Use of hooks

The Chinese meaning of the hook is "hook", which is very closely related to the message. Hooks are a part of message processing that monitors the delivery of messages in the system and processes certain messages before they reach the final message processing process. It melts its code into the target process, a call from the target process will call your hook DLL first, and then the hook DLL invokes the function or method that the target process wants to invoke;

What is API hook?

In Windows system programming, should be exposed to the use of API functions, commonly used API functions about 2000 or so.

Today, with the advent of high-efficiency programming techniques such as controls and STL, the probability of using the API is becoming smaller in ordinary user programs.

We also need the use of APIs when features such as controls that are not readily available can be implemented.

At first some people were not very satisfied with the function of some API functions, which resulted in the idea of how to modify these APIs to better serve the program, so that the API hooks naturally appeared.

We can change the original functionality of a system API via API hooks. The basic method is to "touch" the entry point of the API function through the hook, changing its address to point to the new custom function.

API hooks do not belong to any of the 13 types of hooks described on MSDN. So, API Hook is not a very different hook, it also need to improve their permissions through the basic hooks, across the different process of access restrictions, to modify the API function address. It is not necessary to use API Hook technology to modify the address of API function used in the process space.

Hooks in several ways:

1. Use the registry HKLM\Software\Microsoft\Windows Nt\currentversion\windows\appinit_dlls

Appinit_dlls the value of this item should be a null value. The Registry's system Setup Entry "Appinit_dlls" can call a DLL list for either process, is an early process plug-in Trojan trick, by modifying the key_local_machine\software\microsoft\windows in the registry Nt\currentversion\windows\appinit_dlls to achieve the purpose of the insert process. The disadvantage is that it is not real-time, and a restart is required after the registry is modified to complete process insertions. Appinit_dlls this item, normally its value should be empty. This project indicates that whenever a program starts, the DLL files in the appinit_dlls are injected into the program to start.

For example: If Appinit_dlls=qhbpri.dll, then after logging in to Windows, the system loads the Explorer.exe, then Qhbpri.dll will appear in it. DLL file Although can not run itself, but so he injected into the application, where the code will still be executed, some QQ password theft Trojan is the principle of the above work. Because the DLL is running in the EXE, it is not visible in the process manager.

However, this method should be warned by most of the current anti-virus software;

2. Call SetWindowsHookEx (wh_getmessage, ..., 0)

SetWindowsHookEx (wh_getmessage, ..., 0) is a global message hook, although it is possible that your program does not use a message hook, but one side effect of the hook is to load the corresponding DLL into all of the GUI threads (which will undoubtedly slow down the running of the program). Similarly, only processes that use the GUI will be hooked up. Despite this limitation, this approach is still the most common method of hooking up processes.

3. Use the CreateRemoteThread function to create a remote thread in the target process
This method can create a remote thread in any target process and can execute arbitrary code in the remote thread, so that we can inject our code into the target process. This approach has the greatest flexibility, but also the highest level of difficulty:
A) Remote thread code must be self-locating
b) to be able to monitor the start and end of a process so that it can be hooked up to all processes
In this way, the following are highlighted:

1. Find the process you want to mount;

2. Get the handle of the process to be injected, openprocess (...);

3. Allocate memory for the following DLLs:: VirtualAllocEx (...);

4. Load the DLL into the requested memory, WriteProcessMemory (...);

5. Obtain the specific location of the LoadLibraryA in the kernel, GetProcAddress (...);

6. Whenever you call LoadLibraryA, create a remote line preempted Dll,createremotethread (...).

7. Wait for the remote thread to terminate, WaitForSingleObject (...);

8. Close the handle, freeing the allocated space in the requested remote thread;

However, this method can only be started after the target, and then successfully mount our hook program, then how to detect whether the target program has been opened?

The following is done in detail: first of all, the first idea is Hook zwcreateprocess, the results of debugging when found that many of the actions of the creation process, and did not execute through this API, so naturally there is no way to monitor the creation of the process, so back to the essence, from the process of creating the action process to analyze, To create a new process, it is roughly going through the following steps:

(1) Open executable file, open with File_execute permission;

(2) Load the executable file into the memory space;

(3) The activity structure of the process will be created, such as (eprocess,kprocess and PEB structures);

(4) Assigning the address space for the newly created process;

(5) Create thread activity structures for the main threads of the process, such as (Ethread,kthread and TEB structures);

(6) The stack of the main thread will be allocated;

(7) The context of the main thread of the process will be created;

(8) Notify Windows subsystem;

Summarized above, there are several ways to get the message created by the process:

(1) HOOK zecreatesection, when creating a virtual memory block, according to the file handle to get the handle of the corresponding file name is an EXE executable file;

(2) Hook ntreadvirtualmemory, for the newly created process to allocate address space and other operations, the need to read the process space, so that capture, you can get the process creation action;

(3) Registering callback events through the callback function provided by Windows;

Method Comparison:

(1) This method can accurately obtain the operation created by the process, but because the process has not been created at this time, some of the basic structure of the process has not been created, so the process ID and other information can not be obtained;

(2) This method can get the process creation operation, but is not accurate. Because in addition to the process's creation calls this operation, some human actions, such as an external application want to read the memory space of another process, will also call this function, there will be event response, so the results are inaccurate;

(3) The third method is more intuitive and simple. Because the callback event used does not directly hook the API, it is more stable.

The third kind of callback method is analyzed emphatically.

The registration callback event is implemented by Pssetcreateprocessnotifyroutine, whose function prototype is as follows:

NTSTATUS Pssetcreateprocessnotifyroutine (
In Pcreate_process_notify_routine notifyroutine,
In BOOLEAN Remove
);

Notifyroutine is a registered callback function, when a process is created, it will call this notifyroutine corresponding function, its function definition prototype is as follows:

VOID (*pcreate_process_notify_routine) (
In HANDLE ParentID,
In HANDLE ProcessId,
In BOOLEAN Create
);  

Where ParentID is the parent process Id,processid is the child process ID, and create indicates whether the process is created or ended, where true indicates the process was created and false indicates the end process.

With this function, we are able to complete the monitoring of process creation and exit, first call the Pssetcreateprocessnotifyroutine registration process to monitor the callback function, and then in the callback function, judge the Create parameter and handle the process creation and exit operations respectively.



Use of hooks