[h=1]Extended code overwriting (ECO)[/h]
This is an example of ECO (extended code overwriting) used to intercept APIs. The basic concept is the same as simple code overwriting: "the concept of this approach is to locate the address of the original API function and to change the first few bytes of this function with a JMP instruction that redirects the call to the custom supplied API function. This method is extremely tricky and involves a sequence of restoring and hooking operations for each individual call. It's important to point out that if the function is in unhooked mode and another call is made during that stage, the system won't be able to capture that second call. The major problem is that it contradicts the rules of a multithreaded environment." (From CodeProject)

In extended code overwriting:

We CAN'T lose API interception while the hook is active, because the original API is never restored: the JMP patch stays in place for the whole life of the hook, so there is no unhooked window in which a second call could slip through.

We create a new function that is able to perform the same operations as the API: it starts with a copy of the bytes our patch overwrote in the original, followed by a JMP back into the original API right after the patch. This is the "extended" function. Any time we need to call the real API directly (for example from inside the hook), we call this new function instead of the patched export.

This is a quick example that really gives you the idea. The console application hooks MessageBoxA in its own process, then calls MessageBoxA; the call is intercepted and redirected to another function that asks you whether to let the MessageBox run or not. Then it shows you how to call the original MessageBoxA through the new function, bypassing the hook.

Two things to check before using this on another API: the five bytes copied into the extended function must be whole instructions with no relative operands (the mov edi, edi / push ebp / mov ebp, esp prologue that the code below expects at the start of MessageBoxA satisfies this; confirm it in a disassembler for any other function), and the hook function below stores the intercepted parameters in globals, so while the hook itself never drops a call, two threads calling MessageBoxA at the same time can overwrite each other's parameters.
(The executable is attached, so try it.) This basic code contains all the information needed to create a DLL that, after being injected into a process with whatever injection method you like, can monitor the APIs you want, report them to a file, or act like an antivirus that blocks APIs you consider malicious, such as bind().

[code]
//API INTERCEPTION: EXTENDED CODE OVERWRITING by RosDevil
//compiler: VC++ (Windows XP 32bit). x86 only: inline __asm and the 32-bit stack layout
//used below are not available when building for x64.
#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <iostream>
#include <cstring>   //--> memcpy()
#include <conio.h>   //--> getch()
using namespace std;

__declspec(naked) void CallMsg();
__declspec(naked) int MessageBox_M();
__declspec(naked) int call_MessageBox(HWND hwnd, const char * text, const char * caption, UINT types);

char * text, * caption;  //globals to contain the hook function's parameters:
DWORD Buttons_and_Icons; //MessageBox(hwnd, text, caption, types)
HWND hWnd;               //(shared by every thread that hits the hook, see the note above)

//This is really important, not for the hook but to re-perform the original API.
//The first five NOPs (0x90) will be replaced with the first five bytes of the original API; then
//the other 5 bytes (0xE9 [jmp] and four 0x90) perform a JMP to exactly after our patch in the
//original API, so it can run normally. The last four NOPs will be replaced with the (signed,
//relative) size of the jump to the original API after the patch.
unsigned char original_bytes_for_extendedF[10] = {0x90, 0x90, 0x90, 0x90, 0x90, 0xE9, 0x90, 0x90, 0x90, 0x90};

//Hook function: whenever MessageBoxA is called, execution is redirected here.
//The function is naked, so the frame and the space for the local 'c' are set up by hand.
__declspec(naked) void CallMsg(){
    char c;
    _asm{
        mov edi, edi
        push ebp
        mov ebp, esp
        sub esp, __LOCAL_SIZE   //reserve stack for the locals of this naked function
        mov eax, [ebp + 8]      //first parameter: HWND (window handle)
        mov hWnd, eax
        mov eax, [ebp + 12]     //second parameter: text ("I wanna be free...")
        mov text, eax
        mov eax, [ebp + 16]     //third parameter: caption ("MSG")
        mov caption, eax
        mov eax, [ebp + 20]     //fourth parameter: buttons and icons (unsigned int)
        mov Buttons_and_Icons, eax
    }
    cout<<endl<<"---- Api intercepted (MessageBoxA) ----"<<endl;
    cout<<"Message: "<< text <<endl;
    cout<<"Caption: "<< caption <<endl;
    cout<<"Buttons/Icons: "<<hex<<Buttons_and_Icons<<endl;
    cout<<"Handle Window: "<<hWnd<<endl;
    cout<<"---- "<<endl;
    cout<<"Do you want to let the API work? (y/n)"<<endl;
    c = getch();
    _asm{
        cmp c, 'y'
        jne out1
        push Buttons_and_Icons
        push caption
        push text
        push hWnd
        call MessageBox_M       //eax is set by the original function MessageBoxA
        jmp finish
    out1:
        mov eax, -1             //blocked: the caller sees -1 instead of a button id
    finish:
        mov esp, ebp
        pop ebp
        retn 10h                //stdcall: the callee removes the four parameters (0x10 bytes)
    }
}

//This is the EXTENDED function; once patched by main() it behaves exactly like MessageBoxA.
__declspec(naked) int MessageBox_M(){
    _asm{
        NOP //mov edi, edi   <- the first five bytes of MessageBoxA are copied here
        NOP //push ebp
        NOP //mov ebp, esp
        NOP //..
        NOP //..
        NOP //jmp [MessageBoxA + 5]  <- 0xE9 + signed 32-bit displacement goes here
        NOP
        NOP
        NOP
        NOP
    }
}

//When we want to call MessageBoxA directly, without the hook, we call this.
//Note: we could avoid this function and pass the parameters directly to MessageBox_M each time,
//BUT pushing parameters from inline assembly inside a normal (non-naked) function fights the
//compiler's own stack handling and optimisation, and a stack crash is likely.
__declspec(naked) int call_MessageBox(HWND hwnd, const char * text, const char * caption, UINT types){
    _asm{
        push ebp
        mov ebp, esp
        push dword ptr [ebp + 20]
        push dword ptr [ebp + 16]
        push dword ptr [ebp + 12]
        push dword ptr [ebp + 8]
        call MessageBox_M   //stdcall: MessageBox_M removes the four parameters itself
        pop ebp
        ret
    }
}

int _tmain(int argc, _TCHAR* argv[]){
    //this contains the jmp from the original API to the redirected function; the four 0x90 will be
    //replaced with the size of the jump to CallMsg()
    unsigned char redirect[5] = { 0xE9, 0x90, 0x90, 0x90, 0x90 };

    /* First let's get the address of the API that we want to hook and then calculate the size of
       the relative jumps in and out of it.
       Formula to calculate the size of a JMP: pAddressTo - pAddressFrom
       * pAddressFrom is the address AFTER the 5-byte JMP: the displacement is relative to the
         next instruction, not to the JMP itself.
       * Moreover, remember that the size of a jump is a SIGNED number. */
    DWORD adr = (DWORD)GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA");
    if (adr == 0){ cout<<"GetProcAddress(MessageBoxA) failed"<<endl; return 1; }
    long offset = (long)((DWORD)CallMsg - (adr + 5));                          //MessageBoxA    -> CallMsg
    long to_original_offset = (long)((adr + 5) - ((DWORD)MessageBox_M + 10));  //MessageBox_M+5 -> MessageBoxA+5
    DWORD oldP;

    //BUILD MessageBox_M first (original bytes + jmp back), so the hook never points at an
    //unfinished extended function.
    memcpy(original_bytes_for_extendedF, (void*)adr, 5);   //save the original five bytes before patching
    memcpy(original_bytes_for_extendedF + 6, &to_original_offset, 4);
    if (VirtualProtect((void*)MessageBox_M, 10, PAGE_EXECUTE_READWRITE, &oldP) == 0){
        MessageBoxA(0, "Error VirtualProtect (MessageBox_M)", "info", MB_OK); return 1;
    }
    memcpy((void*)MessageBox_M, original_bytes_for_extendedF, 10);
    VirtualProtect((void*)MessageBox_M, 10, oldP, &oldP);  //lpflOldProtect must not be NULL or the call fails
    FlushInstructionCache(GetCurrentProcess(), (void*)MessageBox_M, 10);

    //ALLOW and MODIFY the MessageBoxA API
    memcpy(redirect + 1, &offset, 4);
    if (VirtualProtect((void*)adr, 5, PAGE_EXECUTE_READWRITE, &oldP) == 0){
        MessageBoxA(0, "Error VirtualProtect (MessageBoxA)", "info", MB_OK); return 1;
    }
    memcpy((void*)adr, redirect, 5);
    VirtualProtect((void*)adr, 5, oldP, &oldP);
    FlushInstructionCache(GetCurrentProcess(), (void*)adr, 5);

    /* Now we have established a hook on MessageBoxA and we have created an extended function
       MessageBox_M that performs the real MessageBoxA. MessageBoxA is called explicitly (not the
       MessageBox macro) because that is the export we patched. */
    int result = MessageBoxA(0, "I wanna be free. Do you let me?", "MSG", MB_YESNO | MB_ICONWARNING);
    if (result == IDYES){
        cout<<"MessageBox: You have pressed YES!"<<endl;
    }else if (result == IDNO){
        cout<<"MessageBox: You have pressed NO!"<<endl;
    }else if (result == -1){
        cout<<"MessageBox: Error, API BLOCKED!"<<endl;
    }

    //Whenever we need to call MessageBoxA directly we call call_MessageBox(), which passes the
    //parameters to MessageBox_M()
    call_MessageBox(0, "This is MessageBoxA performed by an extended function", "EXTENDED CODE OVERWRITING", MB_OK | MB_ICONWARNING);

    cout<<"Press to exit..."<<endl;
    getch();
    return 0;
}
[/code]

[h=4]Attached Files[/h]
ECO.rar (5.09K)

RosDevil
Source: Extended code overwriting (ECO) - rohitab.com - Forums
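As an added example, not RosDevil's code and not the attached ECO.rar, here is the same ECO mechanism in plain C, generalised to any 32-bit stdcall API that begins with the hot-patchable prologue: the 5-byte E9 patch, the extended function (stolen bytes plus JMP back to API+5), and a self-check that decodes both jumps on constructed data. The prologue signature check, the VirtualAlloc'd trampoline, the ordinary WINAPI detour (no naked functions or inline assembly needed, since the detour shares the API's signature and calling convention) and the made-up addresses in eco_selfcheck are this example's assumptions; on a non-Windows or 64-bit build only the byte-level self-check runs.

```c
/* eco_hook.c: ECO patch + extended function (trampoline) in plain C. Added example,
 * not the post's code. Assumes MSVC's hot-patch prologue as the 5 stolen bytes,
 * a VirtualAlloc'd trampoline and a plain WINAPI detour. 32-bit x86 hooking only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 5                 /* E9 xx xx xx xx */
#define TRAMP_LEN (PATCH_LEN + 5)   /* stolen bytes + JMP back */

/* Signed displacement of a JMP rel32 at `from` landing on `to`, measured from
 * the END of the 5-byte instruction (the post's pAddressFrom). */
static int32_t rel32(uintptr_t from, uintptr_t to) {
    return (int32_t)(to - (from + PATCH_LEN));
}

/* Inverse: decode where the JMP rel32 stored at `jmp` (executing at `jmp_addr`) goes. */
static uintptr_t jmp_target(const uint8_t *jmp, uintptr_t jmp_addr) {
    int32_t d; memcpy(&d, jmp + 1, sizeof d);
    return jmp_addr + PATCH_LEN + d;
}

/* 8B FF 55 8B EC = mov edi,edi / push ebp / mov ebp,esp: exactly 5 bytes of whole
 * instructions with no relative operands, so they can be moved verbatim. Any other
 * prologue needs a length disassembler; refusing beats corrupting the function. */
static int is_hotpatch_prologue(const uint8_t *p) {
    static const uint8_t sig[PATCH_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    return memcmp(p, sig, PATCH_LEN) == 0;
}

/* The 5 bytes written over the API entry: JMP hook_addr. */
static void build_patch(uintptr_t api_addr, uintptr_t hook_addr, uint8_t out[PATCH_LEN]) {
    int32_t d = rel32(api_addr, hook_addr);
    out[0] = 0xE9; memcpy(out + 1, &d, sizeof d);
}

/* The extended function: stolen bytes, then JMP api_addr+5. `tramp_addr` is where
 * `out` will execute, and the second rel32 depends on it. Returns 0 on an unsafe prologue. */
static int build_trampoline(const uint8_t *api_bytes, uintptr_t api_addr,
                            uintptr_t tramp_addr, uint8_t out[TRAMP_LEN]) {
    if (!is_hotpatch_prologue(api_bytes)) return 0;
    memcpy(out, api_bytes, PATCH_LEN);
    int32_t d = rel32(tramp_addr + PATCH_LEN, api_addr + PATCH_LEN);
    out[PATCH_LEN] = 0xE9; memcpy(out + PATCH_LEN + 1, &d, sizeof d);
    return 1;
}

/* Self-check on constructed data (fake prologue bytes, made-up addresses): the patch
 * must decode to the hook; the trampoline must keep the stolen bytes and decode to
 * api+5. Returns 1 on success, 0 on any mismatch. */
int eco_selfcheck(void) {
    const uint8_t fake_api[PATCH_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};        /* constructed */
    const uintptr_t api = 0x77D507EA, hook = 0x00401000, tramp = 0x00402000;   /* constructed */
    uint8_t patch[PATCH_LEN], tr[TRAMP_LEN];
    build_patch(api, hook, patch);
    if (patch[0] != 0xE9 || jmp_target(patch, api) != hook) return 0;
    if (!build_trampoline(fake_api, api, tramp, tr)) return 0;
    if (memcmp(tr, fake_api, PATCH_LEN) != 0 || tr[PATCH_LEN] != 0xE9) return 0;
    return jmp_target(tr + PATCH_LEN, tramp + PATCH_LEN) == api + PATCH_LEN;
}

#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
static MessageBoxA_t g_orig;   /* the trampoline, called exactly like MessageBoxA */

/* Same signature and calling convention as the API, so the compiler does the stack
 * work; the original is reached through the trampoline, never by unhooking. */
static int WINAPI MessageBoxA_detour(HWND h, LPCSTR text, LPCSTR cap, UINT type) {
    printf("[hook] MessageBoxA(\"%s\", \"%s\", 0x%X)\n", text, cap, type);
    return g_orig(h, text, cap, type);
}

/* Build the trampoline first, then patch the API, so the hook is never live before
 * its target exists. Returns the trampoline address or NULL. */
static void *install_eco_hook(void *api, void *hook) {
    uint8_t *tramp = VirtualAlloc(NULL, TRAMP_LEN, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!tramp || !build_trampoline(api, (uintptr_t)api, (uintptr_t)tramp, tramp)) return NULL;
    uint8_t patch[PATCH_LEN]; DWORD old;
    build_patch((uintptr_t)api, (uintptr_t)hook, patch);
    if (!VirtualProtect(api, PATCH_LEN, PAGE_EXECUTE_READWRITE, &old)) return NULL;
    memcpy(api, patch, PATCH_LEN);
    VirtualProtect(api, PATCH_LEN, old, &old);   /* lpflOldProtect must not be NULL */
    FlushInstructionCache(GetCurrentProcess(), api, PATCH_LEN);
    return tramp;
}
#endif

int main(void) {
    printf("patch/trampoline self-check: %s\n", eco_selfcheck() ? "ok" : "FAILED");
#if defined(_WIN32) && !defined(_WIN64)
    void *api = (void *)GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA");
    if (api) g_orig = (MessageBoxA_t)install_eco_hook(api, (void *)MessageBoxA_detour);
    if (!g_orig) return 1;
    MessageBoxA(NULL, "routed through the detour", "ECO", MB_OK);   /* intercepted */
    g_orig(NULL, "direct call via the trampoline", "ECO", MB_OK);   /* bypasses the hook */
#endif
    return eco_selfcheck() ? 0 : 1;
}
```

On Windows build it with a 32-bit toolchain (for example cl eco_hook.c user32.lib from an x86 developer prompt); the first MessageBoxA goes through the detour and prints the intercepted arguments, the second goes straight through the trampoline. The is_hotpatch_prologue refusal is the check to keep: a hook that blindly copies five bytes of a function whose prologue differs (or whose first instruction is shorter than five bytes and followed by a relative call) corrupts that function for every caller in the process.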