Friday, October 26, 2007

My hook doesn't work :-(

A few days ago I rummaged through my old code snippets and sources on my harddisk. I noticed that I coded quite many PE tools, especially with Delphi, but something I have never created - an Api hook!
I read pretty much about it (there are many code snippets in the net about this), but most of them are complicated and badly commented so that it's difficult to undertstand what's going on. So I tried myself and began coding the most simple and clean api hook possible (in c cause it's better to read than asm): a little Messagebox hook which should alter the caption of all messageboxes.
Ok I thought, the most simple approach is to code a loader which starts a target process and loads my selfcoded 'hook dll file' into the address space with the well-known CreateRemoteThread trick. Inside the dll file is all the work: as soon as injected and attached, it travels through the import table of the process, searches for MessageBoxA API from user32.dll and replaces the RVA (called Thunk) with the RVA of my own function I declared in my dll file. Hm... sounds not bad although I know that this works just with exes with a straightforward import table - even loading the MessageBox API with GetProcAddress would bypass my approach. But that's not bad - if it would work.... Damn!
With some targets it works, but in others it corrups the stack!? That's a bit strange to me - either it should work always or never. Of course, I took special care about the arguments and the stack. And debugging with olly is quite boring and not that easy... I think I give up and I put up with the fact that I'm never gonna code a nice Api hook :-(

Moreover, studies suck also -> 'thank god it's friday' and I will relax the whole weekend!

No comments: