API Hooking

 

API Hooking is a hacking technique that steals an API call during normal operation. A simple API Hooking program can be build using the functionality provided by Pydbg.

API Hooking

API Hooking can be used to store data in the Notepad program. Let’s make a program that swaps out the user-created content. When you click the "Save" button to create a Notepad file, the content changes. In this case, the user wrote “love” in Notepad, but “hate” is stored in the file.

Import utils, sys from pydbg import * from pydbg.defines import *   ‘’’ BOOL WINAPI WriteFile(   _In_         HANDLE hFile,   _In_         LPCVOID lpBuffer,   _In_         DWORD nNumberOfBytesToWrite,   _Out_opt_    LPDWORD lpNumberOfBytesWritten,   _Inout_opt_  LPOVERLAPPED lpOverlapped ); ‘’’ dbg = pydbg() isProcess = False   orgPattern = "love" repPattern = "hate" processName = "notepad.exe"   def replaceString(dbg, args):                                                                                 #(1)     buffer = dbg.read_process_memory(args[1], args[2])                                           #(2)       if orgPattern in buffer:                                                                                     #(3)         print "[APIHooking] Before : %s" % buffer         buffer = buffer.replace(orgPattern, repPattern)                                                #(4)         replace = dbg.write_process_memory(args[1], buffer)                                      #(5)         print "[APIHooking] After : %s" % dbg.read_process_memory(args[1], args[2])       return DBG_CONTINUE   for(pid, name) in dbg.enumerate_processes():                                                          #(6)     if name.lower() == processName :           isProcess = True         hooks = utils.hook_container()                  dbg.attach(pid)                                                                                         #(7)         print "Saves a process handle in self.h_process of pid[%d]" % pid           hookAddress = dbg.func_resolve_debuggee("kernel32.dll", "WriteFile")                #(8)           if hookAddress:             hooks.add(dbg, hookAddress, 5, replaceString, None)                                  #(9)             print "sets a breakpoint at the designated address : 0x%08x" % hookAddress             break         else:             print "[Error] : couldn't resolve hook address"             sys.exit(-1)   if isProcess:     print "waiting for occurring debugger event"     dbg.run()                                                                                                      #(10) else:     print "[Error] : There in no process [%s]" % ProcessName     sys.exit(-1)

APIHooking.py

The APIHooking.py program is used to learn about the API hooking technique through Pydbg. The Pydbg module is internally implemented with the ctype that calls the Win32 API. A programmer can easily use functions provided by Pydbg.

(1) Callback Function Declaration: Declare the callback function that is to be called when a Debug Event occurs. The hooking code is inside of this function.

(2) Reading Memory Value: Read a certain length of data in a specified address. This value is stored in memory and is written to a file. (kernel32.ReadProcessMemory)

(3) Checking Pattern in Memory Value: Check the desired pattern that is to be changed in the memory value

(4) Changing of the Value: The hacker changes the value when the desired pattern is detected.

(5) Writing Memory Value: Save the changed value in memory. "love" has been changed to "hate" in memory. (kernel32.WriteProcessMemory)

(6) Getting Process ID List: Get a list of all the Process IDs running on the Windows operating system. (kernel32.CreateToolhelp32Snapshot)

(7) Obtaining Process Handle: Get a handle and store it in the class. The operating system provides a process with a handle to use resources. (kernel32.OpenProcess, kernel32.DebugActiveProcess)

(8) Obtaining the Address of the Function to Install a Breakpoint: Use the handle to investigate the value of the memory of the process. Locate the Win32 API function returns the address you want

(9) Set Breakpoint: Set a breakpoint in the target function and register a callback function to handle when a debug event occurs.

(10) Starting Debug: waiting for a debug event in an endless loop, if the Event has occurred, call the callback function.

It is a simple example, but if you expand the callback function, it can be used in a variety of fields. If you set a breakpoint on a function in particular to process the input data​​, the callback function stores the password in a separate file, and another hacking program can send the file to a third site.

TIP

• Handle If you want to handle the resources with the Win32 API on a Windows operating system, first, you should know the handle pointing to the physical address of that resource. The physical address where the resource is located may vary according to the time, and it is possible to conveniently use Windows resources through an intermediate medium handle.

The result of the program is as follows.

User Input Screen	The file that is actually stored

Results for APIHooking.py