
I just started using the MS Detours library, and I would like to know how to hook an exe file using it. I got the function offset from IDA Pro; however, I don't know what address I should hook to. It gives an access violation if I hook to the offset using the withdll.exe tool. Could someone show me an example of hooking an exe, if it is possible?

Cool_er
  • Did you try the offset minus the image base offset? – fassl Jul 04 '15 at 00:21
  • @fassl No, I didn't. How do I get it? If by getting the current process and casting it to a void pointer, then I am not able to subtract it. – Cool_er Jul 04 '15 at 07:10
  • You can see the image base offset in the summary of the examined file, the first thing before any code in the IDA view. You can cast it to DWORD or QWORD and add the function offset minus the image base. Also be sure, if you are overwriting stuff (I don't know how Detours does the hooking), to prepare the address with VirtualProtect, i.e. allow writing to or execution of the memory range. Possibly Detours does this for you, I don't know, just giving a hint. – fassl Jul 04 '15 at 11:43
  • Hmmm... Can't get it to work... the imagebase is `0x400000`, and the function location is `0x401652`, even if I cast those to DWORD and subtract the image base the program just crashes with the error `StackHash_4c0d`. – Cool_er Jul 04 '15 at 14:21
  • You have to add 0x1652 to the image handle address. – fassl Jul 04 '15 at 14:47
  • Sorry, module handle, see https://msdn.microsoft.com/en-us/library/windows/desktop/ms683199(v=vs.85).aspx – fassl Jul 04 '15 at 14:49
  • Do you mean I should do it like that: `function to detour address = (DWORD)GetModuleHandle(NULL) + 0x1652`? If so, then it still crashes, but it shows that the exe caused it instead of the injected dll. Also for the reason it doesn't state `AppCrash` anymore, but `BEX`. – Cool_er Jul 04 '15 at 15:31
  • Yes, if it is a 32-bit app; if it is 64-bit you need a QWORD. What is BEX? Anyway, it seems the hook worked? You could try to put `__asm int 3;` at the beginning of the hook function; if your hook was successful, an MSVS dialog should appear and let you attach to the process with a debugger. – fassl Jul 04 '15 at 15:47
  • Well, after some changes my app doesn't crash anymore, but it still runs the standard function, instead of the detoured one. I checked again the addresses: imagebase `0x400000`, function location `0x401652`, so the offset is `0x1652`, and the address for detour is this `(DWORD)GetModuleHandle(NULL) + 0x1650` and I used the attach detour function like this `DetourAttach(&(PVOID&)real, Detoured);`. – Cool_er Jul 05 '15 at 07:07
  • http://zenersblog.blogspot.co.at/2008/04/api-hooking-with-detours-part-1.html?m=1 – fassl Jul 05 '15 at 11:51
  • I am already doing it like that, but from the DLL I can't even call the real function. I disabled `Windows Data Execution Prevention`; maybe it has something to do with the EXE that I detour. Could you somehow take a look at my project (it has both the source and the binaries)? [link](http://www.mediafire.com/download/50tj3jngd80jha7/Test.zip) – Cool_er Jul 05 '15 at 13:27
  • I don't really know what's wrong; the way we find the address seems to be correct, since the memory at that address looks like the function you want to hook. A problem could probably be that the instruction at the ToHack offset is actually just a jump instruction to the real function; you should be able to just alter that address to your new function. The problem here is that you don't have enough space to do an absolute jump. You will need to calculate a relative address to your new function and override the value at 0x1652 + hm. – fassl Jul 05 '15 at 15:48
  • If you try to hook the function in the exe itself and debug it, you can see that the target function is always at a different random address. ASLR is going on. I don't know how to get the real function address reliably, so kind of stuck right now, also do not have the time to look into it. Good luck with your project. – fassl Jul 05 '15 at 21:29
  • All right I recompiled the test exe without `random base address`, and now it gives the same address in debug view(0x004016D6, which corresponds to the function location in `IDA Pro`), however no matter what address to detour I specify it prints out 0x404000D8. – Cool_er Jul 06 '15 at 07:08
  • Also, the address seems to change after the DetourAttach; before it is the same as the real function's, but the program still uses the one in the exe. It seems to me that the detour function just doesn't get called. Perhaps after the detour the function gets back its original address? Or the detach is called right after attach? – Cool_er Jul 06 '15 at 07:20
  • The attaching/detaching is fine, it's just that we don't know the real address of the function. Still, even with a fixed base the functions are at different addresses every time. You can observe that by debugging your exe: put a breakpoint in the ToHook function, then in the memory window put ToHook as the address, and you will get to the real address of the function. – fassl Jul 06 '15 at 11:26
  • Haha! Got it working! Apparently it was the project itself that was broken. Even though incremental linking was disabled, it would generate a jmp stub and wouldn't let me modify it. I just created a new project and tested it, and it works just fine! Thanks for your help! – Cool_er Jul 06 '15 at 12:58
  • Nice, glad you got it working. – fassl Jul 06 '15 at 13:48

1 Answer


The StackHash crash happens because you are probably trying to execute code from the page that does not have EXECUTE access. You can disable DEP just to make sure this is the cause for the crash. Subsequently, if this is indeed the case, you should use VirtualProtect or VirtualProtectEx to modify the page protection using one of the protection constants that include EXECUTE access (you can see the list of the constants here). As per the address/offset calculation, I don't see any problem with that in your description.

Below are the instructions on how to disable DEP:

  1. Click on the Start menu and then go to the Control Panel.
  2. Click on System Maintenance and then System.
  3. Choose Advanced System Settings.
  4. Under System Properties, select Settings from the Performance section at the top.
  5. Click on the Data Execution Prevention tab.
  6. Select “Turn on DEP for all programs and services except those I select”.
  7. Find the executable file for the application that triggered the error.
  8. Select the application causing the error and click Open to add it to your DEP Exceptions list.
  9. Click OK to save your new settings.

Hope this helps.

David Elkind
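The pieces the comment thread arrives at one by one (rebase the IDA address against the module base because of ASLR, make sure you are patching the function body rather than an incremental-linking jmp thunk, then DetourAttach inside a transaction) fit together as follows. This is an added example, not code from the question, the answer, or the Detours project. The image base `0x400000` and function address `0x401652` are the values quoted in the comments; the function name `ToHook`, its `int __cdecl (int)` signature, and the helper names `rebase`, `follow_jmp_thunks` and `self_check_thunk` are assumptions made for illustration. The helpers compile on any platform; the `DllMain` that installs the hook is Windows-only and needs `detours.h`/`detours.lib`. Detours changes the page protection of the code it patches itself, so no separate VirtualProtect call is needed for the DetourAttach path.

```c
/* Added example, not from the original page. Hook a function that lives
 * inside the target .exe itself, given only the address IDA shows.
 *
 * Assumptions (hypothetical, chosen to match the thread):
 *   - IDA shows the image base as 0x400000 and the function at 0x401652.
 *   - The target is 32-bit x86 and the function is `int __cdecl ToHook(int)`.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IDA_IMAGE_BASE 0x400000u   /* image base shown by IDA for the examined file */
#define IDA_TARGET_VA  0x401652u   /* function's virtual address in IDA */

/* Convert the address IDA shows into the address inside the running process.
 * IDA VAs assume the preferred image base; with ASLR the module may be loaded
 * elsewhere, so only the RVA (VA - image base) is stable across runs. */
static uintptr_t rebase(uintptr_t ida_va, uintptr_t ida_image_base,
                        uintptr_t runtime_module_base)
{
    return runtime_module_base + (ida_va - ida_image_base);
}

/* Follow a chain of `E9 rel32` (jmp rel32) instructions. Incrementally linked
 * builds make the symbol point at a jump thunk; hooking the thunk instead of
 * the real body is one way a detour can appear never to be called. */
static const uint8_t *follow_jmp_thunks(const uint8_t *code, int max_hops)
{
    while (max_hops-- > 0 && code[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);  /* little-endian signed rel32 */
        code = code + 5 + rel;               /* relative to the next instruction */
    }
    return code;
}

/* Self-check on a constructed 32-byte buffer (not real program bytes): a jmp
 * at offset 0 whose rel32 lands on a `push ebp` at offset 16. Returns the
 * resolved offset, which should be 16. */
static ptrdiff_t self_check_thunk(void)
{
    uint8_t buf[32] = {0};
    buf[0]  = 0xE9;   /* jmp rel32 */
    buf[1]  = 0x0B;   /* rel32 = 11 -> 0 + 5 + 11 = 16 */
    buf[16] = 0x55;   /* push ebp: start of the real function body */
    return follow_jmp_thunks(buf, 4) - buf;
}

#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")

typedef int (__cdecl *ToHook_t)(int);
static ToHook_t RealToHook = NULL;   /* after DetourAttach this points at the trampoline */

static int __cdecl HookedToHook(int x)
{
    OutputDebugStringA("HookedToHook called\n");
    return RealToHook(x);            /* call the original through the trampoline */
}

/* withdll.exe needs the injected DLL to export at least one function. */
__declspec(dllexport) void DetourExport(void) {}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (DetourIsHelperProcess()) return TRUE;

    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hinst);
        DetourRestoreAfterWith();    /* clean up after withdll.exe's injection */
        /* GetModuleHandle(NULL) is the base of the .exe that loaded us,
           whatever address ASLR picked for this run. */
        uintptr_t base   = (uintptr_t)GetModuleHandleA(NULL);
        uintptr_t target = rebase(IDA_TARGET_VA, IDA_IMAGE_BASE, base);
        /* Skip any jmp thunk so the patch lands on the real body. */
        target = (uintptr_t)follow_jmp_thunks((const uint8_t *)target, 4);

        RealToHook = (ToHook_t)target;
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach((PVOID *)&RealToHook, (PVOID)HookedToHook);
        if (DetourTransactionCommit() != NO_ERROR)
            OutputDebugStringA("DetourAttach failed\n");
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach((PVOID *)&RealToHook, (PVOID)HookedToHook);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Build the file as a 32-bit DLL against the same architecture as the target and inject it with `withdll.exe /d:hook.dll target.exe`; the `OutputDebugStringA` line shows up in DebugView or in the debugger's output window when the hooked function runs. The thunk-following helper is the point to watch: if the first byte at the rebased address is not something that looks like a prologue and not an `E9`, the address arithmetic (or the IDA image base you copied) is wrong and you should stop before calling DetourAttach.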