|
Magic APIs hooking in Windoze |
Our own tools |
slightly edited by fravia+
Besides we are starting right now (with +RCG's help) the new and important +HCU's project 'Our tools'... this article about APIs intercepting, together with +RCG explanations of the very poorly explained "vxd magic" in Windoze (see +RCG's new essays starting from Our protections) represents the 'basic material' to start the new project... so work on this!
In the mean time... a 'polite' question to +RCG... my friend, could you please spend some more time commenting the code? You'll agree with me that for instance your "LOST CODE is the original code 'under' the call FHK95.DLL" is a little too cryptic for many readers :-)
That's how the light gets in
APIs hooking: an useful essay for beginners and intermediates alike (and an useful tool for the +HCU :-)
Written by +RCG
No Introduction
softice
~
prudens' site at http://www.spywindows.com
H
E
E
S
S
A
Y
COMSPY98 A TOOL OF OUR TRADE Well this utility can be useful to study what personal information give away some 'Trojan Horses' like Micro$oft's IE (Ughhh!!!). Also it can be useful to understand how computers 'talk' and exchange information, but for me, the best is that I can learn how THIS TARGET itself hooks APIs... do you understand me? D'you understand HOW IMPORTANT this is for us? After all we need to hook (or unhook) freely, so much as necesary to understand (or remove) the protection schemes we find. You already know something about this subject from Footstep's essay about MemMonitor95... well, let us assume we don't know nothing, what do we have here? A regdll32.dll file, and some crippled functions, but the target can be registered by a key. Well, quite a lot of info already, thinking of it! Fire the target and a Nagscreen will at once ask you for a file called COM98UR.DAT. All right!!!! Let's remove all this crap in 30 seconds flat (plus the time w32dasm takes in my 486 to dissasemble 356 Kb)... we need to see the whole target working in order to decide if we need to study (and ameliorate) part of its code for our purposes. If you have never cracked for "real" educational reasons until now, this target will offer you the perfect opportunity to do it! Fishing strings for COM98UR.DAT we find a call to a function on the regdll32.dll (these programmers will never learn... it is easy, man, simple name it sunnyday.dll or whatever), then we see the first cmp with a jmp if it is zero. Lets see, some lines below..., ah!!! This EVAL copy ...will expire on..., that's all you need. The crack is so stupidly easy that we don't need to explain it. Ok!!! now we can hook and unhook whatever we want with this target, but only now comes the REALLY interesting part: how does this program perform such hooking? (That is what we really need to know). Lets use a kernel32 function like CloseHandle. Before loading Comspy98 fire winice and: u closehandle 137:???????? 83EC1C SUB ESP,1C 137:???????? A17CC2FBBF MOV EAX,[BFFBC27C] .. .. .. Now fire Comspy98, hook closehandle, fire winnie and: u closehandle 137:???????? E8694BBCC4 CALL 84B407E0 137:???????? C2FBBF RET BFFB Ignore the 'RET BFFB' because it is only what the disassembler inside winice makes out of the remaining last bytes of the previous MOV EAX,[BFFBC27C] So we have now a "new" hooking call... mmm... What is stored at 84B407E0? Oh!!! it is the FHK95.DLL file, lets have a look: 44 inc esp 44 inc esp 44 inc esp 44 inc esp 90 nop 90 nop 90 nop 90 nop 6800000100 push 00010000 ;*for this function E80EF8FDFF call 84F40000 C20400 ret 0004 Searching for "44" I found this interesting snippet of code: :BFF72D55 8B45F4 mov eax, dword ptr [ebp-0C] :BFF72D58 83C001 add eax, 00000001 :BFF72D5B 8945F4 mov dword ptr [ebp-0C], eax :BFF72D5E 817DF4D0070000 cmp dword ptr [ebp-0C], 000007D0 :BFF72D65 0F8D2A010000 jnl BFF72E95 :BFF72D6B 8B4DF4 mov ecx, dword ptr [ebp-0C] :BFF72D6E C1E105 shl ecx, 05 :BFF72D71 C681C017F9BF44 mov byte ptr [ecx+BFF917C0], 44 :BFF72D78 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72D7B C1E205 shl edx, 05 :BFF72D7E C682C117F9BF44 mov byte ptr [edx+BFF917C1], 44 :BFF72D85 8B45F4 mov eax, dword ptr [ebp-0C] :BFF72D88 C1E005 shl eax, 05 :BFF72D8B C680C217F9BF44 mov byte ptr [eax+BFF917C2], 44 :BFF72D92 8B4DF4 mov ecx, dword ptr [ebp-0C] :BFF72D95 C1E105 shl ecx, 05 :BFF72D98 C681C317F9BF44 mov byte ptr [ecx+BFF917C3], 44 :BFF72D9F 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72DA2 C1E205 shl edx, 05 :BFF72DA5 C682C417F9BF90 mov byte ptr [edx+BFF917C4], 90 :BFF72DAC 8B45F4 mov eax, dword ptr [ebp-0C] :BFF72DAF C1E005 shl eax, 05 :BFF72DB2 C680C517F9BF90 mov byte ptr [eax+BFF917C5], 90 :BFF72DB9 8B4DF4 mov ecx, dword ptr [ebp-0C] :BFF72DBC C1E105 shl ecx, 05 :BFF72DBF C681C617F9BF90 mov byte ptr [ecx+BFF917C6], 90 :BFF72DC6 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72DC9 C1E205 shl edx, 05 :BFF72DCC C682C717F9BF90 mov byte ptr [edx+BFF917C7], 90 :BFF72DD3 8B45F4 mov eax, dword ptr [ebp-0C] :BFF72DD6 C1E005 shl eax, 05 :BFF72DD9 C680C817F9BF68 mov byte ptr [eax+BFF917C8], 68 :BFF72DE0 8B4DF4 mov ecx, dword ptr [ebp-0C] :BFF72DE3 C1E105 shl ecx, 05 :BFF72DE6 C681C917F9BF00 mov byte ptr [ecx+BFF917C9], 00 :BFF72DED 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72DF0 C1E205 shl edx, 05 :BFF72DF3 C682CA17F9BF00 mov byte ptr [edx+BFF917CA], 00 :BFF72DFA 8B45F4 mov eax, dword ptr [ebp-0C] :BFF72DFD C1E005 shl eax, 05 :BFF72E00 C680CB17F9BF00 mov byte ptr [eax+BFF917CB], 00 :BFF72E07 8B4DF4 mov ecx, dword ptr [ebp-0C] :BFF72E0A C1E105 shl ecx, 05 :BFF72E0D C681CC17F9BF00 mov byte ptr [ecx+BFF917CC], 00 :BFF72E14 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72E17 C1E205 shl edx, 05 :BFF72E1A C682CD17F9BFE8 mov byte ptr [edx+BFF917CD], E8 :BFF72E21 8B45F4 mov eax, dword ptr [ebp-0C] :BFF72E24 C1E005 shl eax, 05 :BFF72E27 C680D217F9BFC2 mov byte ptr [eax+BFF917D2], C2 :BFF72E2E 8B4DF4 mov ecx, dword ptr [ebp-0C] :BFF72E31 C1E105 shl ecx, 05 :BFF72E34 C681D317F9BF00 mov byte ptr [ecx+BFF917D3], 00 :BFF72E3B 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72E3E C1E205 shl edx, 05 :BFF72E41 C682D417F9BF00 mov byte ptr [edx+BFF917D4], 00 :BFF72E48 8B45F4 mov eax, dword ptr [ebp-0C] :BFF72E4B C1E005 shl eax, 05 :BFF72E4E C680D517F9BF00 mov byte ptr [eax+BFF917D5], 00 :BFF72E55 8B4DF4 mov ecx, dword ptr [ebp-0C] :BFF72E58 C1E105 shl ecx, 05 :BFF72E5B C681DF17F9BF00 mov byte ptr [ecx+BFF917DF], 00 :BFF72E62 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72E65 C1E205 shl edx, 05 :BFF72E68 81C2D217F9BF add edx, BFF917D2 :BFF72E6E B80010F7BF mov eax, BFF71000 :BFF72E73 2BC2 sub eax, edx :BFF72E75 8945F8 mov dword ptr [ebp-08], eax :BFF72E78 6A04 push 00000004 :BFF72E7A 8D4DF8 lea ecx, dword ptr [ebp-08] :BFF72E7D 51 push ecx :BFF72E7E 8B55F4 mov edx, dword ptr [ebp-0C] :BFF72E81 C1E205 shl edx, 05 :BFF72E84 81C2CE17F9BF add edx, BFF917CE :BFF72E8A 52 push edx :BFF72E8B E80AEAFFFF call BFF7189A :BFF72E90 E9C0FEFFFF jmp BFF72D55 What is this...? It is selfmodifying the code....lets see umm!!! MAP32 FHK95.DLL ==> this area is DATA, so it is executing at the area code!!!!! I can't believe it!!!! Lets use one of my old programs, and I will force the execution of data 'code'. Wait!!!! Look!!! Oh!!!! no problem it runs fine, good idea indeed (this is another trick to create selfmod. code.) If I now hook the CreateFile function as well I get the same, except for the 'push 10000h', now it is 'push 20000h' I am thinking it copies part of the routine, umm!!! lets see... trace until the real code is executed. Exported fn(): ExpFn0016() - Ord:00C9h :BFF71000 55 push ebp :BFF71001 8BEC mov ebp, esp :BFF71003 83EC6C sub esp, 0000006C :BFF71006 53 push ebx :BFF71007 56 push esi :BFF71008 57 push edi :BFF71009 C745E000000000 mov [ebp-20], 00000000 :BFF71010 FF1590F1FABF Call dword ptr [BFFAF190]GetCurrentProcess :BFF71016 8945E4 mov dword ptr [ebp-1C], eax :BFF71019 FF157CF1FABF Call dword ptr [BFFAF17C]GetCurrentProcessId :BFF7101F 8945F0 mov dword ptr [ebp-10], eax :BFF71022 FF15A8F1FABF Call dword ptr [BFFAF1A8]GetCurrentThread :BFF71028 8945F8 mov dword ptr [ebp-08], eax :BFF7102B FF15E0F1FABF Call dword ptr [BFFAF1E0]GetCurrentThreadId :BFF71031 8945E8 mov dword ptr [ebp-18], eax :BFF71034 C745FC00000000 mov [ebp-04], 00000000 .. .. .. :BFF7129A 8B08 mov ecx, dword ptr [eax] :BFF7129C 890D1C07F8BF mov dword ptr [BFF8071C], ecx :BFF712A2 8B55CC mov edx, dword ptr [ebp-34] :BFF712A5 FF12 call dword ptr [edx] <==Here :BFF712A7 8945F4 mov dword ptr [ebp-0C], eax .. .. :BFF71400 8B45D8 mov eax, dword ptr [ebp-28] :BFF71403 5F pop edi :BFF71404 5E pop esi :BFF71405 5B pop ebx :BFF71406 8BE5 mov esp, ebp :BFF71408 5D pop ebp :BFF71409 C20400 ret 0004 Tracing a little we can get: * Referenced by a Jump at Address:BFF71757(U) | :BFF71762 6A00 push 00000000 :BFF71764 8B45F4 mov eax, dword ptr [ebp-0C] :BFF71767 50 push eax :BFF71768 8B4DCC mov ecx, dword ptr [ebp-34] :BFF7176B 51 push ecx :BFF7176C E8A2010000 call BFF71913 <== Here :BFF71771 8945D4 mov dword ptr [ebp-2C], eax :BFF71774 C745D001000000 mov [ebp-30], 00000001 Tracing the call finally we get: LOST CODE LOST CODE push next_instrucion_at_lost_code_offset ret LOST CODE is the original code 'under' the call FHK95.DLL Ok!!!! Lets pull some conclusions out of this "mess": A VxD is needed to patch the Kernel32. We can execute code at data areas. We have discovered new ways to monitor API,s. So, this will be the flow of our own Monitor_Api_Program. At the beginning of the API function we will put a jmp/call to our own code. We will analize the stack and get the valuable data we are seeking. We will execute the missing code in our area. We will return the control (if needed, because sometimes it can be interesting to return instead to the program with our own answers :-) You have now enough data! Work on it, it's GREAT fun!!!!! +rcg 1998
Notes
OK, so this essay opens officially the new +HCU project: Our tools: 1) The +HCU's API interceptor
Back to Ourtools Project
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia+
Is reverse engineering legal?