Thread: [C++] Hook process functions via dll injection

Hook process functions via dll injection
This tutorial on how to hook process functions via dll injection.

What we want to accomplish here is overwrite the address of the function to either jmp, or call our own function in the dll file. Sounds really complicated, but it's not and with little knowledge of pointers and how programs work we can do this.

We create a function that will render an instruction to jmp or call a specified offset. With this instruction we then assign appropriate permissions to access and write to the original function call, we then write our new instruction in place of the original.

Here is the basic structure (Redirect.h):

 #define CALL(a) _asm call [a]  

#define JMP(a) _asm jmp [a]  

  

class Redirect    

{  

public:  

    void RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf);  

    void JMPFunction(DWORD address, DWORD jumpto);  

    void RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf);  

    void CALLFunction(DWORD address, DWORD jumpto);  

    Redirect();  

    virtual ~Redirect();  

  

}; 

The class consists of one constructor and four methods.

With the structure there, there is nothing more to do but code what we wanted to do.

 #include "Redirect.h"  

  

//////////////////////////////////////////////////////////////////////  

// Construction/Destruction  

//////////////////////////////////////////////////////////////////////  

  

Redirect::Redirect()  

{ }  

Redirect::~Redirect()  

{ }  

  

void Redirect::CALLFunction(DWORD address, DWORD jumpto)  

{  

    char instruction[5];  

    RenderCALLInstruction((LPVOID)address,(LPVOID)jump  to,instruction);  

    DWORD oldprot, dummy;  

    VirtualProtect((void*)address,5,PAGE_EXECUTE_READW  RITE,&oldprot);  

    memcpy((LPVOID)address,(LPVOID)instruction,5);  

    VirtualProtect((void*)address,5,oldprot,&dummy);  

}  

  

void Redirect::RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf)  

{  

    int offset = (int)jumpto - ((int)address + 5);  

    buf[0] = (char)0xE8;  

    *(DWORD*)(buf+1) = offset;  

}  

  

void Redirect::JMPFunction(DWORD address, DWORD jumpto)  

{  

    char instruction[5];  

    RenderJMPInstruction((LPVOID)address,(LPVOID)jumpt  o,instruction);  

    DWORD oldprot, dummy;  

    VirtualProtect((void*)address,5,PAGE_EXECUTE_READW  RITE,&oldprot);  

    memcpy((LPVOID)address,(LPVOID)instruction,5);  

    VirtualProtect((void*)address,5,oldprot,&dummy);  

}  

  

void Redirect::RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf)  

{  

    int offset = (int)jumpto - ((int)address + 5);  

    buf[0] = (char)0xE9;  

    *(DWORD*)(buf+1) = offset;  

} 

Redirecting the function is simple:

 /* This is just an example 

 * 0x600542A5 would be the offset of the call in the original program you would like to redirect. 

 */  

Redirect Hook;  

Hook.CALLFunction(0x600542A5,(DWORD)OnZoneSend); 

Not done yet though, we still have to create the OnZoneSend function. This is where people can run into problems if they don't know instruction flow in applications, it may require a little knowledge of assembly.

 int WINAPI OnZoneSend(...) {  

   // ... your code here  

   return ZoneSend(...);  

} 

We now call a naked function which will jmp to the original function entry point.

 DWORD lpZoneSend = 0x6005484F; // original function entry point.  

int __declspec(naked) WINAPI ZoneSend(...)  

{  

    JMP(lpZoneSend)  

} 

Thats it! Enjoy.

Author: Specific