[Help] List-edit-add hooks using MHS

Ask for Help on Using the Language With Memory Hacking Software


[Help] List-edit-add hooks using MHS

Postby cobr_h » Wed Jan 12, 2011 4:42 am

Okay, so far I couldn't get too much out of it. Hooking looks similar to interrupt handling. I.e., it's an event-driven code segment. It is run when a given event happens. Alright.

So let's try the trivial: minesweeper. I would expect it to have no hooks at all but, still, it does trigger the F1 key for help, and MSDN says people might use hooks for binding the F1 key. Maybe this is just about not doing the default that Windows does (which is showing the corresponding help file); if this is true, minesweeper could have absolutely no hooks.

But instead of getting one address or none, all I get is an error that according to the script happens only when someone makes a jump table to an unknown module.

Things I am using:
- L.Spiro's suggested sample to find hooks on his help file
- Added the following code at the end:
Code:
    bool newscan=1;
    VOID On_Open_WINMINE_EXE() {
        PrintF("Opened Minesweeper.");
        ListHooks(0x01000000,5,newscan);
        if (newscan) newscan=0;
    }

- I opened the hex editor (ctrl+h) to assure the first address number on the attached process is 01000000 (hex).
- Then ran listhooks with the said address.

Things I am expecting:
- By giving the first address, the script function ListHooks() should scan the entire code in search for hooks.
- If I were to know the addresses of each hook, what would be the usefulness of the function?
- To get a list of 0 or more address

Things I am presented with upon attaching to minesweeper:
- The following output from the script:
Success. (compiled)
Opened Minesweeper. (PrintF)
Internal error on address 01000000! (Inside ListHooks)

I feel like in the depths of the learning curve, it seems I did not catch yet the point of hooks. What I am thinking is on finding where hooks are set. Once I know where normal hooks are set, I can save the list and then, upon running another process (the anti-anti-cheat in the case), see which hooks were created and then I can go forward to the phase of hooking KiSwapThread() to delete and add back hooks.
Also, I expect the following from the anti-anticheat (aac): it sets hooks in the target game process. What I have to do is remove these hooks from the game process, but add them back once the aac is the active thread, so it does not detect the changes. Furthermore, as the freaking aac likes shutting down the machine, I might look for hooks on system DLLs like kernel32.dll (resident via rundll32.exe or svchost.exe).

Am I far too lost? :)
cobr_h
Acker
 
Posts: 72
Joined: Wed Dec 02, 2009 6:15 am

Re: [Help] List-edit-add hooks using MHS

Postby L. Spiro » Wed Jan 12, 2011 5:44 am

You can’t just randomly pick an address. Hooks are set on functions.
You have to pass an address to a function.

This is what ShowHooks() does in the source code; it uses GetKernelProcAddress() to get the addresses of kernel functions.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: [Help] List-edit-add hooks using MHS

Postby cobr_h » Wed Jan 12, 2011 6:26 am

I was with this address troubling my mind. I somewhat knew they were to be address to functions. Still it was cloudy.

See if I got the point now: The hooks I want then are calls to kernel functions from inside the anti-anticheat (aac) process/threads?

But now, a new question arises: the aac sets hooks on itself to call kernel functions to kill outside processes shall it detect malicious software or readings through the memory? Or does it set hooks on the target game's process; the hooks point to aac's functions which, in turn call functions to kill processes or shutdown-at-once the machine?
If so, I would rather guess function names of the aac's DLL instead of kernel functions? Or I really have to care about the kernel function calls, find them on both the game process and the aac?

Would it suffice to get kernel calls on the AAC? If so, it would be useless to undo the hooks while the AAC is inactive and turn them back in place as the AAC is going to get the processor time slice from the OS...
cobr_h
Acker
 
Posts: 72
Joined: Wed Dec 02, 2009 6:15 am

Re: [Help] List-edit-add hooks using MHS

Postby L. Spiro » Wed Jan 12, 2011 6:41 am

If you are talking about the AAC in MHS, it recompiles your kernel and uses the copied functions.
There is no way to know where those functions are located and they have no relationship to your goal in any way.

The point is to see how X-Trap has modified kernel RAM with its hooks.
The point of X-Trap hooks is to reroute certain functions so that, before they execute normally, they perform checks to see if they are being executed on the game protected by X-Trap.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: [Help] List-edit-add hooks using MHS

Postby cobr_h » Wed Jan 12, 2011 6:49 am

Aside of that I posted before, continuing with the winmine example then, I just issued
Code:
    VOID On_Open_WINMINE_EXE() {
        PrintF("Opened Minesweeper.");
        ShowHooks();
    }

And get a lot of output (which is great! I will have a thousand addresses on an actual production game lol). Alright, I know I have to deal with the calls you mentioned on your post, said 'ReadLocalMemory()' and 'WriteLocalMemory()'. Oh, things on your post in 'just asking' begin to become clearer now.

By reading the code I interpret from the output:
Code:
==== Showing VirtualProtectEx ====
==== Showing NtOpenProcess ====
=== 805CB3FA (4) ===
20 hook(s) found in 805CB3FA!
   Address: NtOpenProcess+447 (805CB5B9)
   Size: 149
   Current Bytes: E9 AC 00 00 00 80 7D E7 00 0F 84 AB 00 00 00 89 75 D0 39 75 D8 74 25 8D 45 D0 50 8D 45 DC 50 8D 45 D4 50 E8 25 7A 00 00 8B F8 3B FE 7D 1C 8D 85 48 FF FF FF 50 E8 83 55 02 00 EB AC 8D 45 DC 50 FF 75 D4 E8 C1 7A 00 00 EB DE 8D 45 E0 50 FF 75 CC FF 35 B8 39 56 80 56 8D 85 48 FF FF FF 50 FF 75 C8 FF 75 DC E8 39 06 FF FF 8B F8 8D 85 48 FF FF FF 50 E8 45 55 02 00 8B 4D D0 3B CE 74 05 E8 71 B0 F5 FF 8B 4D DC E8 69 B0 F5 FF 3B FE 0F 8C 54 FF FF FF C7
   Real Bytes: 8B 75 08 3B 70 0C 72 08 8B 75 AC 3B 70 10 76 10 8B 00 3B C1 75 EA BF EF 00 00 C0 E9 AE 01 00 00 83 7D 10 00 0F 84 E3 01 00 00 8B 02 89 45 B0 8B 72 04 8B 55 DC 8B 02 3B 45 B0 0F 83 5F 01 00 00 8B D8 C1 EB 05 8B C8 83 E1 1F 8B 1C 9E D3 EB F6 C3 01 0F 84 47 01 00 00 6B C0 1C 03 05 C8 20 56 80 8D 48 08 83 39 01 0F 85 39 01 00 00 6A 03 5B 33 C0 40 F0 0F B1 19 83 F8 01 0F 85 26 01 00 00 83 C2 04 89 55 DC 3B 55 BC 72 AA 8B 45 E4 89 45 DC 8D 45 D4 89
   Type:  JMP (to 805CB66A)
   Hooker: C:\WINDOWS\system32\ntkrnlpa.exe (804D7000)
   Hooked Module: C:\WINDOWS\system32\ntkrnlpa.exe
=== 80561968 (3) ===
186 hook(s) found in 80561968!
=== 8062A098 (3) ===

1. There is no VirtualProtectEx call
2. There's a real call to NtOpenProcess on address 805CB3FA, 4 levels deep.
3. There's a jump table on 80561968, 3 levels deep, that is a false positive, so this is not a relevant hook.

What I can do then is, opening minesweeper -- that might not make any relevant hook -- and verifying the current hooks for those functions inside kernel32.dll. Note (or store it on a structure) the hooks and treat them as authentic hooks. Then I let the aacp open, and check again for hooks (it makes no difference if I open aacp or minesweeper as the hooks are set inside the kernel32.dll space). The hooks that were not before then could be marked as 'bad' and then treated on:
1. if OS switches off AACP process, unset the hooks
2. if OS switches back to the AACP process (or any of its threads), set the hooks back.

Oh tell me I make a little sense now please! :) (yet, be honest)

p.s.: By AAC in the last post I meant anti-anti-cheat, in other words: X-trap, game guard, or any other game companion built to ban cheat software. From this post on, will call it AACP -- anti-anti-cheat program.
cobr_h
Acker
 
Posts: 72
Joined: Wed Dec 02, 2009 6:15 am
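To make the ShowHooks() record above concrete from a detection standpoint, here is an added example in Python; it is not code from this thread, from MHS, or from any of the participants. It parses records of the layout shown in the log, recomputes the jump destination from the E9 rel32 at the hook address (805CB5B9 + 5 + 0xAC = 805CB66A, which is what the "Type: JMP (to 805CB66A)" line reports), confirms that NtOpenProcess+447 really lands on the 805CB3FA function base of the section header, reports the first byte where the live code differs from the on-disk code, and flags the case where hooker and hooked module are the same file. The sample input is the thread's own record with only the first 16 of the 149 bytes of each byte string kept; the regexes, dictionary keys and function names are assumptions made for this example.

```python
import re
import struct

# Constructed sample input: the one complete record quoted in the thread,
# with only the first 16 of the 149 bytes of each byte string kept.
# The bare "=== ... ===" headers without a record are reproduced too.
SAMPLE_LOG = r"""
==== Showing VirtualProtectEx ====
==== Showing NtOpenProcess ====
=== 805CB3FA (4) ===
20 hook(s) found in 805CB3FA!
   Address: NtOpenProcess+447 (805CB5B9)
   Size: 149
   Current Bytes: E9 AC 00 00 00 80 7D E7 00 0F 84 AB 00 00 00 89
   Real Bytes: 8B 75 08 3B 70 0C 72 08 8B 75 AC 3B 70 10 76 10
   Type:  JMP (to 805CB66A)
   Hooker: C:\WINDOWS\system32\ntkrnlpa.exe (804D7000)
   Hooked Module: C:\WINDOWS\system32\ntkrnlpa.exe
=== 80561968 (3) ===
186 hook(s) found in 80561968!
=== 8062A098 (3) ===
"""

# "=== <function address> (<depth>) ===" opens the section for one scanned function.
HEADER_RE = re.compile(r"^=== (?P<base>[0-9A-F]{8}) \((?P<depth>\d+)\) ===$", re.M)

# One printed hook record inside a section (field layout assumed from the log).
ENTRY_RE = re.compile(
    r"Address: (?P<func>\w+)\+(?P<disp>\d+) \((?P<addr>[0-9A-F]{8})\)\n"
    r"\s*Size: (?P<size>\d+)\n"
    r"\s*Current Bytes: (?P<cur>[0-9A-F ]+)\n"
    r"\s*Real Bytes: (?P<real>[0-9A-F ]+)\n"
    r"\s*Type:\s+(?P<type>\w+)(?: \(to (?P<to>[0-9A-F]{8})\))?\n"
    r"\s*Hooker: (?P<hooker>.+?)(?: \((?P<hooker_base>[0-9A-F]{8})\))?\n"
    r"\s*Hooked Module: (?P<hooked>.+)$",
    re.M,
)


def _sections(text):
    """Yield (function_base, section_text) for each '=== ... ===' header."""
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        yield int(h["base"], 16), text[h.end():end]


def decode_jmp_rel32(address, code):
    """Destination of an x86 'E9 rel32' near jump whose opcode byte sits at address.

    rel32 is signed and relative to the end of the 5-byte instruction.
    Returns None when the bytes do not start with an E9 jump.
    """
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", code[1:5])
    return (address + 5 + rel) & 0xFFFFFFFF


def first_divergence(current, real):
    """Offset of the first byte where live code differs from the on-disk bytes."""
    for i, (c, r) in enumerate(zip(current, real)):
        if c != r:
            return i
    return None


def parse_hook_records(text):
    records = []
    for base, section in _sections(text):
        for m in ENTRY_RE.finditer(section):
            records.append({
                "function": m["func"],
                "function_base": base,
                "displacement": int(m["disp"]),
                "address": int(m["addr"], 16),
                "size": int(m["size"]),
                "current": bytes.fromhex(m["cur"]),
                "real": bytes.fromhex(m["real"]),
                "type": m["type"],
                "reported_target": int(m["to"], 16) if m["to"] else None,
                "hooker": m["hooker"],
                "hooked_module": m["hooked"],
            })
    return records


def headers_without_entries(text):
    """Function addresses the scan flagged but printed no record for (unverifiable)."""
    return [base for base, section in _sections(text) if not ENTRY_RE.search(section)]


def analyze(text):
    """Cross-check each record: recomputed JMP target, patched offset, self-hook."""
    results = []
    for r in parse_hook_records(text):
        target = decode_jmp_rel32(r["address"], r["current"])
        r.update({
            "jmp_target": target,
            "target_matches_report": target is not None and target == r["reported_target"],
            # NtOpenProcess+447 must land on the section's function address.
            "address_consistent": r["function_base"] + r["displacement"] == r["address"],
            "patched_offset": first_divergence(r["current"], r["real"]),
            "same_module": r["hooker"].lower() == r["hooked_module"].lower(),
        })
        results.append(r)
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"{r['function']}+{r['displacement']} at {r['address']:08X}: {r['type']} to "
              f"{r['jmp_target']:08X} (reported {r['reported_target']:08X}), first patched "
              f"byte at offset {r['patched_offset']}, self-hook={r['same_module']}")
    print("flagged but unprinted:", [f"{b:08X}" for b in headers_without_entries(SAMPLE_LOG)])
```

Run on the sample, the only record decodes to the reported 805CB66A with the patch starting at offset 0, the displacement check confirms 805CB3FA as the NtOpenProcess base, and 80561968 and 8062A098 come back as headers with nothing to verify. A baseline taken on a clean boot can be compared against later runs of the same parser to spot records that were not there before.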

Re: [Help] List-edit-add hooks using MHS

Postby cobr_h » Wed Jan 12, 2011 7:08 am

L. Spiro wrote:If you are talking about the AAC in MHS, it recompiles your kernel and uses the copied functions.
There is no way to know where those functions are located and they have no relationship to your goal in any way.

The point is to see how X-Trap has modified kernel RAM with its hooks.
The point of X-Trap hooks is to reroute certain functions so that, before they execute normally, they perform checks to see if they are being executed on the game protected by X-Trap.


L. Spiro

First point:
I follow that idea posted before: I search for the hooks present before running x-trap, then search hooks again once let xtrap run. I don't get this part of 'kernel RAM'. According to MHS help, I can use what you said, 'ReadLocalMemory()' to read Kernel RAM (as well as the counterpart WriteLocalMemory() to write). [Read/Write]LocalMemory() are MHS specific functions, but we have [Read/Write]ProcessMemory() from kernel calls. So I search for hooks on these two calls by the AACP and undo the changes it makes (essentially the write one of course)?

Second point:
If I just remove the hooks, x-trap will never check if the functions are run from the protected game or from external injected dll or MHS scripts. But still, I have to put the hooks back once xtrap gets the processor time slice (the process becomes active).
cobr_h
Acker
 
Posts: 72
Joined: Wed Dec 02, 2009 6:15 am

Re: [Help] List-edit-add hooks using MHS

Postby L. Spiro » Wed Jan 12, 2011 7:12 am

X-Trap is not an anti-anti-cheat. It is an anti-cheat.

cobr_h wrote:1. There is no VirtualProtectEx call

VirtualProtectEx() is empty because there are no hooks on it placed inside MHS by other software.
These checks have nothing to do with Minesweeper or any other target process.
Think about it: If your anti-cheat (X-Trap) has placed hooks that will trigger crashes when you try to read the memory of a certain process, it does not make sense to try to read the memory of a certain process to try to list hooks.

All checks are local.
That means non-kernel functions are checks for hooks that have been set specifically inside MHS (which is rare) and kernel functions are global checks; kernel RAM is shared, so any hook set on a kernel function acts across all processes. Thus we can check for all kernel hooks without going into any other process.

cobr_h wrote:2. There's a real call to NtOpenProcess on address 805CB3FA, 4 levels deep.

NtOpenProcess() is at address 805CB3FA.

cobr_h wrote:3. There's a jump table on 80561968, 3 levels deep, that is a false positive, so this is not a relevant hook.

Nothing is posted from that address. I can verify nothing. But it tries not to report false positives.

cobr_h wrote:First point:

Read above. ReadLocalMemory() and WriteLocalMemory() do not call ReadProcessMemory() or WriteProcessMemory(), so they will not trigger anti-cheats.
Thus they can be used to check for hooks that were set on WriteProcessMemory() and ReadProcessMemory().
And as stated above, you have to check for hooks on the kernel versions of these functions, not the local ones.


Again, using Minesweeper, or any other software, is irrelevant. In fact, MHS should not be attached to any processes while running these scripts.

As for NtOpenProcess(), it has hooked itself. You can ignore that hook


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: [Help] List-edit-add hooks using MHS

Postby cobr_h » Wed Jan 12, 2011 7:38 am

L. Spiro wrote:X-Trap is not an anti-anti-cheat. It is an anti-cheat.

Oh sure! lol what a confusion about this! Of course, it is an anti-cheat. lol I think I need some vacation. :P

L. Spiro wrote:Think about it: If your anti-cheat (X-Trap) has placed hooks that will trigger crashes when you try to read the memory of a certain process, it does not make sense to try to read the memory of a certain process to try to list hooks.

It does not only make sense but is logical!.. :) In the case, I have a vulnerable version of x-trap running the game, so I can search memory without fear. I just found out my computer is shutting down by itself -- it shut down now after the last post, and no x-trap was running.
Anyway, I mean to learn about hooks so I can explore these x-trap features and even be able to walk on my own feet should I no longer be allowed to use vulnerable x-trap.

L. Spiro wrote:NtOpenProcess() is at address 805CB3FA.

Oh! Beats me. I will have a deeper look on this and get back to it later before I say anything else.

L. Spiro wrote:Nothing is posted from that address (80561968). I can verify nothing. But it tries not to report false positives.

From the log:
Code:
=== 80561968 (3) ===
186 hook(s) found in 80561968!

What you mean then is that I can't say it's a jump table. Can't say as well this is not a hook, so it's a candidate to be a hook yet there's no programmatic way to determine it?

L. Spiro wrote:As for NtOpenProcess(), it has hooked itself. You can ignore that hook

Did anything in the log indicate that it hooked itself? Hooker == Hooked module is that you mean? I shall look, for example, for Hooker == xtrap.xt and Hooked module the kernel32.dll (or some windows library) then?
cobr_h
Acker
 
Posts: 72
Joined: Wed Dec 02, 2009 6:15 am

Re: [Help] List-edit-add hooks using MHS

Postby cobr_h » Wed Jan 12, 2011 8:14 am

L. Spiro wrote:All checks are local.
That means non-kernel functions are checks for hooks that have been set specifically inside MHS (which is rare) and kernel functions are global checks; kernel RAM is shared, so any hook set on a kernel function acts across all processes. Thus we can check for all kernel hooks without going into any other process.


You state first: checks are local. On the following paragraph you say that kernel functions are global checks. The functions I am checking against are kernel functions, then how is the first statement correct? Not telling you are wrong, just saying what I could read, I probably did not understand something you said.

Let's say I change suList in that script sample to:
Code:
    suList[] = {
        { FALSE, "Kernel32.dll",    "ReadProcessMemory",        4 },
        { FALSE, "Kernel32.dll",    "WriteProcessMemory",       4 }
    };

So, I am looking only for ReadProcessMemory and WriteProcessMemory, which are kernel functions. Results shown will be global checks.
Suppose no result is output from the script, which I attached to a hotkey now (ON_HK_1) so I can run it without opening any processes. It will mean no hook for reading or writing is part of the kernel.
If I run the AC now, re-run the script (meaning, the ShowHooks() script function is run), and get no hook from the result, I can assume the x-trap version (which is the vulnerable one) does not have any hook to memory i/o.
Otherwise (say there are some hooks once I scan again), I will have the hook addresses that I have to provide to another hook function (this time to KiSwapThread()) to have it set/reset in order to fool xtrap? The result would be an x-trap running happily but unable to crash any client due to local memory scans?

EDIT: It turned out that, searching for these functions, always returns no result with any x-trap version. Still x-trap detects MHS and kills cabalmain.exe.
cobr_h
Acker
 
Posts: 72
Joined: Wed Dec 02, 2009 6:15 am

Re: [Help] List-edit-add hooks using MHS

Postby L. Spiro » Wed Jan 12, 2011 8:48 am

cobr_h wrote:What you mean then is that I can't say it's a jump table. Can't say as well this is not a hook, so it's a candidate to be a hook yet there's no programmatic way to determine it?

It has been too long since I wrote the code.
In any case if it does not print hooks you can generally not worry.


cobr_h wrote:Did anything in the log indicate that it hooked itself? Hooker == Hooked module is that you mean? I shall look, for example, for Hooker == xtrap.xt and Hooked module the kernel32.dll (or some windows library) then?

The hooker will either be the name of a suspicious driver or simply an address.
In these cases it will usually just be an address, since the X-Trap kernel driver will try to hide itself.


cobr_h wrote:You state first: checks are local. On the following paragraph you say that kernel functions are global checks.

Kernel RAM is shared among all processes, therefore local checks == global checks.


cobr_h wrote:So, I am looking only for ReadProcessMemory and WriteProcessMemory, which are kernel functions. Results shown will be global checks.

No you are not.
You are searching for user-mode functions.
The kernel functions are NtReadVirtualMemory() and NtWriteVirtualMemory() (or ZwReadVirtualMemory() and ZwWriteVirtualMemory()).
These are annoyingly SDT functions.
I am pretty sure GetKernelProcAddress() will also return the addresses of these, but if not you can get them by opening any process in MHS, Ctrl-D to open the Disassembler, and check the SDT tab for the addresses of these functions, which can be hard-coded into the scripts (they do not change unless you update your computer).

If your SDT has been modified, MHS will show you the correct addresses and mark the items in red or green or some color (or something).


Hooks will certainly be placed on KeStackAttachProcess() and KeAttachProcess(); these are vital to ReadProcessMemory().
Also check PsLookupProcessByProcessId(), KeUnstackDetachProcess(), and KeDetachProcess().


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

