

RevEngX is a freely available extension for the Debugging Tools for Windows. It offers several new commands to simplify the work of reverse engineering, code injection, hooking and other types of instrumentation that are useful when analyzing third-party software or malware, or when developing commercial Windows applications that utilize code injection and hooking. This article will demonstrate how one might produce and test a hook on-the-fly using the debugger alone.

The technique presented in this article is designed more for demonstrating the power of the tools being presented, and to introduce the reader to a new world of possibilities. In practice, it would be easier to code up hook functions in C++ in a DLL, inject the DLL using !loadlibrary (a RevEngX command), and then set hooks pointing to the injected code using any of a number of methods.

It is expected that the reader is familiar with the basics of the Debugging Tools for Windows package. Windbg.exe will be used in the example, but ntsd.exe and cdb.exe may also be used if preferred. The reader should also be familiar with x86 assembly language and have some understanding of the techniques used to hook APIs on Windows. Obviously, a basic understanding of Windows APIs is also necessary. It is important to match the RevEngX extension to the bitness of the debugger, and to use the 32-bit version of windbg.exe for debugging 32-bit applications with RevEngX and the 64-bit version for 64-bit applications. Many of the RevEngX commands are bit-immune, but some are not, and it is always best to match your debugger to the bitness of the application being debugged, unless you are debugging or reversing WOW64 thunks, etc. Newer versions of the Debugging Tools for Windows package install both the 32-bit and 64-bit versions of the tools. Obtain the most recent version and install RevEngX.dll in the winext directory for the matching bitness of the debugger. This example will use a simple Import Address Table (IAT) hook. Note that while the example uses x86 assembly language, it could easily be done with x64 (amd64) assembly as well, given a bit of work rewriting the hook function mnemonics.

Such a hook employs no stealth – it is easily detectable using RevEngX or other tools that can locate hooks (such as GMER). A very stealthy hook can also be implemented using RevEngX and the debugger, but this is beyond the scope of this article. In order to make the demonstration very visual as well as simple, we will hook the GDI function responsible for displaying text. Our hook function will reverse the strings being sent to ExtTextOutW before invoking the original function.
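The two mechanisms described above, the IAT patch that redirects a call to a string-reversing hook and the comparison a hook-finder such as GMER or RevEngX performs to detect it, can be modelled without a debugger. The following C program is an added example, not code from the article or from RevEngX: the "gdi32" export table, the importing program's IAT, and fake_ExtTextOutW (a reduced stand-in taking only the text and its character count) are constructed so that it builds and runs on any platform; no real PE is parsed and no real process is touched. The hook reverses the text into a local copy and calls through to the saved original, exactly as the article's hook intends, and the detector re-resolves each import against the export table and flags slots that no longer match.

```c
/* Added example (not from the article or RevEngX): in-process model of an
 * Import Address Table hook and of the check that detects it. All "modules"
 * below are constructed stand-ins; nothing here touches a real process. */
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define MAX_TEXT 64

typedef void (*proc_t)(void);                                   /* generic code pointer, the type of an IAT slot */
typedef int (*ext_text_out_fn)(const wchar_t *text, size_t cch); /* reduced ExtTextOutW shape (constructed) */

typedef struct { const char *name; proc_t target;  } iat_entry_t;    /* one IAT slot as the loader filled it */
typedef struct { const char *name; proc_t address; } export_entry_t; /* one export of the providing module */

/* Text that reached the stand-in for gdi32!ExtTextOutW on the last call. */
static wchar_t g_drawn[MAX_TEXT];

/* Constructed stand-in for gdi32!ExtTextOutW: records what it would draw. */
static int fake_ExtTextOutW(const wchar_t *text, size_t cch) {
    if (cch >= MAX_TEXT) return 0;
    wmemcpy(g_drawn, text, cch);
    g_drawn[cch] = L'\0';
    return 1;
}

/* Second constructed export, so the slot lookup has something to skip. */
static int fake_TextOutW(const wchar_t *text, size_t cch) { (void)text; (void)cch; return 1; }

/* Saved original slot value, so the hook can call through to it. */
static ext_text_out_fn g_orig_ExtTextOutW;

/* The hook: reverse the text into a local copy and hand that to the original.
 * The caller's own buffer is never written; over-long text is passed through. */
static int hook_ExtTextOutW(const wchar_t *text, size_t cch) {
    wchar_t reversed[MAX_TEXT];
    if (cch >= MAX_TEXT) return g_orig_ExtTextOutW(text, cch);
    for (size_t i = 0; i < cch; i++) reversed[i] = text[cch - 1 - i];
    reversed[cch] = L'\0';
    return g_orig_ExtTextOutW(reversed, cch);
}

/* The IAT patch: locate the slot by import name and redirect it.
 * Returns the previous target, or 0 if the import is not present. */
static proc_t iat_hook(iat_entry_t *iat, size_t n, const char *name, proc_t replacement) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(iat[i].name, name) == 0) {
            proc_t previous = iat[i].target;
            iat[i].target = replacement;
            return previous;
        }
    }
    return (proc_t)0;
}

/* What a hook-finder does with an IAT: re-resolve every import from the
 * exporter's export table and count the slots that no longer match. */
static size_t iat_count_hooks(const iat_entry_t *iat, size_t n,
                              const export_entry_t *exports, size_t m) {
    size_t suspicious = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < m; j++)
            if (strcmp(iat[i].name, exports[j].name) == 0) {
                if (iat[i].target != exports[j].address) {
                    printf("IAT slot %zu (%s) no longer points at the export: hooked\n", i, iat[i].name);
                    suspicious++;
                }
                break;
            }
    return suspicious;
}

typedef struct {
    size_t hooks_before;   /* slots flagged before patching, expected 0 */
    size_t hooks_after;    /* slots flagged after patching, expected 1 */
    int drawn_reversed;    /* 1 if the original received the reversed text */
    int caller_untouched;  /* 1 if the caller's own buffer was not modified */
} demo_result_t;

/* Runs the whole scenario on constructed tables and reports what happened. */
static demo_result_t run_demo(void) {
    export_entry_t gdi32_exports[] = { { "TextOutW", (proc_t)fake_TextOutW }, { "ExtTextOutW", (proc_t)fake_ExtTextOutW } };
    iat_entry_t    iat[]           = { { "TextOutW", (proc_t)fake_TextOutW }, { "ExtTextOutW", (proc_t)fake_ExtTextOutW } };
    const size_t n = sizeof iat / sizeof iat[0], m = sizeof gdi32_exports / sizeof gdi32_exports[0];
    demo_result_t r;

    r.hooks_before = iat_count_hooks(iat, n, gdi32_exports, m);

    /* Install the hook, keeping the original so the hook can call through. */
    g_orig_ExtTextOutW = (ext_text_out_fn)iat_hook(iat, n, "ExtTextOutW", (proc_t)hook_ExtTextOutW);

    /* The program draws text the only way it can: through its IAT slot (slot 1 here). */
    wchar_t caller_text[] = L"Hello";
    ((ext_text_out_fn)iat[1].target)(caller_text, 5);

    r.drawn_reversed   = wcscmp(g_drawn, L"olleH") == 0;
    r.caller_untouched = wcscmp(caller_text, L"Hello") == 0;
    r.hooks_after      = iat_count_hooks(iat, n, gdi32_exports, m);
    return r;
}

int main(void) {
    demo_result_t r = run_demo();
    printf("hooks before: %zu, after: %zu, drawn reversed: %d, caller untouched: %d\n",
           r.hooks_before, r.hooks_after, r.drawn_reversed, r.caller_untouched);
    return 0;
}
```

The detector deliberately does not inspect the hook function's code: an IAT hook is found purely by noticing that an import slot no longer holds the address the exporting module publishes for that name, which is why the article can call this style of hook easily detectable.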
