News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

[Help] API Hooking via a proxy DLL

Started by Ksbunker, September 09, 2007, 06:52:09 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Ksbunker

September 09, 2007, 06:52:09 AM
Soley to improve my own knowledge on the subject. I'm trying to create a dll that acts as a proxy between the calling process and the target DLL.

I have written a basic 'HelloWorld' Application, that calls messagebox followed by ExitProcess. My intention is to hook the exitprocess and get a messagebox to popup just before it actually terminates...

My proxy kernel32.dll (renamed to vernel32.dll, then patch the target process to point to vernel32.dll NOT kernel32.dll, straight forward, just have to patch one by 'k' to 'v').

Anyway, the dll (bare basics);

Code Select
.386
.model flat,stdcall
option casemap:none

include windows.inc
include kernel32.inc
includelib kernel32.lib

.code

DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE
ret
DllEntry Endp

End DllEntry

The Important part, the .DEF file;

Code Select
LIBRARY vernel32
EXPORTS
ExitProcess <equ> kernel32.ExitProcess

Now, when I patch the process to point to vernel32.dll it does, and forwards the call onto the real kernel32.

This is all fine, no problems. NOW, if I try to 'intercept' the function doing the following, it DOES NOT work.

dll;

Code Select
.386
.model flat,stdcall
option casemap:none

include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

.data

szCaption db "Message!", 0
szText db "ExitProcess Hooked...", 0

.code

DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE
ret
DllEntry Endp

hookedExitProcess PROC code:UINT
INVOKE MessageBox, 0, ADDR szText, ADDR szCaption, 0
INVOKE ExitProcess, code
ret
hookedExitProcess EndP

End DllEntry

and importantly, the .DEF;

Code Select
LIBRARY vernel32
EXPORTS
ExitProcess <equ> hookedExitProcess ;redirect EditProcess call to hooked function

When I open the DLL and click the exported function "ExitProcess" it actually points to the real kernel32.ExitProcess located in the IAT as opposed to my 'hooked' hookedExitProcess function.

Any ideas on how to remedy this??? This process is based on a tutorial I read (Here: http://www.osix.net/modules/article/?id=728) based in C++, but I see no reason why what I have posted is not working?

Anyone have an idea?

Cheers

Timbo

#1
September 09, 2007, 10:59:52 PM
Your use of equ in the DEF file is a bit baffling to me.  Use = instead.  You do understand that a .def is intended for the linker and not the assembler right?

Hope this helps.

Ksbunker

#2
September 10, 2007, 08:05:21 AM
Well, that seemed to fix it straigt up.

Thanks Timbo.

I wasn't aware equ was soley asm, but now I do.
Print
Go Up Pages1
User actions