  1. #1
    Dwar
    Dwar is offline
    Veteran Dwar's Avatar
    Join Date
    2010 Mar
    Posts
    2,221
    Thanks
    211
    Thanked 2,224 Times in 289 Posts
    Rep Power
    10

    [C++] Hook process functions via dll injection

    Hook process functions via dll injection
    This tutorial shows how to hook process functions via DLL injection.
    What we want to accomplish here is to overwrite the address of the function so that it either jmps or calls our own function in the DLL file. It sounds really complicated, but it's not, and with a little knowledge of pointers and how programs work we can do this.

    We create a function that will render an instruction to jmp or call a specified offset. With this instruction in hand, we assign the appropriate permissions to access and write to the original function call, and then write our new instruction in place of the original.

    Here is the basic structure (Redirect.h):
    #pragma once
    #include <windows.h>   // LPVOID, DWORD, VirtualProtect, PAGE_EXECUTE_READWRITE

    #define CALL(a) _asm call [a]   // indirect call through the variable that holds the target address
    #define JMP(a)  _asm jmp [a]    // indirect jmp through the variable that holds the target address

    class Redirect
    {
    public:
        // Render the 5-byte "jmp rel32" (E9) / "call rel32" (E8) into buf; buf must hold at least 5 bytes
        void RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf);
        // Overwrite the 5 bytes at address with "jmp jumpto"
        void JMPFunction(DWORD address, DWORD jumpto);
        void RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf);
        // Overwrite the 5 bytes at address with "call jumpto"
        void CALLFunction(DWORD address, DWORD jumpto);
        Redirect();
        virtual ~Redirect();
    };

    The class consists of one constructor and four methods.

    With the structure there, there is nothing more to do but code what we wanted to do.
    #include "Redirect.h"
    #include <cstring>   // memcpy

    //////////////////////////////////////////////////////////////////////
    // Construction/Destruction
    //////////////////////////////////////////////////////////////////////

    Redirect::Redirect()
    { }
    Redirect::~Redirect()
    { }

    // Patch the 5 bytes at address with "call jumpto" (opcode E8 + rel32).
    void Redirect::CALLFunction(DWORD address, DWORD jumpto)
    {
        char instruction[5];
        RenderCALLInstruction((LPVOID)address, (LPVOID)jumpto, instruction);
        DWORD oldprot, dummy;
        // Code pages are normally read/execute only; make them writable for the patch
        VirtualProtect((void*)address, 5, PAGE_EXECUTE_READWRITE, &oldprot);
        memcpy((LPVOID)address, (LPVOID)instruction, 5);
        VirtualProtect((void*)address, 5, oldprot, &dummy);   // restore the original protection
    }

    // E8 rel32: the displacement is relative to the END of the 5-byte instruction (address + 5)
    void Redirect::RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf)
    {
        int offset = (int)jumpto - ((int)address + 5);
        buf[0] = (char)0xE8;
        *(DWORD*)(buf+1) = offset;
    }

    // Patch the 5 bytes at address with "jmp jumpto" (opcode E9 + rel32).
    void Redirect::JMPFunction(DWORD address, DWORD jumpto)
    {
        char instruction[5];
        RenderJMPInstruction((LPVOID)address, (LPVOID)jumpto, instruction);
        DWORD oldprot, dummy;
        VirtualProtect((void*)address, 5, PAGE_EXECUTE_READWRITE, &oldprot);
        memcpy((LPVOID)address, (LPVOID)instruction, 5);
        VirtualProtect((void*)address, 5, oldprot, &dummy);
    }

    // E9 rel32: same displacement arithmetic as the call, different opcode
    void Redirect::RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf)
    {
        int offset = (int)jumpto - ((int)address + 5);
        buf[0] = (char)0xE9;
        *(DWORD*)(buf+1) = offset;
    }

    Redirecting the function is simple:
     /* This is just an example 
    * 0x600542A5 would be the offset of the call in the original program you would like to redirect.
    */
    Redirect Hook;
    Hook.CALLFunction(0x600542A5,(DWORD)OnZoneSend);

    We're not done yet though: we still have to create the OnZoneSend function. This is where people can run into problems if they don't know the instruction flow in applications; it may require a little knowledge of assembly.
    int WINAPI ZoneSend(...);   // forward declaration of the trampoline to the original function

    // Must use the same calling convention and parameter list as the original function
    int WINAPI OnZoneSend(...) {
        // ... your code here
        return ZoneSend(...);   // pass the original arguments through
    }

    We now call a naked function which will jmp to the original function entry point.
    DWORD lpZoneSend = 0x6005484F; // original function entry point.
    // Naked: no prologue/epilogue is generated, so the stack and arguments reach the original untouched
    int __declspec(naked) WINAPI ZoneSend(...)
    {
        JMP(lpZoneSend)   // expands to _asm jmp [lpZoneSend]: jump to the address stored in the variable
    }

    That's it! Enjoy.
    Author: Specific
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep the world in equilibrium

  2. The Following User Says Thank You to Dwar For This Useful Post:
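    As an added defender-side example (not from the original post or its author), the block below reimplements in portable C the rel32 arithmetic the Redirect class performs, and pairs it with the two checks an integrity monitor uses to spot such a patch: comparing the first bytes of a function against a known-clean copy, and flagging a jmp/call at a function entry whose target lies outside the module's own image. The module range, the hook target 0x10001000 and the prologue bytes are constructed for the example; the addresses 0x6005484F and 0x600542A5 are the ones the post uses. Like the post's DWORD-based code, this is 32-bit x86 arithmetic: on x64 a rel32 branch only reaches targets within ±2 GB.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 5   /* one opcode byte (E8 call / E9 jmp) + 4-byte displacement */

/* Displacement used by a rel32 branch: target minus the address of the NEXT
   instruction (address + 5). Same arithmetic as the post's Render*Instruction
   methods, done in uint32_t so the wrap-around is well defined. */
uint32_t rel32_disp(uint32_t address, uint32_t target)
{
    return target - (address + PATCH_LEN);
}

/* Encode the 5-byte instruction into out[], little-endian as on x86. */
void render_rel32(uint8_t opcode, uint32_t address, uint32_t target, uint8_t out[PATCH_LEN])
{
    uint32_t disp = rel32_disp(address, target);
    out[0] = opcode;
    out[1] = (uint8_t)(disp);
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
}

/* Inverse: if code[] starts with E8/E9, recover the branch target.
   Returns 1 and stores the target, or 0 if the bytes are not a rel32 branch. */
int decode_rel32(const uint8_t code[PATCH_LEN], uint32_t address, uint32_t *target)
{
    uint32_t disp;
    if (code[0] != 0xE8 && code[0] != 0xE9)
        return 0;
    disp = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
           ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = address + PATCH_LEN + disp;
    return 1;
}

/* Check 1: byte-compare the live prologue with a known-clean copy
   (in practice: the same bytes read from the module's file on disk). */
int prologue_modified(const uint8_t *live, const uint8_t *clean)
{
    return memcmp(live, clean, PATCH_LEN) != 0;
}

/* Check 2: a rel32 branch whose target falls outside the module's own image
   is the classic signature of a detour into an injected DLL. An in-module
   call or jmp (ordinary code) is not flagged. */
typedef struct { uint32_t base; uint32_t size; } module_range;

int branch_leaves_module(const uint8_t code[PATCH_LEN], uint32_t address, module_range mod)
{
    uint32_t target;
    if (!decode_rel32(code, address, &target))
        return 0;
    return target < mod.base || target >= mod.base + mod.size;
}

/* Worked scenario with constructed values: the post's 0x6005484F entry point
   gets a JMP to 0x10001000 (assumed to sit in the injected DLL) while the
   module is assumed to occupy 0x60000000..0x600FFFFF. */
#define ENTRY_ADDR  0x6005484Fu
#define HOOK_TARGET 0x10001000u   /* constructed address inside the injected DLL */

/* Constructed "clean" prologue: push ebp; mov ebp,esp; sub esp,imm8 (first 5 bytes) */
static const uint8_t clean_prologue[PATCH_LEN] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC };

/* Returns 1 if the clean prologue passes both checks and the patched one is caught by both. */
int demo(void)
{
    module_range mod = { 0x60000000u, 0x00100000u };   /* constructed image range */
    uint8_t live[PATCH_LEN];
    uint32_t target;

    memcpy(live, clean_prologue, PATCH_LEN);
    if (prologue_modified(live, clean_prologue) || branch_leaves_module(live, ENTRY_ADDR, mod))
        return 0;   /* false positive on untouched code */

    render_rel32(0xE9, ENTRY_ADDR, HOOK_TARGET, live);   /* apply the detour in memory */
    if (!prologue_modified(live, clean_prologue) || !branch_leaves_module(live, ENTRY_ADDR, mod))
        return 0;   /* detour missed */
    if (!decode_rel32(live, ENTRY_ADDR, &target) || target != HOOK_TARGET)
        return 0;   /* round trip must recover the hook target */

    printf("detour at 0x%08lX -> 0x%08lX: bytes %02X %02X %02X %02X %02X\n",
           (unsigned long)ENTRY_ADDR, (unsigned long)target,
           live[0], live[1], live[2], live[3], live[4]);
    return 1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

    The in-module case matters for tuning: the post's CALL at 0x600542A5 to 0x6005484F decodes to a target inside the same image, so check 2 leaves it alone, while the JMP out to the injected DLL is caught by both checks. A real monitor reads the clean bytes from the module file and walks exported or otherwise known function entries rather than using a constructed prologue.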


  3. #2
    SaptaAgunk
    SaptaAgunk is offline
    New member SaptaAgunk's Avatar
    Join Date
    2010 Dec
    Posts
    13
    Thanks
    14
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Can I have some source code in Dev-C++?
    And not detected by HackShield?

