Hot-Patching & Hook-Hopping

**Note: While hook-hopping and hot-patching can be done in any language, the examples here will be in C.

I was just hook-hopping SetCursorPos, and also someone asked me a question about hook-hopping, so i decided..hey, why not make a blogpost about it?  :]

Let’s begin with hot-patching first, since it is easier to understand hook-hopping after this.

Hot-Patching:

Since Windows XP SP2 and greater, Microsoft has implemented something called Hot-Patching, to make it easier for developers to hook functions. Hooking a function consists of redirecting the function to one of your own, and either intercepting or modifying information that is being used or returned.

Almost every function starts with something called a prologue, that looks like this:

mov edi,edi //no reason for this, just to make it an even 5 bytes

push ebp //save value of EBP

mov ebp,esp //store pointer to the stack in ebp

This prologue consists of a total of 5 bytes, and hey..what do you know?  Unconditional Jumps (JMP) are 5 bytes also !

With Hot-Patching, you can simply just replace this prologue (5 bytes) with a JMP (5 bytes) to your own function, and it will replace perfectly clean.

But wait..didn’t we say every function has a prologue? What if we just want some ASM commands in memory, not a function?

We can define the function with __declspec(naked) and the function will have no prologue, or epilogue (which ends the function).

Here is an example of a function with no prologue/epilogue, that will JMP to a function + 5, which is the address AFTER our unconditional jump that we place.

__declspec( naked ) void myFunction( ParametersOfFunction )
{
__asm
{
push ebp
mov ebp,esp
jmp dword ptr ds:[Function+5]
}

}

Soo..if you’re following this assembly, the first bytes will be a regular prologue (minus mov edi,edi which is, again, not needed).

In our hooked/hot-patched function, it will JMP to our own function, execute its own prologue, then JMP back to the address AFTER our JMP.  Make sense? Good.  In between our prologue, and the JMP back to the original function, we can execute our own code, or whatever we want. It can get fun :]

Now that you know how hot-patching works, Hook-Hopping will be a cinch.

Hook-Hopping will just bypass any hot-patch that has been placed.

With hook-hopping, all you have to do is make a function that executes a prologue, and then performs an unconditional jump to the address after the JMP in the hooked function..as we discussed, the address after the JMP will be the function’s address + 5, because an uncondition jump is 5 bytes long.

As we discussed, its easy to write a function with no prologue, that will just jmp to the originalfunction+5..

We can actually use the same code that we used in our own hook !

__declspec( naked ) void myFunction( ParametersOfFunction )
{
__asm
{
push ebp
mov ebp,esp
jmp dword ptr ds:[Function+5]
}
}

Using this, the original function will be executed, and the JMP in the beginning of the original function will never be taken !

That’s about it….but..

If you’re wondering how to get original addresses of the functions or anything like that, you can just use the GetProcAddress function:

FARPROC WINAPI GetProcAddress(
__in  HMODULE hModule,
__in  LPCSTR lpProcName
);

hModule – Handle to the DLL where the function resides, you can find this with MSDN. (Use LoadLibrary function to get a handle to the DLL you want)

lpProcName – Name of the process that is exported by the DLL you put in hModule..(just the function name)

Here is a full example of a hook-hopped PostMessage function :]

Global Variables:

DWORD myPostMessage = NULL;

Do this on run-time:

myPostMessage = (DWORD)GetProcAddress(LoadLibrary(“user32.dll”),”PostMessageA”) + 5; //Get the function’s address and add 5 to it, beforehand.

Our function’s definition:

__declspec(naked) BOOL WINAPI _PostMessageA(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
__asm
{
push   ebp
mov    ebp, esp
jmp    dword ptr ds:[myPostMessage]
}
}

As you can see, our function has the same exact definition as the regular PostMessage, but with the __declspec(naked)

All you’d have to do now is call _PostMessageA, the same as you would call PostMessageA (the A is just to say that the function is of Ansi character type)

side notes i might be forgetting:

  • your functions don’t need mov edi,edi because its just a useless opcode to take up space to make the prologue 5 bytes…this was done so it was easier to hotpatch..i think i mentioned that.
  • for any function you want to hookhop, just look up the definition on MSDN, and you can make your own function definitions easily.
  • that’s it i guess? have fun. :]
About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: