APIHooking

Asif Bahrainwala

4.83/5 (14 votes)

2 May 2011CPOL5 min read

82.5K

2.6K

Snoop network using API hooking

Download source - 25.99 KB

Introduction

Network snoop introduces the basics of building a network sniffer to pick up all information being sent using TCP socket via send and recv API, obviously, these will be the two APIs to hook to get information about data being sent/received. This code is more about introducing the readers to API hooking using Network snoop as an example. The reader can modify the code to hook APIs related to socket using UDP (which is why readers require knowledge of sockets, networking).

Background

Before we start, reader will require basic knowledge of socket programming, windows hooks and a tad bit of assembly level programming.

Using the Code

The attached code is built using VS2010 express edition. The code must be referred to while going through this article. Also 64-bit API hooking code has been attached, but not tested.

We will start with the introduction of sockets APIs used to send and receive information, these are send and recv. The attached code will try to hook/Hijack these APIs and attempt to log all information passed through them.

The following code is mentioned in the DLL module:

C++

struct NetSnoop{
NetSnoop()
{
_beginthread(sendThread,0,0);
_beginthread(recvThread,0,0);
}
...
}
g_NetSnoop;

Notice the variable g_NetSnoop declared globally, this object will be created (and its constructor will be called which will call sendThread and recvThread) every time the DLL is loaded into a new/different process. To get the DLL to load in a different process, we use Windows hook API (mentioned in the code: NetSnoop.cpp).

C++

SetWindowsHookEx(WH_CBT,hookFunction,h,0);

Here the variable h holds the module handle of the DLL mentioned earlier. Calling SetWindowsHookEx will cause all threads that belong to the caller's desktop to load the DLL whose module is passed to it, in this case:

C++

HMODULE h=LoadLibraryA("NetSnoopDll.dll");

Reader will have to be aware of Windows hook.

Another way is to call (without using hook) CreateRemoteThread, you can call the above function sendThread and recvThread, please read up CreateRemoteThread on MSDN. (This method is not used in code.)

Now comes the best part: API hooking (APIHook.cpp).

We will discuss API hooking for send API, the rest are all the same, refer to the code at all times, this is important.

The function void sendThread(void*) will perform API hack, notice that this function is called from constructor of struct NetSnoop (via different thread) or via API CreateRemoteThread.

Follow the code.

We first start by getting the address of the function and use VirtualProtect.

Be sure to use VirtualProtect to alter the protection of a committed page, else you will get an exception (386 memory segment protection!). Look up MSDN for VirtualProtect.

C++

VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission);

The code after that is self explanatory.

Do use disassembly of function call to better understand how it works, you will notice the following code added at the function address:

ASM

MOV EAX,function adress; 
JMP EAX;

We are injecting the following code at the function call address using opcodes:

64 bit code is mentioned in attachment. Before we tamper with the instructions at the function address, we first store the original instructions so as to restore them when needed.

Remember: 32-bit DLL cannot be loaded/injected in 64-bit process space and vice-versa which is why you would require a separate 64-bit APP/DLL to snoop network traffic for 64-bit processes.

How It Works

When the hooked function (in this case send) is called, the instruction pointer (EIP) is taken to the function address and will start executing from there (well...this how any function call works).

We have decisively placed a JMP instruction at that very location. This will cause the EIP to move to the function Mysend, notice that this function has the very same signature, calling convection as the original function, this is to avoid any stack corruption.

Once the EIP is routed to function Mysend (as done in attached code):

Log whatever is needed
Restore the function's original instruction
Call the original function to complete the functionality

In API hooking of send function, please note that send function is called twice by the application:

Called by the application, through the JMP instruction, EIP is routed to Mysend
Inside Mysend, after restoring the original instructions (shown below)

Code snippet from APIHook.cpp, int WSAAPI Mysend(...)...

C++

DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission); 
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); //restore it
int ret=send(s,buf,len,flags);  //we call the original function.

if(bExit==false)     //repatch the function (to trap the next call to it),
        //bExit is set to true to indicate exit. 
{
 memcpy(send, Trap_Send, sizeof(Trap_Send)); //repatch
}

Hence to maintain the stack, RET instruction is also called twice:

After it returns from the original send function called from inside Mysend
After it returns from Mysend

Restore (done in destructor)

Another important thing is to restore everything when the application exits.

This is important, when the application (NetworkSnoop) exits, the Hook will be released by code (or by OS if hook is active when application is closed/terminated).

When applications are being unhooked, the injected DLL is removed, if code is not restored, the JMP instruction will cause the EIP to jump to an invalid memory location (since DLL is removed) causing a crash.

The application restores all in a destructor of a global object, the destructor is called during DLL unload, refer to the code.

C++

~NetSnoop()
{
bExit=true;       //set this flag to true to indicate unloading is in progress 
        //(to avoid repatch indicated in previous code snippet)
while(uiInUse!=0)     //this maintains a count of trap function being called 
        //from different threads
    Sleep(500);
//restore original
DWORD dPermission=0;
VirtualProtect(send,sizeof(Trap_Send),PAGE_EXECUTE_READWRITE,&dPermission); 
memcpy(send,StoreOriginal_Send,sizeof(StoreOriginal_Send)); //restore it
VirtualProtect(recv,sizeof(Trap_recv),PAGE_EXECUTE_READWRITE,&dPermission); 
memcpy(recv,StoreOriginal_recv,sizeof(StoreOriginal_recv)); //restore it
}

Debug the Call

The reader will have to write a simple console based application mentioned below and debug the send call via disassembly to better understand the introduction of a JMP instruction.

C++

#include<windows.h>
#include<WinSock2.h>
int main()
{
MessageBoxA(0,"","",0); //provide a message processing loop via message box 
        //(for DLL injection via Hook, a message processing loop is required)
int z=send(0,0,0,0);     //function from Ws2_32.lib (add this to your lib section),
            //pass any dummy values, the idea is to understand via 
            //disassembly the introduction of JMP instruction 
            //after the hook has injected the DLL
return z;
}

Points of Interest

The best part is that NetworkSnoop introduces API hooking using Windows Hook. This allows you to hook any function in any process provided your hook injects the DLL into it, for the hook to work, the targeted thread must have a message loop. I do hope you enjoy this short article on Network snoop. API hook technique is widely used, most famous is FRAPS (www.fraps.com), it uses the technique to hook DirectX calls to get information about game performance.

History

11^th March, 2011: Initial post
2^nd May, 2011: Correction in code to perform logging after recv API is called

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)