Description: When the debuggee executes an INT3 instruction, an EXCEPTION_BREAKPOINT exception event is delivered to the attached debugger, which thereby gains control of the debuggee. Debugger-mode API hooking exploits this: the hooking process attaches as a debugger and intercepts calls to the target API.
Process: The first byte of the API to be hooked is overwritten with 0xCC (INT3). When the debuggee calls the API, control passes to the debugger, which restores the original byte, runs the code you want to execute, rewinds EIP to the API's first instruction and resumes the debuggee; the INT3 is then written back so the hook stays armed for the next call.
/* Address of the hooked API inside the debuggee; resolved when the
 * CREATE_PROCESS_DEBUG_EVENT arrives. The name is inherited from the
 * WriteFile example this listing was derived from; here the resolved
 * target is GetCommandLineA. */
LPVOID g_pfwritefile = NULL;

/* Copy of the debuggee's CREATE_PROCESS_DEBUG_INFO (process and thread
 * handles used by the Read/WriteProcessMemory and *ThreadContext calls). */
CREATE_PROCESS_DEBUG_INFO g_cpdi;

/* 0xCC is the one-byte INT3 opcode planted on the API's first byte;
 * g_chorgbyte holds the byte it replaced so the patch can be undone. */
BYTE g_chint3 = 0xCC;
BYTE g_chorgbyte = 0;
/*
 * initinect - injector entry point.
 *
 * Does no work in this listing; it exists so the DLL exports a callable
 * symbol. Always returns 0.
 */
int __stdcall initinect(void)
{
    const int rc = 0;
    return rc;
}
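/*
 * oncreateprocessdebugevent - CREATE_PROCESS_DEBUG_EVENT handler.
 *
 * Resolves the hook target, records the debuggee's handles in g_cpdi, saves
 * the target's first byte in g_chorgbyte and plants INT3 over it.
 *
 * pde: the debug event carrying the CREATE_PROCESS_DEBUG_INFO.
 * Returns TRUE when the breakpoint was installed, FALSE if the target could
 * not be resolved or the debuggee's memory could not be read/written (the
 * original ignored those failures and reported success regardless).
 *
 * NOTE: GetProcAddress is evaluated in *this* process, not the debuggee.
 * The address is only meaningful in the debuggee because kernel32.dll is
 * mapped at the same base in every process of a boot session; confirm that
 * assumption holds for the target environment. The export name is
 * case-sensitive, so it must be spelled exactly "GetCommandLineA".
 */
BOOL oncreateprocessdebugevent(LPDEBUG_EVENT pde)
{
    HMODULE hkernel32 = GetModuleHandle(L"kernel32.dll");
    if (hkernel32 == NULL)
        return FALSE;

    g_pfwritefile = (LPVOID)GetProcAddress(hkernel32, "GetCommandLineA");
    if (g_pfwritefile == NULL)
        return FALSE;

    /* Keep the debuggee's process/thread handles for the later memory and
     * context operations. */
    memcpy(&g_cpdi, &pde->u.CreateProcessInfo, sizeof(CREATE_PROCESS_DEBUG_INFO));

    /* Save the original first byte so the breakpoint can be undone. */
    if (!ReadProcessMemory(g_cpdi.hProcess, g_pfwritefile, &g_chorgbyte, sizeof(BYTE), NULL))
        return FALSE;

    /* Plant INT3 (0xCC) over the first byte of the API. */
    if (!WriteProcessMemory(g_cpdi.hProcess, g_pfwritefile, &g_chint3, sizeof(BYTE), NULL))
        return FALSE;

    /* Code was modified from outside: make sure the debuggee's CPU does not
     * keep executing the stale byte. */
    FlushInstructionCache(g_cpdi.hProcess, g_pfwritefile, sizeof(BYTE));
    return TRUE;
}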
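/*
 * onexceptiondebugevent - EXCEPTION_DEBUG_EVENT handler.
 *
 * Two exceptions belong to the hook:
 *   EXCEPTION_BREAKPOINT at g_pfwritefile - the debuggee just entered the
 *     hooked API. The original byte is restored, the payload runs (here a
 *     MessageBox), EIP is rewound to the API's first byte and the thread is
 *     resumed with the trap flag set so it executes exactly one instruction.
 *   EXCEPTION_SINGLE_STEP that follows - the original first instruction has
 *     run, so INT3 is written back and the hook stays armed.
 * In both cases the event is continued here and TRUE is returned so that the
 * caller does not call ContinueDebugEvent a second time. Any other exception
 * returns FALSE and is left to the caller (the original returned TRUE for
 * every exception, which left unrelated exceptions - including the attach
 * breakpoint - never continued).
 *
 * Why single-step instead of the original "ContinueDebugEvent; Sleep(0);
 * re-write INT3" sequence: Sleep(0) does not guarantee the debuggee thread
 * has executed past the first byte, so the INT3 could be re-planted before
 * the original instruction ran and the thread would either trap again or
 * execute a corrupted instruction.
 *
 * x86 only: CONTEXT.Eip/EFlags and the stack offsets mentioned below assume a
 * 32-bit debuggee; a 64-bit build needs Rip and the x64 calling convention.
 */
BOOL onexceptiondebugevent(LPDEBUG_EVENT pde)
{
    static BOOL s_rearm_pending = FALSE;  /* a re-arming single-step is outstanding */
    PEXCEPTION_RECORD per = &pde->u.Exception.ExceptionRecord;
    CONTEXT ctx;
    HANDLE hthread;

    if (per->ExceptionCode == EXCEPTION_BREAKPOINT) {
        if (per->ExceptionAddress != g_pfwritefile)
            return FALSE;   /* some other breakpoint, e.g. the one raised on attach */

        /* Undo the patch so the API runs unmodified once resumed. */
        WriteProcessMemory(g_cpdi.hProcess, g_pfwritefile, &g_chorgbyte, sizeof(BYTE), NULL);
        FlushInstructionCache(g_cpdi.hProcess, g_pfwritefile, sizeof(BYTE));

        /* The API may be called from any thread of the debuggee, not only the
         * initial one whose handle is in g_cpdi.hThread: operate on the thread
         * that actually hit the breakpoint. */
        hthread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, pde->dwThreadId);
        if (hthread == NULL)
            hthread = g_cpdi.hThread;   /* best effort, as the original did */

        ctx.ContextFlags = CONTEXT_CONTROL;   /* covers Eip and EFlags on x86 */
        GetThreadContext(hthread, &ctx);

        /* Hook payload. */
        MessageBox(0, L"ABCCBA", 0, 0);

        /* The original example hooked WriteFile instead and upper-cased the
         * caller's buffer here: lpBuffer is at ESP+0x8 and nNumberOfBytesToWrite
         * at ESP+0xC (x86 stdcall), read with ReadProcessMemory, each byte in
         * 'a'..'z' has 0x20 subtracted, and the buffer is written back with
         * WriteProcessMemory. It does not apply to GetCommandLineA. */

        /* INT3 already advanced EIP by one byte: rewind to the API's first
         * instruction and ask for a single step so it executes exactly once. */
        ctx.Eip = (DWORD)(DWORD_PTR)g_pfwritefile;
        ctx.EFlags |= 0x100;   /* TF: trap flag */
        SetThreadContext(hthread, &ctx);
        if (hthread != g_cpdi.hThread)
            CloseHandle(hthread);

        s_rearm_pending = TRUE;
        ContinueDebugEvent(pde->dwProcessId, pde->dwThreadId, DBG_CONTINUE);
        return TRUE;
    }

    if (per->ExceptionCode == EXCEPTION_SINGLE_STEP && s_rearm_pending) {
        /* The original first instruction has executed; re-arm the hook.
         * The CPU clears TF when it raises the single-step exception. */
        s_rearm_pending = FALSE;
        WriteProcessMemory(g_cpdi.hProcess, g_pfwritefile, &g_chint3, sizeof(BYTE), NULL);
        FlushInstructionCache(g_cpdi.hProcess, g_pfwritefile, sizeof(BYTE));
        ContinueDebugEvent(pde->dwProcessId, pde->dwThreadId, DBG_CONTINUE);
        return TRUE;
    }

    return FALSE;   /* not ours: the caller decides how to continue it */
}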
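/*
 * Debugloop - drives the debuggee until it exits.
 *
 * Waits for debug events and dispatches them:
 *   CREATE_PROCESS_DEBUG_EVENT -> oncreateprocessdebugevent (plants the hook)
 *   EXCEPTION_DEBUG_EVENT      -> onexceptiondebugevent; when it returns TRUE
 *                                 it has already continued the event, so the
 *                                 loop must not continue it a second time
 *   EXIT_PROCESS_DEBUG_EVENT   -> acknowledge the event and leave the loop
 * Every other event is continued with DBG_CONTINUE.
 *
 * Exceptions the hook does not claim are continued with
 * DBG_EXCEPTION_NOT_HANDLED so the debuggee's own handlers see them;
 * breakpoints (e.g. the one raised by attaching) are continued with
 * DBG_CONTINUE, since the debuggee has no handler for those. The original
 * replied DBG_CONTINUE to everything, which silently swallows faults such
 * as access violations in the debuggee.
 */
void Debugloop(void)
{
    DEBUG_EVENT de;

    while (WaitForDebugEvent(&de, INFINITE)) {
        DWORD dwcontinuestatus = DBG_CONTINUE;

        switch (de.dwDebugEventCode) {
        case CREATE_PROCESS_DEBUG_EVENT:
            /* Debuggee created or attached: install the breakpoint. */
            oncreateprocessdebugevent(&de);
            break;

        case EXCEPTION_DEBUG_EVENT:
            if (onexceptiondebugevent(&de))
                continue;   /* handler already called ContinueDebugEvent */
            if (de.u.Exception.ExceptionRecord.ExceptionCode != EXCEPTION_BREAKPOINT)
                dwcontinuestatus = DBG_EXCEPTION_NOT_HANDLED;
            break;

        case EXIT_PROCESS_DEBUG_EVENT:
            /* Acknowledge the exit so the debuggee can finish tearing down,
             * then stop debugging. */
            ContinueDebugEvent(de.dwProcessId, de.dwThreadId, DBG_CONTINUE);
            return;

        default:
            break;
        }

        /* Resume the debuggee. */
        ContinueDebugEvent(de.dwProcessId, de.dwThreadId, dwcontinuestatus);
    }
}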
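/*
 * debugger_thread - attaches to the target process and runs the debug loop.
 *
 * Runs on its own thread because WaitForDebugEvent/ContinueDebugEvent must be
 * called from the thread that attached, and that loop must not run inside
 * DllMain: blocking there holds the loader lock for the life of the debuggee
 * (and MessageBox is a call into user32, which DllMain must not make).
 *
 * lpparam: the target PID, passed as an integer.
 * Returns 0 on normal completion, 1 if DebugActiveProcess failed; the
 * original showed the error and then ran the debug loop anyway.
 */
static DWORD WINAPI debugger_thread(LPVOID lpparam)
{
    DWORD pid = (DWORD)(DWORD_PTR)lpparam;

    if (!DebugActiveProcess(pid)) {
        wchar_t buf[MAXBYTE] = {0};
        wsprintf(buf, L"debugactiveprocess (%d) failed!!! \nerror Code =%d\n ", pid, GetLastError());
        MessageBox(0, buf, L"Err", 0);
        return 1;
    }
    Debugloop();
    return 0;
}

/*
 * DllMain - starts the debugger thread on DLL_PROCESS_ATTACH.
 *
 * Returns TRUE so the DLL stays loaded; the debugger runs on a worker
 * thread and DllMain returns immediately.
 *
 * NOTE(review): DebugActiveProcess cannot attach a process to itself, so
 * attaching to GetCurrentProcessId() is expected to fail; the listing gives
 * no other source for the target PID - confirm how the injector is meant to
 * supply it.
 */
BOOL APIENTRY DllMain(HMODULE hmodule, DWORD ul_reason_for_call, LPVOID lpreserved)
{
    (void)hmodule;
    (void)lpreserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        DWORD pid = GetCurrentProcessId();
        HANDLE hthread = CreateThread(NULL, 0, debugger_thread,
                                      (LPVOID)(DWORD_PTR)pid, 0, NULL);
        if (hthread != NULL)
            CloseHandle(hthread);   /* the thread keeps running; the handle is not needed */
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}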
API hooking in debugger mode: the hooking process attaches to the target as a debugger and intercepts the API with an INT3 breakpoint.