An explanation of API hooks and their injection technology

Have you ever wondered how some system monitoring software knows what we are doing? How does the kill soft heuristic analysis intercept and monitor the virus behavior? How to read the internal data of the game? The implementation of these features, basically have API hooks exist. API Hook is divided into ring0 and Ring3 layer, here we use the Ring3 API hook to explain the analysis.

API HOOK in the Ring 3 implementation, divided into inline and modify the Import table 2 methods, so-called inline, refers to directly write and overwrite the function at the beginning of the byte sink encoding method, this method has a problem is that he was killed soft key monitoring, the success rate is very low, and modify the method of import table, Refers to directly through the modification of the import table, interception of specific function call sequence method, advantages and disadvantages, because this article only focus on the Import Table modification method API HOOK, so this article focuses on modifying the import table method.

First let's talk about the structure of the import table, the purpose of this table is to record the external DLL import function address, by modifying the Import Table table key pointer, can make the user's actual call sequence into your function, at this time, for the user, your function is his call "API", image data directory structure is as follows:

typedef struct _IMAGE_DATA_DIRECTORY {DWORD virtualaddress; DWORD Size;} Image_data_directory, *pimage_data_directory;

According to this structure, we know that the import table each item, there are 2 data composition, one is the address of the relative virtual address , the size of a table item, the structure of the import table is:

typedef struct _IMAGE_THUNK_DATA32 {union {pbyte forwarderstring;        Pdword Function;        DWORD Ordinal;    Pimage_import_by_name Addressofdata; } U1;} Image_thunk_data32;

The import table separately records:

• Forwarderstring the RVA pointing to the string of a steering person

• function is entered in the memory place of functions

• Ordinal the ordinal of the API being entered

• Addressofdata Point to Image_import_by_name

First, the first question, how to get image_data_directory pointers, can be obtained by imagedirectoryentrytodata, the function is defined as

PVOID WINAPI imagedirectoryentrytodata (_in_ PVOID Base, _in_ BOOLEAN mappedasimage, _in_ USHORT DirectoryEntry, _out_ Pulong Size);

function altogether 4 parameters for each of the meanings:

• Base: Image Base Address

• Mappedasimage: When it is true, the system maps the module as an image file, otherwise it is mapped in the form of a data file.

• DirectoryEntry: The index of the segment to get, which can be the following value

• Size: This is an output parameter that represents the size of the output information

In the form of a function, we will execute

Import= (Pimage_import_descriptor) imagedirectoryentrytodata (module,true,image_directory_entry_import,&size) ;

Now that we have the import table, if the return value is valid, we will execute a loop to iterate through the import table, first look at this loop:

while (Import->name) {    pstr modulename= (PSTR) ((pbyte) module+import->name);     if (Lstrcmpa (modulename,apimodulename) ==0)     {         pimage_thunk_data thunk= (Pimage_thunk_data) ((PBYTE) Module+Import-> Firstthunk); while (THUNK->U1. Function) {    proc *proc= (proc *) &thunk->u1. Function;    bool bfound= (*proc==apifunname);     if (BFound)      {        if (! WriteProcessMemory (GetCurrentProcess (), proc,&function,sizeof (Function), NULL) && (error_noaccess== GetLastError ())) {    dword oldprotect=0;                 if (VirtualProtect (proc,sizeof (Function), PAGE_WRITECOPY, &oldprotect)) {    writeprocessmemory (GETCURrentprocess (), proc,&function,sizeof (Function), NULL);                                  virtualprotect (Proc,sizeof (Function), oldprotect,&oldprotect);}} break;   }   thunk++;      }   }    import++;}

This code translates into a UML activity diagram:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6D/61/wKioL1Vi6N3T5fDDAAGsIxgoUuU722.jpg "title=" API HOOK "alt=" Wkiol1vi6n3t5fddaagsixgouuu722.jpg "/>

At this point, an API Hook basic logic has been implemented, but this code is only valid for this program, then, how to make other programs effective? This requires the DLL injection technology, to implement a lot of methods of DLL injection, you can use the operating system message hooks, remote thread injection and other methods to complete the injection, warm hints, to inject into the remote process to intercept, because of the need for DLL injection technology, so the API HOOK code needs to be written to the DLL, To complete the interception operation by loading the DLL remotely, remember to restore the API hook settings before the non-DLL, otherwise it will cause an exception.

See here, I believe you generally know the API hook technology implementation of the specific details, and now move your fingers, I believe you can also implement an API hook yourself

This article from "Ouyang Chunhui" blog, please be sure to keep this source http://jack960330.blog.51cto.com/1438952/1655030

An explanation of API hooks and their injection technology