Hook Anywhere !

[theunknownguy]

Hook This !

Library for coders

Ok this is a simple, fast and modeable procedure that allows you to hook your own procedure in any part of code.

Yeah you hear well forgget about opening Ollydbg, make JMPs to other part of code for call your DLL and late restore them.

This fuction does it all, you can hook in any place of any program and without getting any error or modification of the actual code.
But what this means? lets see a example:

Code:

00401087   . 68 B80B0000        PUSH 0BB8                                                         ; |ControlID = BB8 (3000.)
0040108C   . FF75 08            PUSH DWORD PTR SS:[EBP+8]                                         ; |hWnd
0040108F   . E8 6A010000        CALL <JMP.&user32.SetDlgItemTextA>                                ; \SetDlgItemTextA

This is a part of a "X" program, after hooking with my fuction it will look like this:

Code:

0040106B   . E8 9D41C00F        CALL IndigoGS.1000520D                                            ; |Message
00401070   . E8 83010000        CALL <JMP.&user32.SendMessageA>                                   ; \SendMessageA

Yeah a call to your own procedure, and next when you dont need anymore you can call my fuction again and will look just like the original code:

Code:

00401087   . 68 B80B0000        PUSH 0BB8                                                         ; |ControlID = BB8 (3000.)
0040108C   . FF75 08            PUSH DWORD PTR SS:[EBP+8]                                         ; |hWnd
0040108F   . E8 6A010000        CALL <JMP.&user32.SetDlgItemTextA>                                ; \SetDlgItemTextA

This library support MASM32 and C++ compilator and its open source.

How use it:

First add into your source the Include file and the Library

Now you just need to call my library in your DLL or EXE program like this:

Code:

MASM32:
invoke HookThis, 0040106Bh, Offset MyProcedure, 1

C++:
HookThis(0040106B, MyProcedure, 1)

Resumed:

HookThis(HookOffset, MyProcedure, ID)

So in the first argument we have the addr of the part where we need to hook, the second argument we have the addr of our procedure when it needs to be called and last argument its the ID of the current hook we made, in this case 1.

Once the hooked code call your procedure you can do anything has usual, but just remember before exit your procedure call this:

Code:

MASM32:
invoke UnHookThis, 0040106B, 1

C++:
UnHookThis(0040106B, 1)

Resumed:
UnHookThis(HookedOffset, ID)

And thats all, the flow of execution will continue like nothing happen.

Limitations:

The only limitation is that you can only do 100 hooks, but i can expand to much more if you need, also its open source and you can do yourself.

Extras:

I can expand the fuction for you to choose between make a CALL to your procedure or a JUMP to a portion of code, but i will make this later in other update.

Example:

Code:

Invoke HookThis, 00401064h, Offset MyProcedure1, 1
Invoke HookThis, 00401074h, Offset MyProcedure2, 2
Invoke HookThis, 00401094h, Offset MyProcedure3, 3

MyProcedure1 Proc
 ;DO ALL YOU WANT HERE
 invok UnHookThis, 00401064, 1
MyProcedure1 Endp

MyProcedure2 Proc
 ;DO ALL YOU WANT HERE
 invok UnHookThis, 00401074, 2
MyProcedure2 Endp

MyProcedure3 Proc
 ;DO ALL YOU WANT HERE
 invok UnHookThis, 00401094, 3
MyProcedure3 Endp

Here another example how hooking your DLL with just using LoadLibrary, forget about using GetProcAddress and waist resource time:

Code:

In hooked program:

0041000: invoke LoadLibrary, "MyDLL"
0041005: Other instructions

In our DLL:

DllEntry Proc hInst:HINSTANCE, reason:DWord, reserved1:DWord
 .if (reason == DLL_PROCESS_ATTACH)
      invoke HookThis, 0041005h, Offset InitAll, 1       
 .endif
 mov eax, TRUE
 ret
DllEntry EndP

After DLL is loaded the CALL to InitAll procedure will be created down of the LoadLibrary call and we wont have to call GetProcAddress ^^.

Enjoy, source code + Library + Include file in attachment.

Credits: [INDG]FeN$x

[MentaL]

[iBimbo]

Approved.

[Brain]

Nice guide, thanks.

FeN$x, if You have the desire and opportunity, explain how to write in Assembler the event for example, but step by step explanation.

[theunknownguy]

Added in main post, in example section:

- How load a DLL without GetProcAddress just LoadLibrary and HookThis.

[toothpick]

Thanks for the guide, but I didnt quite get it, I am using Visual C++ and added the 3 files as Resource Files to my project.
how do i figure the 3 parameters for the hook? do i need to open the project in olly?

besides, Gameguard doesn't let me even run the EXE in visual c++ while it is open.

[theunknownguy]

Thanks for the guide, but I didnt quite get it, I am using Visual C++ and added the 3 files as Resource Files to my project.
how do i figure the 3 parameters for the hook? do i need to open the project in olly?

besides, Gameguard doesn't let me even run the EXE in visual c++ while it is open.

Has i explain in the guide the 3 arguments (parameters) are:

Code:

HookAddr -> The offset where you want to hook
YouProcedure -> The offset of your procedure in EXE or DLL
ID -> This ID is like a counter, if you use first time then use 1

Example:

Code:

HookThis 0041000h, Offset MyProcedure, 1
HookThis 0042000h, Offset MyProcedure2, 2

Note that GameGuard use CRC system on their games, this means you edit some byte in the game and youll get fucked up. But this hook can also be usefull agaisnt gameguard security, example:

- Do a thread and each 1 second Hook and UnHook the procedure, this will avoid the CRC since your thread has to be more fast than GameGuard CRC thread.

- If gameguard doesnt let you open your program probably you using some detected APIs or they patch your application (probably aimbot or something).

Follow this advices and tell me if you need more help, but in the thread. thanks.

[theunknownguy]

Updated first post, in attachment i add new version of HookThis:

Code:

- Increased clock cycle speed
- If you hook a CALL opcode, hook this library will detect the opcode and just edit the next 4 bytes addr, with your procedure, by this you save time execution without deleting unnecessary bytes.

[leetuser]

doesn't work for me..using masm32.

.486
.MODEL flat,stdcall
OPTION casemap:none

include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
includelib c:\masm32\lib\kernel32.lib
include c:\masm32\include\user32.inc
includelib c:\masm32\lib\user32.lib



include HookThis.inc
includelib HookThis.lib

.data

MessageB db "MessageBoxA",0
user32 db "user32.dll",0
MessageBAddr dd 0

.code


MyProcedure1 Proc
invoke MessageBox,0,offset MessageB,0,0
invoke UnHookThis, 40106eh, 1
MyProcedure1 Endp


Main:

invoke LoadLibraryA,addr user32
invoke GetProcAddress,eax,addr MessageB
mov MessageBAddr, eax

invoke HookThis, 40106eh, Offset MyProcedure1, 1
invoke MessageBox,0,0,0,0
invoke ExitProcess,0

end Main

Get an access violation.

[dacharles]

like CDetour?

[xhacker5000]

How can use this lib and inc in VC++6.0?
I print this code

Code:

#pragma comment(lib, "HookThis.lib")

How to use .INC?

[remington]

I injected a dll into a program and want to hook winsocks function (send) please explain how can I do it?

oh, i am using masm32

[Brain]

please some mirrors, thanks

[VoidBringer]

Link don't work, mirror plz

[Diabolik]

thx for your share :)