Can I get some opinions?

I am writing a library for hooking and injecting and wanted to share it with this community. I would like some external feedback, I would ask friends, but most of them just aren't that much into hacking games...

http://www.mpgh.net/forum/31-c-c-pro...echniques.html

VTable hooking would be a nice thing to add, other then that: looking good.

So the advantage that VMT hooking has over other forms is that you can have only a specific instance of an object be hooked? I have never heard of VMT hooking until you mentioned it and I read http://www.mpgh.net/forum/289-allian...t-hooking.html. This looks interesting... Is it something that is really useful?

---------- Post added at 08:12 PM ---------- Previous post was at 08:09 PM ----------

Oh and I was thinking about some other stuff to add, like NopInstructions(Location,NumberOfInstructions) could use the disassembly engine to determine the length of nops to write, and maybe even take a variable to copy of original bytes off to somewhere to safe keeping.

Code:

/**
	@brief	Write 0x90's to create a NOP sled at the specified address.

	@param	[IN] pInstructions - A pointer to the instructions to overwrite with a nop sled.
	@param	[IN] dwInstructionCount - The number of instructions to overwrite with NOPs.
	@param	[OUT] pOriginalInstructions - (optional) A buffer to receive the instructions that were at 
		the address before they get overwritten with NOPs. If this is NULL, the parameter is ignored.

	@return	DWORD number of BYTES written.
**/
DWORD writeNopSled(PVOID pInstructions, DWORD dwInstructionCount, PBYTE pOriginalInstructions){
	PVOID pAddr = pInstructions;

	// Count the bytes.
	for(DWORD i=0;i<dwInstructionCount;i++){
		 pAddr = (PVOID)((DWORD)pAddr + getInstructionLength(pAddr));
	}

	// This gets optomized out, but its nice to look at in C.
	DWORD byteCount = (DWORD)pAddr - (DWORD)pInstructions;

	// Just a nice way to look at things.
	PBYTE pOpCode = (PBYTE)pInstructions;

	// Save off the old bytes.
	if(pOriginalInstructions != NULL){
		for(DWORD i=0;i<byteCount;i++){
			pOriginalInstructions[i] = pOpCode[i];
		}
	}

	// Write out NOP Sled.
	for(DWORD i=0;i<byteCount;i++){
		pOpCode[i]=0x90;
	}

	return byteCount;
}

Now people can write NOP sleds based on number of instructions. So for x64/x86 its the same function call (except the address ofc).

Also, posted an ASM/C snippet for DLL self unloading. So people can use Inject to unload their injected DLL from within itself...

http://www.mpgh.net/forum/31-c-c-pro...ml#post5871535

Updated Injex SVN, here are the notes: http://code.google.com/p/injex/source/detail?r=28

Originally Posted by megamandos

So the advantage that VMT hooking has over other forms is that you can have only a specific instance of an object be hooked? I have never heard of VMT hooking until you mentioned it and I read http://www.mpgh.net/forum/289-allian...t-hooking.html. This looks interesting... Is it something that is really useful?

---------- Post added at 08:12 PM ---------- Previous post was at 08:09 PM ----------
Oh and I was thinking about some other stuff to add, like NopInstructions(Location,NumberOfInstructions) could use the disassembly engine to determine the length of nops to write, and maybe even take a variable to copy of original bytes off to somewhere to safe keeping.

No, it doesn't just work for 1 instance of a class. Function code isn't duplicated for every instance of a class. The function addresses are in the virtual function table, so by modifying these to point to your hook, the next time a class looks up the address of a function, it'll redirect to your function instead. It's pretty neat.

Yes, but you could just use the EntryStub_hook functionality from Injex to do exactly the same thing, in a MUCH less detectable way. Right? Other than altering single instances of class' VMTs, I don't see much of an advantage.

Originally Posted by megamandos

It's not necessarily less detectable. With even basic checks your hook would be detected, as would a VTable hook. However, with a VTable hook you don't even need to install a stub.

Originally Posted by Jason

However, with a VTable hook you don't even need to install a stub.

Now there is the advantage I was looking for. Thanks

From what I gather each instance of the class has a pointer in it to the VMT. So you could copy the VMT and change the pointer in just that instance, so it would be less detectable...

Originally Posted by megamandos

From what I gather each instance of the class has a pointer in it to the VMT. So you could copy the VMT and change the pointer in just that instance, so it would be less detectable...

Except then you need to locate the class instances BEFORE you hook, which is a lot more of a pain, especially when dealing with constantly recreated objects.

Oh ic. I just need to find out the layout of the VTables themselves in VC++, because I cant seem to find anywhere listing if they are just pointer arrays or if there is some sort of metadata and its an array of basic data structs or something. You know somewhere I might find this? Or do you, possibly, know and could tell me? I could do some RE i guess, but someone telling me would be so much easier lol.

The VTable itself is just a linear array of function addresses. The only time I've used VTable hooking was with D3D, and that has a lot of source code publicly available so I didn't actually have to do a lot of the work myself. Essentially someone found a byte-pattern for the D3D VTable which you scan for at runtime, then use indices into the array to find the function addresses.

Released 1.1.0 and added a crap ton of documentation.

Docs: injexhelp.chm

Some Release Notes:
New Features:
* Injex.exe can now locate processes by image name. (ie. 'notepad.exe')
* Added a crap ton of documentation.
* Low level keyboard hooking added to hooklib. (Thanks Jason for your snippet that I based this on)

Bugs:
* None

Misc:
* Removed useless "ReadMe.txt" files that are generated by Visual Studio.

Some new files in this release include:
* injexhelp.chm - Documentation for most of the Injex Framework.
* injex.exe - The compiled dll injector.
* hooklib.lib/.h - The hooking library (see injexhelp.chm for usage details).

Oh yeah here's a D3D Vtable hook if you're interested in seeing how it's done:

http://www.mpgh.net/forum/31-c-c-pro...ml#post5682845

Can I get some opinions?

Post a Reply

Similar Threads

Tags for this Thread