[VB6] UserMode Hooking Example/Tutorial

Post by x4NG3L » Thu Nov 26, 2009 12:37 pm

To Hook:

Code:
'----------------------------
'Hook Mdl
' by x4NG3L
'You can use this in your application, but give me the credits.
'----------------------------
Option Explicit

Private Declare Function VirtualProtect Lib "kernel32" ( _
            lpAddress As Any, _
            ByVal dwSize As Long, _
            ByVal flNewProtect As Long, _
            lpflOldProtect As Long) As Long

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
            pDest As Any, _
            pSource As Any, _
            ByVal dwLength As Long)

Private Declare Function GetProcAddress Lib "kernel32" ( _
            ByVal hModule As Long, _
            ByVal lpProcName As String) As Long

Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" ( _
            ByVal lpModuleName As String) As Long

Private Const PAGE_EXECUTE_READWRITE          As Long = &H40&

Private blnHooked       As Boolean      ' Is the function hooked?
Private lpOldAddr       As Long         ' Address of the hooked function

Private btOldASM(4)     As Byte         ' Original 5 bytes of the hooked function
Private btReal(31)      As Byte         ' Hooked function (saved bytes + JMP back)

' restore old hooked function
Public Function Unhook() As Boolean
    If Not blnHooked Then Exit Function

    ' overwrite the JMP with the saved original bytes;
    ' on success the function is no longer hooked
    Unhook = PutMem(lpOldAddr, VarPtr(btOldASM(0)), UBound(btOldASM) + 1)
    If Unhook Then blnHooked = False
End Function


Public Function RemoteHook(ByVal module As String, ByVal fnc As String, _
        ByVal NewAddr As Long, _
        Optional ProxyAddr As Long) As Boolean
       

    Dim hModule     As Long
    Dim hFnc        As Long

    'If blnHooked Then Exit Function

    hModule = GetModuleHandle(module)
    If hModule = 0 Then Exit Function

    hFnc = GetProcAddress(hModule, fnc)
    If hFnc = 0 Then Exit Function
    lpOldAddr = hFnc

    ' save old instructions
    If Not GetMem(hFnc, VarPtr(btOldASM(0)), UBound(btOldASM) + 1) Then
        Exit Function
    End If

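    ' build a trampoline in btReal (saved 5 bytes + JMP back into the target)
    ' and redirect ProxyAddr to it; this assumes the first 5 bytes of the
    ' target are whole instructions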
    If ProxyAddr <> 0 Then
        CopyMemory btReal(0), btOldASM(0), UBound(btOldASM) + 1
        Redirect VarPtr(btReal(UBound(btOldASM) + 1)), lpOldAddr + UBound(btOldASM) + 1
        Redirect ProxyAddr, VarPtr(btReal(0))
    End If

    ' redirect the target function to the replacement function
    blnHooked = Redirect(hFnc, NewAddr)
    RemoteHook = blnHooked

End Function

' write a JMP near instruction to an address
Private Function Redirect(ByVal OldAddr As Long, ByVal NewAddr As Long) As Boolean
    Dim btAsm(4)    As Byte
    Dim lngNewAddr  As Long

    ' relative jump address
    lngNewAddr = NewAddr - OldAddr - (UBound(btAsm) + 1)

    btAsm(0) = &HE9                     ' JMP near
    CopyMemory btAsm(1), lngNewAddr, 4  ' rel. addr

    Redirect = PutMem(OldAddr, VarPtr(btAsm(0)), UBound(btAsm) + 1)

End Function

Private Function GetMem(ByVal lpAddr As Long, ByVal pData As Long, ByVal dlen As Long) As Boolean
    Dim lngOldProtect   As Long

    If 0 = VirtualProtect(ByVal lpAddr, dlen, PAGE_EXECUTE_READWRITE, lngOldProtect) Then
        Exit Function
    End If

    CopyMemory ByVal pData, ByVal lpAddr, dlen
    VirtualProtect ByVal lpAddr, dlen, lngOldProtect, lngOldProtect

    GetMem = True
End Function

Private Function PutMem(ByVal lpAddr As Long, ByVal pData As Long, ByVal dlen As Long) As Boolean
    Dim lngOldProtect   As Long

    If 0 = VirtualProtect(ByVal lpAddr, dlen, PAGE_EXECUTE_READWRITE, lngOldProtect) Then
        Exit Function
    End If

    CopyMemory ByVal lpAddr, ByVal pData, dlen
    VirtualProtect ByVal lpAddr, dlen, lngOldProtect, lngOldProtect

    PutMem = True
End Function



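Example of a function to use with the hook:

Code:
' Must live in a standard module (.bas) so AddressOf can take its address.
' The four Long parameters match MessageBoxA so the stdcall stack stays balanced.
Function NovaMsgBox(ByVal hWnd As Long, ByVal lpText As Long, _
        ByVal lpCaption As Long, ByVal uType As Long) As Long
    Call MsgBox("Hooked MessageBoxA", vbCritical, "hooked!")
End Function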


Example of Use:
Code:
Call RemoteHook("user32.dll", "MessageBoxA", AddressOf NovaMsgBox)



Explaining:
For example, in this example, I am hooking the "MessageBoxA" function in the User32 lib! (This function is called to show MsgBoxes.)

I'm redirecting it to another function, called "NovaMsgBox".

Now, if I declare the "MessageBoxA" API and try to use it, my
function called "NovaMsgBox" is automatically called ^^

You can hook any API call in user-mode with this code.

In my example, my function "NovaMsgBox" shows a msg box too.
This has the same effect as the original function, but you can put
any code or procedure call in this function.

It is possible to inject this code in other applications too, and hook what you need in user-mode ^^

Sorry for Bad English ^^



Edit: Improving spelling.
Last edited by x4NG3L on Fri Nov 27, 2009 3:14 am, edited 1 time in total.
Knowledge is evolving.
x4NG3L
Sir Hacks-A-Lot
 
Posts: 31
Joined: Fri Nov 20, 2009 5:20 am
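
Seen from the detection side, the 5-byte `E9` patch that `Redirect` writes in the post above can be found by comparing an export's in-memory prologue with the bytes in the DLL file and decoding the jump target. This is an added example, not part of the original post; the function names, addresses, module range and byte arrays are constructed, and it assumes a 32-bit process and a prologue that contains no relocated bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 5   /* size of the E9 rel32 jump written by Redirect() */

enum verdict { CLEAN, MODIFIED, HOOKED };

/* Decode "E9 rel32" located at virtual address addr. Returns 1 and sets
   *target = addr + 5 + rel32 (the inverse of NewAddr - OldAddr - 5);
   32-bit wraparound is intended, as in the 32-bit process. */
static int jmp_rel32_target(const uint8_t *code, uint32_t addr, uint32_t *target)
{
    uint32_t rel;
    if (code[0] != 0xE9)
        return 0;
    rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
          (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    *target = addr + PATCH_LEN + rel;
    return 1;
}

/* mem: first bytes of the export as mapped; disk: same bytes from the DLL file.
   A changed prologue whose JMP leaves [base, base + size) is reported HOOKED. */
static enum verdict check_prologue(const uint8_t *mem, const uint8_t *disk,
        uint32_t addr, uint32_t base, uint32_t size, uint32_t *target)
{
    *target = 0;
    if (memcmp(mem, disk, PATCH_LEN) == 0)
        return CLEAN;
    if (jmp_rel32_target(mem, addr, target) && (*target - base) >= size)
        return HOOKED;      /* unsigned compare also catches targets below base */
    return MODIFIED;
}

/* Constructed sample bytes and addresses (not taken from a real system). */
static const uint8_t disk_bytes[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t hooked[]     = { 0xE9, 0xFB, 0x0F, 0x40, 0x8A };
static const uint8_t in_module[]  = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };

int main(void)
{
    uint32_t t;
    enum verdict v = check_prologue(hooked, disk_bytes,
                                    0x76001000u, 0x76000000u, 0x00100000u, &t);
    printf("verdict=%d target=0x%08X\n", (int)v, (unsigned)t);
    return 0;
}
```

A `MODIFIED` result (changed bytes, or a jump that stays inside the module) still deserves a look, since it only rules out the simple out-of-module redirect.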

Re: [VB6] UserMode Hooking Example/Tutorial

Post by L. Spiro » Thu Nov 26, 2009 4:20 pm

This may be useful for users of Visual Basic.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: [VB6] UserMode Hooking Example/Tutorial

Post by horya » Wed May 12, 2010 2:06 am

Hello,
please, how can I use this code in another process?
Any small sample to inject the code into another process???
horya
I Have A Question
 
Posts: 1
Joined: Wed May 12, 2010 2:02 am

Re: [VB6] UserMode Hooking Example/Tutorial

Post by denispn » Wed May 26, 2010 2:41 am

Hi!

I saw some words written in Brazilian Portuguese. Are you from Brazil?

I am (Eu sou).

Cheers
denispn
Hacker Smacker
 
Posts: 43
Joined: Wed Dec 26, 2007 9:45 am

