Unable to hook GetMessageW.
It says the function couldn't be found.
I'm testing with notepad.exe; I checked with autodebug and it does use GetMessageW.
Any idea what I am doing wrong?
This is how I include the function to patch:
HookStruct HookedFunctions[] =
{
{"Gdi32.dll" , "TextOutA" , MyTextOutA , NULL, NotHookedYet},
{"Gdi32.dll" , "TextOutW" , MyTextOutW , NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryA" , MyLoadLibraryA , NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryW" , MyLoadLibraryW , NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryExA", MyLoadLibraryExA, NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryExW", MyLoadLibraryExW, NULL, NotHookedYet},
{"user32.dll", "GetMessageW", MyGetMessageW, NULL, NotHookedYet},
};
Thx in advance
First of all, very good project.
Well, I can build the DLL only in debug mode; if I try a Win32 release build it gives me 1 error on linking:
>ThreadSpy.obj : error LNK2019: unresolved external symbol __imp__ImageDirectoryEntryToData@16 referenced in function "bool __cdecl Replace(struct HookStruct *,int,struct HINSTANCE__ *)" (?Replace@@YA_NPAUHookStruct@@HPAUHINSTANCE__@@@Z)
If I build it in debug mode everything is fine, but will a debug-mode built DLL affect hooking, e.g. cause a situation where VirtualQuery and VirtualQueryEx are not hooked? Because I have the situation where they are just not hooked...
Will be thankful for answers.
Hello
This page contains a ton of interesting hooking related links:
codeplex easyhook
Elmü
I've noticed that the part of the code needed to unhook all hooked functions doesn't fire at all, so every time I try to free my DLL, the app crashes. Help?
Dude, did you test it before releasing it? It doesn't work!!!
At least fix it... next time avoid posting such code.
Hey men... it's a nice article from Mr/Mrs xryl669!
However, I believe you are right about the problem with unloading the hooks.
I have added an UnHookAllModules function, which I believe was forgotten in the original source code, and it fixed the problem for me (I also had to replace some GetModuleHandle with GetModuleHandleA...).
Regards! PDG>
====================================================================
void UnHookAllModules(HookStruct array[], const int size)
{
    // Restore the original function addresses in all modules of the current process
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
    if (snap == INVALID_HANDLE_VALUE)
        return;
    MODULEENTRY32 mod;
    int i;
    mod.dwSize = sizeof(MODULEENTRY32);
    if (!Module32First(snap, &mod))
    {
        CloseHandle(snap);
        return;
    }
    // The first entry is the process executable itself
    HMODULE first = mod.hModule;
    for (i = 0; i < size; i++)
        Replace(&array[i], FALSE, first);
    while (Module32Next(snap, &mod))
    {
        HMODULE next = mod.hModule;
        // Skip our own hooking DLL (hCurrentHandle is its module handle)
        if (next == hCurrentHandle) continue;
        for (i = 0; i < size; i++)
            Replace(&array[i], FALSE, next);
    }
    // Release the snapshot handle
    CloseHandle(snap);
}
I'm trying to hook all calls to LoadLibrary.
But if I first call LoadLibrary to load a module and then hook all the calls within that module to Kernel32::LoadLibrary, I'm too late, since the calls to load submodules were already made during the call to LoadLibrary.
Where's the trick?
Thanks
Have you got a version that handles hooking when the calling DLL uses ordinals instead of names, i.e. when pThunk->u1.Ordinal is valid instead of pThunk->u1.Function?
Hi man, I am trying to get some code for an anticheat and need to know if your code can help me.
Is it possible using your code to hook the API WriteProcessMemory when the parameters use the PID of my game program?
WriteProcessMemory requires use of the API OpenProcess.
OpenProcess needs the PID of the game in memory, found using the API FindWindow.
Most used APIs for cheat coders:
FindWindow
GetWindowProcessID
OpenProcess
ProtectEx
WriteProcessMemory
Do you think it is possible to detect cheats?
Of course it is. Just like the Rootkit Revealer from Sysinternals, you can monitor the address of the functions (like FindWindow/etc...) and see if they are in the kernel32.dll address space. If not, they are hooked.
To know this, get the kernel32 mapping (GetModuleInstance), its size by enumerating modules, and check that GetModuleInstance(Kernel32) < &FindWindow < GetModuleInstance(Kernel32) + size of the module is true.
However this is a cat and mouse game. Cheat software will find the trick quickly and will patch your exe in order to remove the test.
The only solution is to cipher your code (and include the deciphering code) so the patching cannot be done without losing too much functionality.
Good luck
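The address-range check described in this reply, as an added example (not code from the article or from anyone in this thread): a constructed module table and a constructed set of import-table entries, one of which has been redirected outside the image of the module that is supposed to export it. On Windows the base would come from GetModuleHandle and the size from the module enumeration (MODULEENTRY32.modBaseSize); here both are constructed values so the check runs anywhere. ModuleRange, ImportSlot and count_redirected_imports are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: the "is the resolved address inside the exporting module?"
 * test, run over a constructed import table. Nothing here is ThreadSpy code. */

typedef struct {
    const char *name;
    uintptr_t   base;   /* load address of the module (constructed value) */
    size_t      size;   /* size of the mapped image (constructed value) */
} ModuleRange;

typedef struct {
    const char *module;   /* DLL the import is supposed to come from */
    const char *function; /* import name, used for the report only */
    uintptr_t   target;   /* address currently stored in the IAT slot */
} ImportSlot;

/* True if addr lies inside [base, base+size). The subtraction form avoids the
 * wrap-around that base + size could hit near the top of the address space. */
static int addr_in_module(const ModuleRange *m, uintptr_t addr)
{
    return addr >= m->base && (addr - m->base) < m->size;
}

static const ModuleRange *find_module(const ModuleRange *mods, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(mods[i].name, name) == 0) return &mods[i];
    return NULL;
}

/* Returns how many IAT slots resolve outside the module that should export
 * them; each one is reported on stdout. An import from a module that is not
 * in the table at all is counted as suspicious as well. */
size_t count_redirected_imports(const ModuleRange *mods, size_t nmods,
                                const ImportSlot *slots, size_t nslots)
{
    size_t redirected = 0;
    for (size_t i = 0; i < nslots; i++) {
        const ModuleRange *m = find_module(mods, nmods, slots[i].module);
        if (m == NULL || !addr_in_module(m, slots[i].target)) {
            printf("%s!%s resolves to %#lx, outside the module image\n",
                   slots[i].module, slots[i].function, (unsigned long)slots[i].target);
            redirected++;
        }
    }
    return redirected;
}

/* Constructed sample: two modules and four IAT entries. The last entry points
 * into a region belonging to neither module, which is what an IAT hook leaves behind. */
static const ModuleRange sample_modules[] = {
    { "kernel32.dll", 0x7C800000u, 0x000F6000u },
    { "user32.dll",   0x7E410000u, 0x00091000u },
};

static const ImportSlot sample_iat[] = {
    { "kernel32.dll", "OpenProcess",        0x7C80ACD5u },
    { "kernel32.dll", "WriteProcessMemory", 0x7C802213u },
    { "user32.dll",   "FindWindowA",        0x7E42A5C2u },
    { "user32.dll",   "GetMessageW",        0x10001234u }, /* redirected */
};

size_t sample_redirected_count(void)
{
    return count_redirected_imports(sample_modules, 2, sample_iat, 4);
}

int main(void)
{
    printf("%zu redirected import(s)\n", sample_redirected_count());
    return 0;
}
```

The per-slot range test is cheap enough to run periodically; as the reply says, it is only a tripwire, since whoever controls the process can patch the test out, so the value is in detecting and logging, not in preventing.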
Thank you man, we are thinking about how to use that.
You are an expert in that.
Do you have some idea how to detect when clients are using programs like XP SPEED?
These programs accelerate the timer and run faster inside the game.
Any idea where to begin my search?
This is more complicated than you would usually think.
First, the XP Speeder software installs a kernel mode driver to fake the hardware timer.
If you have access to the game source code, simply don't call any functions that are timer based (like clock, GetSystemTimeAsFiletime etc...) and implement a function "GetCPURealTicks" based on the assembler "rdtsc" instruction (search on CodeProject, there are a lot of articles on this). This instruction is not fakeable.
If you don't have access to the source code, then you'll have to create a thread that implements the above trick, and calculate the clock from your read value. Then hook all the timer based functions to feed them with the real value you've read & calculated.
Good luck...
Hello,
I am not able to make StackWalk64 work properly on my system. I am using the same codebase as used in your article (Part III). I have a Windows XP system. HAL.dll version is 5.1.2600.2180.xpsp_sp2_rtm.040803-2158. This is working fine on another system which has the SP1 service pack, but not with SP2.
I have tried downloading the symbols (kernel32.pdb and ntdll.pdb) and have set the _NT_SYMBOL_PATH environment variable to point to c:\winnt\system32.. But it's not working. StackWalk64 is giving a stack depth of only 2. Same for the StackWalk function.
Any suggestions would be of great help.
Regards
Rajdeep
I don't know why. You should analyse what StackWalk reports (errors, contexts, etc...).
Can you try the memory leak detector called VLD (search for memory leak on CodeProject) to see if you have a stack with this software. If you do, then change the asm code to get EIP to the one used in VLD.
Hope it helps
Sincerely,
Cyril
Thanks so much, this article is great.
But when I unhook the DLL, it seems to me that the real methods' addresses are corrupted or not written again, because I get an "error reading memory in 0x00003" and all that we know is bad news.
When I unhook the DLL, how can I replace the false addresses with the real ones again?
I guess there is something wrong happening here.
The HookStruct structure should hold the previous address (in the last NULL member) and it is used to avoid changing the API function address twice.
The good value should be stored in that member, so I think you should add a message box with such a string ("last member address is : %08X, should be %08X", hookStructPointer->pPrevFunc, GetTrueProcAddress(GetModuleHandle("kernel32.dll"), "yourfunctionhere")) and see if they match.
If they match, then you should double check the unhooking code. If they don't match, then you should try to see where you've rewritten the last member with the wrong value. If you use the latest version (part 3 of these articles), then change ThreadSpy.cpp:287 from

array[i].pPrevFunc = GetTrueProcAddress(::GetModuleHandleA(array[i].szDLLName), array[i].szFuncName);

to

// Only record the original address once; a second pass must not overwrite it
if (array[i].pPrevFunc)
    MessageBox(NULL, "This is strange, as the member is already initialized", "Error", 0);
else
    array[i].pPrevFunc = GetTrueProcAddress(::GetModuleHandleA(array[i].szDLLName), array[i].szFuncName);

Hope it helps, sorry for late answer.
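To make the pPrevFunc discussion above (and the earlier unhook crash reports) concrete, here is an added example that is not ThreadSpy's code: it runs the same bookkeeping on a simulated import table in portable C. The original pointer is recorded only on the first NotHookedYet -> Hooked transition, later passes leave it alone, and unhooking restores it; a second function shows what the unconditional overwrite does. HookRecord, Replace, HookAll, run_scenario and run_buggy_scenario are names chosen for the example; NotHookedYet and pPrevFunc follow the names used in the thread, and the slot array stands in for the IAT entries the real code rewrites.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not the article's code: hook/unhook bookkeeping on a
 * simulated IAT. In the real project the slots are IAT entries patched with
 * WriteProcessMemory; here they are plain function pointers. */

typedef int (*api_fn)(int);

typedef enum { NotHookedYet = 0, Hooked = 1 } HookState;

typedef struct {
    const char *szFuncName;
    api_fn      pHook;      /* our replacement */
    api_fn      pPrevFunc;  /* original address, written exactly once */
    HookState   state;
} HookRecord;

/* Stand-ins for the real API and for the hook wrapping it. */
static int RealTextOut(int n) { return n + 1; }
static int MyTextOut(int n)   { return RealTextOut(n) * 100; } /* forwards to the original */

/* Simulated IAT: one slot for the same import in each of two modules. */
static api_fn module_iat[2];

/* Hook or unhook one slot. The original is saved only on the first
 * NotHookedYet -> Hooked transition; a later pass finds our own pointer in
 * the slot and leaves pPrevFunc untouched, which is the check suggested above. */
static int Replace(HookRecord *rec, api_fn *slot, int hook)
{
    if (hook) {
        if (*slot == rec->pHook) return 0;          /* already ours: nothing to record */
        if (rec->state == NotHookedYet) {
            rec->pPrevFunc = *slot;                 /* the one and only write */
            rec->state = Hooked;
        }
        *slot = rec->pHook;
        return 1;
    }
    /* Unhook: restore only if an original was recorded and the slot still holds our hook. */
    if (rec->state != Hooked || rec->pPrevFunc == NULL) return 0;
    if (*slot == rec->pHook) *slot = rec->pPrevFunc;
    return 1;
}

static void HookAll(HookRecord *rec, int hook)
{
    for (size_t m = 0; m < 2; m++)
        Replace(rec, &module_iat[m], hook);
}

/* Hook twice, check pPrevFunc survived, unhook, check both slots are restored.
 * Returns 1 on success, 0 on the first failed check. */
int run_scenario(void)
{
    HookRecord rec = { "TextOutA", MyTextOut, NULL, NotHookedYet };
    module_iat[0] = RealTextOut;
    module_iat[1] = RealTextOut;

    HookAll(&rec, 1);
    HookAll(&rec, 1);                               /* second pass must be a no-op for pPrevFunc */
    if (rec.pPrevFunc != RealTextOut) return 0;
    if (module_iat[0](4) != 500) return 0;          /* through the hook: (4+1)*100 */

    HookAll(&rec, 0);
    if (module_iat[0] != RealTextOut || module_iat[1] != RealTextOut) return 0;
    if (module_iat[1](4) != 5) return 0;            /* original behaviour is back */
    return 1;
}

/* The defect discussed above: overwriting pPrevFunc on every pass records the
 * hook itself as the "original", so unhooking leaves the hook in the slot and,
 * once the DLL is unloaded, the next call lands in unmapped memory. Returns 0. */
int run_buggy_scenario(void)
{
    api_fn slot = RealTextOut;
    api_fn pPrevFunc = NULL;
    for (int pass = 0; pass < 2; pass++) {
        pPrevFunc = slot;           /* unconditional overwrite */
        slot = MyTextOut;
    }
    slot = pPrevFunc;               /* "restore" */
    return slot == RealTextOut;
}

int main(void)
{
    printf("correct bookkeeping: %d, buggy bookkeeping: %d\n",
           run_scenario(), run_buggy_scenario());
    return 0;
}
```

The state field is what makes HookAllModules safe to call repeatedly: every module imports the same address for a given function, so one record per function is enough, and only the first transition is allowed to write pPrevFunc.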
I tried to use the working implementation with Notepad.exe and ThreadSpy.exe.
I have commented out the overriding of the Gdi32.dll code.
When I try to save the file it always gives the following error:
"Not enough memory available to complete the program. Quit one or more applications to increase virtual memory"
Why is it prompting the above error?
Regards,
Sunil Virmani
I have no idea. Please be more specific about what you are doing and what you have modified.
I can save the file with this version. Please confirm you can do the same with yours.
xryl669
// This is an ugly function
void * FindFunction(LPCSTR lpName)
Why do you call this ugly?
One problem with it occurs when functions are called in the DLL by export ordinal.
See documentation for GetProcAddress. If this happens, then lpName is not a pointer
to a character string and the hooked application crashes.
I can prevent the crash by adding to the start of FindFunction
if ((int)lpName < 1000)
    return NULL;
Of course, this would defeat our purpose if the function called by export ordinal
is the one we want to hook.
TODO:
The number 1000 is arbitrary. What would be the most appropriate?
How can we determine the export ordinals, and fix this?
Hi,
You're right, this is why FindFunction is an ugly function (and because it is prone to buffer overflow too).
Okay, after reading GetProcAddress documentation,
From MSDN about lpName: [GetProcAddress]
If this parameter is an ordinal value, it must be in the low-order word; high-order word must be zero
So, I think the code should be changed to check if the first 2 chars are zero, and if yes handle the next 2 chars as an unsigned short number. I'll try this modification as soon as I release a new version.
Thanks for spotting the bug.
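The two places where "by ordinal" has to be recognised in an IAT hook, as an added example that is not the article's code: the GetProcAddress lpName convention discussed just above (ordinal in the low-order word, high-order word zero) and the import-thunk side asked about earlier (pThunk->u1.Ordinal versus a name pointer). It is written in portable C so it runs outside Windows; the macros mirror the winnt.h definitions IMAGE_ORDINAL_FLAG32 and IMAGE_ORDINAL32, while ExportEntry, find_export, thunk_is_ordinal and the export table itself are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the article's FindFunction: export lookup that accepts
 * either a name or an ordinal, plus the import-thunk ordinal test. */

#define IMAGE_ORDINAL_FLAG32 0x80000000u        /* as in winnt.h */
#define IMAGE_ORDINAL32(o)   ((o) & 0xFFFFu)     /* as in winnt.h */
#define MAX_EXPORT_NAME      256                 /* cap for the bounded compare */

typedef struct { const char *name; uint16_t ordinal; void *addr; } ExportEntry;

/* Constructed export table: three entries standing in for a real DLL's exports. */
static int dummy_a, dummy_b, dummy_c;
static const ExportEntry sample_exports[] = {
    { "TextOutA", 1, &dummy_a },
    { "TextOutW", 2, &dummy_b },
    { "BitBlt",   3, &dummy_c },
};
#define NEXPORTS (sizeof sample_exports / sizeof sample_exports[0])

/* GetProcAddress convention for lpName: an ordinal is passed in the low-order
 * word with everything above it zero, so a pointer value <= 0xFFFF is an
 * ordinal, not a string. Testing this first is what stops the lookup from
 * dereferencing a small integer. */
static int is_ordinal_request(const char *lpName)
{
    return ((uintptr_t)lpName >> 16) == 0;
}

/* Length with an upper bound, so a name pointer never leads to an unbounded scan. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

void *find_export(const char *lpName)
{
    if (lpName == NULL) return NULL;
    if (is_ordinal_request(lpName)) {
        uint16_t ord = (uint16_t)(uintptr_t)lpName;
        for (size_t i = 0; i < NEXPORTS; i++)
            if (sample_exports[i].ordinal == ord) return sample_exports[i].addr;
        return NULL;
    }
    if (bounded_len(lpName, MAX_EXPORT_NAME) == MAX_EXPORT_NAME) return NULL; /* unterminated or too long */
    for (size_t i = 0; i < NEXPORTS; i++)
        if (strcmp(sample_exports[i].name, lpName) == 0) return sample_exports[i].addr;
    return NULL;
}

/* Import-thunk side: before binding, IMAGE_THUNK_DATA holds either an RVA to a
 * hint/name entry or, with the top bit set, an ordinal (IMAGE_SNAP_BY_ORDINAL).
 * Code walking the import table must branch on that bit before treating the
 * value as a name pointer. */
int thunk_is_ordinal(uint32_t thunk_value)
{
    return (thunk_value & IMAGE_ORDINAL_FLAG32) != 0;
}

uint16_t thunk_ordinal(uint32_t thunk_value)
{
    return (uint16_t)IMAGE_ORDINAL32(thunk_value);
}

int main(void)
{
    void *by_name = find_export("BitBlt");
    void *by_ord  = find_export((const char *)(uintptr_t)3);
    printf("by name and by ordinal agree: %s\n", by_name == by_ord ? "yes" : "no");
    uint32_t raw = 0x80000003u;                  /* constructed thunk value */
    if (thunk_is_ordinal(raw))
        printf("thunk imports ordinal %u\n", (unsigned)thunk_ordinal(raw));
    return 0;
}
```

The 1000 threshold proposed in the earlier post is replaced here by the documented boundary (high-order word zero), so a function imported by ordinal is still resolved instead of being skipped.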
Hi xryl669,
Excuse me guys, this question is targeted towards xryl669 and the dudes who have a good understanding of API hijacking!
Is it always required to hijack these 4 functions of Kernel32.dll???
1. LoadLibraryA
2. LoadLibraryW
3. LoadLibraryExA
4. LoadLibraryExW
5. GetProcAddress
I am trying to hijack the "BitBlt" API from GDI32.dll; I will appreciate it if you could guide me on this.
Things I have tried -
- I am trying to hijack the "BitBlt" API from GDI32.dll, so the structure for the functions becomes -
{"Gdi32.dll" , "BitBlt" , MyBitBlt , NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryA" , MyLoadLibraryA , NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryW" , MyLoadLibraryW , NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryExA", MyLoadLibraryExA, NULL, NotHookedYet},
{"Kernel32.dll", "LoadLibraryExW", MyLoadLibraryExW, NULL, NotHookedYet},
{"Kernel32.dll", "GetProcAddress", MyGetProcAddress, NULL, NotHookedYet}
- Created a Win32 DLL, which is installing a global message hook. In DllMain I am calling the functions for API hijacking (HookFunctions, HookAllModules). I make sure that this code gets executed only once using synchronization (i.e. by the application which is installing the hook).
- Not getting the desired results as such; it seems to me the BitBlt API gets hijacked only for the application which is installing the hook (my observation)?
- Is it required to call the API hijacking function in the DLL_PROCESS_ATTACH section and restore the hijacking in the DLL_PROCESS_DETACH section?
Thanks for listening!
Cheers,
Vishal
- The things you've tried are ok. The MyBitBlt function should call the initial BitBlt function for compatibility.
If the module you're hooking is already mapped in the process when HookAllModules is called, then you don't need to hook LoadLibrary and such.
LoadLibrary simply can tell you when this module is loaded if not done yet.
- HookAllModules/HookFunctions can be called multiple times, as only the initial call will really do the hooking process.
- I highly suggest you try the code in part 2, as it does:
- Injecting the hooking dll in the debuggee process (have you done that ?)
- Hook the function in all modules
- Communicate with the server ( for debugging purpose, as it is not always easy to do)
- I think so
Sincerely,
Cyril
:( Here's the error output:
Compiling...
StdAfx.cpp
Compiling...
Hooked.cpp
G:\x\xx\Hook0\ThreadSpy\Hooked.cpp(17) : warning C4273: 'MyLoadLibraryA' : inconsistent dll linkage. dllexport assumed.
G:\x\xx\Hook0\ThreadSpy\Hooked.cpp(25) : warning C4273: 'MyLoadLibraryW' : inconsistent dll linkage. dllexport assumed.
G:\x\xx\Hook0\ThreadSpy\Hooked.cpp(33) : warning C4273: 'MyLoadLibraryExA' : inconsistent dll linkage. dllexport assumed.
G:\x\xx\Hook0\ThreadSpy\Hooked.cpp(41) : warning C4273: 'MyLoadLibraryExW' : inconsistent dll linkage. dllexport assumed.
G:\x\xx\Hook0\ThreadSpy\Hooked.cpp(49) : warning C4273: 'MyGetProcAddress' : inconsistent dll linkage. dllexport assumed.
G:\x\xx\Hook0\ThreadSpy\Hooked.cpp(62) : warning C4273: 'MyTextOutA' : inconsistent dll linkage. dllexport assumed.
G:\x\xx\Hook0\ThreadSpy\Hooked.cpp(67) : warning C4273: 'MyTextOutW' : inconsistent dll linkage. dllexport assumed.
ThreadSpy.cpp
Generating Code...
Linking...
Creating library ../ThreadSpy.lib and object ../ThreadSpy.exp
LINK : warning LNK4049: locally defined symbol ""int (__stdcall*__stdcall MyGetProcAddress(struct HINSTANCE__ *,char const *))(void)" (?MyGetProcAddress@@YGP6GHXZPAUHINSTANCE__@@PBD@Z)" imported
LINK : warning LNK4049: locally defined symbol ""struct HINSTANCE__ * __stdcall MyLoadLibraryExW(unsigned short const *,void *,unsigned long)" (?MyLoadLibraryExW@@YGPAUHINSTANCE__@@PBGPAXK@Z)" imported
LINK : warning LNK4049: locally defined symbol ""struct HINSTANCE__ * __stdcall MyLoadLibraryExA(char const *,void *,unsigned long)" (?MyLoadLibraryExA@@YGPAUHINSTANCE__@@PBDPAXK@Z)" imported
LINK : warning LNK4049: locally defined symbol ""struct HINSTANCE__ * __stdcall MyLoadLibraryW(unsigned short const *)" (?MyLoadLibraryW@@YGPAUHINSTANCE__@@PBG@Z)" imported
LINK : warning LNK4049: locally defined symbol ""struct HINSTANCE__ * __stdcall MyLoadLibraryA(char const *)" (?MyLoadLibraryA@@YGPAUHINSTANCE__@@PBD@Z)" imported
LINK : warning LNK4049: locally defined symbol ""int __stdcall MyTextOutW(struct HDC__ *,int,int,unsigned short const *,int)" (?MyTextOutW@@YGHPAUHDC__@@HHPBGH@Z)" imported
LINK : warning LNK4049: locally defined symbol ""int __stdcall MyTextOutA(struct HDC__ *,int,int,char const *,int)" (?MyTextOutA@@YGHPAUHDC__@@HHPBDH@Z)" imported
ThreadSpy.dll - 0 error(s), 14 warning(s)
Hi rbrigger,
Where are the errors???
It seems that you have got some warnings, although [sometimes] programmers do not care about some warnings!
Cheers,
Vishal
Hi
I don't have "Dbghelp.lib" and its DLL either. What is an alternative lib for this lib? I am looking for this on the web.
Can your code inject a new API proc (a new version of a function in a DLL) in all modules.....
I am looking for a way to prevent copy/paste of a file.
Can you suggest which API I need to hook for that?
I can think of CopyFileA/W and maybe CreateFile. Any others?
Thanks
Jetli
conclusion means Coming to wrong Decision with confidence
DbgHelp is in Platform SDK from MSDN (it is freely downloadable).
This code will exchange the function you're hooking with your function in all modules of the process when the DLL is inserted. If you want to hook modules that are loaded afterwards as well, you should hook LoadLibrary too. See parts II and III for more details.
You should hook CreateFile, CopyFile, MoveFile, DeleteFile, and the "drag and drop" functions (like RegisterDragDrop, etc).
Sincerely
Cyril