search
About Me
githubEdit

API Hooking - Detours I

hashtag
Theory

API hooking is a technique used to intercept and alter the behavior of different API calls. This can be done to monitor or modify the function of an application (used a lot in Game Hacking), etc. AV Vendors / EDR's also use it to monitor suspicious API calls and look at the parameters being passed to them, thereby detecting them before they get a chance to run. There are many different ways to do this which I'll explain in the following posts. For now, I'll use the Detours library provided officially by Microsoft (rewritten unofficially in Rust).

Detours intercepts Win32 functions by re-writing the in-memory code for target functions. Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation.

hashtag
Detours

I'll be using the Process Injection code given earlier as an example to show the API hooking.

First we have to add detour library, there are a few libraries related to this, but most of them are quite old so I went with the retour package. we can type cargo add retour (note: you might have to install Nightlyarrow-up-right). I will start initially hooking the OpenProcess function, and then hook all the general functions used in Process Injection. We can take a look at an example to hook a Windows API herearrow-up-right. So basically, we first need to define a type for our function. We know what the arguments this function take, we can take a look at the official MSDN page for OpenProcessarrow-up-right. Then we need to define the hook in which we will be hooking the function and giving it our own custom variation of it, and then finally defining the custom function.

// FUNCTION TYPE DEFINITION
type fn_OpenProcess = unsafe extern "system" fn(u32, BOOL, u32) -> HANDLE;

// DEFINING OUR HOOK
static hook_OpenProcess: Lazy<GenericDetour<fn_OpenProcess>> = Lazy::new(|| unsafe {
    let addr = get_module_symbol_address("Kernel32.dll", "OpenProcess").unwrap();
    let og: fn_OpenProcess = std::mem::transmute(addr);
    GenericDetour::new(og, custom_OpenProcess).unwrap()
});

// CUSTOM OpenProcess API
unsafe extern "system" fn custom_OpenProcess(dwDesiredAccess: u32, bInheritHandle: BOOL, dwProcessId: u32) -> HANDLE {
    println!("\n####### [ OpenProcess ] ########\n");
    let access = get_process_flags(dwDesiredAccess);
    println!("[*] PID: {}", dwProcessId);
    // println!("[*] Access: 0x{:X}", dwDesiredAccess);
    println!("[*] Access: {}", access);
    println!("\n####### ############### ########\n");

    hook_OpenProcess.disable().unwrap();
    let result = hook_OpenProcess.call(dwDesiredAccess, bInheritHandle, dwProcessId);
    hook_OpenProcess.enable().unwrap();
    result
}

It is important to disable our hook before calling the actual OpenProcess function. Think of it like this

This leads to an infinite loop where the functions call each other and keep doing it until eternity. Now that we have defined our hook, we can enable it and try running the process injection code. We can add a small update in our previous code.

Running the code, we can see that when It calls the OpenProcess function , it actually instead calls our custom function which we defined.

Note: If it gives error stating something like xyz can't be run in a stable release, you would have to build/run it using nightly, its just cargo +nightly run command. You can check out what's nightly herearrow-up-right.

Great, Now that we have successfully hooked an API, it shouldn't be too hard to do the same with others, or so did I thought, but when hooking the VirtualAllocEx API , for whatever reason, the process was crashing every single time. And after a lot of debugging I realized, Rust didn't like me passing the lpAddress parameter directly to the function and it crashed every single time with STATUS_ACCESS_VIOLATION.

After a lot of debugging, I came to the conclusion that this could probably be either because of how the Rust language handles NULL valuesarrow-up-right or maybe something related to process space. It works when the parameter is None or Some(null()) else fails when giving the lpAddress as is.

So I eventually had to update the code for it and use Some(null()) instead. I'll dive deeper into this behavior later when doing it in C. For now, this works in Rust

Apart from this particular thing, every thing else was smooth and here's how the output looks like when I have hooked all those functions, I've removed all the print statements from the actual process injection code, so whatever we see here is the output from our custom functions.

As Usual, I have uploaded the code on githubarrow-up-right. Thank you. Next, I'll show how we can achieve the same thing with a DLL, then we can inject this DLL into any process to monitor the API calls in it.

hashtag
References

PreviousProcess InjectionNextPE Structure

Last updated