• Amused
  • Angry
  • Annoyed
  • Awesome
  • Bemused
  • Cocky
  • Cool
  • Crazy
  • Crying
  • Down
  • Drunk
  • Embarrased
  • Enraged
  • Friendly
  • Geeky
  • Godly
  • Happy
  • Hateful
  • Hungry
  • Innocent
  • Meh
  • Piratey
  • Poorly
  • Sad
  • Secret
  • Shy
  • Sneaky
  • Tired
  • Wtf
  • At Work
  • CodenzHub
  • Coding
  • Deejaying
  • Donating
  • Drinking
  • Eating
  • Editing
  • Hacking
  • Hate Mailing
  • Jamin'
  • Lagging
  • Live Streaming
  • Lurking
  • No Status
  • Pawning
  • PC Gaming
  • PS Gaming
  • Raging
  • Reversing
  • Sleeping
  • Steam Gaming
  • Trolling
  • TwitchStreamer
  • Vodka!
  • Watching TV/Movie
  • Xbox Gaming
  • Youtuber
  • Zombies
  • Page 1 of 2 12 LastLast
    Results 1 to 10 of 15
    1. #1
      Hacker
      ^.^
       
      Eating
       
      NTvalk's Avatar
      Join Date
      Jul 2013
      Location
      Your RAM
      Posts
      512
      Thanks (-->)
      176
      Thanks (<--)
      145

      Cool Hooking tutorial (Vtable/JMP/UNIX/etc)

      John Kittz
      HALLO, some people had questions about hooking so i decided to write a tutorial covering the basics, it was too long to post here so i had to create a page. If there is a way to extend the limit of characters that would be nice so i could post it here instead.
      Anyway here it is
      It covers Vtable hooking, normal JMP hooking, hooking in UNIX(linux/mac),using MS-Detours and Mhook, and i will maybe also add IAT hooking. it also has a few examples.
      You can c/p alot of code but sometimes u need to change a few things to apply it to game hacking, also not all code is tested 100%.



      Oftentimes, it can be useful to modify the behavior of an application without making extensive changes to the source code of the application. Specifically, one might want to intercept calls of certain functions to execute custom code before or after the execution of the original code, or one might want to retrieve or modify the parameters passed to a function. For example, it might be necessary to instrument the application for performance analysis or to add additional features to a program. In these cases when one does not have the source code available for the program, it is still possible to modify the code. Here i will present the techniques i use for the different operating systems.
      Please note that i don't claim that these techniques are the best solutions for all cases.

      Appendix A: Windows DLL Injection
      Appendix B: Import Address Table Hooking (IAT)
      Appendix C: MS-Detours 1.5 (Direct3d)
      Appendix D: virtual table patching
      Appendix E: Example : hiding process(es) under windows

      §1 Shared Libraries &amp; Injection/Loading

      Shared libraries are code objects that may be loaded during execution into the memory space associated with a process. Library code may be shared in memory by multiple processes as well as on disk. If virtual memory is used, processes execute the same physical page of RAM, mapped into the different address spaces of each process. This has advantages. For instance on some systems, applications were often only a few hundred kilobytes in size and loaded quickly; the majority of their code was located in libraries that had already been loaded for other purposes by the operating system.

      To change code in another process we must load our own shared library in the address space of the other process. On UNIX platforms (Linux/MAC-OSX) this can be achieved using the LD_PRELOAD environment variable, which instructs the loader to load the specific shared libraries. Function and other symbol definitions in the specified libraries will be used instead of the original ones.
      However on Windows systems there is no such thing as LD_PRELOAD, to achieve the same result we must use a little exploit called DLL Injection (On Windows shared libraries are .DLL's, on Linux .so's and on MAC-OSX .dylib's). See Appendix A below for more information.

      §2 Hooking/Detouring function calls

      §2.1 UNIX/Linux

      UNIX offers a simple way to override functions in a shared library with the LD_PRELOAD environment variable. When you make a twin brother of a function that is defined in an existing shared library, put it in your shared library, and you register your shared library name in DYLD_INSERT_LIBRARIES, your function is used instead of the original one. It is exactly the same as MAC-OSX (see below) but use LD_PRELOAD instead of DYLD_INSERT_LIBRARIES .

      §2.2 MAC-OSX

      Since MAC-OSX is also UNIX based it's almost exactly the same as in Linux, only they have renamed LD_PRELOAD to DYLD_INSERT_LIBRARIES and .so to .dylib. In this example I've detoured fopen from a test program. In 2003 Jonathan Rentzsch showed ways of detouring in MAC-OSX and released mach_star, but this method is way easier.

      The dummy program:

      Just a simple program that calls fopen.

      int main(int argc, char** argv) {
      printf("original program start\n");
      FILE* fileptr = fopen("hey.txt", "w"); // create a new file
      fclose(fileptr);
      printf("original program quit");
      return 0;
      }


      Our detour library:
      This function will get called instead of the original one (see the intro), but we still need to call the original afterwards that's what we use dlsym for.


      #include &lt;stdio.h&gt;
      #include &lt;dlfcn.h&gt;
      FILE* fopen(const char *path, const char *mode)
      {
      printf("Detoured fopen\n");
      FILE* (*real_fopen)(const char*, const char*) =
      (FILE* (*)(const char*, const char*)) dlsym(RTLD_NEXT, "fopen");
      return real_fopen (path, "r"); // note r instead of w, this will prevent the program from creating files
      }


      Compiling the library:

      gcc -fno-common -c fopenwrap.c
      gcc -dynamiclib -o libhook.dylib fopenwrap.o


      Running the program with DYLD_INSERT_LIBRARIES.

      DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=libhook.dylib ./DummyFopen

      You also need to define DYLD_FORCE_FLAT_NAMESPACE (doesn't matter what value it has).You can use the same technique to override a method in a class. Say there's a method named "libfff" in a class AAA.

      class AAA
      {
      public:
      int m;
      AAA(){m = 1234;}
      void libfff(int a);
      };

      To override it, you first need to know the mangled symbol name of the method.

      $ nm somelibrary.dylib | grep "T "
      00000ed6 T __ZN3AAA3fffEi
      Then what you need to define is _ZN3AAA3fffEi. Don't forget removing the first '_'. If you see multiple symbols in the shared library and not sure which one to override, you can check it by de-mangling a symbol.
      $ c++filt __ZN3AAA3fffEi
      AAA::libfff(int)

      Now we can detour it like this.

      #include &lt;stdio.h&gt;
      #include &lt;dlfcn.h&gt;
      #include &lt;unistd.h&gt;
      typedef void (*AAAlibfffType)(AAA*, int);
      static void (*real_AAAlibfff)(AAA*, int);
      extern "C"{
      void _ZN3AAA3fffEi(AAA* a, int b){
      printf("--------AAA::libfff--------");
      printf("%d, %d", b, a-&gt;m);
      void* handle = dlopen("sharedlib.dylib", RTLD_NOW);
      real_AAAlibfff = (AAAfffType)dlsym(handle, "_ZN3AAA3fffEi");
      if (real_AAAlibfff) printf("OK");
      real_AAAlibfff(a, b);
      }
      }

      §2.3 Microsoft Windows

      This is the framework of a standard API hook. All of this resides in a DLL that will be injected into a process. For this example, I chose to hook the MessageBoxW function. Once this DLL is injected, it will get the address of the MessageBoXW function from user32.dll, and then the hooking begins. In the BeginRedirect function, an unconditional relative jump (JMP) opcode (0xE9) instruction will contain the distance to jump to. The source is fully commented.

      #include &lt;windows.h&gt;
      #define SIZE 6
      typedef int (WINAPI *pMessageBoxW)(HWND, LPCWSTR, LPCWSTR, UINT); // Messagebox protoype
      int WINAPI MyMessageBoxW(HWND, LPCWSTR, LPCWSTR, UINT); // Our detour
      void BeginRedirect(LPVOID);
      pMessageBoxW pOrigMBAddress = NULL; // address of original
      BYTE oldBytes[SIZE] = {0}; // backup
      BYTE JMP[SIZE] = {0}; // 6 byte JMP instruction
      DWORD oldProtect, myProtect = PAGE_EXECUTE_READWRITE;
      INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
      {
      switch(Reason)
      {
      case DLL_PROCESS_ATTACH: // if attached
      pOrigMBAddress = (pMessageBoxW)
      GetProcAddress(GetModuleHandle("user32.dll"), // get address of original
      "MessageBoxW");
      if(pOrigMBAddress != NULL)
      BeginRedirect(MyMessageBoxW); // start detouring
      break;
      case DLL_PROCESS_DETACH:
      memcpy(pOrigMBAddress, oldBytes, SIZE); // restore backup
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
      break;
      }
      return TRUE;
      }
      void BeginRedirect(LPVOID newFunction)
      {
      BYTE tempJMP[SIZE] = {0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3}; // 0xE9 = JMP 0x90 = NOP oxC3 = RET
      memcpy(JMP, tempJMP, SIZE); // store jmp instruction to JMP
      DWORD JMPSize = ((DWORD)newFunction - (DWORD)pOrigMBAddress - 5); // calculate jump distance
      VirtualProtect((LPVOID)pOrigMBAddress, SIZE, // assign read write protection
      PAGE_EXECUTE_READWRITE, &amp;oldProtect);
      memcpy(oldBytes, pOrigMBAddress, SIZE); // make backup
      memcpy(&amp;JMP[1], &amp;JMPSize, 4); // fill the nop's with the jump distance (JMP,distance(4bytes),RET)
      memcpy(pOrigMBAddress, JMP, SIZE); // set jump instruction at the beginning of the original function
      VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL); // reset protection
      }
      int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uiType)
      {
      VirtualProtect((LPVOID)pOrigMBAddress, SIZE, myProtect, NULL); // assign read write protection
      memcpy(pOrigMBAddress, oldBytes, SIZE); // restore backup
      int retValue = MessageBoxW(hWnd, lpText, lpCaption, uiType); // get return value of original function
      memcpy(pOrigMBAddress, JMP, SIZE); // set the jump instruction again
      VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL); // reset protection
      return retValue; // return original return value
      }

      The reason why we restore the backup before getting the return value is because if we don't do it we will get an infinite loop, we call a function that jumps to the function that calls the function again etc etc.. If you change the parameters of the call to MessageBoxW inside MyMessageBoxW every messagebox that the DLL is injected to will have those parameters. See appendix C for the MS-Detours method which is way easier and recommended.
      See the diagram:

      Appendix A: Windows DLL injection

      NOTE: the easy way is at the end of this appendix, i will start with the hardcore method first.
      Welcome to appendix A, here i will explain how to make another process load our DLL. What we do is allocate a chunk of memory in the target process with our assembly function which calls LoadLibrary, we also need to allocate space for our DLL path name. Next we suspend the main thread of our target and modify the register that holds the next instruction to be executed. Than we patch our allocated function to return/call the right addresses. When we are done we resume the main thread.

      #define PROC_NAME lorem.exe // block A-1
      #define DLL_NAME ipsum.dll

      // main()
      void *dllString, *vfunc;
      unsigned long ulproc_id, threadID, funcLen, oldIP, oldprot, loadLibAddy;
      HANDLE hProcess, hThread;
      CONTEXT ctx;

      funcLen = (unsigned long)loadDll_end - (unsigned long)loadDll;
      loadLibAddy = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

      // This code is pretty straightforward
      ulproc_id = GetProcIdFromName(PROC_NAME); // see A-4
      hProcess = OpenProcess((PROCESS_VM_WRITE | PROCESS_VM_OPERATION), false, ulproc_id);
      vdllString = VirtualAllocEx(hProcess, NULL, (strlen(DLL_NAME) + 1), MEM_COMMIT, PAGE_READWRITE);
      vfunc = VirtualAllocEx(hProcess, NULL, funclen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      WriteProcessMemory(hProcess, vdllString, DLL_NAME, strlen(DLL_NAME), NULL);

      To continue we'll need a handle to a thread in the process, to achieve this one can use this function show in block A-2.

      unsigned long GetThreadFromProc(char *procName) { // block A-2
      PROCESSENTRY32 pe;
      HANDLE thSnapshot, hProcess;
      BOOL retval, ProcFound = false;
      unsigned long pTID, threadID;
      thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if(thSnapshot == INVALID_HANDLE_VALUE) {
      MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
      return false;
      }
      pe.dwSize = sizeof(PROCESSENTRY32);
      retval = Process32First(thSnapshot, &amp;pe);
      while(retval) {
      if(StrStrI(pe.szExeFile, procName) ) {
      ProcFound = true;
      break;
      }
      retval = Process32Next(thSnapshot,&amp;pe);
      pe.dwSize = sizeof(PROCESSENTRY32);
      }
      CloseHandle(thSnapshot);
      _asm {
      mov eax, fs:[0x18]
      add eax, 36
      mov [pTID], eax
      }
      hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID);
      ReadProcessMemory(hProcess, (const void *)pTID, &amp;threadID, 4, NULL);
      CloseHandle(hProcess);
      return threadID;
      }

      This is a prototype for the function we are going to allocate in the target process which will call loadlibrary, the addresses are left blank because we patch them later on when we have the right values.

      __declspec(naked) loadDll(void) { // prototype function
      _asm{
      push 0xFFFFFFFF // Placeholder for the return address
      // Save the flags and registers
      pushfd
      pushad
      push 0xFFFFFFFF // Placeholder for the string address
      mov eax, 0xFFFFFFFF // Placeholder for loadlibrary
      call eax // Call LoadLibrary with the string parameter
      // Restore the registers and flags
      popad
      popfd
      ret
      }
      }
      __declspec(naked) loadDll_end(void){
      }

      Now, we need to pause the thread in order to get it's "context". The context of a thread is the current state of all of it's registers, as well as other peripheral information. However, we're mostly concerned with the EIP register, which points to the next instruction to be executed. So, if we don't suspend the thread before retrieving its context information, it'll continue executing and by the time we get the information, it'll be invalid. Once we've paused the thread, we'll retrieve it's context information using the GetThreadContext() function. We'll grab the value of the current next instruction to be executed, so that we know where our function should return to. Then it's just a matter of patching up the function to have all of the proper pointers, and forcing the thread to execute it. (A-3)

      unsigned long threadID; // block A-3
      HANDLE hThread;
      threadID = GetThreadIdFromProc(PROC_NAME);
      hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, threadID);
      SuspendThread(hThread);

      ctx.ContextFlags = CONTEXT_CONTROL;
      GetThreadContext(hThread, &amp;ctx);
      oldIP = ctx.Eip;

      //Set the EIP of the context to the address of our stub
      ctx.Eip = (DWORD)stub;
      ctx.ContextFlags = CONTEXT_CONTROL;
      // patch the prototype
      VirtualProtect(loadDll, funclen, PAGE_EXECUTE_READWRITE, &amp;oldprot);
      //Patch the first push instruction
      memcpy((void *)((unsigned long)loadDll + 1), &amp;oldIP, 4);
      //Patch the 2nd push instruction
      memcpy((void *)((unsigned long)loadDll + 8), &amp;dllString, 4);
      //Patch the mov eax, 0xDEADBEEF to mov eax, LoadLibrary
      memcpy((void *)((unsigned long)loadDll + 13), &amp;loadLibAddy, 4);

      WriteProcessMemory(hProcess, vfunc, loadDll, funcLen, NULL);
      //Set the new context of the target's thread
      SetThreadContext(hThread, &amp;ctx);
      //Let the target thread continue execution, starting at our function
      ResumeThread(hThread);
      // clean up
      Sleep(8000);

      VirtualFreeEx(hProcess, dllString, strlen(DLL_NAME), MEM_DECOMMIT);
      VirtualFreeEx(hProcess, stub, stubLen, MEM_DECOMMIT);
      CloseHandle(hProcess);
      CloseHandle(hThread);

      unsigned long GetProcIdFromName(char *procName) { // block A-4
      PROCESSENTRY32 pe;
      HANDLE thSnapshot;
      BOOL retval, ProcFound = false;
      thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if(thSnapshot == INVALID_HANDLE_VALUE) {
      MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
      return false;
      }
      pe.dwSize = sizeof(PROCESSENTRY32);
      retval = Process32First(thSnapshot, &amp;pe);
      while(retval) {
      if(StrStrI(pe.szExeFile, procName) ) {
      ProcFound = true;
      break;
      }
      retval = Process32Next(thSnapshot,&amp;pe);
      pe.dwSize = sizeof(PROCESSENTRY32);
      }
      CloseHandle(thSnapshot);
      return pe.th32ProcessID;
      }

      There is another way using the CreateRemoteThread call. It is extremely easy, and relatively efficient. Before starting though, it is important to actually find the process to inject into. The Windows API provides a great function for doing this – CreateToolhelp32Snapshot.

      #undef UNICODE
      #include &lt;vector&gt;
      #include &lt;string&gt;
      #include &lt;windows.h&gt;
      #include &lt;Tlhelp32.h&gt;
      using std::vector;
      using std::string;
      int main(void) {
      vector&lt;string&gt;processNames;
      PROCESSENTRY32 pe32;
      pe32.dwSize = sizeof(PROCESSENTRY32);
      HANDLE hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
      BOOL bProcess = Process32First(hTool32, &amp;pe32);
      if(bProcess == TRUE) {
      while((Process32Next(hTool32, &amp;pe32)) == TRUE)
      processNames.push_back(pe32.szExeFile); // store every process name
      }
      CloseHandle(hTool32);
      return 0;
      }

      I didn’t bother storing the value after I called Process32First because that will always be “[System Process]”, so there’s really no need. Process32Next returns TRUE on success, so just simply putting it in a loop and pushing the name of the process it received in a vector is what is needed. Once the loop is finished, every single process should be stored in processNames. This is great and all, but where does the DLL injection come in? Well, the PROCESSENTRY32 structure also has a member that holds the Process ID. Inside that loop, while we’re pushing the process names in our vector, we’re also going to inject the DLL.

      while((Process32Next(hTool32, &amp;pe32)) == TRUE) {
      processNames.push_back(pe32.szExeFile);
      if(strcmp(pe32.szExeFile, "notepad.exe") == 0) // if we found our target process
      {
      char* DirPath = new char[MAX_PATH];
      char* FullPath = new char[MAX_PATH];
      GetCurrentDirectory(MAX_PATH, DirPath); // get current directory
      sprintf_s(FullPath, MAX_PATH, "%s\\testdll.dll", DirPath); // append our dll to the current directory
      HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
      PROCESS_VM_WRITE, FALSE, pe32.th32ProcessID); // open process with extended access
      LPVOID LoadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),
      "LoadLibraryA"); // get address of loadlibrary
      LPVOID LLParam = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(FullPath),
      MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); // allocate some space for the dll path we made
      WriteProcessMemory(hProcess, LLParam, FullPath, strlen(FullPath), NULL); // write path to process
      CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddr, // create new thread and call loadlibrary with our dll path as parameter
      LLParam, NULL, NULL);
      CloseHandle(hProcess);
      delete [] DirPath; // clean up
      delete [] FullPath;
      }

      The code above is pretty straightforward, we first get the current directory and append our dll name to it so we can later allocate it in the target process memory. Then we create a new thread which calls loadlibrary with our dll path as parameter.

      Appendix B: Import Address Table (IAT) Hooking

      Appendix C: MS-Detours 1.5 (Direct3d)

      First of all you need to make sure you have MS-Detours 1.5 downloaded and added the corresponding files to your project. I am using version 1.5 because it's the simplest to use, and it does the job nicely.
      There is one important function we are going to use, its called DetourFunction. First we are going to need a typedef of the function we are going to hook (endscene in this case, since it gets called AFTER the drawing so we can add code right before that).

      #pragma comment(lib, "d3d9.lib")
      #pragma comment(lib, "d3dx9.lib")
      // not the device is a parameter you can check this by reversing the calls of a real d3d program
      typedef HRESULT(WINAPI* tEndScene)(LPDIRECT3DDEVICE9 pDevice);
      tEndScene oEndScene = NULL;

      Now to actually hook endscene we need to retrieve the address of the original function, this can be done in two ways, the first way is to reverse a sample direct3d program to find the address of the endscene call and add that to the module base of d3d9.dll. And the second way is to use the GetProcAddress function. The problem with the first way is that it is platform dependent, the address is different on 64bit Windows from the 32bit version.

      HMODULE hd3d9 = GetModuleHandle("d3d9.dll");
      // detourfunction from ms-detours, the first parameter is the original address and the second is our detour function
      oEndScene = (tEndScene)DetourFunction( (LPBYTE)GetProcAddress(hd3d9, "EndScene" ), (LPBYTE)&amp;mEndScene);
      // where our detour function would look something like this
      HRESULT WINAPI hkEndScene(LPDIRECT3DDEVICE9 pDevice){
      // do evil
      return oEndScene(pDevice);
      }

      What we did here is retrieve the address with GetProcAddress and pass it as the first parameter, the second parameter is a pointer to our own detour function (hkEndScene). Now you can add drawing function to the original program, benchmarking programs make good use of this.

      Appendix D: Virtual Table (Vtable) Patching

      Whenever a class defines a virtual function (or method), most compilers add a hidden member variable to the class which points to a so called virtual method table (VMT or Vtable). This VMT is basically an array of pointers to (virtual) functions. At runtime these pointers will be set to point to the right function, because at compile time, it is not yet known if the base function is to be called or a derived one implemented by a class that inherits from the base class. The code below shows an example of a VMT hook, if you want to implement this in direct3d you need to create a new device, and use that to replace the original function in the original device.

      class VirtualTable { // example class
      public:
      virtual void VirtualFunction01( void );
      };
      void VirtualTable::VirtualFunction01( void ) { // just a function as example
      cout &lt;&lt; "VirtualFunction01 called" &lt;&lt; endl;
      }
      // pointer to original function
      typedef void ( __thiscall* VirtualFunction01_t )( void* thisptr );
      VirtualFunction01_t g_org_VirtualFunction01;
      //our detour function
      void __fastcall hk_VirtualFunction01( void* thisptr, int edx ) {
      cout &lt;&lt; "Custom function called" &lt;&lt; endl;
      //call the original function
      g_org_VirtualFunction01(thisptr);
      }
      int _tmain(int argc, _TCHAR* argv[]) {
      VirtualTable* myTable = new VirtualTable();
      //get the pointer to the actual virtual method table from our pointer to our class instance
      void** base = *(void***)myTable;
      DWORD oldProtection;
      // protection
      VirtualProtect( &amp;base[0], 4, PAGE_EXECUTE_READWRITE, &amp;oldProtection );
      //save the original function
      g_org_VirtualFunction01 = (VirtualFunction01_t)base[0];
      //overwrite
      base[0] = &amp;hk_VirtualFunction01;
      //restore page protection
      VirtualProtect( &amp;base[0], 4, oldProtection, 0 );
      //call the virtual function (now hooked) from our class instance
      myTable-&gt;VirtualFunction01();
      return 0;
      }

      Appendix E: Example : Hiding process under Windows

      In this example i will show how one can hook the system call that retrieves the list of processes and modify it so it will skip our process. For this i will use the mhook library but you can also use any other hooking method described in this article. The system call that the task manager uses to retrieve the list of processes is called NtQuerySystemInformation msdn. On msdn we can also find the appropriate structures needed for this call.

      enum SYSTEM_INFORMATION_CLASS
      {
      SystemProcessInformation = 5
      };
      struct SYS_PROCESS_INFO
      {
      ULONG NextEntryOffset; // next entry
      ULONG NumberOfThreads;
      LARGE_INTEGER Reserved[3];
      LARGE_INTEGER CreateTime;
      LARGE_INTEGER UserTime;
      LARGE_INTEGER KernelTime;
      UNICODE_STRING ImageName; // Process name
      };
      NTSTATUS (__stdcall *origNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); // original functon pointer

      Now all is left is define our detour function and use mhook to hook it.
      First i will show our detour function.

      NTSTATUS WINAPI myNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SysInfoClass, PVOID SysInfo, ULONG SysInfoLength, PULONG RetLength)
      {
      NTSTATUS Return = origNtQuerySystemInformation(SysInfoClass, SysInfo, SysInfoLength, RetLength);
      if((SysInfoClass == SystemProcessInformation) &amp;&amp; (Return == STATUS_SUCCESS))
      {
      SYS_PROCESS_INFO* CurrentStructure = (SYS_PROCESS_INFO*)SysInfo;
      SYS_PROCESS_INFO* NextStructure = (SYS_PROCESS_INFO*)((int)CurrentStructure + CurrentStructure-&gt;NextEntryOffset);
      while(CurrentStructure-&gt;NextEntryOffset != 0){
      if((wcsncmp(NextStructure-&gt;ImageName.Buffer, L"explorer.exe", NextStructure-&gt;ImageName.Length) == 0) || ((wcsncmp(NextStructure-&gt;ImageName.Buffer, L"notepad.exe", NextStructure-&gt;ImageName.Length) == 0)))
      {
      if(NextStructure-&gt;NextEntryOffset == 0) {
      CurrentStructure-&gt;NextEntryOffset = 0;
      }
      else {
      CurrentStructure-&gt;NextEntryOffset = CurrentStructure-&gt;NextEntryOffset + NextStructure-&gt;NextEntryOffset;
      NextStructure = CurrentStructure;
      }
      }
      CurrentStructure = NextStructure;
      NextStructure = (SYS_PROCESS_INFO*)((int)CurrentStructure + CurrentStructure-&gt;NextEntryOffset);
      }
      }
      return Return;
      }

      What we basically do here is create a loop that checks every process name, once we found our process name we skip our process and return the original call (without our process). Now we hook it using mhook.

      HMODULE hNTDLL = NULL;
      while(hNTDLL == NULL) {
      hNTDLL = GetModuleHandle("ntdll.dll");
      }
      origNtQuerySystemInformation = (NTSTATUS (__stdcall*)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG))GetProcAddress(hNTDLL, "NtQuerySystemInformation");
      Mhook_SetHook((PVOID*)&amp;origNtQuerySystemInformation, myNtQuerySystemInformation);
      Last edited by Spock; 11-28-2013 at 01:49 PM.

    2. Thanks N/A, Liduen, Fleep, TastyHorror, squeenie, Marcus, Truth, pet29 thanked for this post
    3. #2
      Learning to hack games!
       
      Feeling Normal
       
      's Avatar
      Join Date
      Jan 1970
      Posts
      0
      Thanks (-->)
      294
      Thanks (<--)
      328
      Nicely done. Thanks for sharing!

    4. Thanks kess thanked for this post
    5. #3
      Hacker
      shell toes yes
       
      Lagging
       
      squeenie's Avatar
      Join Date
      Mar 2013
      Posts
      717
      Thanks (-->)
      598
      Thanks (<--)
      221
      All I see is blog not found ;(

    6. #4
      Hacker
      ^.^
       
      Eating
       
      NTvalk's Avatar
      Join Date
      Jul 2013
      Location
      Your RAM
      Posts
      512
      Thanks (-->)
      176
      Thanks (<--)
      145
      Quote Originally Posted by squeenie View Post
      All I see is blog not found ;(
      Should be fixed now

      EDIT: thanks to agent smith u can read it here now too
      Last edited by NTvalk; 11-28-2013 at 01:52 PM.

    7. #5
      Hacker
      Turning to page 394...
       
      Coding
       
      Liduen's Avatar
      Join Date
      May 2013
      Location
      Germany
      Posts
      713
      Thanks (-->)
      161
      Thanks (<--)
      225
      Thanks for sharing mate!!!
      Exactly what I was looking for
      My contributions
      UrbanTerror | OpenGL - ModelLogger | Polymorphic junk code | Tutorial/Article Collection
      Admiring technological singularity

    8. #6
      Hacker
      ^.^
       
      Eating
       
      NTvalk's Avatar
      Join Date
      Jul 2013
      Location
      Your RAM
      Posts
      512
      Thanks (-->)
      176
      Thanks (<--)
      145
      Quote Originally Posted by Liduen View Post
      Thanks for sharing mate!!!
      Exactly what I was looking for
      No problem glad i helped.

    9. #7
      Learning to hack games!
       
      Feeling Normal
       
      's Avatar
      Join Date
      Jan 1970
      Posts
      0
      Thanks (-->)
      294
      Thanks (<--)
      328
      Is what I added correct or do you want to change some stuff?

    10. #8
      Hacker
      ^.^
       
      Eating
       
      NTvalk's Avatar
      Join Date
      Jul 2013
      Location
      Your RAM
      Posts
      512
      Thanks (-->)
      176
      Thanks (<--)
      145
      Quote Originally Posted by Agent Smith View Post
      Is what I added correct or do you want to change some stuff?
      Its correct i'll tell you on skype about updates. thanks.

    11. #9
      Hacker
      Learning to hack games!
       
      Pawning
       
      Fleep's Avatar
      Join Date
      May 2012
      Posts
      626
      Thanks (-->)
      208
      Thanks (<--)
      727
      Great article, thanks for sharing!

      Fleep

    12. #10
      Coder
      Creating UE3 x86/x64 tut
       
      Coding
       
      TastyHorror's Avatar
      Join Date
      Oct 2012
      Location
      Canada
      Posts
      184
      Thanks (-->)
      54
      Thanks (<--)
      81
      Cheats'n'Trainers
      Bookmarked, will have to check this out later. Looks good btw, thanks for sharing.
      Quote Originally Posted by squeenie View Post
      And just like Jesus did on easter Monday, he returns!

    Page 1 of 2 12 LastLast

    Similar Game Hacker Threads

    1. [VideoTutorial] C++ Mid Function Hooking Codecaving Tutorial DIFFICULTY [6/10]
      By Fleep in forum GH Hack Video Tutorials
      Replies: 53
      Last Post: 09-08-2015, 01:58 AM
    2. [Help] C++ Mid Function Hooking/Codecaving Tutorial
      By Brackston in forum GH Tutorials Help
      Replies: 12
      Last Post: 12-04-2013, 03:19 PM
    3. [Tutorial] vTable Hooking / VMT hooking
      By c5 in forum Game Hacking Tutorials
      Replies: 4
      Last Post: 11-06-2013, 12:25 AM
    4. Hooking with detours tutorial
      By konsowa in forum Tutorials and Snippets
      Replies: 18
      Last Post: 09-24-2012, 11:44 AM

    Tags for this Thread