Hooking the offical way?

Forum for discussion about kernel-mode development.
Post Reply
rrr_rrr_111
Posts: 3
Joined: Mon Aug 06, 2018 8:15 pm

Hooking the offical way?

Post by rrr_rrr_111 » Mon Aug 06, 2018 8:23 pm

Hi guys, I've got a question on how to be able to hook various WinAPI functions like VirtualQuery and be able to see the parameters being passed to a certain process.

I've tried using the user-defined/system-defined callbacks but there are apparently only like 4 functions you can "hook" on (GetSystemTime, etc)...

I want an official Microsoft provided way to see WinAPI functions called in a process in a 64bit machine running Win 10...

User avatar
Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA
Contact:

Re: Hooking the offical way?

Post by Brock » Thu Aug 09, 2018 5:01 pm

You can inject a DLL into your target process(es) and use Microsoft Detours hooking engine if you don't want to use 3rd party hooking engines. However, there really isn't any "official" method, Detours just happens to be Microsoft's own hooking solution for various tasks over the years.
Accept nothing less than STATUS_SUCCESS

rrr_rrr_111
Posts: 3
Joined: Mon Aug 06, 2018 8:15 pm

Re: Hooking the offical way?

Post by rrr_rrr_111 » Thu Aug 09, 2018 8:14 pm

Brock wrote:
Thu Aug 09, 2018 5:01 pm
You can inject a DLL into your target process(es) and use Microsoft Detours hooking engine if you don't want to use 3rd party hooking engines. However, there really isn't any "official" method, Detours just happens to be Microsoft's own hooking solution for various tasks over the years.
What about methods from kernel mode? I've read about ssdt hooking but apparently it results in a BSOD. I'm trying to find a way to hook those functions from kernel mode.

User avatar
Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA
Contact:

Re: Hooking the offical way?

Post by Brock » Thu Aug 09, 2018 11:25 pm

Should have mentioned previously that v4.0.1 is now open source and supports both x86 and x64 and will work with all NT-based operating systems. Years ago this wasn't the case, the source for licensing v4.0 was (iirc) $10,000 USD

https://github.com/Microsoft/Detours
Accept nothing less than STATUS_SUCCESS

vivid
Posts: 1
Joined: Wed Dec 17, 2014 7:02 am

Re: Hooking the offical way?

Post by vivid » Sat Aug 11, 2018 10:53 pm

Brock wrote:
Thu Aug 09, 2018 11:25 pm
Should have mentioned previously that v4.0.1 is now open source and supports both x86 and x64 and will work with all NT-based operating systems. Years ago this wasn't the case, the source for licensing v4.0 was (iirc) $10,000 USD

https://github.com/Microsoft/Detours
Wow that's nice to hear! I have a repo for my own version of Detours I made when the license was still restrictive. Releasing it under MIT license puts a smile on my face.

FWIW Detours [hotpatching] is the preferred method because it doesn't require updating other modules, so it can do on-the-fly OS updates. You also need to know the parameters/convention. Using your own hook/naked function only requires you to know what you want to manipulate.

rrr_rrr_111
Posts: 3
Joined: Mon Aug 06, 2018 8:15 pm

Re: Hooking the offical way?

Post by rrr_rrr_111 » Sun Aug 12, 2018 5:08 am

I don't understand how detours is related to hooking in kernel mode? I posted this inside "kernel mode development" section...

User avatar
Vrtule
Posts: 459
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic
Contact:

Re: Hooking the offical way?

Post by Vrtule » Sun Aug 12, 2018 9:24 am

What about methods from kernel mode? I've read about ssdt hooking but apparently it results in a BSOD. I'm trying to find a way to hook those functions from kernel mode.
Well, hooking based on code modification is not possible (in most cases) because 64-bit Windows employs Kernel Patch Protection (KPP) that BSODs the system when it detect code/data (and other) changes. Sometimes, you can still do some hooking in places where pointers to routines are used rather than calling the routines directly. However, it may be quite tricky to find such places and since they are quite deep in the kernel, they may exist only on some versions of Windows (or be different on others).

What you can do is to trick KPP into thinking that none of the protected code and data changed by employing a hardware virtualizacion. For example, see DDiMon
https://github.com/tandasat/DdiMon

Unfortunately (or fortunately, it depends), none of these approaches is as simple as the "good" old SSDT hooking, so popular (ineffective and BSOD generating) during the XP era.

User avatar
Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA
Contact:

Re: Hooking the offical way?

Post by Brock » Sun Aug 12, 2018 4:30 pm

Originally you posted this regardless of the Kernel Mode Development section of the forum
I've got a question on how to be able to hook various WinAPI functions like VirtualQuery and be able to see the parameters being passed to a certain process
Your question, I assumed after your mentioning of a usermode API, wasn't in fact kernel related but I see now that's what you meant all along.

VrTule has already provided you the answer. If you want to try a 3rd party hooking library that can (from what I've read) hook kernel functions you can read about EasyHook. Keep in mind however that it still will not disable Patch Guard (KPP) for you so you're back to square one on x64.

https://easyhook.github.io
Accept nothing less than STATUS_SUCCESS

User avatar
tangptr
Posts: 28
Joined: Mon Nov 14, 2016 11:14 am
Location: People Republic of China
Contact:

Re: Hooking the offical way?

Post by tangptr » Mon Aug 13, 2018 7:09 am

You may hook MSR-LSTAR (ecx=0xC0000082) and hide your hook using hardware-accelerated virtualization (Intel VT-x or AMD-V).
This can be accomplished by rdmsr interception. It requires the least virtualization feature - no address-translation (Intel EPT or AMD NPT) required.
HyperBone written by DarthTon can be a significant example of doing MSR hook filtering using hardware-accelerated virtualization - which is, writing assembly code to redo KiSystemCall64 and interception of rdmsr. However, its way of hooking is not perfect - which is, using wrmsr instruction to change MSR value.
Only via chaos and excellence can beauty and success be respectively created and achieved.

Post Reply