WinAPI Hooking

Introduction

API calls interception is the task that allows you to get access to some parts of others' programs. Lots of programmers spend time developing and describing various methods that allow that access. Such methods are used in many anti-virus and anti-spyware applications. Besides, sometimes, intercepting can help you to find errors in your application. However, it is not a secret that some viruses use it too. I spent much time finding and understanding the technique of interception. I would like to describe the results of my research.

Method Description

First of all, you need to read the following article to understand the basics of the interception mechanism: HookSys (written by Ivo Ivanov). It was very helpful for me, and I used the sample code from it. However, it does not solve all my problems because Ivo's samples sometimes miss very important API calls. It happens when the application starts up too fast and the intercepting service has no time to inject the DLL. After some research, I found the actual problem; it was related to using the kernel mode function: SetCreateProcessNotificationRoutine. This function is used to receive notification events about new process creation. Such a notification is often fired when the process has already been started. Therefore, I needed to find a way to improve Ivo's code.

As far as I know, the execution of all Windows processes consists of the following steps:

  • Loading the process initially
  • Creating the main thread for the process in the suspended state
  • Mapping the NT.DLL into the address space of the process
  • Mapping all needed DLLs and calling their DllMain with DLL_PROCESS_ATTACH reason
  • Resuming the main process' thread.

The step right before the main thread resuming looks like the most comfortable for injection because the process is in suspended state and none of its instructions have been executed yet.

Most of the work on the process creation is done in the kernel mode. To change this algorithm, you need to intercept the kernel mode functions NtCreateProcess() and NtCreateThread(). The CONTEXT structure, the pointer to which is passed to the function NtCreateThread(), contains a member called EAX. I found that it equals the process' start address in user mode, so if you can change it, you can get the control right after process creation and before starting. To solve this task, I wrote a kernel mode driver. It starts while the system starts up.

There are some initialization steps:

  1. Starting
  2. Receiving configuration from the user mode
  3. Intercepting kernel mode functions such as: NtCreateProcess(), NtCreateThread(), NtTerminateProcess(), NewNtCreateProcessEx()—for Windows 2003 Server.

A handler to the NtCreateThread() function contains code that will do most of the interesting jobs. Here is a brief description of its algorithm:

  1. Allow access to the creating process by calling ObReferenceObjectByHandle()
  2. Remember the main thread start address (ThreadContext->EAX)
  3. "Jump" to the context of the creation process by calling KeAttachProcess()
  4. Allocate memory for my code by calling ZwAllocateVirtualMemory(), similar to the well-known technique for CreateRemoteThread() in user mode
  5. Copy the small code to the allocated memory that will load my DLL. This code looks like:
  6. push pszDllName
    mov  ebx, LoadLibraryAddr
    call [ebx]
    mov  eax, Win32StartAddr
    push eax
    ret
    pszDllName: db 'example.dll';
    
  7. "Jump" to the initial process
  8. Change the thread start address (ThreadContext->EAX) so it will point to the allocated memory.

That is all. You can download and compile the complete source code for this article.

Note: The sample is fully functional and quite enough for basic understanding, but for real usage it might be rewritten.

Compiling the Code

You need the NTDDK to be installed on your computer. I'm using MSVS 6.0 for compiling NtProcDrv, and MSVS 7.1 for the rest of the projects.

History

  • 2006-05-31 - Submitted.


About the Author

Andriy Oriekhov

Co-creator of Toleron Software. http://www.toleron.com

Downloads

Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Live Event Date: May 18, 2015 @ 1:00 p.m. ET / 10:00 a.m. PT While the idea of using facial and or gesture recognitions to create a modern, intuitive game seems attractive, some developers may want to leverage Unity 3D as a way to accelerate their development. There are many different ways in which Intel and Unity Technologies have been working together to helps speed the develop of games with the Intel® RealSense™ SDK (Software Developer Kit), so come hear from a panel of experts on what we've done …

  • You may not realize the complexity you could be creating when developing mobile apps – many companies don't initially. You could be doubling your IT costs for development and delivery; not to mention, risking sales, productivity and brand satisfaction. Read this IBM-commissioned Forrester Study to understand the key cost drivers of mobile app delivery -- for both customer-facing and enterprise applications. Find out how you could lower costs and increase success with the right strategy and investment.

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date