Post: Hook Technology Analysis

From: http://hi.baidu.com/oder/blog/item/12cd0e5559a547c1b645aedb.html

 

HOOK: (Hook) is a system mechanism provided in Windows to replace "interrupt" in DOS ".

The Application of hooks in software can be said to be very extensive. I want to learn about hooks, what IAT hooks, inline hooks ......

I read other articles about this topic on the internet, and I feel that it is not applicable to people I just came into contact with. So I will share my experience with you today (you don't have to read it here ...... haha .)

What is the use of Windows Hook? The clear point is to give a specific event. The specific point is to hook a function (our own function ), let it execute the hook we mounted (the function we mounted) before execution, so as to intercept events and function calls.
Iat hook: IAT (import Address Table) means to import the address table, some friends do not understand ,! What is an import address table. you can download an exclusive file and use it to open an EXE file to check the import column. During execution of a program, the function called by it (static call, that is, the loadlibrary method is not used, when it is compiled into an executable file, the function addresses of these modules will be written into the import table. The IAT hook replaces these addresses in the IAT table with their own function addresses, then, when the program calls this address, it will jump to our function. Here, the replacement is not to say that we want to replace the IAT table in the file, but to replace the IAT table in the memory, after an executable file is run, its program body is loaded into the memory as a module. When you need to call a function, it queries the called function address in the IAT table, we only need to modify the IAT table address in the memory. The specific modification method is very simple. We will not introduce it here. How can we modify it? In other words, how can we know when to modify it? At this time, you need to use a Windows system function setwindowshookex (of course, this method is not only applicable, such as remote injection. If you are interested, you can query it online ), this function will take our DLL files to all programs related to the hooks we have registered (note the user permissions of the Process) at runtime ), this is why the global hook of user State is made into DLL (the reason for dynamic link library ).

For example, we use setwindowshookex to register a mouse hook and use. the DLL module is linked to it, then all programs in the Windows system that respond to the mouse event will first load. DLL. when loading the DLL initialization (execute the dllmain function), we can first find the function address in IAT in the memory, and then modify it to a by using writeprocessmemory or memcpy. a function in the DLL module (the function we hook), the program will first execute the one we hung up in a when responding to the mouse event. A function of DLL is in our hands at this time. We can let it continue to execute, or let it immediately return invalid results. similarly, we can hook all the programs that respond to Keyboard Events to load our modules to monitor keyboard records, you can also hook all Response Message programs to hook ntopenprocess and ntterminateprocess to prevent our programs from being terminated by other programs. you can also hook up many API functions to monitor system API calls. However, there is a misunderstanding here: Set Windowshookex is only responsible for loading your DLL to other execution programs (not executed), so our replacement action must be completed (or called) in the dllmain function. note that IAT hook only modifies the IAT table, not the function itself. The method below is to directly modify the function itself to implement hook. Likewise, you can use setwindowshookex to add a hook to another process. So how does it implement hook? We need to prepare a byte (or char) variable of five bytes, and then set its first byte to 0xe9 (hexadecimal ), then, write (our function address-Original Function address-5) (long type) to the four bytes after the first byte, we all know that the space occupied by the long type is exactly four bytes (in many types, no matter how its type changes, it has the size in bytes. In my opinion, call a variable 'int' or 'long' to make it easy to write a program, because we can define 'intx byte X [2]). then copy the five bytes to the 5 bytes starting from the address of the original function (the function to be linked) in the memory. What does this mean? Some people may not know that 0xe9 is equivalent to the JMP command in the Assembly. (Of course, people who have a bit of disassembly basics know that 0xc3 = ret, 0xe9 = JMP, and many) in the Assembly, JMP is a jump command. Here, it is redirected to the position indicated by the next four bytes (our function address) to achieve the hook goal, this is why inline hook is called a 5-byte jump Method. The same method is not only applicable to the user State, but also to the core State. This is the SDT inline hook.
There is a kernel file loaded image (kernel module) in the system kernel. ntoskrnl, ntkrnlpa, ntkrnlmp, ntkrnlup, and ntkrpamp are all OS kernel files. It provides a complete set of core State functions, for user-state and core-state calls, most of the functions called in the user-State enter the OpenProcess of the core State such as kernel32.dll at the end. After the OpenProcess is called, NTDLL will be entered. the ntopenprocess in DLL then calls the system function call number to enter the ntopenprocess of the core state, so the core State hook is king. The core State hooks include ssdt hook and SDT inline hook. As mentioned above, the kernel exports a series of functions for user-mode calling. The exported function table is ssdt (system service description table). Its address can be queried by the kernel-exported variable keservicedescriptortable, each 4 bytes (Long SIZE) is an address. During ssdt hook, we only need to modify the address in the ssdt table to our address, which is quite simple.

For example, modify ntopenprocess:
* (Ulong *) (keservicedescriptortable + (0x7a * 4) = (ulong) myopenprocess
0x7a is the system call number of ntopenprocess. Each call number occupies 4 bytes. keservicedescriptortable + (0x7a * 4) represents the storage location of the ntopenprocess address. myopenprocess is our custom function, in this way, the system will jump to myopenprocess when executing ntopenprocess. In addition, the inline hook directly modifies the first five bytes of the function just like the user State. However, the inline hook in the core State is dangerous, which involves multi-threaded calling. If you are interested, you can check this information.
We have already discussed the implementation principles of these hooks. How can we prevent them. In user mode, we can hook (inlinehook) loadlibraryexw to judge. There are a lot of information on the Internet, and friends can find it by themselves. Another point is that online methods cannot prevent remote hook injection, when loadlibrary is used, adding Ted or peb can be prevented. If you do not understand the above principles or have specific implementation methods, contact me QQ: 233276111. Reprinted, please ensure the integrity of the article.