Function Hooking

In this tutorial I will try to explain why you would want to hook functions and show you how it is done.

Posted by Bepetemish - Intermediate Client Side Coding

1. Introduction
2. Creating our workspace
3. Analysing
4. Hooking
5. Tips & Tricks
6. Full Source


1. Introduction


Why Hooking:
Wikipedia: Hooking in programming is a technique employing so called hooks to make a chain of procedures as an event handler.

I will try to explain this for people new to programming; you can skip this if you already understand what Wikipedia is saying. In programming you use functions to organise your code and make it easier to call the same chunk of code multiple times from different places. Example function:

int Attacked(int iHp, int iDamage)
{
    iHp = iHp - iDamage; // subtract the damage from the remaining hit points
    return iHp;
}

Let's pretend that this function is part of a big project, a game. When an NPC attacks you, this function gets called. It receives the arguments it needs, "iHp" and "iDamage", where iHp is your hit points left and iDamage is the damage done by the NPC. The function calculates the hit points that remain after the attack and returns the value. In a game there are hundreds or thousands of these functions.
With hooking we can do a couple of things with this function. We can call it whenever we want, prevent it from happening, or make it do something else.

Now, what I am going to try to explain with this tutorial is how you find these functions in an executable and how to hook them. I will give some helpful tips at the end.

2. Creating our Workspace


Stuff you need for this tutorial:

  • Visual Studio 2008 / Visual C++ Express Edition 2008 (Or another C++ compiler but this code is tested on Visual C++ 2008)
  • IDA Pro (Download)
  • Notepad (located in your windows folder)
  • Detours Library (Download, detours.h and detours.lib)
  • Winject(Download)

Let's start with preparing our workspace:

  1. Create a new folder on your desktop and call it 'hooking'
  2. Copy notepad.exe from the windows folder and paste it in folder hooking
  3. Download and install IDA Pro
  4. If you don't already have it, download and install Visual C++ Express Edition 2008 for free, or download and install the trial version of Visual Studio 2008.
  5. Now create a new folder in your hooking folder and call it 'detours'
  6. Download detours.h and detours.lib and place them in the detours folder

Creating our project in Visual C++:

  1. Start Visual Studio 2008
  2. Go to: File > New > Project (or press Ctrl + Shift + N)
  3. Click on 'Empty Project'
  4. Fill in 'SampleHook' as name and your hooking folder as path
  5. Make sure 'Create directory for solution' is ticked on and click OK
  6. Go to: View > Solution Explorer (or press Ctrl + Alt + L)
  7. Right mouse click on 'SampleHook' and choose properties
  8. In this window change 'Application(.exe)' to Dynamic Library(.dll)
  9. Click on 'C/C++' and add the detours folder as directory in 'Additional Include Directories'
  10. Click on Linker and add the detours folder as directory in 'Additional Library Directories'
  11. Choose OK when done.

Our workspace is ready. Let's start with analysing our target (notepad).

3. Analysing


First of all, start IDA Pro. You first get an about screen; press OK. Then you get to the 'Welcome to IDA!' form, where you decide what you want to do: start on a new file (New), work on your own (Go), or open an existing project. I am going to guide you, so choose 'Go'.
Now go to your hooking folder and drag notepad.exe from there into IDA.
On the 'Load a new file' form, tick 'load resources' and click OK.
When IDA Pro asks whether you want to load the corresponding PDB file, choose 'Yes', and IDA Pro will start analysing notepad.
When it is done analysing, open the 'Functions' tab and search for "InsertDateTime(x)".
Right click the function and choose 'Edit function...' from the menu.
A new form pops up with more information about the function. What we want is the value of 'Start address'. For me it is ".text:01006F10", where .text is the section and 01006F10 is the address. Write this down somewhere.
Now press 'Cancel' in this form and double click the function. Scroll up a little until you see something like '; __stdcall InsertDateTime(x)'. Right click this spot and choose 'Set function type...' from the menu. This gives us more information about the function and parameter types. For me it is "int __stdcall InsertDateTime(int)", where the first int is the return type, __stdcall is the calling convention and the second int is the parameter type. Again, write this down somewhere.

We found all the information we need for this function. This is what I, and hopefully you, got:

  • InsertDateTime(x)
  • 01006F10
  • int __stdcall InsertDateTime(int)

Let's move on to the next chapter to find out how to hook this function. Close IDA Pro.

4. Hooking


Okay, the interesting part ^^. The hook I am going to show you is called a 'detour'.
Go to: Project > Add New Item... (or press Ctrl + Shift + A)
In this form, click on 'C++ file(.cpp)' and name it 'main'.
Choose OK.
Let's start with the entry point of our DLL. First include windows.h so we can use the Win32 APIs:

#include <windows.h> 

And include the detours header and library so we can use it:

#include "detours.h"
#pragma comment(lib, "detours.lib")

Now I recommend you just copy/paste the following code. I am not going to explain all of it, because this is basic C++ and not the point of this tutorial, but I did comment it a little =D. Here it is:

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) // Decide what to do
    {
    case DLL_PROCESS_ATTACH: // On DLL attach
        break;
    case DLL_THREAD_ATTACH:  // On thread attach
        break;
    case DLL_THREAD_DETACH:  // On thread detach
        break;
    case DLL_PROCESS_DETACH: // On process detach
        break;
    }
    return TRUE;
}

Okay, what we need to do now is create a prototype of the function we found, so the compiler knows what we are talking about. Add this code between the includes and the entry point:

int (__stdcall* InsertDateTime)(int x); //Function prototype

Now that the compiler knows the function, we are going to create our own. We are going to call it MyInsertDateTime and place it below the prototype and above the entry point. This is what we are going to place:


int __stdcall MyInsertDateTime(int x) // Our function; same calling convention as the original
{
    // Messagebox (the A version works whether the project is built as Unicode or not)
    MessageBoxA(NULL, "InsertDateTime Just Got Called", "InsertDateTime", MB_OK);
    return InsertDateTime(x); // Return the result of the original function
}

As you can see, the value our function returns is the value of the original function. So what we just did is extend the function: it does the same as it always did, with a little extra, showing a messagebox.

But before we can test this, we first need to define the address so the DLL knows where to look for the function. To do this we need to add two chunks of code: one in DLL attach and one in DLL detach.
The following part needs to be placed in the entry point between "case DLL_PROCESS_ATTACH:" and "break;". Here it is:


InsertDateTime = (int (__stdcall*)(int))DetourFunction((PBYTE)0x01006F10, (PBYTE)MyInsertDateTime);

This sets the hook. And because we are clean coders, we are going to unset the hook when the DLL detaches. Detaching also happens when the program closes, so it is the best place to put your cleanup code. Add the following code between "case DLL_PROCESS_DETACH:" and "break;".


DetourRemove((PBYTE)InsertDateTime, (PBYTE)MyInsertDateTime); // Detours 1.x takes the trampoline and the detour, not the target address

  1. Go to: Build > Rebuild SampleHook.
  2. Download Winject from the link above and place it in your hooking folder.
  3. Start Winject.
  4. Click on the button that says '...' in the 'DLL to Inject' groupbox.
  5. Select your DLL: ../hooking/SampleHook/Debug/SampleHook.dll
  6. Open notepad.exe from your hooking folder.
  7. Go back to Winject and select notepad from the combobox in the 'Target Process' groupbox.
  8. Click 'Inject(+)'.
  9. Now in notepad go to: Edit > Time/Date (or press F5) and tadam.....
Messagebox ^^, congrats, you made your first hook!

5. Tips & Tricks


- The reason notepad.exe is so easy is that its program debug database (.pdb) files are available. These files contain information about the executable such as the exact function names. If you want to analyse your own target, you can try to contact the developers for the .pdb file, or look into debugging to find out how to locate functions in an environment that has no .pdb file.
- You can call InsertDateTime from your own code whenever you want to execute the original function.

6. Full Source

Use this source as an example base hook for future projects. Because ModDB doesn't let me add code in a good way, I uploaded it to my server as hooking.rar. It includes the whole hooking folder you build while following this tutorial.
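The pieces from chapter 4 assembled into one main.cpp, as an added example that is not the author's hooking.rar: it stores the function's offset from the image base (preferred base 0x01000000 is an assumption for this notepad.exe) instead of the absolute address, so the hook still lands if the image is relocated, gives the detour the target's __stdcall convention, and passes DetourRemove the trampoline and detour as Detours 1.x expects. Off Windows there is nothing to patch, so the same hook chain is exercised against a constructed stand-in original.

```cpp
#include <cstdint>
#ifdef _WIN32
#include <windows.h>
#include "detours.h"                      // Detours 1.x API, as used in the tutorial
#pragma comment(lib, "detours.lib")
#define CALLCONV __stdcall
#else
#define CALLCONV                          // no Win32 calling conventions elsewhere
#endif
// From the IDA session: target at 0x01006F10; preferred image base 0x01000000 (assumed).
// Keeping the RVA lets the hook find the function even if the image is relocated.
static const std::uintptr_t kPreferredBase     = 0x01000000;
static const std::uintptr_t kInsertDateTimeRVA = 0x01006F10 - kPreferredBase;

typedef int (CALLCONV *InsertDateTimeFn)(int);
static InsertDateTimeFn InsertDateTime = 0;   // trampoline that runs the original code
static int g_hookCalls = 0;

int CALLCONV MyInsertDateTime(int x)          // must use the target's calling convention
{
    ++g_hookCalls;
#ifdef _WIN32
    MessageBoxA(NULL, "InsertDateTime just got called", "InsertDateTime", MB_OK);
#endif
    return InsertDateTime(x);                 // pass through to the original
}
int hookCallCount() { return g_hookCalls; }
#ifdef _WIN32
bool installHook()
{   // GetModuleHandle(NULL) is the base of the host .exe (notepad.exe once injected)
    PBYTE target = (PBYTE)((std::uintptr_t)GetModuleHandle(NULL) + kInsertDateTimeRVA);
    InsertDateTime = (InsertDateTimeFn)DetourFunction(target, (PBYTE)MyInsertDateTime);
    return InsertDateTime != 0;
}
bool removeHook()
{   // DetourRemove takes the trampoline and the detour, not the target address
    return DetourRemove((PBYTE)InsertDateTime, (PBYTE)MyInsertDateTime) != FALSE;
}
BOOL APIENTRY DllMain(HMODULE, DWORD reason, LPVOID)
{
    if (reason == DLL_PROCESS_ATTACH) installHook();
    if (reason == DLL_PROCESS_DETACH) removeHook();
    return TRUE;
}
#else
// Off Windows there is no code to patch: a constructed stand-in original exercises the chain.
static int standInOriginal(int x) { return x * 2; }
bool installHook() { InsertDateTime = standInOriginal; return true; }
bool removeHook()  { InsertDateTime = 0; return true; }
#endif
```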

That's all for now,

Author: Bepetemish
Date: Saturday 1 March
On behalf of: iBepex Team

Comments

Varsity

Anti-cheats like VAC will permanently ban you if they find strange programs hooking their games. Be /incredibly/ careful is all I can say.

Why would you even want to do this, anyway? For those games that don't provide an SDK?

Bepetemish (Author)

Exactly. I'm not trying to get people into game hacking.. Though this is an undetected method if CreateThread isn't detected ;).

icemens

Sorry, where did you say I could get the full source code?
I can't seem to find it ^^

btw, the other links are broken.