06-15-2007, 12:21 PM
Neo_Reloaded
Tutorial Admin
 
Join Date: Dec 2006
Posts: 259
Pwning API Hooks

By Max_Power

FYI, I finally got off my ass and finished my theories and wrote some code on detecting and removing API hooks. Everything I have written in theory about detecting and removing IAT and Detour API hooks is right. I tested against a couple of different detour methods and IAT hooks and it found and removed all of the API hooks fairly consistently, although there are still some stability issues. I am debating whether or not I should release the proof of concept (POC) code because I have bigger plans for it. I tested it in a VM against several user mode rootkits and it completely disabled the functionality of the rootkits for that session. I have thoughts that could lead to the complete generic detection and removal of user mode rootkits.

Anyway, so as not to be too stingy, here is a custom GetProcAddress routine from the POC code you can use if you are afraid the kernel32 one is hooked:

Code:
#include <windows.h>
#include <string.h>

//This function works like GetProcAddress
//This function is useful in the event that GetProcAddress is not imported
//or when you are concerned it may be hooked
//It walks the loaded module's export directory itself and calls nothing in
//kernel32, so a hooked GetProcAddress (or lstrcmpi) cannot lie to it
FARPROC GetProcedureAddress(HMODULE hModule, const char* pszProcName)
{
	BYTE* pBase = (BYTE*)hModule; //byte pointer so RVA arithmetic is correct on 32- and 64-bit
	IMAGE_DOS_HEADER* pdhDosHeader = (IMAGE_DOS_HEADER*)pBase;
	//Check if valid PE
	if (pdhDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return 0;

	IMAGE_NT_HEADERS* pndNTHeader = (IMAGE_NT_HEADERS*)(pBase + pdhDosHeader->e_lfanew);
	if (pndNTHeader->Signature != IMAGE_NT_SIGNATURE) return 0;

	IMAGE_DATA_DIRECTORY* pddExport = &pndNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
	if (pddExport->VirtualAddress == 0 || pddExport->Size == 0) return 0; //module exports nothing

	//Traverse the export table to see if we can find the export
	IMAGE_EXPORT_DIRECTORY* iedExports = (IMAGE_EXPORT_DIRECTORY*)(pBase + pddExport->VirtualAddress);
	DWORD* pNames = (DWORD*)(pBase + iedExports->AddressOfNames);         //RVAs of the name strings
	WORD* pOrdinals = (WORD*)(pBase + iedExports->AddressOfNameOrdinals); //parallel to pNames
	DWORD* pAddresses = (DWORD*)(pBase + iedExports->AddressOfFunctions); //indexed by unbiased ordinal

	//Only NumberOfNames entries exist in the names array. NumberOfFunctions counts the
	//address array, which is larger when some functions are exported by ordinal only
	DWORD dwNameIndex = (DWORD)-1;
	for (DWORD i = 0; i < iedExports->NumberOfNames; i++)
	{
		char* pszFunctionName = (char*)(pBase + pNames[i]);

		//Export names are case sensitive, exactly like GetProcAddress
		if (strcmp(pszFunctionName, pszProcName) == 0)
		{
			dwNameIndex = i;
			break;
		}
	}

	if (dwNameIndex == (DWORD)-1) return 0;

	//dwNameIndex is the index of the function name in the names array, which is also the index into the ordinal array.
	//The (unbiased) ordinal is the index into the address array
	WORD wAddressIndex = pOrdinals[dwNameIndex];
	if (wAddressIndex >= iedExports->NumberOfFunctions) return 0;

	DWORD dwFunctionRVA = pAddresses[wAddressIndex];
	if (dwFunctionRVA == 0) return 0;

	//If the "address" points back inside the export directory it is a forwarder string
	//(e.g. "NTDLL.RtlAllocateHeap"), not code; resolving it means repeating this in the other module
	if (dwFunctionRVA >= pddExport->VirtualAddress && dwFunctionRVA < pddExport->VirtualAddress + pddExport->Size) return 0;

	return (FARPROC)(pBase + dwFunctionRVA);
}
PS. The source of the instability was found and fixed. It seems to be pretty solid now.
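The two checks the post talks about, an IAT slot compared against what the exporting module's export table says and a function entry decoded for a planted detour jump, written out as an added stand-alone example. This is not Max_Power's POC code and is not taken from the post. It assumes the three x86/x64 stub encodings detour libraries most often plant (jmp rel32, push imm32/ret, mov rax,imm64/jmp rax); the module range, prologue bytes, export addresses and IAT slots below are constructed sample data, not captured from a real process. In a real scan you would read the first bytes at each exported function's address in the target process and take the expected addresses from a routine like the GetProcedureAddress above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Kind of control transfer found at a function's first bytes. */
enum detour_kind { DETOUR_NONE = 0, DETOUR_JMP_REL32, DETOUR_PUSH_RET, DETOUR_MOV_RAX_JMP };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Decode the bytes at `code` (which live at address `ip`); if they form one of the
 * unconditional stubs a detour library plants, store the jump target in *target. */
enum detour_kind decode_detour(const uint8_t *code, size_t len, uint64_t ip, uint64_t *target)
{
    if (len >= 5 && code[0] == 0xE9) {                     /* jmp rel32: target = next ip + rel32 */
        int32_t rel = (int32_t)rd32(code + 1);
        *target = ip + 5 + (uint64_t)(int64_t)rel;
        return DETOUR_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {  /* push imm32 ; ret */
        *target = rd32(code + 1);
        return DETOUR_PUSH_RET;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 && code[10] == 0xFF && code[11] == 0xE0) {
        *target = rd64(code + 2);                          /* mov rax, imm64 ; jmp rax */
        return DETOUR_MOV_RAX_JMP;
    }
    return DETOUR_NONE;
}

/* An export is treated as inline-hooked when its entry transfers control outside the
 * image that exports it; jumps that stay inside the module (thunks, hot-patch stubs) pass. */
int entry_is_hooked(const uint8_t *code, size_t len, uint64_t func_addr,
                    uint64_t module_base, uint64_t module_size)
{
    uint64_t target = 0;
    if (decode_detour(code, len, func_addr, &target) == DETOUR_NONE) return 0;
    return (target < module_base || target >= module_base + module_size) ? 1 : 0;
}

/* IAT check: every import slot must hold the address the exporting module's own
 * export table advertises for that name. Returns the number of mismatching slots. */
typedef struct { const char *name; uint64_t address; } export_entry;
typedef struct { const char *name; uint64_t slot;    } iat_entry;

int count_iat_hooks(const iat_entry *iat, size_t n_iat, const export_entry *exports, size_t n_exports)
{
    int hooked = 0;
    for (size_t i = 0; i < n_iat; i++)
        for (size_t j = 0; j < n_exports; j++)
            if (strcmp(iat[i].name, exports[j].name) == 0) {
                if (iat[i].slot != exports[j].address) hooked++;
                break;
            }
    return hooked;
}

/* ---- constructed sample data: a fictitious 64 KiB module at 0x10000000 ---- */
#define MOD_BASE 0x10000000ULL
#define MOD_SIZE 0x10000ULL

static const uint8_t clean_prologue[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };       /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t hooked_prologue[] = { 0xE9, 0xFB, 0xDF, 0xFF, 0x0F };       /* jmp 0x20000000 (from 0x10002000) */
static const uint8_t internal_jmp[]    = { 0xE9, 0xFB, 0x0A, 0x00, 0x00 };       /* jmp 0x10003000 (from 0x10002500) */
static const uint8_t push_ret_hook[]   = { 0x68, 0x00, 0x00, 0x00, 0x30, 0xC3 }; /* push 0x30000000 ; ret */
static const uint8_t mov_rax_hook[]    = { 0x48, 0xB8, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0 }; /* mov rax,0x40000000 ; jmp rax */

typedef struct { const char *name; uint64_t address; const uint8_t *code; size_t len; } sample_func;
static const sample_func samples[] = {
    { "ReadFile",    0x10001000ULL, clean_prologue,  sizeof clean_prologue  },
    { "WriteFile",   0x10002000ULL, hooked_prologue, sizeof hooked_prologue },
    { "CreateFileA", 0x10002500ULL, internal_jmp,    sizeof internal_jmp    },
    { "CloseHandle", 0x10004000ULL, push_ret_hook,   sizeof push_ret_hook   },
    { "HeapAlloc",   0x10005000ULL, mov_rax_hook,    sizeof mov_rax_hook    },
};
#define N_SAMPLES (sizeof samples / sizeof samples[0])

static const export_entry sample_exports[] = { { "ReadFile", 0x10001000ULL }, { "WriteFile", 0x10002000ULL } };
static const iat_entry    sample_iat[]     = { { "ReadFile", 0x10001000ULL }, { "WriteFile", 0x20000000ULL } };

/* Run the inline check over every sample and return how many entries are hooked. */
int count_hooked_samples(void)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        n += entry_is_hooked(samples[i].code, samples[i].len, samples[i].address, MOD_BASE, MOD_SIZE);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++) {
        uint64_t target = 0;
        enum detour_kind k = decode_detour(samples[i].code, samples[i].len, samples[i].address, &target);
        printf("%-12s kind=%d target=0x%llx hooked=%d\n", samples[i].name, (int)k, (unsigned long long)target,
               entry_is_hooked(samples[i].code, samples[i].len, samples[i].address, MOD_BASE, MOD_SIZE));
    }
    printf("IAT slots hooked: %d\n", count_iat_hooks(sample_iat, 2, sample_exports, 2));
    return 0;
}
```

Two things worth keeping in mind when turning this into a real scanner: the E9 form is what most detour libraries write, and the "internal jump" sample shows why the target has to be range-checked rather than flagging every jmp, since legitimate thunks jump within their own image. The jmp [mem] form (FF 25) is deliberately not decoded here because its target is a pointer that has to be read from the target process, not from the prologue bytes.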
Tags
api, hooks, pwning
