  1. #1
    Join Date
    Apr 2014
    Posts
    61

    Question IAT Hooking without success. Some help me please?

    Hi,

    I'm making a DLL to inject into a specific remote process and then hook the IAT entry for the TerminateProcess function inside that remote process.

    I have the code below. The DLL is injected successfully into a simple portable executable, but I'm not receiving any message for success or failure.

    PS: The code below was compiled with Dev C++ and the DLL injection was done using PH (Process Hacker).

    What is wrong?

    Thanks in advance for any suggestions.

    main.cpp
    Code:
    #include "dll.h"
    #include <windows.h>
    
    BOOL WINAPI MyTerminateProcess(HANDLE hProcess,UINT uExitCode)
    {
         SetLastError(5);
         return FALSE;
    }
    
    typedef BOOL (WINAPI *TERMINATEPROCESS_PROC)(HANDLE, UINT); 
    
    TERMINATEPROCESS_PROC HookFunction(char *UserDll,TERMINATEPROCESS_PROC pfn,TERMINATEPROCESS_PROC HookFunc) 
    
    {
        DWORD dwSizeofExportTable=0;
        DWORD dwRelativeVirtualAddress=0;
        HMODULE hm=GetModuleHandle(NULL);
        PIMAGE_DOS_HEADER pim=(PIMAGE_DOS_HEADER)hm;
        PIMAGE_NT_HEADERS pimnt=(PIMAGE_NT_HEADERS)((DWORD)pim + (DWORD)pim->e_lfanew);
        PIMAGE_DATA_DIRECTORY pimdata=(PIMAGE_DATA_DIRECTORY)&(pimnt->OptionalHeader.DataDirectory);
    
        PIMAGE_OPTIONAL_HEADER pot=&(pimnt->OptionalHeader);
        PIMAGE_DATA_DIRECTORY pim2=(PIMAGE_DATA_DIRECTORY)((DWORD)pot+(DWORD)104);
        dwSizeofExportTable=pim2->Size;
        dwRelativeVirtualAddress=pim2->VirtualAddress;
        char *ascstr;
        PIMAGE_IMPORT_DESCRIPTOR pimexp=(PIMAGE_IMPORT_DESCRIPTOR)(pim2->VirtualAddress + (DWORD)pim);
        while(pimexp->Name)
        {
            ascstr=(char *)((DWORD)pim + (DWORD)pimexp->Name);
            if(_strcmpi(ascstr,UserDll) == 0)
            {
                break;
            }
            pimexp++;
        }
        PIMAGE_THUNK_DATA pname=(PIMAGE_THUNK_DATA)((DWORD)pim+(DWORD)pimexp->FirstThunk);
        LPDWORD lpdw=&(pname->u1.Function);
        DWORD dwError=0;
        DWORD OldProtect=0;
        while(pname->u1.Function)
        {
            if((DWORD)pname->u1.Function == (DWORD)pfn)
            {
                lpdw=&(pname->u1.Function);
    
                VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READWRITE,&OldProtect);
    
                pname->u1.Function=(DWORD)HookFunc;
    
                VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READONLY,&OldProtect);
    
                return pfn;
            }
            pname++;
    
        }
        return (TERMINATEPROCESS_PROC)0;
    }
    
    TERMINATEPROCESS_PROC CallHook(void) 
    {
        TERMINATEPROCESS_PROC AddOfTerminateProcess;
    
        HMODULE hm=GetModuleHandle(TEXT("Kernel32.dll"));
        TERMINATEPROCESS_PROC fp=(TERMINATEPROCESS_PROC)GetProcAddress(hm,"TerminateProcess");
        
         AddOfTerminateProcess= HookFunction("Kernel32.dll",fp,MyTerminateProcess);
        
    	 if(AddOfTerminateProcess == 0)
        {
            MessageBox(NULL,TEXT("Unable TO Hook Function."),TEXT("Parth"),MB_OK);
        }
        else
        {
            MessageBox(NULL,TEXT("Success Hooked."),TEXT("Parth"),MB_OK);
        }
        return 0;
    }
    
    BOOL APIENTRY DllMain (HINSTANCE hInst,
                           DWORD reason,
                           LPVOID reserved)
    {
        switch (reason)
        {
          case DLL_PROCESS_ATTACH:
               CallHook();
            break;
    
          case DLL_PROCESS_DETACH:
            break;
    
          case DLL_THREAD_ATTACH:
            break;
    
          case DLL_THREAD_DETACH:
            break;
        }
    
        return TRUE;
    }
    dll.h
    Code:
    #ifndef _DLL_H_
    #define _DLL_H_
    
    #if BUILDING_DLL
    # define DLLIMPORT __declspec (dllexport)
    #else 
    # define DLLIMPORT __declspec (dllimport)
    #endif 
    
    
    class DLLIMPORT DllClass
    {
      public:
        DllClass();
        virtual ~DllClass(void);
    
      private:
    
    };
    
    
    #endif

  2. #2
    2kaud (Super Moderator, Power Poster)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,825

    Re: IAT Hooking without success. Some help me please?

    but i'm not receiving any message for success or fails.
    Try writing to a file rather than using MessageBox(). If you are injecting into a process, for MessageBox() to have a chance of working the process needs to be configured to allow interaction with the desktop.
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++23 Compiler: Microsoft VS2022 (17.6.5)

  3. #3
    Join Date
    Apr 2014
    Posts
    61

    Re: IAT Hooking without success. Some help me please?

    @2kaud, is the code above correct? Mainly this part? =>

    Code:
    AddOfTerminateProcess= HookFunction("Kernel32.dll",fp,MyTerminateProcess); // REFERENCE TO MyTerminateProcess in HookFunction() call.
    And also my APIENTRY DllMain is not recognized on DLL_PROCESS_ATTACH. Why? I think that this is the first error.
    Last edited by FL4SHC0D3R; December 14th, 2016 at 07:48 AM.

  4. #4
    2kaud (Super Moderator, Power Poster)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,825

    Re: IAT Hooking without success. Some help me please?

    dll injection made using PH ( Process Hacker )
    How do you know dll was successfully injected into the .exe?

    my APIENTRY DllMain not is recognized on DLL_PROCESS_ATTACH
    How do you know? Is DLL_THREAD_ATTACH called?

  5. #5
    Join Date
    Apr 2014
    Posts
    61

    Re: IAT Hooking without success. Some help me please?

    Quote Originally Posted by 2kaud View Post
    How do you know dll was successfully injected into the .exe?

    How do you know? Is DLL_THREAD_ATTACH called?

    How do you know dll was successfully injected into the .exe?
    [Attached screenshot]

    My trouble is only that the code inside DLL_PROCESS_ATTACH is not executed.

    How do you know? Is DLL_THREAD_ATTACH called?
    To tell the truth, I don't know; I only know that the code of DLL_THREAD_ATTACH is not executed.

    Here is my example in attachment.
    Last edited by FL4SHC0D3R; December 14th, 2016 at 10:36 AM.

  6. #6
    2kaud (Super Moderator, Power Poster)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,825

    Re: IAT Hooking without success. Some help me please?

    Is DLLMain() being called at all for any reason? If not, then the issue is with the hooking which is PH.

  7. #7
    Join Date
    Apr 2014
    Posts
    61

    Re: IAT Hooking without success. Some help me please?

    Quote Originally Posted by 2kaud View Post
    Is DLLMain() being called at all for any reason? If not, then the issue is with the hooking which is PH.
    Eg:

    The code below doesn't work in my example attached above.

    Code:
    DWORD WINAPI MyFunction1(LPVOID pData) 
    { 
    
        std::ofstream out("output.txt");
        out << "Testing...";
        out.close();
        return 0;
        
    } 
    
    HANDLE hThread;         
    DWORD nThread; 
    
    ...
    
    case DLL_PROCESS_ATTACH:       
          
          if((hThread = CreateThread(NULL, 0, MyFunction1, NULL, 0, &nThread)) != NULL) 
          { 
             CloseHandle(hThread); 
          }

  8. #8
    2kaud (Super Moderator, Power Poster)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,825

    Re: IAT Hooking without success. Some help me please?

    You shouldn't call CreateThread() from within DllMain(). See https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx. This also provides details of others which shouldn't be used within DllMain().

    Why not first try
    Code:
    BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
    {
       std::ofstream out("output.txt");
       out << "Testing...";
       out.close();
       return TRUE;
    }
    as file operations are allowed within DllMain().

    If this doesn't work then the issue is with PH injecting the dll.

  9. #9
    Join Date
    Apr 2014
    Posts
    61

    Re: IAT Hooking without success. Some help me please?

    @2kaud,

    I have compiled with VC++ 2008 and now the DLL entry point is okay; my problem now is that the hook is failing :-(

    "Unable TO Hook Function."

    Any suggestions?

    My current code is below:

    All this code was adapted from here

    Code:
    // dllmain.cpp : Defines the entry point for the DLL application.
    #include "stdafx.h"
    #include <windows.h>
    #include <fstream>
    #include <string>
    #include <iostream>
    
    using namespace std;
    
    BOOL WINAPI MyTerminateProcess(HANDLE hProcess,UINT uExitCode)
    {
         SetLastError(5);
         return FALSE;
    }
    
    typedef BOOL (WINAPI *TERMINATEPROCESS_PROC)(HANDLE, UINT); 
    
    TERMINATEPROCESS_PROC HookFunction(char *UserDll,TERMINATEPROCESS_PROC pfn,TERMINATEPROCESS_PROC HookFunc) 
    
    {
                            
        DWORD dwSizeofExportTable=0;
        DWORD dwRelativeVirtualAddress=0;
        HMODULE hm=GetModuleHandle(NULL);
        PIMAGE_DOS_HEADER pim=(PIMAGE_DOS_HEADER)hm;
        PIMAGE_NT_HEADERS pimnt=(PIMAGE_NT_HEADERS)((DWORD)pim + (DWORD)pim->e_lfanew);
        PIMAGE_DATA_DIRECTORY pimdata=(PIMAGE_DATA_DIRECTORY)&(pimnt->OptionalHeader.DataDirectory);
    
        PIMAGE_OPTIONAL_HEADER pot=&(pimnt->OptionalHeader);
        PIMAGE_DATA_DIRECTORY pim2=(PIMAGE_DATA_DIRECTORY)((DWORD)pot+(DWORD)104);
        dwSizeofExportTable=pim2->Size;
        dwRelativeVirtualAddress=pim2->VirtualAddress;
        char *ascstr;
        PIMAGE_IMPORT_DESCRIPTOR pimexp=(PIMAGE_IMPORT_DESCRIPTOR)(pim2->VirtualAddress + (DWORD)pim);
        while(pimexp->Name)
        {
            ascstr=(char *)((DWORD)pim + (DWORD)pimexp->Name);
            if(_strcmpi(ascstr,UserDll) == 0)
            {
                break;
            }
            pimexp++;
        }
        PIMAGE_THUNK_DATA pname=(PIMAGE_THUNK_DATA)((DWORD)pim+(DWORD)pimexp->FirstThunk);
        LPDWORD lpdw=&(pname->u1.Function);
        DWORD dwError=0;
        DWORD OldProtect=0;
        while(pname->u1.Function)
        {
            if((DWORD)pname->u1.Function == (DWORD)pfn)
            {
                lpdw=&(pname->u1.Function);
    
                VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READWRITE,&OldProtect);
    
                pname->u1.Function=(DWORD)HookFunc;
    
                VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READONLY,&OldProtect);
    
                return pfn;
            }
            pname++;
    
        }
        return (TERMINATEPROCESS_PROC)0;
    }
    
    TERMINATEPROCESS_PROC CallHook(void) 
    {
        TERMINATEPROCESS_PROC AddOfTerminateProcess;
    
        HMODULE hm=GetModuleHandle(TEXT("Kernel32.dll"));
        TERMINATEPROCESS_PROC fp=(TERMINATEPROCESS_PROC)GetProcAddress(hm,"TerminateProcess");
        
         AddOfTerminateProcess= HookFunction("Kernel32.dll",fp,&MyTerminateProcess);
        
    	 if(AddOfTerminateProcess == 0)
        {
            MessageBox(NULL,TEXT("Unable TO Hook Function."),TEXT("Parth"),MB_OK);
        }
        else
        {
            MessageBox(NULL,TEXT("Success Hooked."),TEXT("Parth"),MB_OK);
        }
        return 0;
    }
    
    BOOL APIENTRY DllMain( HMODULE hModule,
                           DWORD  ul_reason_for_call,
                           LPVOID lpReserved
    					 )
    {
    	switch (ul_reason_for_call)
    	{
    	case DLL_PROCESS_ATTACH:
    	     CallHook();
    	   break;
    	case DLL_THREAD_ATTACH:
    	case DLL_THREAD_DETACH:
    	case DLL_PROCESS_DETACH:
    		break;
    	}
    	return TRUE;
    }
    Last edited by FL4SHC0D3R; December 14th, 2016 at 05:23 PM.
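
Added example, not code from the thread or its participants: the posted HookFunction reaches the import directory by adding the constant 104 to the optional-header address, which is the correct offset only for a 32-bit (PE32) image. The portable C below parses a constructed header buffer, derives the offset from the optional-header magic and bounds-checks every read; `find_import_dir`, `build_sample` and the sample values are hypothetical names introduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked little-endian read of w bytes; returns 0 if the field is outside the buffer. */
static int rd(const uint8_t *b, size_t n, size_t off, size_t w, uint32_t *v) {
    if (off > n || n - off < w) return 0;
    for (*v = 0; w--; ) *v |= (uint32_t)b[off + w] << (8 * w);
    return 1;
}
static void wr32(uint8_t *b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}

/* Locate DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; 0 on success, negative on malformed input. */
int find_import_dir(const uint8_t *img, size_t len, uint32_t *rva, uint32_t *size) {
    uint32_t mz, lfanew, sig, magic, count;
    if (!rd(img, len, 0, 2, &mz) || mz != 0x5A4D) return -1;              /* "MZ" */
    if (!rd(img, len, 0x3C, 4, &lfanew)) return -1;                       /* e_lfanew */
    if (!rd(img, len, lfanew, 4, &sig) || sig != 0x00004550) return -2;   /* "PE\0\0" */
    size_t opt = (size_t)lfanew + 4 + 20;    /* skip signature and IMAGE_FILE_HEADER */
    if (!rd(img, len, opt, 2, &magic)) return -3;
    size_t dirs;                             /* offset of DataDirectory[0] */
    if (magic == 0x10B) dirs = 96;           /* PE32: import entry at 96 + 8 = 104 */
    else if (magic == 0x20B) dirs = 112;     /* PE32+: import entry at 112 + 8 = 120 */
    else return -3;
    if (!rd(img, len, opt + dirs - 4, 4, &count) || count < 2) return -4; /* NumberOfRvaAndSizes */
    if (!rd(img, len, opt + dirs + 8, 4, rva) || !rd(img, len, opt + dirs + 12, 4, size)) return -4;
    return *rva ? 0 : -5;                    /* -5: no import directory */
}

/* Constructed sample: 512-byte header-only image with the given optional-header magic. */
size_t build_sample(uint8_t *buf, uint16_t magic, uint32_t imp_rva, uint32_t imp_size) {
    size_t lfanew = 0x80, opt = lfanew + 24, dirs = (magic == 0x20B) ? 112 : 96;
    memset(buf, 0, 512);
    wr32(buf, 0, 0x5A4D); wr32(buf, 0x3C, (uint32_t)lfanew);   /* "MZ", e_lfanew */
    wr32(buf, lfanew, 0x00004550);
    wr32(buf, opt, magic);
    wr32(buf, opt + dirs - 4, 16);
    wr32(buf, opt + dirs + 8, imp_rva); wr32(buf, opt + dirs + 12, imp_size);
    return 512;
}

int main(void) {
    uint8_t img[512]; uint32_t rva = 0, size = 0;
    int rc = find_import_dir(img, build_sample(img, 0x20B, 0x2000, 0x3C), &rva, &size);
    printf("rc=%d rva=0x%X size=0x%X\n", rc, (unsigned)rva, (unsigned)size);
    return rc;
}
```

In Windows code the same result comes from indexing `OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]` and using pointer-sized arithmetic instead of `DWORD` casts.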

  10. #10
    Join Date
    Apr 2014
    Posts
    61

    Re: IAT Hooking without success. Some help me please?

    I updated my code in my last answer. See.

  11. #11
    VictorN (Super Moderator, Power Poster)
    Join Date
    Jan 2003
    Location
    Hanover Germany
    Posts
    20,398

    Re: IAT Hooking without success. Some help me please?

    Quote Originally Posted by FL4SHC0D3R View Post
    I updated my code on last answer. See.
    But you are still calling MessageBox (indirectly) from within DllMain (case DLL_PROCESS_ATTACH).
    As 2kaud already mentioned in his post#2 you should not do it!
    Try some type of logging instead!
    Victor Nijegorodov

  12. #12
    2kaud (Super Moderator, Power Poster)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,825

    Re: IAT Hooking without success. Some help me please?

    All this code was adapted from here
    Yes, but that question was started because the posted code didn't work!
