Details about hook api technology

Hook api is an eternal topic. Without hook, many technologies will be hard to implement and may not be implemented at all. The API mentioned here is a generalized API, which includes dos interruptions, Windows APIs, interrupt services, ifs and NDIS filtering, etc. For example, the familiar real-time translation software is implemented by using the hook textout () or exttextout () functions. Before the operating system uses these two functions to output text, replace the corresponding English with Chinese to achieve real-time translation. The same is true for filtering ifs and NDIS. Before Reading and Writing disks and sending and receiving data, the system will call the callback function provided by a third party to determine whether the operation can be released. Unlike normal hooks, the callback function is allowed by the operating system and installed through interfaces provided by the operating system.

Even if there is no hook, there will be no virus, because whether it is a DOS virus or a Windows virus, the hook system service is used to implement its own functions: the virus in DOS is infected by hook int 21 (file-type virus), and The Boot Sector (BOOT virus) is infected by hook INT 13 ); in Windows, viruses are infected by hook system APIs (including ring0 and ring3), Or ifs (the method used by CIH viruses. Therefore, we can say that "without hook, there will be no colorful Software world today ".

Because it involves patents, intellectual property rights, or trade secrets, Microsoft has never advocated hook its system APIs and provide other filtering interfaces such as IFs and NDIS, it is only available to meet the needs of anti-virus software and firewall. Therefore, in most cases, the hook api depends on its own strength.

The hook api has a principle that the original functions of the hooked API cannot be affected. It is like a doctor saving lives. If the virus in the patient's body is killed and the patient is dead, it makes no sense to save lives. If you hook the API, your goal is achieved, but the original function of the API is invalid, this is not the hook, but the replace, the normal function of the operating system will be affected, even crashes.

The hook api technology is not complex, that is, the technology that changes the program process. In CPU commands, there are several commands that can change the process of the program: JMP, call, Int, RET, retf, iret and other commands. Theoretically, you can hook any machine code that changes the API entry and exit, but the actual implementation is much more complicated because the following problems must be handled:

1. CPU instruction length. In a 32-bit system, the length of a JMP/call instruction is 5 bytes, therefore, you only need to replace the machine code with more than five bytes in the API (or replace the five-byte instruction ), otherwise, several commands after the changed machine code smaller than 5 bytes will be affected, and even program processes will be disrupted, resulting in unpredictable consequences;

2. parameter problems. To access the parameters of the original API, you must reference the parameters through EBP or ESP, therefore, you must be very clear about the value of EBP/ESP in your hook code;

3. Timing: some hooks must start with the API, and some must end with the API, such as hook createfilaa (). If you hook the API at the end of the API, at this time, you can't write files, or even access files; hook Recv (). If you hook the file in the API header and haven't received the data, you can view Recv () of course, there is no data you want in the receiving buffer. After Recv () is executed normally, hook it at the end of Recv () and check the buffer zone of Recv, only the desired data is available;

4. context problems. Some hook codes cannot perform certain operations. Otherwise, the context of the original API is damaged and the original API becomes invalid;

5. For synchronization problems, use local variables instead of global variables in the hook code, which is also required by modular programs;

6. Note that the original functions of the replaced CPU commands must be simulated somewhere in the hook code.

The following uses send () in ws2_32.dll as an example to illustrate how to hook this function:

Exported FN (): Send-ord: 0013 H

Assembly Code of address machine code

: 71a21af4 55 push EBP // machine code to be hooked (1st methods)

: 71a21af5 8bec mov EBP, esp // machine code to be hooked (2nd methods)

: 71a21af7 83ec10 sub ESP, 00000010

: 71a21afa 56 push ESI

: 71a21afb 57 push EDI

: 71a21afc 33ff xor edi, EDI

: 71a21afe 813d1c20a371931ca271 cmp dword ptr [71a3201c], 71a21c93 // machine code to be hooked (4th methods)

: 71a21b08 0f84853d0000 je 71a25893

: 71a21b0e 8d45f8 Lea eax, dword ptr [ebp-08]

: 71a21b11 50 push eax

: 71a21b12 e869f7ffff call 71a21280

: 71a21b17 3bc7 CMP eax, EDI

: 71a21b19 8945fc mov dword ptr [ebp-04], eax

: 71a21b1c 0f85c4940000 JNE 71a2afe6

: 71a21b22 ff7508 push [EBP + 08]

: 71a21b25 e826f7ffff call 71a21250

: 71a21b2a 8bf0 mov ESI, eax

: 71a21b2c 3bf7 cmp esi, EDI

: 71a21b2e 0f84ab940000 je 71a2afdf

: 71a21b34 8b4510 mov eax, dword ptr [EBP + 10]

: 71a21b37 53 push EBX

: 71a21b38 8d4dfc Lea ECx, dword ptr [ebp-04]

: 71a21b3b 51 push ECx

: 71a21b3c ff75f8 push [ebp-08]

: 71a21b3f 8d4d08 Lea ECx, dword ptr [EBP + 08]

: 71a21b42 57 push EDI

: 71a21b43 57 push EDI

: 71a21b44 ff7514 push [EBP + 14]

: 71a21b47 8945f0 mov dword ptr [ebp-10], eax

: 71a21b4a 8b450c mov eax, dword ptr [EBP + 0C]

: 71a21b4d 51 push ECx

: 71a21b4e 6a01 push 00000001

: 71a21b50 8d4df0 Lea ECx, dword ptr [ebp-10]

: 71a21b53 51 push ECx

: 71a21b54 ff7508 push [EBP + 08]

: 71a21b57 8945f4 mov dword ptr [ebp-0C], eax

: 71a21b5a 8b460c mov eax, dword ptr [ESI + 0C]

: 71a21b5d ff5064 call [eax + 64]

: 71a21b60 8bce mov ECx, ESI

: 71a21b62 8bd8 mov EBX, eax

: 71a21b64 e8c7f6ffff call 71a21230 // machine code to be hooked (3rd methods)

: 71a21b69 3bdf cmp ebx, EDI

: 71a21b6b 5B pop EBX

: 71a21b6c 0f855f940000 JNE 71a2afd1

: 71a21b72 8bda-8 mov eax, dword ptr [EBP + 08]

: 71a21b75 5f pop EDI

: 71a21b76 5E pop ESI

: 71a21b77 C9 leave

: 71a21b78 c21000 RET 0010

Here are four methods to hook this API:

1. Replace the first command of the API entry with the push EBP command (machine code 0x55) with INT 3 (machine code 0xcc), and then use the debug function provided by windows to execute your own code, this method is widely used by debuger such as soft ice. It uses BPX to set an int 3 command in the corresponding place to break points. However, this method is not recommended because it may conflict with windows or debugging tools, and assembly code must be debugged;

2. Replace the second mov EBP and ESP command (machine code 8bec, 2 bytes) with int F0 command (machine code cdf0), and set an interrupt gate in IDT, point to our code. Here is a hook code:

Lea EBP, [esp + 12] // simulate the functions of the original command mov EBP and ESP

Pushfd // Save the site

Pushad // Save the site

// Do what you want to do here

Popad // restore the site

Popfd // restore the site

Iretd // return the next command of the original command to continue executing the original function (71a21af7 address)

This method is good, but the disadvantage is that you need to set an interrupt gate in the IDT, that is, to enter ring0.

3. Change the relative address of the Call Command (call is in 71a21b12, 71a21b25, and 71a21b64 respectively, but there is a conditional jump command before the first two calls, which may not be executed, so we need to hook the call command at 71a21b64 ). Why do I need to get started with the call command? Because they are both 5-byte commands and call commands, as long as the operation code 0xe8 remains unchanged, you can change the relative address after the change to our hook code for execution, go to the target address to execute the hook code.

Suppose our hook code is at 71a20400, then we change the call command at 71a21b64 to call 71a20400 (the original command is like this: Call 71a21230)

The hook code at 71a20400 is as follows:

71a20400:

Pushad

// Do what you want to do here

Popad

JMP 71a21230 // jump to the target address of the original call command. The original command is as follows: Call 71a21230

This method is well concealed, but it is difficult to find this 5-byte call command, and the calculation of the relative address is also complicated.

4. Replace the cmp dword ptr [71a3201c] And 71a21c93 commands (machine code: 813d1c20a371931ca271, 10 bytes) on the 71a21afe address with the call 71a20400 command.

NOP

NOP

NOP

NOP

NOP

(Machine code: E8 xx 90 90 90, 10 bytes)

The hook code in 71a20400 is: pushad

MoV edX, 71a3201ch // simulate the original command cmp dword ptr [71a3201c], 71a21c93

Cmp dword ptr [edX], 71a21c93h // simulate the original command cmp dword ptr [71a3201c], 71a21c93

Pushfd // do what you want here

Popfd

Popad

RET

This method is best concealed, but not every API has such commands. You need to perform specific operations according to the specific situation.

The above methods are commonly used. It is worth mentioning that many people change the 5 bytes starting with the API. However, many anti-virus software uses this method to check whether the API is hooked, if you change the first five bytes for other virus Trojans, they will overwrite each other. The last hook api operation is effective. Therefore, we recommend 3rd and 4th methods.