Hook not working, detour jmp installed, but managed hook never called

Mar 13, 2009 at 12:13 AM
Edited Mar 13, 2009 at 12:14 AM
Just playing around with easyhook, I've run into a problem I'm not sure about how to fix.
Starting from the FileMon example (which works great) I've tried hooking different function calls. The app I'm hooking uses OpenSSL and I tried hooking a method defined as

int SSL_read(SSL *s,void *buf,int num)

However, I can't get this to work, my hooked function never gets called.
I've confirmed that SSL_read is actually detoured, e.g. after installing the hook looks like:

ssleay32.dll:00AE7AC0 ssleay32_SSL_read:
ssleay32.dll:00AE7AC0 jmp     loc_1372238

and confirmed that execution now goes to EasyHook32.dll whenever the app calls SSL_read. However my managed hook is never executed. Instead after a while [1] execution jumps back to ssleay32.dll and the original SSL_read is executed.
I don't get error messages/event log messages (using a debug build of easyhook).
In my managed hook dll I do:

IntPtr address = LocalHook.GetProcAddress("ssleay32.dll", "SSL_read");
SslReadHook = LocalHook.Create(
address,
new DSSL_read(SSL_read_Hooked),
this);
[..]
[UnmanagedFunctionPointer(CallingConvention.Cdecl, SetLastError = true, CharSet = CharSet.Ansi)]
delegate int DSSL_read(UInt32 s, UInt32 buf, Int32 num);
[DllImport("ssleay32.dll", EntryPoint = "SSL_read", CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl, ExactSpelling = true, PreserveSig = true)]
public static extern int SSL_read(UInt32 s, UInt32 buf, Int32 num);

public Int32 SSL_read_Hooked(UInt32 s, UInt32 buf, Int32 num)
{
Console.Beep();
return -1;
// return SSL_read(s, buf, num);
}

Anything stupid I'm obviously doing wrong?

Anyway, this is a great tool, I am surprised it hasn't gained more publicity yet.

Ben
b.schwehn@gmx.net
[1]My assembly is pretty weak and I haven't managed to work out so far what exactly happens in EasyHook32 before it jumps back.
Mar 13, 2009 at 1:54 AM
Since EasyHook is open source you will probably find it easier to compile it yourself (just need Visual Studio 2005 or higher, express edition works) and then step through the EasyHook code instead of stepping through the assembly.  Just make sure Visual Studio loads the symbols from the PDB files that get built along side the binaries and you should be good.
Mar 13, 2009 at 1:55 AM
Do you set the ACL after LocalHook.Create?  I don't remember the exact function call, look at FileMon though, it's the line right after the LocalHook.Create call.  If you don't do it things wont work.
Mar 13, 2009 at 10:01 AM
Micah is right...

Make sure that you set a proper ACL! To make sure that it gets called just set something like "SslReadHook.SetExclusiveACL(new int[0]);" or just "null" as parameter but I am not sure about that. This means that ALL threads are intercepted...
Mar 13, 2009 at 10:06 AM
> My assembly is pretty weak and I haven't managed to work out so far what exactly happens in EasyHook32 before it jumps back.

Well even with more experience in assembly this would be pretty hard. Since the jumper code of EasyHook is no usual assembly, but tricky in some sense... Without the source code "guessing" what it does will be a rather dounting task :-D
Mar 13, 2009 at 1:46 PM
Thanks you both, indeed all that was wrong was that I didn't set the thread ACL, expecting it to default to "intercept all threads" (then getting thoroughly confused trying to understand the inner workings of easyhook). Which just shows no matter how good the manual is, you still have to read it :-P

"By default EasyHook sets an empty global exclusive ACL, which will grant access
for  all  threads,  and  an empty  inclusive  local ACL  for every hook, which will  finally deny  access  for  all
threads. All hooks are installed virtually suspended meaning no threads will pass access negotiation. This
is to prevent hook handler  invocation before you are able to  initialize possible structures,  like ACLs for
example."

> Without the source code "guessing" what it does will be a rather dounting task :-D
Even with source it's challenging (for me), good stuff!

Thanks,
Ben