Section:

1. Tools used

SoftIce (for tracing/debugging) - not really necessary but always handy when coding
MASM (for coding our hooker/DLL)
Api reference (for the coding part of the reverseme)
resource editor (I used ExeScope)

2. Initial approach (Introduction)

Well, at first the task at hand (quoting from Rev1.txt):

All You have to do is:
Display a splash screen (it's in resource of Rev1.exe), when You click on the Bitmap menu.
NO PATCHING & PROCESSPATCHING ALLOWED!!!
Well, I must admit that it took me a couple of days till I thought of a way to do it, but then, all of a sudden, the answer hit me: use a hook. What is a hook, you might ask. Simple: it is a callback procedure installed by a program either in its own process (local hook; its code can reside inside the program) or in some other program's process (remote hook; this time the code of the hook procedure must reside in a DLL that will be loaded by the target process). Put more simply, it is a procedure that gets called whenever something happens that we want to be aware of (typing something at the keyboard, moving the mouse, etc.). So, the solution I thought of was coding a DLL plus a hook function that gets called whenever our reverseme receives a message.
A few api definitions:

HHOOK SetWindowsHookEx(
int idHook, // type of hook to install
HOOKPROC hkprc, // address of hook procedure
HINSTANCE hMod, // handle of application instance
DWORD dwThreadID // identity of thread to install hook for
);
LRESULT CALLBACK GetMsgProc(
int code, // hook code
WPARAM wParam, // removal flag
LPARAM lParam // address of structure with message
);
typedef struct tagMSG { // msg
HWND hwnd;
UINT message;
WPARAM wParam;
LPARAM lParam;
DWORD time;
POINT pt;
} MSG;
BOOL UnhookWindowsHookEx(
HHOOK hhook // handle of hook procedure to remove
);

3. Essay

So, we need to hook a menu click. This can be accomplished by setting a hook with WH_GETMESSAGE as the idHook in the above definition. The Api reference explains what this type of hook does: "installs a hook procedure that monitors messages posted to a message queue." We'll simply check for WM_COMMAND messages that are produced by the menu item with ID 10001 (found using the resource editor) and that carry the same window handle as the reverseme. Looking at the above defs, we see that the third parameter of our callback function will be a pointer to a MSG structure (also defined above).

We'll also need an exit function that un-hooks the messages. Another comment: when the callback function detects that the user clicked the menu item we want to hook, it sends a custom message to the main exe which, in turn, displays the splash screen.

Also, using a resource editor, open up NEMO's reme, select the bitmap (splash screen) and save it to disk. We will use it as a resource in our exe. These are only a few hints; the rest is explained in the attached sources.
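The filtering rule of the hook callback described above, as an added example that is not part of the original tutorial or its attached sources. It is portable C rather than MASM so it can be compiled and checked on any platform: the Win32 types, constants and LOWORD/HIWORD macros are declared locally (an assumption; on Windows they come from windows.h), IDM_BITMAP is the menu ID 10001 from the page, and check_command builds constructed sample messages.

```c
/* Decision logic of the WH_GETMESSAGE callback.  Win32 types and constants are
   declared locally (assumption) so the file compiles off Windows. */
#include <stddef.h>
#include <stdint.h>

typedef void *HWND;
typedef uintptr_t WPARAM;
typedef intptr_t LPARAM;
typedef struct { long x, y; } POINT;
typedef struct tagMSG {            /* same layout as the MSG definition above */
    HWND hwnd; unsigned message; WPARAM wParam; LPARAM lParam;
    unsigned long time; POINT pt;
} MSG;

#define HC_ACTION   0              /* hook code: the message may be processed */
#define WM_COMMAND  0x0111
#define PM_NOREMOVE 0              /* GetMsgProc wParam: peeked, still queued */
#define PM_REMOVE   1              /* GetMsgProc wParam: removed from the queue */
#define LOWORD(l)   ((unsigned)((uintptr_t)(l) & 0xffffu))
#define HIWORD(l)   ((unsigned)(((uintptr_t)(l) >> 16) & 0xffffu))

#define IDM_BITMAP  10001          /* File/Bitmap menu ID found with the resource editor */

/* Returns 1 when the intercepted message is the reverseme's File/Bitmap click,
   the one event the hooker reacts to; 0 for everything else.  The real
   GetMsgProc calls this with (const MSG *)lParam and then always returns
   CallNextHookEx(), whatever the result, so other hooks keep working. */
int is_bitmap_menu_click(int code, WPARAM removal, const MSG *msg, HWND target)
{
    if (code < 0 || code != HC_ACTION) return 0;  /* negative code: do not process, just chain */
    if (removal != PM_REMOVE) return 0;           /* a PM_NOREMOVE peek shows the same message again */
    if (msg == NULL || msg->hwnd != target) return 0;
    if (msg->message != WM_COMMAND) return 0;
    if (HIWORD(msg->wParam) != 0) return 0;       /* 0 = menu, 1 = accelerator, else control notification */
    return LOWORD(msg->wParam) == IDM_BITMAP;
}

/* Builds a constructed WM_COMMAND message and runs it through the filter, so the
   decision table can be exercised without a window or a message pump. */
int check_command(int code, WPARAM removal, HWND hwnd, unsigned id,
                  unsigned notify, HWND target)
{
    MSG m = { hwnd, WM_COMMAND, (WPARAM)((notify << 16) | (id & 0xffffu)), 0, 0, { 0, 0 } };
    return is_bitmap_menu_click(code, removal, &m, target);
}
```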

4. Final words

Interesting reme, we learnt a little more about hooking. Once again, how does our hooker work?

Step one: start it
Step two: start NEMO's reme
Step three: click File/Bitmap -> nothing happens
Step four: click Hook in my hooker
Step five: click File/Bitmap again -> result, a splashscreen gets displayed

5. Greets (Acknowledgements)

Greets go to: Crudd, extasy, amante4, SantMat, visions, Iczelion (win32asm.cjb.net), the guys at #Cracking4Newbies, #win32asm, the guys in ID (your database is really great), and everyone else I forgot.

6. Contact me

You can mail me with questions/problems/queries/threats and so on at slashme@slashme.cjb.net
Also make sure you visit my website at slashme.cjb.net