Custom Function hooking (no api)

Aug 26, 2012 at 11:14 PM
Edited Aug 26, 2012 at 11:36 PM

hi, i would like to hook an internal function, modify (or not) params and  call the original function with the new params.

i got the offset but i dont know exactly how to do it

 

PUSH EAX   // param int

CALL Program.00A0CAF0        //offset 0x00A0CAF0 


and the code for dll filemoninect

 

 

namespace FileMonInject
{
    public class Main : EasyHook.IEntryPoint
    {
        IntPtr offset = new IntPtr(0x00A0CAF0);

        FileMon.FileMonInterface Interface;
        LocalHook CreateFileHook;
        Stack Queue = new Stack();

        public Main(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // connect to host...
            Interface = RemoteHooking.IpcConnectClient(InChannelName);

            Interface.Ping();
        }

        public void Run(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // install hook... 0x00A0CAF0

            
            try
            {

                CreateFileHook = LocalHook.Create(
                    offset,
                    new DPrintParam(prinraparamHook),
                    this);
               

                CreateFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
            }
            catch (Exception ExtInfo)
            {
                Interface.ReportException(ExtInfo);

                return;
            }

            Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());

            RemoteHooking.WakeUpProcess();

            // wait for host process termination...
            try
            {
                while (true)
                {
                    Thread.Sleep(500);

                    // transmit newly monitored file accesses...
                    if (Queue.Count > 0)
                    {
                        String[] Package = null;

                        lock (Queue)
                        {
                            Package = Queue.ToArray();

                            Queue.Clear();
                        }

                        Interface.OnCreateFile(RemoteHooking.GetCurrentProcessId(), Package);
                    }
                    else
                        Interface.Ping();
                }
            }
            catch
            {
                // Ping() will raise an exception if host is unreachable
            }
        }

        IntPtr prinraparamHook(Int32 param)
        {

            Main This = (Main)HookRuntimeInfo.Callback;

            try
            {

                param = 50; 
                lock (This.Queue)
                {
                    This.Queue.Push(String.Format("[{0}]", param));
                }
            }
            catch
            {
                This.Queue.Push(String.Format("Error en catch de printparamhook"));
            }

            return offset; // how return a pointer to offset with the
new param?
        
        }

        [UnmanagedFunctionPointer(CallingConvention.Cdecl,
            CharSet = CharSet.Unicode,
            SetLastError = true)]
        delegate IntPtr DPrintParam(
            Int32 param/*push eax*/);

    
    }
}

so the question is, how to modify the param and send that to the function in 0x00A0CAF0 
edit: of course this program does not work at all

Coordinator
Aug 27, 2012 at 11:24 AM

First you have to resolve the offset to an absolute address, i.e. get the module address and then add the offset.

I'm assuming your method has the signature as outlined in the DPrintParam delegate.

Cheers,