 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
rovnix
Newbie cheater
![]() Reputation: 0
Joined: 09 Feb 2014
Posts: 18
|
 Posted: Fri Apr 11, 2014 4:21 pm Post subject: [Help] API Hooking C++ / asm |
 |
|
good evening,
I have been trying to figure out what hooking seems like using C++ with inline assembly so i decided to try my hands on something, not sure i went about it the right way just starting out with messagebox hook, so please i do need help seriously
my source code
| Code: |
#include <window.h>
#include <iostream>
typedef int (WINAPI *NewMessageBoxA)(HWND,LPCWSTR,LPCWSTR,UINT);
int WINAPI TestMessageBox(HWND,LPCWSTR,LPCWSTR,UINT);
char *data;
void Hook()
{
data = (DWORD)GetProcAddress(GetModuleHandle("user32.dll"),"MessageBoxA");
_asm
{
xor ebx,ebx
mov eax,MessageBoxA
add eax,2
mov eax,[eax]
mov eax,[eax]
mov MessageBoxA,eax
push ebx
push ebx
call MessageBoxA
nop
nop
nop
nop
nop
nop
mov eax,MessageBoxA
add eax,5
jmp eax
}
}
int main()
{
MessageBox(NULL,"Hooked MessageBox","Hooked",MB_ICONINFORMATION|MB_OK);
}
|
Please I dont mean to overload this forum, just need someone to teach me thats all pls.
|
|
| Back to top |
|
 |
atom0s
Moderator
 Reputation: 205
Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1
|
| Posted: Fri Apr 11, 2014 9:10 pm Post subject: |
|
|
Not really sure what this code is even supposed to do... your Hook() method is doing like 4 different things all of which are not actually hooking anything.
_________________
- Retired. |
|
| Back to top |
|
|
rovnix
Newbie cheater
![]() Reputation: 0
Joined: 09 Feb 2014
Posts: 18
|
| Posted: Sat Apr 12, 2014 12:40 am Post subject: |
|
|
@atom0s, thanks for your reply, i am trying to hook MessageBox, to display this MessageBox(NULL,"Hooked MessageBox","Hooked",MB_ICONINFORMATION|MB_OK);
Forgive my in experience, i just want to learn thats it.
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Sat Apr 12, 2014 3:12 am Post subject: |
|
|
You do realize that your Hooking function isn't even being called...?
for hooking to be possible you actually need to redirect execution from the desired API to you own code, and there is no redirection here though.
btw, what the h3ll that code suppose to do? it doesn't even make sense
_________________
Stylo |
|
| Back to top |
|
|
rovnix
Newbie cheater
![]() Reputation: 0
Joined: 09 Feb 2014
Posts: 18
|
| Posted: Sat Apr 12, 2014 4:48 am Post subject: |
|
|
@stylo, thanks for your reply. i want to do a simple message box hook. following this example, but this is written in asm
| Code: |
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
; FileName: msgbox2.asm
; Function: Demo how to hook MessageBoxA locally
; Author: Purple Endurer
;
; log
;--------------------------------------------------
; 2006-07-10 Optimized code
; 2006-07-08 Created, success under Windows XP +SP1
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
.586p
.model flat, stdcall
option casemap: none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
m_m2m MACRO d1, d2
push d2
pop d1
ENDM
MEMORY_BASIC_INFORMATION_SIZE EQU 28
.data
g_szUser32dll DB "user32.dll", 0
g_szMsgBox DB "MessageBoxA", 0
g_szHookedOK db " has been hooked OK!", 0
.data?
g_dwOld_protect DD ?
g_lpfnMessagBox dword ?
g_dbOldCode db 10 dup(?)
g_dwReaded dword ?
g_hCurProc HANDLE ?
.code
start:
do_hook:
invoke GetModuleHandle, ADDR g_szUser32dll
invoke GetProcAddress, eax, ADDR g_szMsgBox
mov edi, eax ;finally got MessageBoxA address
mov g_lpfnMessagBox, eax
push 0
push OFFSET g_szMsgBox
push OFFSET g_szMsgBox
push 0
call g_lpfnMessagBox ;确认得到MessageBoxA的地址
invoke GetCurrentProcess
mov g_hCurProc, eax
; BOOL ReadProcessMemory(
; HANDLE hProcess, // handle of the process whose memory is read
; LPCVOID lpBaseAddress, // address to start reading
; LPVOID lpBuffer, // address of buffer to place read data
; DWORD nSize, // number of bytes to read
; LPDWORD lpNumberOfBytesRead // address of number of bytes read
; );
invoke ReadProcessMemory, eax, g_lpfnMessagBox, ADDR g_dbOldCode, 10, ADDR g_dwReaded
test eax, eax
jz @FinalMsgBox
invoke VirtualAlloc, 0, MEMORY_BASIC_INFORMATION_SIZE, MEM_COMMIT, PAGE_READWRITE
test eax, eax
jz @FinalMsgBox
mov esi, eax ;allocation for MBI
invoke VirtualQuery, edi, esi, MEMORY_BASIC_INFORMATION_SIZE
;typedef struct _MEMORY_BASIC_INFORMATION { // mbi
; PVOID BaseAddress; // base address of region
; PVOID AllocationBase; // allocation base address
; DWORD AllocationProtect; // initial access protection
; DWORD RegionSize; // size, in bytes, of region
; DWORD State; // committed, reserved, free
; DWORD Protect; // current access protection
; DWORD Type; // type of pages
;} MEMORY_BASIC_INFORMATION;
test eax, eax
jz @free_mem
invoke FlushInstructionCache, g_hCurProc, edi, 5 ;just to be sure
lea eax,[esi+014h]
push eax
push PAGE_EXECUTE_READWRITE
lea eax, [esi+0Ch]
push [eax]
push [esi]
call VirtualProtect
;we will change protection for a moment, so we will be able to write there
test eax, eax
jz @free_mem
mov byte ptr [edi], 0E9h ;写入jmp跳转指令
mov eax, OFFSET @newMsgBox ;计算跳转地址
sub eax, edi
sub eax, 5
inc edi
stosd ;传送32位跳转地址
push OFFSET g_dwOld_protect
lea eax, [esi+014h]
push [eax]
lea eax, [esi+0Ch]
push [eax]
push [esi]
call VirtualProtect ;return back the protection of page
@free_mem:
push MEM_RELEASE
push 0
push esi
call VirtualFree ;free memory
@FinalMsgBox:
invoke MessageBoxA, 0, ADDR g_szMsgBox, ADDR g_szMsgBox, 0
invoke ExitProcess, 0
@newMsgBox: ;004010CD
;mov [esp+16], MB_ICONINFORMATION ;修改信息ICON
m_m2m [esp+16], MB_ICONINFORMATION
;mov [esp+12], OFFSET g_szHookedOK ;修改标题
mov eax, [esp+8] ;修改信息内容
invoke lstrcat, eax, ADDR g_szHookedOK
; BOOL WriteProcessMemory(
; HANDLE hProcess, // handle to process whose memory is written to
; LPVOID lpBaseAddress, // address to start writing to
; LPVOID lpBuffer, // pointer to buffer to write data to
; DWORD nSize, // number of bytes to write
; LPDWORD lpNumberOfBytesWritten // actual number of bytes written
; );
invoke WriteProcessMemory, g_hCurProc, g_lpfnMessagBox, ADDR g_dbOldCode, 10, ADDR g_dwReaded
jmp g_lpfnMessagBox ;push g_lpfnMessagBox
;ret; 10H
end start
|
But i just want it in c++ with inline asm and that has been giving me some hard time, i know some c++, but asm....too difficult for me.
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Sat Apr 12, 2014 11:31 am Post subject: |
|
|
Take a good look how it's done in the example code you posted.
He's getting the address of the desired API, change the page permissions at that address so he'll be able to write his own code in there.
the common change is to use a jump command to your own code and from there you do whatever you want before / after the API is called.
you got a lot to understand before jumping into API hooking you can cause the application to crash if it's not done correctly.
_________________
Stylo |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
