CodeProject: Win32 API hooking: Another reason why it might not work. Free source code and programming help

Report Article

Discuss

Send to a friend

24 votes for this Article.

Popularity: 6.65 Rating: 4.82 out of 5

Introduction

Like (many) other people, I've been quite fascinated by the possibilities given by Win32 hooking. After reading API hooking revealed, I decided the best way to do it was to rewrite the Import Address Table (IAT) in the application I targeted. This technique is called IAT-patching. It worked quite well for some time, but then, my program failed to hook properly on a number of target applications, such as the MSN Messenger or the latest versions of Emule. I first suspected some kind of protection within these applications, but since Emule is open source, I could download the code and see there was no such thing that should have made IAT-patching fail. Then, an in-depth look at how the function I targeted was called from MSN and Emule allowed me to understand where the problem came from: the targeted function, imported from a standard DLL, was not loaded into these executables in the standard way, based upon the IAT (and which is described by Matt Pietrek in MSDN). I'll describe here how the loader deals with these functions, and why this undocumented feature of the Portable Executable format makes IAT-patching powerless.

Background

Since my goal here is to show why IAT-patching does not always work, it would be quite useful to know how IAT is supposed to work. The two articles I mentioned in the introduction are the best places for a starter.

The standard way of calling an imported function

When a function is imported into an executable, the loader stores the actual address of this function into the IAT before any call to this function is made. In an application that calls its imported functions in a standard way, here is what you get when you make such a call after the loader has done its job:

00412CB7   CALL DWORD PTR DS:[0042C544]

The four bytes at DS:[0042C544] are inside the IAT, they store the actual address (that is 0x77D5C411) of the function I intend to hook (in this case: SetMenuItemInfoW from User32.dll). Rewriting the IAT basically means I'll change the address written at DS:[0042C544] and write the address of my replacement function instead.

How SetMenuItemInfoW is called in Emule

The problem is: SetMenuItemInfoW is not called this way in Emule. The first thing to say about SetMenuItemInfoW is that you won't even find it in the IAT if you use programs such as PEView or DUMPBIN. And still, it is used by emule.exe. Here's the assembler code for Emule:

00568A65   CALL DWORD PTR DS:[0074BE08]

This assembler line is the line that corresponds to the C++ line that calls SetMenuItemInfoW, but the address stored at DS:[0074BE08] is not the address of SetMenuItemInfoW, and the four bytes at 0074BE08 are not inside the IAT: there's no way you could change the value there. The address pointed to by PTR DS:[0074BE08] is 005D4F70, and it is inside emule.exe itself. Here is what we have at 005D4F70:

As you can see, instead of calling SetMenuItemInfoW, the code calls a function located at 005D5529. I'll call it the "loader function" in this article. This function takes five arguments, three of them are interesting to describe:

Arg3=0074BE08 is the address used just before (at 00568A65: CALL DWORD PTR DS:[0074BE08]). (It is cast here as the address of an ASCII string, this is due to a little problem with my assembler debugger.)
Arg2 is the name of the function originally called: "SetMenuItemInfoW".
Arg1 is the name of the DLL that exports SetMenuItemInfoW, "user32.dll".

(You can see that this function is also called for other imported functions such as EnumFontsW or GetDateFormatW...).

Immediately after the call to the loader function, there is a line of code (at 005D4F8F) that calls the same address as the line at 00568A65 : JMP DWORD PTR DS:[0074BE08]. Remember the address stored at DS:[0074BE08] is the address of the loader function. That is, once the loader function has returned, this JMP instruction will cause the loader function to be called again, in an infinite cycle.

I won't give too much useless information as to what the loader function does. Here is the most important: it first calls LoadLibrary to get a handle to the required DLL, and then it looks up the name of the function originally called inside the Export Address Table of that DLL in order to calculate the actual address of this function (note: the loader function does not use GetProcAddress).

Once the loader function has returned, the line that follows it is modified: it is still JMP DWORD PTR DS:[0074BE08], but the location pointed to by DS:[0074BE08] is no longer 005D4F70 but the actual address of SetMenuItemInfoW (= 77D5C411). So, the JMP will not call the loader function again, but SetMenuItemInfoW instead.

Now, we can jump to SetMenuItemInfoW for good.

As you noticed, the first time, at 00568A65, we "called" the address DS:[0074BE08] (CALL DWORD PTR ...), and the second time, at 005D4F8F, we "jumped" (JMP DWORD PTR ...). This way, when SetMenuItemInfoW returns, it will not return to the line where it was actually called (with a JMP) but to the original CALL line.

Of course, since the address in the JMP and in the CALL are the same, the next time we call SetMenuItemInfoW, at 00568A65, we will call the actual function not the protocol we had to go through for the first call.

The next schemas will illustrate this discussion:

before the first call:
right after the loader function has returned:
all the subsequent calls:

What are the consequences for Win32 hooking?

Since this mechanism does not use IAT, there is no way you can intercept calls to SetMenuItemInfoW by altering the IAT. And there is no way to say where to find the four bytes that will be altered by the loader function: those four bytes are inside the executable, exactly where the imported function is called.

There are still two possibilities that could allow you to hook such a function.

The first one is similar to IAT altering: but instead of rewriting entries in the IAT, you have to rewrite entries in the Export Address Table (EAT) of the DLL that hosts the targeted function. But this has to be done before any call to the targeted function is made; once the first call is made, the loader function has already looked up the EAT and written the actual address. So the trick is to alter the EAT so that the loader function will read the address of your own function.

The second possibility consists in changing the first few bytes at the beginning of the function you want to hook, the new bytes will be a JMP to your own function.

This solution is in fact the most efficient since it enables you to bypass not only the protocol described in this article but also other forms of protection against Win32-hooking (use of GetProcAddress, encrypted executables ...). But it goes beyond the scope of this article. Anyway, you'll find all the necessary information here.

Conclusion

Going through this protocol is a lengthy process, so it is implemented only if the targeted function is called from a single location in the executable. Calling the loader function only once is similar to processing the IAT: both protocols must load the DLL and calculate the actual address of the function. But, while the IAT must be processed when the executable is launched, the process described here happens only when the function is called for the first time, causing the executable to launch faster. It is thus similar to the delay-import function mechanism.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Safir Perocheau

Occupation:	Web Developer
Location:	France

Other popular DLLs & Assemblies articles:

PasswordSpy - Retrieving lost passwords using Windows hooks
A practical application of setting Windows hooks
Step by Step: Calling C++ DLLs from VC++ and VB - Part 1
This series of articles is a step-by-step guide to constructing C++ DLLs that include C++ functions and C++ classes, and then calling the DLL functions and classes from VC++ and VB programs.
Hooks and DLLs
There is a lot of confusion about how to set up and use global hook functions. This essay attempts to clear up some of these issues.
DLLs are simple: Part 2
This article describes how to export classes from a DLL.
Regular DLL Tutor For Beginners
Regular Win32 and MFC DLL tutorial for beginners.

Article Top

You must Sign In to use this message board.

Msgs 1 to 16 of 16 (Total in Forum: 16) (Refresh)

FirstPrevNext

display a splash screen as soon as app startup?

yph20040107

21:55 9 Dec '07

My app contains a lot of dlls. It takes too much time for the loader to load all of them. So I want to display a splash screen during the loading process. If I display it before the loader starts working, how can I do it? Or do you have any other solutions? Give me a help please. THANKS!
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Thx

Kharfax

4:33 27 Jun '06

Great info, thanks a lot for sharing this
Sign In·View Thread·PermaLink

What triggers this mechanism

yafan

6:56 15 Jan '06

Hi Safir, a great article, and very informative especially if you are interesting in a general mechanism for spying apps.

You didn't mention why some apps adopt this unusual IAT scheme while others do not. What triggers it being used?

If the reason is that the function only gets called once in the app then I don't see how a application could possibly benefit from this scheme - what is the advantage of delaying the function fixup as opposed to using the normal IAT mechanism?

If it is an obfuscation technique, then why not apply it to all functions? Why SetMenuItemInfo() etc.

Cheers,

-y

Dll for Hook the API OpenProcess

Vitoto

6:56 4 Jan '06

Hi man, is posible using you code fix my problem ?

Global Model Image.
http://www.legion-of-terror.cl/download/temp/model.jpg

Detail :
This is the API OpenProcess or Class in .Net GetProcessID
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcekernl/html/_wcesdk_win32_OpenProcess.asp

Cheat program use the API and use in parameter PID the Game in Memory.
Game is not .Net program, i not have source, only launch from .Net code.

Example : Game Pid is : 5675

When cheat program "program01.exe(pid 1234)" use the API then in parameters use the value 5675.

Example :

IDProcess = 5675
HandleWindow = OpenProcess(PROCESS_ALL_ACCESS,False,IDProcess);

For get value 5675 use others APIs :

IDProcess = FindWindow -> Get using Window Name -> "Game Window Name"
IDProcess = GetHProcExe -> Get using game.exe
IDProcess = GetWindowProcessID -> Get using Directly IDProcess -> PID the Game.exe

I not want stop this 3 methods, i need Stop OpenProcess where values will be passed.

After OpenProcess get Access to Game Process using parameter : PROCESS_ALL_ACCESS
Return HandleWindow and use after in API WriteProcessMemory
WriteProcessMemory(HandleWindow, Offset, Value, 1, 0&)

From my ".Net Program" i use PID 1234 "program01.exe" for Spy, Hook or Intercept if Use API OpenProcess.

When program01.exe was detected using the API OpenProcess then Log, Hook or Intercept the value in parameter used.

If value is IDProcess = 5675, then assume "program01.exe" is Cheat Program trying attack GAME Process.

After check program02.exe and detect not using API OpenProcess, skip for monitor others process.

Contact

choose file

23:12 29 Dec '05

Hi Saf, Very interessting article even if that kind of problem is far away from my everyday nerd's life. The point of my posting is, first of all, to get in touch with you again. Could you, please, send me your contact at testos@no-log.org. Then will send mine back. Regards Nicolas LOUVET
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Am I Missing Something...

qwerty666qwerty666

6:03 28 Dec '05

Or is this nothing new? Maybe it's just new to some people? Every example I've seen of API hooking notes that 1. Certain code may take the address of a function, particularly when compiled with optimizations, so you must either keep that in mind, or else hook the function before it possibly could have been called. 2. That you hook GetProcAddress.
Sign In·View Thread·PermaLink

Re: Am I Missing Something...

Safir Perocheau

13:35 28 Dec '05

qwerty666qwerty666 wrote:
Certain code may take the address of a function

This is definitely a good reason why certain hooks will fail, but it's not what is involved here. If the executable needs the "loader function" described here, it's precisely because it does not already know the address of the imported function

qwerty666qwerty666 wrote:
That you hook GetProcAddress

That would not work here : the loader function never uses GetProcAddress. It looks up the Export Table of User32.dll, and then calculates the actual address of SetMenuItemInfo. That's exactly what GetProcAddress would have done, but the executable "decides" to do it by itself here.

To tell you exactly why I thaught this article would be interesting so some, it's because I was a bit surprised to see a dll (User32.dll) present in the IAT of an executable (emule.exe), but some of the functions exported by this dll were not in the IAT, while they were actually called by the executable. It's as if the linker optimizes the number of functions that will be linked when the executable loads, even for a dll that is linked when the executable loads.

Re: Am I Missing Something...

qwerty666qwerty666

4:03 29 Dec '05

Sorry, I see. I was missing something.
Sign In·View Thread·PermaLink

Invaluable !

WREY

4:44 26 Dec '05

This is the kind of article that can save you not only a ton of work, but a lot of frustrations and headaches. I know I would have been going around in circles for a very long time before I would have figured out what was happening. Thank you very much for sharing this invaluable piece of information with the community. An easy '5' from me. William Fortes in fide et opere!
Sign In·View Thread·PermaLink

Interesting stuff!

Nishant Sivakumar

1:18 23 Dec '05

Got my 5.
Sign In·View Thread·PermaLink

Delayed loading?

dighn

14:55 22 Dec '05

Could this be standard delayed DLL loading as described here http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx[^] If it is, then you can probably patch the IAT obtained from the delayload data section. It worked for me when I was messing around with it.
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Re: Delayed loading?

Safir Perocheau

0:23 23 Dec '05

No, there are two main differences. 1 : the functions are not in the Delay Import Section, so there is no pre-defined place where to overwrite the address of the targeted function. 2 : the "loader function" described here does not use GetProcAddress to calculate the address of the targeted function (while you can hook GetProcAddress if you want too deal with Delay Import dlls). But still, in its principles, both work almost the same way : the executable waits for the function to be called for the first time to calculate its actual address

Re: Delayed loading?

J0ker

3:40 23 Dec '05

Looks like custom delayed loading. Anyway you can patch export table of user32.dll to hook a function.
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Re: Delayed loading?

dighn

18:23 24 Dec '05

I see... very interesting. I wonder if the source code of eMule contains the code for these loader functions or if it's from somewhere else. Will have to take a look
Sign In·View Thread·PermaLink

Re: Delayed loading?

c2j2

0:31 27 Dec '05

It would be nice to hear the results of your search! Thanks.
Sign In·View Thread·PermaLink

Re: Delayed loading?

Safir Perocheau

13:10 28 Dec '05

Well, SetMenuItemInfo is called from a single location in Emule 0.46c, in TitleMenu.cpp :
VERIFY( SetMenuItemInfo(nIDNewItem, (MENUITEMINFO*)&info, FALSE) );
(the VERIFY macro is the standard MFC VERIFY macro)

In fact, Emule calls the MFC version of SetMenuItemInfo : CMenu::SetMenuItemInfo. In the Release version of Emule, CMenu:SetMenuItemInfo is declared inline, and only returns the Win32 version of SetMenuItemInfo. See afxwin1.inl :

_AFXWIN_INLINE BOOL CMenu::SetMenuItemInfo(UINT uItem, LPMENUITEMINFO lpMenuItemInfo, BOOL 
fByPos)
	{ ASSERT(::IsMenu(m_hMenu)); ASSERT_POINTER(lpMenuItemInfo, MENUITEMINFO);
		return ::SetMenuItemInfo(m_hMenu, uItem, fByPos, lpMenuItemInfo); }

One might wonder if the inline declaration of CMenu::SetMenuItemInfo might have an influence on this optimization after all. The example of ExtractIconEx, imported from Shell32.dll, makes me think it's not the case :
1 while Shell32.dll is in the IAT, ExtractIconEx is not in it and is linked during runtime with the same loader function as SetMenuItemInfo
2 ExtractIconEx is called from a single location in Emule (in Emule.cpp :
int iExtractedIcons = ExtractIconEx(strFullResPath, iIconIndex, aIconsLarge, aIconsSmall, 1));
3 This time it's directly the Win32 version ; and of cource, ExtractIconEx is not inline.

So, there is no optimization in the code itself. I guess the optimization is made by the linker : SetMenuItemInfo is called as if it was called in the DELAY LOAD way, but since User32.dll is loaded when Emule starts (and so, is incorporated in the IAT), the linker cannot add an entry for it in the DELAY LOAD table. This makes the IAT smaller, and since the loader does not have to link all the functions of User32.dll tht will be called, Emule starts faster.

Last Visit: Monday, December 1, 2008 11:46 AM Last Update:Monday, December 1, 2008 11:46 AM

General News Question Answer Joke Rant Admin