VB6 - Process injection/API hooking

[rm_03]

Part 1) IAT Hooking. All imported functions (like kernel32.sleep()) by a module
have an entry in its IAT (Import Address Table). By comparing the entry point of the
target function with all the entries in the IAT, you can overwrite the IAT entry with a new function pointer.
Next time the importing module calls the target function, it will be redirected to the new function.

Part 2) Function redirection. By overwriting a function with a JMP instruction you can redirect any function to a new one.

Part 3) Process injection and remote API hooking.
You can inject any module into a process by getting its size (=> PE header),
allocating memory in the remote process
and copy the whole module with WriteProcessMemory() to the remote process.
The aim now is to hook an API in the remote process.
Because CreateRemoteThread() will cause VB code to run in a new thread (not good, as we all know),
we simply do the same thing like in part 2, but with WriteProcessMemory().

Note: The remote process needs to be written in VB, too.

[moeur]

Perhaps you could explain a little bit more about what you are doing here. For example let's discuss #3. The example program when run shows all running processes. I assume you are supposed to highlight a processes let's say calc.exe, and click inject. Of course injection fails (in german) because I did something wrong.

Edit: i just saw the end of the post, the remote process needs to be written in VB. Why is that?

[rm_03]

Quote:

Perhaps you could explain a little bit more about what you are doing here

I'm afraid of writing long messages, not so much practice in writing English

Because of the runtime.
Almost every function you use (like the left/right/mid functions) is stored in the runtime,
but I guess, you know that.
When starting a VB app, the runtime does some stuff I don't really know about, which won't allow you to use these functions in a new thread (sure, with some tricks you can, but they're not safe, At least in a standard exe).
You could inject the VB runtime into the other process, but there's the risk that the address space is already used by another module.
But even if it worked - it wouldn't be initialized.

So what I did in example 3 was:
1) Overwrite the remote function with a JMP instruction
2) inject my own module to the remote process
but don't execute code with CreateRemoteThread
because it will executed in the first thread when the hooked API will be called.

[penagate]

Quote:

Originally Posted by rm_03

Because of the runtime.

Sounds familiar moeur

[unruledboy]

is it possible to hook CreateProcess/OpenProcess/CreateThread etc APIs in Kernel32.dll for shell32.dll module? I wish to intercept the execution of apps, before they really start to run, I need to decide whether I should let them run.

[moeur]

see this thread on how you can do that
http://www.vbforums.com/showthread.php?t=324133

[unruledboy]

yes, I've already read all threads realted to hook/inject etc. but some uses external dlls(third party ones), or uses vc++.

I wish to have all done in pure vb6

[abazabam]

Does anyone know how to intercept an API in all processes? The examples that I've seen only work with a specific process.

[Ixiodor]

A very good work but...there is a system for hook 1 API in all language?
This program if you hook a c++ program,the program crash T_T.
Can you explain me what change?

[mustiback]

Redirecthook is not working...
Error : Variable not defined on RealAddr