[ASM] API Hooking Function

Nytro · October 25, 2010

Credits: Alan

.486
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE

INCLUDE C:\masm32\include\windows.inc
INCLUDE C:\masm32\include\kernel32.inc
INCLUDE C:\masm32\include\user32.inc

INCLUDELIB C:\masm32\lib\kernel32.lib
INCLUDELIB C:\masm32\lib\user32.lib

.DATA
LibName DB 'user32.dll', 0
APIName DB 'MessageBoxA', 0

.DATA?
OgMessageBoxA   DD ?

.CODE

HookAPI PROC Origin:DWORD, Destination:DWORD, CodeLength:DWORD
  LOCAL Protection:DWORD
  PUSH ESI
  PUSH EDI
  INVOKE VirtualProtect, Origin, CodeLength, PAGE_READWRITE, ADDR Protection
  MOV EAX, CodeLength
  ADD EAX, 5h
  INVOKE VirtualAlloc, NULL, EAX, MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE
  PUSH EAX
  MOV EDI, EAX
  MOV ESI, Origin
  MOV ECX, CodeLength
  REP MOVSB
  MOV BYTE PTR [EDI], 0E9h
  MOV ECX, Origin
  SUB ECX, EAX
  SUB ECX, 5h
  MOV [EDI + 1h], ECX
  MOV EDI, Origin
  MOV BYTE PTR [EDI], 0E9h
  MOV ECX, Destination
  SUB ECX, Origin
  SUB ECX, 5h
  MOV [EDI + 1h], ECX
  INVOKE VirtualProtect, Origin, CodeLength, Protection, ADDR Protection
  POP EAX
  POP EDI
  POP ESI
  RET
HookAPI ENDP

HkMessageBoxA PROC hWnd:DWORD, lpText:DWORD, lpCaption:DWORD, uType:DWORD
  .IF uType == NULL ;If user application provides NULL/MB_OK we will give them a nice icon too
    PUSH MB_ICONEXCLAMATION
  .ELSE
    PUSH uType
  .ENDIF
  PUSH lpCaption
  PUSH lpText
  PUSH hWnd
  CALL OgMessageBoxA
  ;EAX holds result we could change it here if we wished before returning to the user application
  RET
HkMessageBoxA ENDP

ENTRY:
  INVOKE MessageBoxA, NULL, OFFSET APIName, OFFSET LibName, NULL ;Non hooked MessageBoxA works as programmer made it
  INVOKE LoadLibraryA, OFFSET LibName
  INVOKE GetProcAddress, EAX, OFFSET APIName
  INVOKE HookAPI, EAX, OFFSET HkMessageBoxA, 0Bh
  MOV OgMessageBoxA, EAX ;Remember to save the offset for the hooked function to call the original
  INVOKE MessageBoxA, NULL, OFFSET APIName, OFFSET LibName, NULL ;Hooked MessageBoxA with our evil icon adding patch
  INVOKE ExitProcess, NULL
END ENTRY

COMMENT ^
Win2000SP4.USER32!MessageBoxA
77E38098 > 55                  PUSH EBP
77E38099   8BEC                MOV EBP,ESP
77E3809B   51                  PUSH ECX
77E3809C   833D 3892E677 00    CMP DWORD PTR DS:[77E69238],0
^

Sign In

[ASM] API Hooking Function

Recommended Posts

Nytro

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Pages