Question

I must intercept execution in a very big application in many places.

What programs can I use to do this? What techniques exist for this problem?

Manually reverse engineering and adding hooks is maybe not the optimal solution for this problem, because the application is very big and some parts of the application can be updated over time. I think with some tools or good practices for this problem I can do this faster. Does anyone know how to do it?

Can anybody help me?


Solution

Seeing as the tools part has been covered, here is something for the techniques.

Depending on what it is you need to hook and whether or not there is protection involved, there are a few methods:

  1. Relative call/jmp patching in the virtualized binary: this is the simplest, but also a lot of work if you can't automatically find all references to a function. This probably won't work in this case due to your criteria.

  2. IAT/EAT hooking: this is used for imports (IAT) and exports (EAT), great if you're targeting a known imported/exported set of API functions. A good example of this can be found here or here.

  3. Hot-Patching: Windows XP SP2 introduced something called "hot-patching" (used for real-time system function updates), where all its (the WinAPI) functions start with a 'mov edi,edi', allowing a relative jump to be patched into the free space created above every hot-patchable function (one can do it too). This is generally used for programs that checksum their IATs or have other funny forms of protection. More info can be found here and here.

  4. Code-Caving: capturing execution flow by placing redirections in arbitrary code space. See here, here or here.

  5. VFT/COM Redirection: basically overwriting entries in an object's virtual function table, useful for OOP/COM based applications. See this.

There are a lot of 3rd party libraries, most famous would probably be MS Detours, one can also look at APIHijack or a mini-hook engine.

Of course nothing can substitute for the initial poking you'll need to do with a debugger like OllyDbg, but knowing the method you're gonna use can drastically shorten the amount of time spent poking around.
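Method 3 above describes the hot-patch layout (a `mov edi,edi` at the entry with free padding above it) but not how to tell whether a function has already been redirected that way, which is what you need when verifying hooks in a large application or auditing a process for third-party detours. The following is an added example, not code from the answer or from any of the libraries it names. It is plain C with no Windows headers: the function images are constructed byte arrays with made-up addresses and module ranges, and `classify_hotpatch`, `hotpatch_target` and `count_foreign_hooks` are names chosen here. It encodes the standard x86 byte patterns (`8B FF` = `mov edi,edi`, `EB F9` = `jmp short -7`, `E9 rel32` = `jmp near`) and resolves the detour target from the relative displacement.

```c
/* Detecting hot-patch style hooks on x86 function prologues.
 * Added example; the byte arrays and addresses below are constructed, not
 * taken from any real module. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAD_LEN 5   /* padding bytes Windows leaves in front of a hot-patchable function */

enum patch_state {
    NOT_HOTPATCHABLE,    /* no 'mov edi,edi' at the entry, nothing to patch into */
    HOTPATCHABLE_CLEAN,  /* 'mov edi,edi' present, padding still nop/int3 */
    HOTPATCHED,          /* 'jmp short -7' at entry and 'jmp rel32' in the padding */
    SUSPICIOUS           /* half-applied or unexpected bytes around the entry */
};

/* image: PAD_LEN padding bytes followed by the function entry (>= 2 bytes).
 * base:  virtual address of image[0], needed to resolve the rel32 jump.
 * On HOTPATCHED, *target (if non-NULL) receives where the detour jumps to. */
enum patch_state classify_hotpatch(const uint8_t *image, uint32_t base, uint32_t *target)
{
    const uint8_t *entry = image + PAD_LEN;

    /* 8B FF = mov edi,edi: the 2-byte no-op at the entry of hot-patchable functions */
    if (entry[0] == 0x8B && entry[1] == 0xFF) {
        for (size_t i = 0; i < PAD_LEN; i++)
            if (image[i] != 0x90 && image[i] != 0xCC)   /* nop or int3 padding only */
                return SUSPICIOUS;
        return HOTPATCHABLE_CLEAN;
    }

    /* EB F9 = jmp short -7: from entry+2 back to image[0], i.e. into the padding */
    if (entry[0] == 0xEB && entry[1] == 0xF9) {
        if (image[0] != 0xE9)          /* the padding must hold E9 rel32 (jmp near) */
            return SUSPICIOUS;
        /* decode rel32 little-endian by hand so host endianness does not matter;
         * unsigned wraparound gives the same result as signed displacement math */
        uint32_t rel = (uint32_t)image[1] | (uint32_t)image[2] << 8 |
                       (uint32_t)image[3] << 16 | (uint32_t)image[4] << 24;
        if (target)
            *target = base + PAD_LEN + rel;   /* rel32 is relative to the end of the 5-byte jmp */
        return HOTPATCHED;
    }
    return NOT_HOTPATCHABLE;
}

/* Convenience wrapper: the detour target, or 0 if the function is not hot-patched. */
uint32_t hotpatch_target(const uint8_t *image, uint32_t base)
{
    uint32_t t = 0;
    return classify_hotpatch(image, base, &t) == HOTPATCHED ? t : 0;
}

struct fn_image {
    const char *name;
    uint32_t    base;                  /* address of the padding (constructed) */
    uint32_t    module_lo, module_hi;  /* address range of the owning module (constructed) */
    uint8_t     bytes[PAD_LEN + 3];    /* padding + first 3 bytes of the function */
};

/* Constructed sample table: what an export scan might collect from one module. */
const struct fn_image sample_functions[] = {
    { "Clean",      0x77E41000, 0x77E40000, 0x77F00000, {0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF,0x55} },
    /* E9 981BFFFB: jumps to 0x10001000, outside the module */
    { "Foreign",    0x77E41000, 0x77E40000, 0x77F00000, {0xE9,0xFB,0xFF,0x1B,0x98, 0xEB,0xF9,0x55} },
    { "NoPrologue", 0x77E42000, 0x77E40000, 0x77F00000, {0x90,0x90,0x90,0x90,0x90, 0x55,0x8B,0xEC} },
    /* long jmp written but entry not redirected yet */
    { "Half",       0x77E43000, 0x77E40000, 0x77F00000, {0xE9,0xFB,0xFF,0x1B,0x98, 0x8B,0xFF,0x55} },
    /* E9 0000CFFB: jumps to 0x77E50000, still inside the module */
    { "Internal",   0x77E43000, 0x77E40000, 0x77F00000, {0xE9,0xFB,0xCF,0x00,0x00, 0xEB,0xF9,0x55} },
};
#define SAMPLE_COUNT (sizeof sample_functions / sizeof sample_functions[0])

/* Count functions whose hot-patch detour leaves their own module: the usual
 * signature of a third-party hook rather than a vendor hot-fix. */
int count_foreign_hooks(const struct fn_image *fns, size_t n)
{
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t target = 0;
        if (classify_hotpatch(fns[i].bytes, fns[i].base, &target) == HOTPATCHED &&
            (target < fns[i].module_lo || target >= fns[i].module_hi))
            hooked++;
    }
    return hooked;
}

int main(void)
{
    static const char *names[] = {"not hot-patchable", "clean", "hot-patched", "suspicious"};
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        uint32_t t = 0;
        enum patch_state st = classify_hotpatch(sample_functions[i].bytes, sample_functions[i].base, &t);
        printf("%-10s %-17s target=0x%08X\n", sample_functions[i].name, names[st], t);
    }
    printf("foreign hooks: %d\n", count_foreign_hooks(sample_functions, SAMPLE_COUNT));
    return 0;
}
```

The SUSPICIOUS state matters in practice: a scanner that only looks for `EB F9` misses the window in which the padding has been overwritten but the entry has not, and one that only looks at the padding flags nothing on functions that were never hot-patchable. Comparing the resolved target against the owning module's range is what separates a vendor hot-fix from an injected detour.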

OTHER TIPS

Some details on what exactly you need to do (e.g. how do you determine where to break) would be nice. Depending on your situation, something like Pin might work.

I suggest using Deviare API Hook. It's the easiest way you can do what you need. It has some COM objects that you can use to hook an application from a different process. In your process you get full parameter information and you can use it in any programming language (I'm using C# and it works like a charm). If you need to intercept registry API I suggest using Deviare to debug what you need to intercept but then you will have to make your own hooks, otherwise, you'll find performance issues.

You can do API Hooking if you are interested in intercepting method calls.

Or use some disassembler like SoftICE or OllyDbg or win32dasm.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow