Part 1) IAT Hooking. All imported functions (like kernel32.sleep()) by a module
have an entry in its IAT (Import Address Table). By comparing the entry point of the
target function with all the entries in the IAT, you can overwrite the IAT entry with a new function pointer.
Next time the importing module calls the target function, it will be redirected to the new function.
Part 2) Function redirection. By overwriting a function with a JMP instruction you can redirect any function to a new one.
Part 3) Process injection and remote API hooking.
You can inject any module into a process by getting its size (=> PE header),
allocating memory in the remote process
and copy the whole module with WriteProcessMemory() to the remote process.
The aim now is to hook an API in the remote process.
Because CreateRemoteThread() will cause VB code to run in a new thread (not good, as we all know),
we simply do the same thing like in part 2, but with WriteProcessMemory().
Note: The remote process needs to be written in VB, too.
Perhaps you could explain a little bit more about what you are doing here. For example let's discuss #3. The example program when run shows all running processes. I assume you are supposed to highlight a processes let's say calc.exe, and click inject. Of course injection fails (in german) because I did something wrong.
Edit: i just saw the end of the post, the remote process needs to be written in VB. Why is that?
Perhaps you could explain a little bit more about what you are doing here
I'm afraid of writing long messages, not so much practice in writing English
Because of the runtime.
Almost every function you use (like the left/right/mid functions) is stored in the runtime,
but I guess, you know that.
When starting a VB app, the runtime does some stuff I don't really know about, which won't allow you to use these functions in a new thread (sure, with some tricks you can, but they're not safe, At least in a standard exe).
You could inject the VB runtime into the other process, but there's the risk that the address space is already used by another module.
But even if it worked - it wouldn't be initialized.
So what I did in example 3 was:
1) Overwrite the remote function with a JMP instruction
2) inject my own module to the remote process
but don't execute code with CreateRemoteThread
because it will executed in the first thread when the hooked API will be called.
is it possible to hook CreateProcess/OpenProcess/CreateThread etc APIs in Kernel32.dll for shell32.dll module? I wish to intercept the execution of apps, before they really start to run, I need to decide whether I should let them run.
A very good work but...there is a system for hook 1 API in all language?
This program if you hook a c++ program,the program crash T_T.
Can you explain me what change?
WHY Run only compiled ?
RedirectHook.zip
MsgBox "Run only compiled!", vbExclamation
DLL function address DllFunAddr bound to VB module function
Code:
in ide it's also err,only run in exe,how to fix?
Public Function MakeFunction(DllFunAddr As Long, BackFunAddr As Long)
' (BackFunAddr)
Dim Code(5) As Byte, JmpBackAddr As Long, OldProtect As Long
VirtualProtect ByVal DllFunAddr, 5, 64, OldProtect '更改函数地址所在页面属性
JmpBackAddr = DllFunAddr - BackFunAddr - 5
Code(0) = &HE9
CopyMemory Code(1), JmpBackAddr, 4
WriteProcessMemory -1, ByVal BackFunAddr, Code(0), 5, 0
End Function
Reply With Quote
Originally Posted by rm_03
Re: VB6 - Process injection/API hooking
