This makes a hook to MessageBoxExA in the selected process.
To hook another API, just change values.
#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>
void error(char *err);
static DWORD WINAPI hookear(LPVOID data);
static INT WINAPI hookFunc(HWND hwnd, LPCSTR tit, LPCSTR txt, UINT flag, WORD ww);
void foo(void);
HANDLE myProc=NULL;
typedef int (WINAPI *datLoadLibrary)(LPCTSTR);
typedef int (WINAPI *datGetProcAddress)(HMODULE, LPCSTR);
int main(int argc, char *argv[])
{
if(argc<2) error("Usage: hook.exe PROCESO\n");
struct {
datLoadLibrary apiLoadLibrary;
datGetProcAddress apiGetProcAddress;
char libNames[5][16];
char funNames[5][16];
char MSG[50];
void *hook;
void *orApi;
} thData;
strcpy(thData.MSG, "Hi!");
strcpy(thData.libNames[0], "User32.dll");
strcpy(thData.libNames[1], "msvcrt.dll");
strcpy(thData.libNames[2], "Kernel32.dll");
strcpy(thData.funNames[0], "MessageBoxExA");
strcpy(thData.funNames[1], "malloc");
strcpy(thData.funNames[2], "memcpy");
strcpy(thData.funNames[3], "VirtualProtect");
strcpy(thData.funNames[4], "printf");
thData.apiLoadLibrary=GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
thData.apiGetProcAddress=GetProcAddress(GetModuleHandle("kernel32.dll"), "GetProcAddress");
HANDLE lista=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pInfo;
BOOL st=TRUE;
pInfo.dwSize=sizeof(PROCESSENTRY32);
Process32First(lista, &pInfo);
int myPid=0;
do
{
if(strcmp(pInfo.szExeFile, argv[1])==0)
{
myPid=pInfo.th32ProcessID;
break;
}
Process32Next(lista, &pInfo);
}
while(st!=FALSE);
int hookSize=(int)&hookFunc - (int)&hookear;
int reemSize=(int)&foo - (int)&hookFunc;
printf("[+] Opening process %i\n", myPid);
myProc=OpenProcess(PROCESS_ALL_ACCESS, FALSE, myPid);
if(myProc==NULL) error("[-] Error opening process.\n");
else printf("[+] Process opened.\n");
SIZE_T written=0;
LPVOID dirToHook=VirtualAllocEx(myProc, NULL, reemSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(dirToHook==NULL) error("[-] Error allocating hooks function's memory .\n");
else printf("[+] Memoria allocated for hook function (%i bytes).\n", reemSize);
LPVOID dirToArg=VirtualAllocEx(myProc, NULL, sizeof(thData), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(dirToArg==NULL) error("[-] Error allocating memory for arg.\n");
else printf("[+] Memory allocated for arg (%i bytes).\n", sizeof(thData));
DWORD prot;
BYTE *funcDir=(BYTE *)&hookFunc;
while(*(++funcDir) != 0x90);
VirtualProtect((LPVOID)funcDir, 4, PAGE_EXECUTE_READWRITE, &prot);
signed int *ddir=(signed int *)funcDir;
*ddir=(signed int)dirToArg;
LPVOID dirToWrite=VirtualAllocEx(myProc, NULL, hookSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(dirToWrite==NULL) error("[-] Error allocating main code's memory.\n");
else printf("[+] Memoria allocated for main code (%i bytes).\n", hookSize);
if(WriteProcessMemory(myProc, dirToHook, (LPVOID)&hookFunc, reemSize, &written)==0) error("[-] Error writing hook function.\n");
else printf("[+] Memory written (hook function %i bytes -> %.8X).\n", written, dirToHook);
thData.hook=dirToHook;
if(WriteProcessMemory(myProc, dirToArg, (LPVOID)&thData, sizeof(thData), &written)==0) error("[-] Error writing arg.\n");
else printf("[+] Memory written (arg %i bytes -> %.8X).\n", written, dirToArg);
if(WriteProcessMemory(myProc, dirToWrite, (LPVOID)&hookear, hookSize, &written) == 0) error("[-] Error writing main code.\n");
else printf("[+] Memory written (code -> %.8X).\n", dirToWrite);
HANDLE rThread=CreateRemoteThread(myProc, NULL, 0, (LPTHREAD_START_ROUTINE)dirToWrite, dirToArg, 0, NULL);
if(rThread==NULL) error("[-] Error starting thread.\n");
else printf("[+] Thread started.\n");
CloseHandle(myProc);
return 0;
}
void error(char *err)
{
if(myProc!=NULL) CloseHandle(myProc);
printf("%s", err);
exit(0);
}
static DWORD WINAPI hookear(LPVOID data)
{
struct {
datLoadLibrary apiLoadLibrary;
datGetProcAddress apiGetProcAddress;
char libNames[5][16];
char funNames[5][16];
char MSG[50];
void *hook;
void *orApi;
} *thData;
thData=data;
// Test Hook to MessageBoxA
void *dirApi=(void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[0]), thData->funNames[0]);
// VirtualProtect
BOOL WINAPI (*myVirtualProtect)(LPVOID, SIZE_T, DWORD, PDWORD) = (void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[2]), thData->funNames[3]);
// malloc
void *(*myMalloc)(size_t) = (void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[1]), thData->funNames[1]);
// memcpy
void *(*myMemcpy)(void *, const void*, size_t) = (void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[1]), thData->funNames[2]);
DWORD prot;
BYTE *dirYo;
dirYo=thData->hook;
BYTE *buffer = (BYTE *)myMalloc(10);
myVirtualProtect((void *)buffer, 12, PAGE_EXECUTE_READWRITE, &prot);
myMemcpy(buffer, dirApi, 5);
buffer+=5;
*buffer=0xE9;
buffer++;
*((signed int *)buffer)=((BYTE *)dirApi+1)-buffer;
myVirtualProtect((void *)dirApi, 5, PAGE_EXECUTE_READWRITE, &prot);
*((BYTE *)dirApi)=0xE9;
dirApi++;
*((signed int *)dirApi)=dirYo - ((BYTE *)dirApi+4);
thData->orApi=buffer-6;
return;
}
static INT WINAPI hookFunc(HWND hwnd, LPCSTR tit, LPCSTR txt, UINT flag, WORD ww)
{
signed int dataDir=(signed int)0x90909090;
struct {
datLoadLibrary apiLoadLibrary;
datGetProcAddress apiGetProcAddress;
char libNames[5][16];
char funNames[5][16];
char MSG[50];
void *hook;
void *orApi;
} *thData;
thData=(void*)dataDir;
INT WINAPI (*realMbox)(HWND, LPCSTR, LPCSTR, UINT, WORD) = (void *)thData->orApi;
return realMbox(hwnd, thData->MSG, thData->MSG, flag, ww);
}
void foo(void)
{
return;
}
