07 Nov

Knowing if and when you can fit a JMP5 binary hook.

First an interesting read on API hooking methods: http://help.madshi.net/ApiHookingMethods.htm

Traditionally, and perhaps the most logical way to do a function hook, is to overwrite the code entry point with a 5 byte JMP instruction that takes a 32-bit relative offset.
IMHO this is sort of the "bread and butter" of binary hooking.
madCodeHook actually uses a 6 byte JMP instruction with a 32-bit absolute offset.
(Incidentally, some people have been known to resort to rather unusual instruction combinations of various lengths in attempts to hide from anti-hack detections.)

Our number one problem is when the function to be hooked is less than 5 bytes in size.
One solution is to use a one byte exception hook instead. These are one byte opcodes such as an int3 instruction.
This works well (with the addition of a custom exception handler), although the exception overhead is rather costly compared to the few cycles of a JMP5.
madCodeHook uses its "mixture mode" for some of these cases. That applies only to API hooks, of course, as there is no import/export table for regular code functions.

07 Nov

Windows binary hook engine design

I’m revisiting my unfinished binary hook engine that I started back in 2007 to hopefully complete it and use it in some current projects.

For people new to such things: it's a programming mechanism that allows you to inject/load a DLL (usually) into a target process, either at the same time it is loaded or afterwards, so that you can modify and/or hijack parts of its code.  See: Hooking at Wikipedia

It's what game hackers and others might use to make "hacks", bots, etc.  But that's not all.  It's along the same lines as "plug-ins", "add-ons", etc.  For instance, there are systems that use a hook system to add TeamSpeak to games so you can graphically see who is speaking.  Firewalls and security software like real-time anti-virus programs might use a hook system too.

When you read about hooking systems you will mostly see API hooking.  But as the Wikipedia article covers to some degree, the whole "hooking" concept is actually a pretty broad topic. It is often maligned due to its notorious uses in malware like rootkits.  But there are as many, if not more, positive, helpful, and useful reasons to use hooking mechanisms.