  1. #1 Void

    [Source] Hooking via forced exception

    Super bored so I decided to do this, now I'm bored again. >_>

    The example below shows how forcing an access violation and setting up an exception handler to catch the exception could be used to hook a function. Yep...

    Remember, I'm always looking for criticism to improve my code. |:

    Well, enjoy?

    Code:
    #include <windows.h>
    
    /*
    xor eax,eax
    mov eax,[eax]
    nop
    */
    BYTE bytes[] = { 0x33,0xC0,0x8B,0x00,0x90 }; //force access violation
    
    BYTE origBytes[sizeof(bytes)];
    BYTE *addy;                 //MessageBoxA: its first sizeof(bytes) bytes get replaced
    DWORD oldProtect;
    
    //same arguments and calling convention as MessageBoxA: the fault happens before
    //anything has touched the stack, so the caller's arguments are still in place
    int __stdcall Func(HWND hwnd,LPCSTR text,LPCSTR caption,UINT code)
    {
        text = "Hooked";
        caption = "Hooked";
    
        //the handler already put the original bytes back, so this is the real MessageBoxA
        return MessageBoxA(hwnd,text,caption,code);
    }
    
    LONG CALLBACK ExceptionHandler(PEXCEPTION_POINTERS pException)
    {
        //only handle the access violation we planted; anything else goes to the next handler
        BYTE *faultAddr = (BYTE*)pException->ExceptionRecord->ExceptionAddress;
        if(pException->ExceptionRecord->ExceptionCode != EXCEPTION_ACCESS_VIOLATION
            || faultAddr < addy || faultAddr >= addy+sizeof(bytes))
        {
            return EXCEPTION_CONTINUE_SEARCH;
        }
    
        //restore MessageBoxA (this makes it a one-shot hook) and resume in Func instead
        for(unsigned i=0;i<sizeof(bytes);i++)
        {
            addy[i] = origBytes[i];
        }
        FlushInstructionCache(GetCurrentProcess(),addy,sizeof(bytes));
        VirtualProtect(addy,sizeof(bytes),oldProtect,&oldProtect);
    
        pException->ContextRecord->Eip = (DWORD)Func; //x86 build only
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    
    DWORD WINAPI Main(LPVOID useless)
    {
        while(!GetModuleHandleA("user32.dll"))
        {
            Sleep(10);
        }
    
        //the handler has to be registered before the faulting bytes go in
        AddVectoredExceptionHandler(1,&ExceptionHandler);
    
        addy = (BYTE*)GetProcAddress( LoadLibraryA("user32.dll"),"MessageBoxA" );
    
        VirtualProtect(addy,sizeof(bytes),PAGE_EXECUTE_READWRITE,&oldProtect);
        for(unsigned i=0;i<sizeof(bytes);i++)
        {
            origBytes[i] = addy[i];
            addy[i] = bytes[i];
        }
        FlushInstructionCache(GetCurrentProcess(),addy,sizeof(bytes));
        return 0;
    }
    
    BOOL WINAPI DllMain(HINSTANCE hInst,DWORD dwReason,LPVOID useless)
    {
        if(dwReason == DLL_PROCESS_ATTACH)
        {
            CreateThread(0,0,Main,0,0,0);
        }
        return TRUE;
    }


  3. #2 Kallisti
    This thread was inspired by me.

    Because I can't see the future and that frightens me
    Because I can see the future and that saddens me
    I close my eyes and sink into gentle memories


  5. #3 Void
    Ugh, I should have added the exception handler before writing the bytes to cause the exception. |:

    kdone.

  6. #4 -Raz0r-
    Heh, neato. Might try this out some time soon =o
    Languages: C, C++, x86 ASM, PHP, Lua

  7. #5 Gab
    Quote Originally Posted by Void View Post
    Super bored so I decided to do this, now I'm bored again. >_>

    The example below shows how forcing an access violation and setting up an exception handler to catch the exception could be used to hook a function. Yep...

    Remember, I'm always looking for criticism to improve my code. |:

    Well, enjoy?

    What is a BYTE?

  8. #6 Void
    Quote Originally Posted by xXModz View Post
    What is a BYTE?
    unsigned char.

  9. #7 -Raz0r-
    Apparently it's also something you do to the dust when you reach 2,000 posts..

    If the game has its own exception handler (For a crash log, telling the player something bad happened, etc), would this method not work?
    I've not poked exception handlers enough. Is it limited to where the exception happens or something?
    Languages: C, C++, x86 ASM, PHP, Lua

  10. #8 therofl
    Quote Originally Posted by -Raz0r- View Post
    Apparently it's also something you do to the dust when you reach 2,000 posts..

    If the game has its own exception handler (For a crash log, telling the player something bad happened, etc), would this method not work?
    I've not poked exception handlers enough. Is it limited to where the exception happens or something?
    Well, the first parameter of AddVectoredExceptionHandler is to tell the exception handler whether it's the first handler or the last handler to be called. So assuming this is the last handler created, it should be called first. But I don't know too much about it. |:

    Edit: Mhm, MSDN: If the FirstHandler parameter is nonzero, the handler is the first handler to be called until a subsequent call to AddVectoredExceptionHandler is used to specify a different handler as the first handler.

    I was right.
    Last edited by therofl; 10-02-2010 at 08:16 AM.

  11. #9 Hell_Demon
    Still modifying bytes, thus you might as well use a jmp hook ;P
    Debug Registers
    Ah we-a blaze the fyah, make it bun dem!
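Hell_Demon's pointer to debug registers, worked through as an added example (editor-supplied code, not from anyone in this thread). It hooks MessageBoxA by putting its address in Dr0 as an execute breakpoint, so none of user32's bytes are modified. The Dr7/Dr6 bit helpers, hw_decide and the Hooked/Arm names are hypothetical names chosen for this example; the Windows part assumes a 32-bit build (x86 CONTEXT fields Eip, Dr0, Dr6, Dr7) and is guarded by #ifdef _WIN32 so the decision logic also compiles elsewhere. The recursion problem (the hook calling the real function trips the same breakpoint) is handled with a thread-local flag and the RF bit in EFlags:

```c
#include <stdint.h>
#include <stddef.h>

#define HW_STATUS_SINGLE_STEP 0x80000004u   /* EXCEPTION_SINGLE_STEP: hardware breakpoints raise this too */

/* Dr7: bit 2n = L_n (local enable for slot n); bits 16+4n..17+4n = R/W_n
   (00 = break on instruction fetch); bits 18+4n..19+4n = LEN_n (must be 00 for fetch). */
static uint32_t dr7_set_exec(uint32_t dr7, unsigned slot)
{
    dr7 &= ~(0xFu << (16 + 4 * slot));  /* R/W = 00, LEN = 00 */
    dr7 |=  1u << (2 * slot);           /* L_n */
    return dr7;
}

static uint32_t dr7_clear(uint32_t dr7, unsigned slot)
{
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 &= ~(3u << (2 * slot));         /* L_n and G_n */
    return dr7;
}

/* Dr6 bits B0..B3 say which slot fired; -1 if none (a plain TF single step). */
static int dr6_hit_slot(uint32_t dr6)
{
    for (unsigned s = 0; s < 4; s++)
        if (dr6 & (1u << s)) return (int)s;
    return -1;
}

enum hw_action { HW_PASS, HW_REDIRECT, HW_RESUME_ORIGINAL };

/* in_hook is set while our hook is calling the real function, so the second hit
   on the same breakpoint must run the original instead of recursing into the hook. */
static enum hw_action hw_decide(uint32_t code, uint32_t dr6, uintptr_t ip,
                                uintptr_t target, unsigned slot, int in_hook)
{
    if (code != HW_STATUS_SINGLE_STEP || dr6_hit_slot(dr6) != (int)slot || ip != target)
        return HW_PASS;
    return in_hook ? HW_RESUME_ORIGINAL : HW_REDIRECT;
}

#ifdef _WIN32
#include <windows.h>

static BYTE *g_target;                     /* MessageBoxA */
static __declspec(thread) int g_in_hook;

static int WINAPI HookedMessageBoxA(HWND h, LPCSTR t, LPCSTR c, UINT u)
{
    int r;
    g_in_hook = 1;                         /* next Dr0 hit on this thread = let the original run */
    r = MessageBoxA(h, "Hooked (Dr0)", "Hooked", u);
    g_in_hook = 0;
    return r;
}

static LONG CALLBACK HwHandler(PEXCEPTION_POINTERS e)
{
    CONTEXT *ctx = e->ContextRecord;
    switch (hw_decide(e->ExceptionRecord->ExceptionCode, ctx->Dr6, ctx->Eip,
                      (uintptr_t)g_target, 0, g_in_hook)) {
    case HW_REDIRECT:
        ctx->Eip = (DWORD)HookedMessageBoxA;   /* nothing executed yet: stack is exactly as on entry */
        return EXCEPTION_CONTINUE_EXECUTION;
    case HW_RESUME_ORIGINAL:
        ctx->EFlags |= 0x10000;                /* RF: CPU ignores the fetch breakpoint for this one instruction */
        return EXCEPTION_CONTINUE_EXECUTION;
    default:
        return EXCEPTION_CONTINUE_SEARCH;
    }
}

/* Debug registers are per thread and cannot be set on the running thread itself,
   so a helper thread suspends the target thread and edits its context. */
static DWORD WINAPI ArmThread(LPVOID tid)
{
    HANDLE t = OpenThread(THREAD_ALL_ACCESS, FALSE, (DWORD)(uintptr_t)tid);
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    SuspendThread(t);
    GetThreadContext(t, &ctx);
    ctx.Dr0 = (DWORD)(uintptr_t)g_target;
    ctx.Dr7 = dr7_set_exec(ctx.Dr7, 0);
    SetThreadContext(t, &ctx);
    ResumeThread(t);
    CloseHandle(t);
    return 0;
}

int main(void)
{
    HANDLE h;
    g_target = (BYTE *)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
    AddVectoredExceptionHandler(1, HwHandler);
    h = CreateThread(NULL, 0, ArmThread, (LPVOID)(uintptr_t)GetCurrentThreadId(), 0, NULL);
    WaitForSingleObject(h, INFINITE);
    CloseHandle(h);
    MessageBoxA(NULL, "direct call", "main", MB_OK);   /* lands in HookedMessageBoxA */
    return 0;
}
#endif
```

Build it as a 32-bit console program; the direct MessageBoxA call in main shows the hook's text. Debug registers are per thread, so only threads whose context was armed (here, the main thread) are hooked, only four slots exist, and an attached debugger will fight over them; that is the trade-off against the byte-patching version above.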


  13. #10 therofl
    Quote Originally Posted by Hell_Demon View Post
    Still modifying bytes, thus you might as well use a jmp hook ;P
    Debug Registers
    Yeah, I should have caused an exception in another way, shoulda' just used VirtualProtect and set the rights to page_guard or something..

  14. #11 Hell_Demon
    The only problem is that a page spans quite an address range, so it would trigger for other functions as well (and you can't return to the same function since it'd break again).
    Ah we-a blaze the fyah, make it bun dem!
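therofl's PAGE_GUARD idea and Hell_Demon's two objections (the whole page triggers, and the hook cannot call back into the same function) as an added example, editor-written rather than posted by anyone in this thread. A guard page fires once and the OS clears it; gp_decide (a hypothetical name, like the other identifiers here) sorts each exception into: redirect to the hook when the fault is the fetch of MessageBoxA's first instruction, single-step and re-guard when something else on the same page was touched, re-arm on the resulting single-step trap, or pass anything unrelated to the next handler. The hook re-arms the guard itself after calling the real function. The Windows part assumes a 32-bit build and sits under #ifdef _WIN32:

```c
#include <stdint.h>
#include <stddef.h>

/* Same values as EXCEPTION_GUARD_PAGE and EXCEPTION_SINGLE_STEP in <windows.h>,
   defined here so the decision logic compiles off Windows as well. */
#define GP_STATUS_GUARD_PAGE  0x80000001u
#define GP_STATUS_SINGLE_STEP 0x80000004u

enum gp_action { GP_PASS, GP_REDIRECT, GP_STEP_AND_REARM, GP_REARM };

/* ip is the faulting Eip; touched is the address the CPU accessed
   (ExceptionInformation[1]); page/page_size describe the guarded page. */
static enum gp_action gp_decide(uint32_t code, uintptr_t ip, uintptr_t touched,
                                uintptr_t target, uintptr_t page, size_t page_size,
                                int step_pending)
{
    if (code == GP_STATUS_GUARD_PAGE) {
        if (ip == target)
            return GP_REDIRECT;            /* fetch of the hooked entry point */
        if (touched >= page && touched < page + page_size)
            return GP_STEP_AND_REARM;      /* a neighbour on the same page: run one instruction, re-guard */
        return GP_PASS;                    /* some other guard page, e.g. the stack's */
    }
    if (code == GP_STATUS_SINGLE_STEP && step_pending)
        return GP_REARM;
    return GP_PASS;
}

#ifdef _WIN32
#include <windows.h>

static BYTE     *g_target;                 /* MessageBoxA */
static DWORD     g_prot;                   /* its page protection without PAGE_GUARD */
static uintptr_t g_page;
static size_t    g_page_size;
static __declspec(thread) int g_step_pending;

static void gp_arm(void)
{
    DWORD old;
    VirtualProtect(g_target, 1, g_prot | PAGE_GUARD, &old);
}

static int WINAPI HookedMessageBoxA(HWND h, LPCSTR t, LPCSTR c, UINT u)
{
    /* the fault that brought us here already dropped the guard, so this runs the real MessageBoxA */
    int r = MessageBoxA(h, "Hooked (guard page)", "Hooked", u);
    gp_arm();                              /* re-guard for the next caller */
    return r;
}

static LONG CALLBACK GpHandler(PEXCEPTION_POINTERS e)
{
    EXCEPTION_RECORD *rec = e->ExceptionRecord;
    CONTEXT *ctx = e->ContextRecord;
    uintptr_t touched = rec->NumberParameters >= 2 ? (uintptr_t)rec->ExceptionInformation[1] : 0;
    switch (gp_decide(rec->ExceptionCode, ctx->Eip, touched,
                      (uintptr_t)g_target, g_page, g_page_size, g_step_pending)) {
    case GP_REDIRECT:
        ctx->Eip = (DWORD)HookedMessageBoxA; /* nothing executed yet: stack is exactly as on entry */
        return EXCEPTION_CONTINUE_EXECUTION;
    case GP_STEP_AND_REARM:
        g_step_pending = 1;
        ctx->EFlags |= 0x100;              /* TF: trap after the next instruction */
        return EXCEPTION_CONTINUE_EXECUTION;
    case GP_REARM:
        g_step_pending = 0;                /* CPU cleared TF when it raised the trap */
        gp_arm();
        return EXCEPTION_CONTINUE_EXECUTION;
    default:
        return EXCEPTION_CONTINUE_SEARCH;
    }
}

int main(void)
{
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION mbi;
    GetSystemInfo(&si);
    g_page_size = si.dwPageSize;
    g_target = (BYTE *)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
    g_page = (uintptr_t)g_target & ~(uintptr_t)(g_page_size - 1);
    VirtualQuery(g_target, &mbi, sizeof mbi);
    g_prot = mbi.Protect & ~PAGE_GUARD;
    AddVectoredExceptionHandler(1, GpHandler);
    gp_arm();
    MessageBoxA(NULL, "first", "direct call", MB_OK);    /* hooked */
    MessageBoxA(NULL, "second", "direct call", MB_OK);   /* hooked again: the hook re-armed the guard */
    return 0;
}
#endif
```

Every instruction that runs on the user32 page around MessageBoxA now costs two exceptions (guard fault, then single-step trap), and while the hook is inside the real MessageBoxA the guard is down for every thread, so concurrent callers slip through. That is the price of not touching the bytes, and why the hardware-breakpoint route is usually preferred when the code must stay unmodified.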

