[info] Requests/suggestions?

[.::SCHiM::.]

Hey guys,

I'm making a hook library, containing the obvious features and the features discussed in my preview threads some time ago.
Do you have any suggestions of things I might add?
Here's a list of items the library already contains:

Code:

SetHook (Self explanatory)
OverrideHook(Call the Origional function from within the hook)
SetTrap( Hooks all functions that don't have a certain mark, if the mark is absent the call will be redirected to the hook, if the mark is present it will be removed, and the call will be forwarded to the real function)
ReturnHook(Does the same as OverrideHook() but returns execution to the 1st argument)
RemoveHook( Self explanatory)

The library is coded in assembler and can be used by VC++ series, the aim of the library is to make it easier to hook functions. And to improve the efficiency of hacks in general ( asm > C++, in terms of efficiency )

Here's hook a hook on the Sleep() function currently looks:

Code:

int HookTest(){


DWORD hKernel = (DWORD)	LoadLibrary("Kernel32.dll");
hSleep = (DWORD) GetProcAddress((HINSTANCE__ *)hKernel, "Sleep");

int Result = SetHook(hSleep, (unsigned int)&HookTarget, (unsigned int)RestoreBuffer);

if(Result == 0){
   MessageBox(0, "Something went wrong with setting the hook", "SCHiM", MB_OK);
   return 0;
} 

MessageBox(0, "The hook was set", "SCHiM", MB_OK);
return 0;

}

__declspec( naked ) void HookTarget(){

MessageBox(0, "Hook test", "SCHiM", MB_OK);

ReturnHook(hSleep+5, (unsigned int)RestoreBuffer);

}

So do you guys have any suggestions to what I might add to this awesome library ?

[SoWhat]

this is some good idea.. I dont know what you could add :O Good luck on making it

[Void]

And to improve the efficiency of hacks in general ( asm > C++, in terms of efficiency

The hooks people use right now are hard coded in C++, just writing a jump at the start of the function. I don't see how it makes it faster in assembly.

[.::SCHiM::.]

The hooks people use right now are hard coded in C++, just writing a jump at the start of the function. I don't see how it makes it faster in assembly.

I wasn't talking about the jump... I was talking about the functions placing those jumps. You must have noticed that an hello world program made in C++ is about 195 kb's big, one made in assembler comes in under 2.5 kb. Writing the hooking funcions in assembler is an improvement over the C++ ones.

Any suggestions?

[Void]

So you're expecting people to write their functions in assembly? Otherwise your reply makes no sense.

Even if they do write it in assembly, the function that's replacing the original will probably be the same size if it's written in C++. For example, if you hook EndScene or something and want to draw some text on your screen, you'd call DrawTextA, just because you write the call in assembly it doesn't mean the whole Direct3D API is converted into assembly, it will still be the same.

Hell, if we were writing flat binaries, I bet my function would be more efficient than yours if mine was in C++. Compilers do try to optimize, so if you're multiplying maybe the compiler will shift bits instead of executing 'mul' or 'imul'. Unless you're very fluent in assembly it really won't make a difference. And even if it does, you don't see any major changes in performance.

Disregarding everything I just said, the functions that are replacing the original are probably not meant to be written in assembly since you're posting this in the C++ section. So idk where you're getting at. \:

[.::SCHiM::.]

So you're expecting people to write their functions in assembly? Otherwise your reply makes no sense.

Even if they do write it in assembly, the function that's replacing the original will probably be the same size if it's written in C++. For example, if you hook EndScene or something and want to draw some text on your screen, you'd call DrawTextA, just because you write the call in assembly it doesn't mean the whole Direct3D API is converted into assembly, it will still be the same.

Hell, if we were writing flat binaries, I bet my function would be more efficient than yours if mine was in C++. Compilers do try to optimize, so if you're multiplying maybe the compiler will shift bits instead of executing 'mul' or 'imul'. Unless you're very fluent in assembly it really won't make a difference. And even if it does, you don't see any major changes in performance.

Disregarding everything I just said, the functions that are replacing the original are probably not meant to be written in assembly since you're posting this in the C++ section. So idk where you're getting at. \:

This is what I'm getting at:

Code:

  
      void *DetourFunc(BYTE *src, const BYTE *dst, const int len){
          BYTE *jmp = (BYTE*)malloc(len+5);
          DWORD dwBack;
          VirtualProtect(src, len, PAGE_READWRITE, &dwBack);
          memcpy(jmp, src, len);
          jmp += len;
          jmp[0] = 0xE9;
          *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
          src[0] = 0x90; //50
          src[1] = 0x90; // 58
          src[2] = 0xE9;
          *(DWORD*)(&src[3]) = (DWORD)(dst - src) - 7;
          for (int i=7; i<len; i++) src&#91;i] = 0x90;
           VirtualProtect(src, len, dwBack, &dwBack);
          return (jmp-len);
      }

This is as you can see (and probably recognize) a function to place a hook.
Here's how this function looks when it's decompiled:

Code:

0040100C  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
0040100F  |. 83C0 05        ADD EAX,5
00401012  |. 50             PUSH EAX
00401013  |. E8 AD2E0000    CALL Void_ove.00403EC5
00401018  |. 83C4 04        ADD ESP,4
0040101B  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
0040101E  |. 8D4D FC        LEA ECX,DWORD PTR SS:[EBP-4]
00401021  |. 51             PUSH ECX                                 ; /pOldProtect
00401022  |. 6A 04          PUSH 4                                   ; |NewProtect = PAGE_READWRITE
00401024  |. 8B55 10        MOV EDX,DWORD PTR SS:[EBP+10]            ; |
00401027  |. 52             PUSH EDX                                 ; |Size
00401028  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
0040102B  |. 50             PUSH EAX                                 ; |Address
0040102C  |. FF15 00A04000  CALL DWORD PTR DS:[<&KERNEL32.VirtualPro>; \VirtualProtect
00401032  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
00401035  |. 51             PUSH ECX
00401036  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
00401039  |. 52             PUSH EDX
0040103A  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
0040103D  |. 50             PUSH EAX
0040103E  |. E8 4D2B0000    CALL Void_ove.00403B90
00401043  |. 83C4 0C        ADD ESP,0C
00401046  |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
00401049  |. 034D 10        ADD ECX,DWORD PTR SS:[EBP+10]
0040104C  |. 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
0040104F  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
00401052  |. C602 E9        MOV BYTE PTR DS:[EDX],0E9
00401055  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00401058  |. 0345 10        ADD EAX,DWORD PTR SS:[EBP+10]
0040105B  |. 2B45 F4        SUB EAX,DWORD PTR SS:[EBP-C]
0040105E  |. 83E8 05        SUB EAX,5
00401061  |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
00401064  |. 8941 01        MOV DWORD PTR DS:[ECX+1],EAX
00401067  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
0040106A  |. C602 90        MOV BYTE PTR DS:[EDX],90
0040106D  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00401070  |. C640 01 90     MOV BYTE PTR DS:[EAX+1],90
00401074  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
00401077  |. C641 02 E9     MOV BYTE PTR DS:[ECX+2],0E9
0040107B  |. 8B55 0C        MOV EDX,DWORD PTR SS:[EBP+C]
0040107E  |. 2B55 08        SUB EDX,DWORD PTR SS:[EBP+8]
00401081  |. 83EA 07        SUB EDX,7
00401084  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00401087  |. 8950 03        MOV DWORD PTR DS:[EAX+3],EDX
0040108A  |. C745 F8 070000>MOV DWORD PTR SS:[EBP-8],7
00401091  |. EB 09          JMP SHORT Void_ove.0040109C
00401093  |> 8B4D F8        /MOV ECX,DWORD PTR SS:[EBP-8]
00401096  |. 83C1 01        |ADD ECX,1
00401099  |. 894D F8        |MOV DWORD PTR SS:[EBP-8],ECX
0040109C  |> 8B55 F8         MOV EDX,DWORD PTR SS:[EBP-8]
0040109F  |. 3B55 10        |CMP EDX,DWORD PTR SS:[EBP+10]
004010A2  |. 7D 0B          |JGE SHORT Void_ove.004010AF
004010A4  |. 8B45 08        |MOV EAX,DWORD PTR SS:[EBP+8]
004010A7  |. 0345 F8        |ADD EAX,DWORD PTR SS:[EBP-8]
004010AA  |. C600 90        |MOV BYTE PTR DS:[EAX],90
004010AD  |.^EB E4          \JMP SHORT Void_ove.00401093
004010AF  |> 8D4D FC        LEA ECX,DWORD PTR SS:[EBP-4]
004010B2  |. 51             PUSH ECX                                 ; /pOldProtect
004010B3  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]             ; |
004010B6  |. 52             PUSH EDX                                 ; |NewProtect
004010B7  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]            ; |
004010BA  |. 50             PUSH EAX                                 ; |Size
004010BB  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]             ; |
004010BE  |. 51             PUSH ECX                                 ; |Address
004010BF  |. FF15 00A04000  CALL DWORD PTR DS:[<&KERNEL32.VirtualPro>; \VirtualProtect
004010C5  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
004010C8  |. 2B45 10        SUB EAX,DWORD PTR SS:[EBP+10]
004010CB  |. 5F             POP EDI
004010CC  |. 5E             POP ESI
004010CD  |. 5B             POP EBX
004010CE  |. 8BE5           MOV ESP,EBP
004010D0  |. 5D             POP EBP
004010D1  \. C3             RETN

Here's the assembler version (decompiled):

Code:

10001304 >   55             PUSH EBP
10001305     8BEC           MOV EBP,ESP
10001307     68 45BB0210    PUSH HookTest.1002BB45
1000130C     6A 40          PUSH 40
1000130E     6A 05          PUSH 5
10001310     FF75 08        PUSH DWORD PTR SS:[EBP+8]
10001313     E8 D4190100    CALL HookTest._VirtualProtect@16         ;  JMP to kernel32.VirtualProtect
10001318     83F8 00        CMP EAX,0
1000131B     74 43          JE SHORT HookTest.10001360
1000131D     8B5D 0C        MOV EBX,DWORD PTR SS:[EBP+C]
10001320     8D0D 40BB0210  LEA ECX,DWORD PTR DS:[1002BB40]
10001326     41             INC ECX
10001327     83EB 05        SUB EBX,5
1000132A     2B5D 08        SUB EBX,DWORD PTR SS:[EBP+8]
1000132D     8919           MOV DWORD PTR DS:[ECX],EBX
1000132F     49             DEC ECX
10001330     33F6           XOR ESI,ESI
10001332     8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
10001335     8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
10001338     33DB           XOR EBX,EBX
1000133A     8A1C16         MOV BL,BYTE PTR DS:[ESI+EDX]
1000133D     881C06         MOV BYTE PTR DS:[ESI+EAX],BL
10001340 >   46             INC ESI
10001341     83FE 05        CMP ESI,5
10001344    ^75 F4          JNZ SHORT HookTest.1000133A
10001346     33F6           XOR ESI,ESI
10001348     8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
1000134B     33DB           XOR EBX,EBX
1000134D     8A1C0E         MOV BL,BYTE PTR DS:[ESI+ECX]
10001350     881C06         MOV BYTE PTR DS:[ESI+EAX],BL
10001353     46             INC ESI
10001354     83FE 05        CMP ESI,5
10001357    ^75 F4          JNZ SHORT HookTest.1000134D
10001359     B8 01000000    MOV EAX,1
1000135E     C9             LEAVE
1000135F     C3             RETN

It essentially does the same thing, it actually does even more. But I'm not releasing it completely yet so I won't get into that. Having shown this, is it clear what I'm trying to do now?

[Void]

I have a detour function in assembly too. o_O

EDIT: hold up

EDIT again: K so what you're doing in all of this is trying to execute the detour function faster?

[.::SCHiM::.]

I have a detour function in assembly too. o_O

EDIT: hold up

EDIT again: K so what you're doing in all of this is trying to execute the detour function faster?

Yes, and to make it more easy to work with it. My ultimate goal is to enable programmers to use complicated hooks and schemes without having to spend ours on pondering the jumps and calls out. As of now a simple hook can be managed with only 2 function calls. 1 to establish the hook, and 1 to return it to wherever you want it to go, simply returning is also an option of course