Function Hook Macros/Procedures

Started by jag, January 23, 2007, 05:34:58 AM


jag

I created a bunch of macros to make it easy to hook API.
They actually use procedures internally to avoid code bloat, since they will perhaps be called numerous times.
Please post any comments.

- Jag

http://modseven.de/pastebin.php?id=1252


ecube

Great job :U The code looks good; however, the program crashes when I try one of your examples. I attached the test files. I'll debug in a bit, but thanks for sharing nonetheless.

[attachment deleted by admin]

jag

I apologize. When I modified the macros I made a mistake (I forgot OFFSET).
Please redownload the file - I have fixed the problem.

If the crash is not caused by the mistake I made, the reason is your executable's write permissions.

When not using the procedural-style hooking, you must make your code section writable.

From the include file:
your .text section needs to be writable if using the non-procedural hooking
if using RadASM, add /SECTION:.text|RWE to the LINK box under Project -> Project Options
otherwise, just add /SECTION:.text,RWE to the linker arguments


Hope this helps and sorry about the problem in the previous include file.

Below, attached are two radasm projects - one for procedural hooking and the other for non-procedural hooking.

[attachment deleted by admin]

ic2

I fired up jagHookTest.exe and it crashed on my XP Pro, no service pack, 498 MHz Intel Celeron. I did not look at the code yet to see what I should have done; I only tried to run the test .exe.

jag

Aye, that is weird. Both of the exes work fine for me.
I have service pack 2 on xp media center edition.

ic2

That's the very reason I write nearly any project using Win 95 to start it off. If it works on 95 and then XP, it should work for everything in between. Not sure about 2000. I caught hell trying to keep up switching and testing back and forth between 95 and XP, but it was worth it. You'd be surprised when something from an XP project should work on 95 but DOESN'T... and you know you have done everything 100% correctly.

It's because XP will allow the code to run, but it has to be modified to work on 9x. (Usually something silly.)

XP has been a big trip for me, but thanks to 95 it can't fool me anymore. Also, what works on one XP might not work under another XP with the same service pack. I think some kind of forgiving XP forces code to allow your program to run on that machine. You've got all kinds of Dr. Watson or whatever that fix your code to run on that machine, but it will not run on another machine without modifications. I experienced this for years but never tried to get to the bottom of it. I just rely on my Win95 when building what XP still allows, then go from there, and it never fails.

I had the same type of problem with 95 back in the day, where a working program stopped working all because I added one line of code to it that should have worked... example: I had to copy all of those files to another folder... delete the old folder... reboot the machine... rename the new folder to the old name, and if there is not a God in Heaven, "IT always WORKED".

Bottom line... the OS will fool you... I can promise you that. Not every coder may experience this, but if you do new things that the OS API has questions about, it simply blocks the code from running. Crazy but TRUE... I just want to make sure everyone remembers, if you step into some (sensible) clever coding, that the OS "IS" capable of fooling you. I guess that's the life of an OS writer, thinking that something is trying to slip in when it actually isn't....

Anyway...

Of course, in this case 9 out of 10 users would have to have Service Pack 2 in order to run it. In my opinion no asm program should end up with these dependencies unless designed to do so. General-purpose coding is the way to go. Hopefully others will test on many OSes and let you know what happened. Your work is very interesting.


I tried to run jagHookTest-NONPROCEDURAL.exe and it also did not run. I even put it on a non-Internet, straight, super clean XP Pro (no service pack) machine and it still failed. (Clean meaning with absolutely no M$ programs or other new tech products installed.) Example: nothing higher than Adobe 5.0 or WP 8 for the OS to start a conflict with.


evlncrn8

Actually, 'if it works on 9x it should work on XP' is a bit wrong. As for not knowing about 2000: if it works on XP, it probably will on 2000...

There are some things you can do in 9x in code that you can't in 2k or higher (NT-based): privileged commands and so on, along with tighter memory access rights. Try reading the BIOS area in 9x, then run the same code in XP...

Call EndDialog without one param: in 9x the GUI is frozen; do it in 2k or higher and it's fine.


u

In Win95/98 you can play with ebx/esi/edi in callbacks, but on WinNT your app will crash. ".shared" segments are forbidden in W2k/XP.
Toying with esp (without changing the bounds via fs:) will kill your app without a crash message on W2k/XP.

It isn't nice to crash your whole OS (95/98) or freeze the gui when there's a bug :)
Please use a smaller graphic in your signature.

jag

Ultrano, I always thought MS was really for backward compatibility :P

I don't see why my hooks would have any problems with win 95. All they do is read and write.
Aye, well it sucks that I don't have a copy of Win 95 so I may find the problem myself. Is it possible one of you could debug and find out where the exception is occurring? I would really appreciate it.

ic2

I was only speaking of standard (portable) coding with 95 that would work with XP also. Either way, whichever one you start building with, it's best to switch before you get too deep in the code to check whether it still works or not, if you can (and you must somehow, unless you're a **darn** good coder).

I choose 95 over 98 or Me to match up with XP until the program is forced to use more API that 95 doesn't support. All of this is still great info. Now I see why I caught hell trying to make 9x code work on XP. I never did understand why until now... many years later...

jag

I will try, but I really don't have debugging experience. There are a few new things I am trying to implement in my program simply because of my excitement over these new ideas, and your hook is one of them. That is how I learn to use, fix or improve code. Whatever I bump into, you will hear from me about it. But for now I'm sure someone can get to the bottom of the immediate problem.

What the heck, now is as good as later. I'll be playing with it all day and night to see what I can see.

jag

Alright, sounds good! I recommend you use OllyDbg and just step through the code with F7. Once you get an exception, mark down the location where it occurs, the surrounding assembly instructions and such. Then I can see what code is causing the problem and perhaps fix it. Thanks.

ic2

jagHookTest-NONPROCEDURAL:



It's kind of strange that if I EXECUTE TILL RETURN with Olly, the program shows your 3 message boxes. After closing the last one, Olly jumps to retn, and int3 code is the next line under it.

I bet if you remove int3 from the program it might work for 9x. This is my first guess...
............................................................
............................................................
............................................................

When I ANIMATE OVER, the first stop is:

At this reading:
$-FF25 14204000

message1  pop-up
jmp near dword ptr ds: [<&user32.Messagebox]
I close it

message2 pop-up
jmp near dword ptr ds: [<&user32.Messagebox]
I close it

message3 pop-up
jmp near dword ptr ds: [<&user32.Messagebox]
I close it

Process terminated, exit code (259) at
call far fword ptr cs: [BFFC9734]

I touched something and it jumped to:
CMP EAX, 0C0


This is surrounded by

push dword ptr ss: [esp+10]
push dword ptr ss: [esp+10]
push 2A005C
call KERNEL32.#8
Cmp eax, 0C0 ........................#####
mov esi, eax
jnz short KERNEL32.BFF99B40
call KERNEL32.BFF8502C
mov eax, esi
pop esi
retn 0C

............................................................
............................................................

When I ANIMATE INTO.... on the 59th step it fires up, woooot, my text!!!
It returns all of the above.... this time including the Windows error message.

............................................................
............................................................


When I try to run it straight up from disk, like clicking a regular program, it returns the Windows error message...

JAGHOOKTEST caused an invalid page fault in
module JAGHOOKTEST.EXE at 0167:0040102a.
Registers:
EAX=0063fdec CS=0167 EIP=0040102a EFLGS=00010217
EBX=407fd074 SS=016f ESP=0063fe18 EBP=0063fe24
ECX=81635440 DS=016f ESI=00000005 FS=2c4f
EDX=bffc9490 ES=016f EDI=bfc0412e GS=0000
Bytes at CS:EIP:
c6 07 e9 89 5f 01 8b 5d 0c 8d 45 08 50 ff 75 08
Stack dump:
8163524c 00000000 00530000 0063ff78 004011e0 004011a7 004011b9 bfc0412e 00000005 bff8b560 00000000 8163524c 00530000 6867614a 746b6f6f 00747365



If this is all that is needed, later on tell me what parts were really important. If what you need is not here, tell me what I need to do. I don't think I crossed anything up; if so, I will try again.



ic2

I wonder why Olly doesn't have print or allow the user to set the speed of stepping through. I would love to slow it way down, and why doesn't it have a way to ring a bell or something to notify you when it reaches a point you set? These are my main reasons for not having interest in debuggers. I never see a way to do these things, but if I could print results, that would be a good start.


jag

Based on the error information you sent me, the problem is occurring in pInstallHook at this line:
264:    mov BYTE PTR [edi], 0E9h

I still don't see why that would cause the problem though. If edi is first virtualprotected, shouldn't that line be fine to execute?