Microsoft Research Institute detour Development Kit-API Interception Technology

Reprinted

Microsoft Research Institute detour Development Kit-API Interception Technology

 

 

The most direct purpose of intercepting function execution is to add functions, modify return values, add additional code for debugging and performance testing, or intercept input and output of functions for research and cracking. By accessing the source code, we can easily use the rebuilding operating system or application method to insert new features or perform function extensions between them. However, in today's Commercial Development World, and in systems with only binary code released, researchers have almost no chance to get source code. This article mainly discusses detour's API Interception Technology Based on Windows binary PE files. For the Linux platform, it will be very simple to do this, because the original operating system designer introduced ld_preload. If you set ld_preload = mylib. so, when the application loads the DLL, it first looks at mylib. so symbol table, mylib will be used preferentially during relocation. so. If you have a printf () in mylib. So, this printf will replace libc's printf. The printf in mylib. So can directly access the printf function pointer in libc. So to obtain the real printf entry address. In this way, all the dll api Hooks have been completed when the loader loads the DLL. Naturally, the platform-related parts are all handed over to the loader for processing.

I. Detour development database:
Introduction
Detours is a tool library that intercepts any Win32 function calls on the X86 platform. The interrupted code can be dynamically loaded at runtime. Detours uses an unconditional transfer command to replace the first few commands of the object function and transfer the control flow to a user-provided Interception Function. Some commands in the target function are stored in a function called "trampoline, here I think it is more appropriate to translate part of the target function into a clone/copy function. These commands include the replaced code in the target function and an unconditional branch that redirects to the target function again. The interception function can replace the target function, or extend the function by calling the target function as a subroutine when executing the "trampoline" function.
Detours is inserted during execution. The code of the target function in the memory is not modified on the hard disk, so it is easier to intercept the execution of the binary function at a good granularity. For example, a function in the DLL loaded when an application is executed can be inserted with a piece of interception code (detoured). At the same time, this dll can also be executed by other applications as normal (Note: The DLL binary file is not modified because it is not intercepted, so when the interception occurs, other process spaces will not be affected to load the DLL ). Unlike DLL relinking or static redirection, the interrupt technology used in the detours library ensures that the method in the application or the positioning of the target function by the system code is not affected.
If others attempt to modify binary code for debugging or internal use of other system detection techniques, detours will be a universally available development kit. As far as I know, detours is the first development kit that can retain unmodified target code on any platform as a subroutine that can be called through "trampoline. The previous system put the interception code in the object code in advance logically, instead of calling the original target code as a common subroutine. Our unique "Trampoline" design is crucial to extending the binary code of existing software.
For the purpose of using the basic function Interception Function, detours also provides the ability to edit any DLL import table to add any data section table to the existing binary code, inject a DLL into a new process or a running process. Once a DLL is injected into a process, this dynamic library can intercept any Win32 function, whether in an application or in a system library.
Basic Principles
1. Win32 process memory management
As we all know, Windows NT implements virtual memory. Each Win32 process has 4 GB of virtual storage space. For details about the Win32 process's virtual storage structure and operations, see the Win32 API manual, only the following points are related to detours:
(1) The commands to be executed by the process are also stored in the virtual storage space.
(2) You can use the queryprotectex function to change the page permission for storing commands to readable, writable, and executable, and then rewrite the content to modify the running program.
(3) You can use virtualallocex to allocate virtual memory to another running process from one process, and then use the queryprotectex function to change the page permission to readable, writable, and executable, and write the commands to be executed in the form of binary machine code, so as to inject arbitrary code into a running process.
2. How Win32 APIs are intercepted
Detours defines three concepts:
(1) Target function: the function to be intercepted, usually a Windows API.
(2) trampoline function: part of the target function. Because detours will rewrite the target function, we need to copy and save the first five bytes of the target function. On the one hand, we still save the process call semantics of the target function, and on the other hand, it facilitates future recovery.
(3) detour function: used to replace the target function.
Detours adds the JMP address_of _ detour _ FUNCTION command at the beginning of the target function (five bytes in total) to direct the call to the target function to its own detour function, add the 5 bytes starting with the target function with JMP address_of _ target _ FUNCTION + 5 to a total of 10 bytes as the trampoline function. See figure 1 and figure 2 below.
(Figure 1: Process of the detour function)

(Figure 2: Call the detour function)

Note:
Target function:
The object function has at least five bytes in binary format. According to Microsoft's instructions, the function body of the trampoline function is to copy the first five bytes and add an unconditional jump instruction (if there is no special processing of the inseparable instruction ), therefore, the first five bytes must be a complete command, that is, the command cannot contain 5th bytes or 6th bytes. Otherwise, the trampoline function is incorrectly executed, A complete command is hard to separate, causing program crash. For the 5th-byte and 6th-byte commands, you need to adjust the number of bytes copied to the acrobatics function (trampoline). This value can be obtained by checking the compilation code of the target function. This function is a modified version of the target function and cannot be called directly in the detour function. You need to call the trampoline function indirectly.
Trampoline functions:
By default, this function is allocated 32 bytes. The content of the function is the first five bytes of the copied target function, plus a JMP address_of _ target _ FUNCTION + 5 command, a total of 10 bytes.
This function is only called by your detour function. After the first five bytes of instruction are executed, the system will jump to the 6th bytes of the target function and continue to execute the original function.
Detour function:
This function is a simulated version of the API that the user needs to intercept. The call method and number of parameters must be consistent with that of the target function. If the target function is _ stdcall, the detour function declaration must also be _ stdcall, and the number and type of parameters must be the same; otherwise, the program will crash. This function will be called when the program calls the first instruction of the target function (jump unconditionally). If you want to continue calling the target function in this function, the trampoline function must be called (the trampoline function will jump to the 5 bytes of the target function unconditionally after the first 5 bytes of the target function are executed ), you cannot directly call the target function. Otherwise, it will enter infinite recursion (the target function jumps to the detour function, and the detour function jumps to the recursion of the target function, because the first five bytes of the target function in the memory have been modified to an absolute jump ). After calling the trampoline function, you can obtain the execution result of the target function. This feature is very useful for analyzing the target function, in addition, you can modify the output result of the target function and then return it to the application.
Detour provides two methods: injecting the detour function to a running application and injecting the detour function to a binary file. This chapter mainly discusses the second method of work. The Development Kit provided by detours allows you to add a node table named detour to the binary EXE file, as shown in figure 3, the main purpose is to automatically load your compiled detours DLL when the PE Loader loads the application, and complete the detour of the target function in the dllmain of detours DLL.
(Figure 3)

2. interfaces provided by detours to intercept APIs
The API provided by detours can be called as a shared DLL to external programs, or it can be linked to your program as a static Lib.
The trampoline function can be dynamically or statically created. If the target function itself is a link symbol, it is very easy to use the static trampoline function. If the target function cannot be visible at the link, you can use the dynamic trampoline function.
To use the static trampoline function to intercept the target function, the application must use
Detour_trampoline macro. Detour_trampoline has two input parameters: the prototype of the trampoline and the name of the target function.
Note: The correct interception model, including the target function, trampoline function, and interception function, must be completely consistent in the call form, including the parameter format and call conventions. It is the responsibility of the function to copy the correct parameters when calling the target function through the trampoline function. As the target function only intercepts a callable branch of a function (the function can call or not call the trampoline function), this responsibility is almost a kind of subconscious action.
The same call conventions can be used to ensure that the values in the registers are properly saved and that the call stack can be correctly created and destroyed when the function is intercepted to call the target function.
You can use the detourfunctionwithtrampoline function to intercept the target function. This function has two parameters: the trampoline function and the pointer to the intercepted function. Because the target function has been added to the trampoline function, you do not need to specify it in the parameter.
We can use the detourfunction function to create a dynamic trampoline function, which includes two parameters: a pointer to the target function and a pointer to the intercepted function. Detourfunction allocates a new trampoline function and inserts the appropriate interception code into the target function.
When the target function is not very easy to use, the detourfindfunction function can find the function, whether it is the function exported in the DLL or the debug symbol of the binary target function.
Detourfindfunction accepts two parameters: Library name and function name. If the detourfindfunction finds the specified function, a pointer to the function is returned. Otherwise, a null pointer is returned. Detourfindfunction first uses the Win32 functions loadlibrary and getprocaddress to locate the function. If the function is not found in the DLL export table, detourfindfunction uses the imagehlp library to search for valid debugging symbols: the debugging symbol here refers to the debugging symbol provided by Windows itself, which must be installed separately. For details, refer to the user diagnostic support information of windows ). The function pointer returned by detourfindfunction can be passed to detourfunction to generate a dynamic trampoline function.
We can call detourremovetrampoline to remove interception of a target function.
Note that the function in detours modifies the address space of the application. It is the programmer's responsibility to ensure that no other thread is executed in the process space when the Interception Function is added or removed. A simple method is to ensure that a single-threaded execution calls a function in dllmain when the detours library is loaded.
3. Use detours to intercept APIs
Create an MFC dialog box project, add the call to the messageboxa function to the Click Event of the OK button in the dialog box, And the compiled program name messageboxapp.

(Figure 4)
Static Method
Create a DLL project named apihook. Here we use the Visual C ++ 6.0 development environment to capture the messageboxa function of the ASCII version. Add the following to the DLL project:
Detour_trampoline (INT winapi real_messagebox (hwnd,
Lpcstr lptext,
Maid,
Uint utype),: messageboxa );
Generate a static trampoline function for messageboxa, and add the detour function of the target function to the DLL project:
Int winapi messagebox_mine (hwnd,
Lpcstr lptext,
Maid,
Uint utype)
{
Cstring TMP = lptext;
TMP + = "intercepted by detour ";
Return real_messagebox (hwnd, TMP, lpcaption, utype );
// Return: messageboxa (hwnd, TMP, lpcaption, utype); // Error
}
Add the following to the DLL loading event in the DLL entry function:
Detourfunctionwithtrampoline (pbyte) real_messagebox, (pbyte) messagebox_mine );
Add the following to the unload DLL event in the DLL entry function:
Detourremove (pbyte) real_messagebox, (pbyte) messagebox_mine );
Dynamic Method
Create a DLL project named apihook. Here we use the Visual C ++ 6.0 development environment to capture the messageboxa function of the ASCII version. Add the following to the DLL project:
// Declare a function prototype with the same messageboxa
Typedef int (winapi * messageboxsys) (hwnd,
Lpcstr lptext,
Maid,
Uint utype );
// Target function pointer
Messageboxsys systemmessagebox = NULL;
// Trampoline function pointer
Messageboxsys real_messagebox = NULL;
Add the detour function of the target function to the DLL project:
Int winapi messagebox_mine (hwnd,
Lpcstr lptext,
Maid,
Uint utype)
{
Cstring TMP = lptext;
TMP + = "intercepted by detour ";
Return real_messagebox (hwnd, TMP, lpcaption, utype );
// Return: messageboxa (hwnd, TMP, lpcaption, utype); // Error
}
Add the following to the DLL loading event in the DLL entry function:
Systemmessagebox = (messageboxsys) detourfindfunction ("user32.dll", "messageboxa ");
If (systemmessagebox = NULL)
{
Return fasle;
}
Real_messagebox = (messageboxsys) detourfunction (pbyte) systemmessagebox, (pbyte) messagebox_mine );
Add the following to the unload DLL event in the DLL entry function:
Detourremove (pbyte) real_messagebox, (pbyte) messagebox_mine );
Overwrite binary executable files
Use setdll.exe with detoursto overwrite the binary executable file. You can add a new detours PE section table to the program to be intercepted. Setdll.exe is used to create a new batch of processing files in this document.
@ Echo off
If not exist messageboxapp.exe (
Echo, decompress the file to the installation directory of messageboxapp.exe, and then execute the patch.
) Else (
Setdll/D: apihook. dll messageboxapp.exe
)
Pause
After the call, use depends.exe( vc)))))) messto observe the changes before and after messageboxapp.exe. You can see that setdllhas been rewritten by messageboxapp.exe
The dependency on apihook. dll is added.

(Before setdll.exe is executed) (after setdll.exe is executed)
Execute messageboxapp.exe behind setdll.exe. click OK and the result is as follows:
At this point, messageboxapp.exe's call to the messageboxa function has been intercepted, and the pop-up dialog box content has clearly stated this.

I am a person without tears. To protect myself, I can be cruel to anyone in the future!