Windows hook programming with VirtualProtect,SetWindowHookEx and beginthread

Download NetSnoop - 25.84 KB

Introduction

Network snoop introduces basics of building a network sniffer to pick up all information being sent using TCP socket via send and recv API, obviously, these will be the two APIs to hook to get information about data being sent/received. This code is more about introducing the readers to API hooking using Network snoop as an example. The reader can modify the code to hook APIs related to socket using UDP (which is why readers require knowledge of sockets, networking)

Background

Before we start, reader will require basic knowledge of socket programming, windows hooks and a tad bit of assembly level programming.

First time here?

Product Tour
E-XD++ Workflow Component product walkthrough

Screenshots
Applications built on E-XD++ Workflow Component

Product feature comparison

Powerful, flexible, and easy to use Diagram Components.
Powerful and flexible enough to create diagrams exactly the way you want them to appear. So easy to use that you will be able to prototype your application in just a few minutes.

Feature rich.
With features such as automatic layout, multiple layers, collapsible sub-graphs, snap-to connection points, XML, SVG, and more, E-XD++ Have the power and flexibility you need to create sophisticated diagrams, quickly and easily. Events such as click, double-click, hover, select, rubber-band select, copy, delete, resize and move are supported. Operations such as drag-and-drop, unlimited undo/redo, and clipboard operations are common and complex, and are expected by today's sophisticated users. it full supports importing ArcGis, SVG and DXF File format.

Performance and Scalability.
UCanCode E-XD++ Capable of handling many thousands of nodes and edges, up to hundreds of thousands depending upon the complexity of the nodes you wish to draw and the operations you wish to allow. Our graphical classes are extremely lightweight objects enabling outstanding performance.

Save Time and Money and gain Reliability.
A diagram is worth 1,000 words, and E-XD++ is shipped with more than 500,000 lines of well designed and well tested code! It is used by hundreds of the world's most quality conscious companies. It will saves you thousands of hours of complex coding and years of maintenance.

Using the code

The attached code is built using VS2010 express edition. The code must be referred to while going through this article. Also 64-bit API hooking code has been attached but not tested.

We will start with introduction of sockets APIs used to send and receive information, these are send and recv. The attached code will try to hook/Hijack these APIs and attempt to log all information passed through them.

The following code is mentioned in the DLL ,module

Collapse | Copy Code

struct NetSnoop{
NetSnoop()
{
_beginthread(sendThread,0,0);
_beginthread(recvThread,0,0);
}
...
}
g_NetSnoop;

Notice the variable g_NetSnoop declared globally, this object will be created (and its constructor will be called which will call sendThread and recvThread) every time the DLL is loaded into a new/different process. To get the DLL to load in a different process, we use Windows hook API (mentioned in the code: NetSnoop.cpp).

Collapse | Copy Code

SetWindowsHookEx(WH_CBT,hookFunction,h,0);

Here the variable h holds the module handle of the DLL mentioned earlier. Calling SetWindowsHookEx will cause all threads that belong to the callers desktop to load the DLL whose module is passed to it, in this case: HMODULE h=LoadLibraryA("NetSnoopDll.dll"); Reader will have to be aware of Windows hook.

Another way is to call (without using hook) CreateRemoteThread, you can call the above function sendThread and recvThread , please read up CreateRemoteThread on MSDN. (This method is not used in code).

Now comes the best part:- API hooking (APIHook.cpp).

We will discuss API hooking for send API, the rest are all the same, refer to the code at all times, this is important.

The function : void sendThread(void*) will perform API hack, notice that this function is called from constructor of struct NetSnoop (via different thread) or via API CreateRemoteThread.

Follow the code:-

We first start by getting the address of the function and use VirtualProtect.

Be sure to use VirtualProtect to alter the protection of a committed page else you will get an exception (386 memory segment protection!). Look up MSDN for VirtualProtect .

Collapse | Copy Code

VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);

The code after that is self explanatory.

Do use disassembly of function call to better understand how it works, you will notice the following code added at the function address:-

Collapse | Copy Code

MOV EAX,function adress; 
JMP EAX;

We are injecting the following code at the function call address using opcodes:

64 bit code is mentioned in attachment. Before we tamper with the instructions at the function address, we first store the original instructions so as to restore them when needed.

Remember: 32-bit DLL cannot be loaded/injected in 64-bit process space and vice-versa which is why you would require a separate 64-bit APP/DLL to snoop network traffic for 64-bit processes.

How it works:

When the hooked function (in this case send) is called, the instruction pointer (EIP) is taken to the function address and will start executing from there (well...this how any function call works).

We have decisively placed a JMP instruction at that very location. This will cause the EIP to move to the function : Mysend, notice that this function has the very same signature, calling convection as the original function, this is to avoid any stack corruption.

Once the EIP is routed to function Mysend (as done in attached code):-

Log what ever is needed ,
restore the function's original instruction ,
call the original function to complete the functionality.

In API hooking of send function, please note that send function is called twice by the application:-

called by the application , through the JMP instruction , EIP is routed to Mysend
Inside Mysend, after restoring the original instructions. (shown below)

Code snippet from APIHook.cpp, int WSAAPI Mysend(...)...

Collapse | Copy Code

DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission); 
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); //retore it
int ret=send(s,buf,len,flags);  //we call the original function.

if(bExit==false) //repatch the function (to trap the next call to it),bExit is set to true to indicate exit. 
{
 memcpy(send, Trap_Send, sizeof(Trap_Send)); //repatch
}

hence to maintain the stack, RET instruction is also called twice

After it returns from the original send function called from inside Mysend
After it returns from Mysend

Restore (done in destructor):

Another important thing is to restore everything when the application exits.

This is important, when the application (NetworkSnoop) exits, the Hook will be released by code (or by OS if hook is active when application is closed/terminated).

When applications are being unhooked, the injected DLL is removed, if code is not restored, the JMP instruction will cause the EIP to jump to an invalid memory location (since DLL is removed) causing a crash.

The application restores all in a destructor of a global object, the destructor is called during DLL unload, refer code .

Collapse | Copy Code

~NetSnoop()
{
bExit=true;       //set this flag to true to indicate unloading is in progress (to avoid repatch indicated in previous code snippet)
while(uiInUse!=0)   //this maintains a count of trap function being called from different threads
    Sleep(500);
//restore original
DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission); 
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); //retore it
VirtualProtect(recv,sizeof(Trap_recv),PAGE_EXECUTE_READWRITE,&dPermission); 
memcpy(recv,StoreOriginal_recv,sizeof(StoreOriginal_recv)); //retore it
}

Debug the call

The reader will have to write a simple console based application mentioned below and debug the send call via dissambly to better understand the introduction of a JMP instruction.

Collapse | Copy Code

#include<windows.h>
#include<WinSock2.h>
int main()
{
MessageBoxA(0,"","",0); //provide a message processing loop via message box (for DLL injection via Hook, a message processing loop is required)
int z=send(0,0,0,0); function from Ws2_32.lib (add this to your lib section) ,pass any dummy values , the idea is to understand via dissambly the introduction of JMP instruction after the hook has injected the DLL
return z;
}

Points of Interest

The best part is that NetworkSnoop introduces API hooking using Windows Hook, this allows you to hook any function in any process provided your hook injects the DLL into it, for the hook to work, the targeted thread must have a message loop. I do hope you enjoy this short article on Network snoop. API hook technique is widely used, most famous is FRAPS, it uses the technique to hook DirectX calls to get information about game performance.

News:

1 UCanCode Advance E-XD++ CAD Drawing and Printing Solution Source Code Solution for C/C++, .NET V2024 is released!

2 UCanCode Advance E-XD++ HMI & SCADA Source Code Solution for C/C++, .NET V2024 is released!

3 UCanCode Advance E-XD++ GIS SVG Drawing and Printing Solution Source Code Solution for C/C++, .NET V2024 is released!

Contact UCanCode Software

To buy the source code or learn more about with:

Product Inquiry
E-mail to (sales@ucancode.net)
Or call us at: +86-28-8535-4545
Fax us at: +86-28-8535-4645
Technical support online with msn messager: ucancode@hotmail.com
Download a trial solution

Get Ready to Unleash the Power of UCanCode .NET

Introduction

Background

First time here?

Using the code

How it works:

Restore (done in destructor):

Debug the call

Points of Interest

Contact UCanCode Software

To buy the source code or learn more about with:

Ask any questions by MSN: ucancode@hotmail.com Yahoo: ucan_code@yahoo.com