I mean restoring function bytes in external processes, not in mine. I need to do it for InjectLibrary from madCodeHook to work; if not, it doesn't inject the DLL.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Post by iconic »

I've already explained how to do this in my previous post. As Madshi mentioned earlier as well, you can use WriteProcessMemory on the target process (you don't need a previous call to VirtualProtectEx because WriteProcessMemory already does this internally by protecting with PAGE_EXECUTE_READWRITE and will also even flush the icache after modifying the memory). Map the target module as executable in your process, adjust the RVA to the new mapped base in your process and then read in the original bytes. After this is done simply write these original bytes back to the target(s) in the other process(es). That's it


--Iconic