    #1
      Zuva (Newbie, "Learning to hack games!", Feeling Normal) | Join Date: Oct 2015 | Posts: 16 | Thanks (-->): 10 | Thanks (<--): 18

      VEH Hooking (aka PageGuard Hooking) - An In-depth Look

      John Kittz
      I recently saw @Kilo bring this up in the ChatBox and spent a lot of time figuring it all out. I've decided to create a further detailed tutorial so that everyone can benefit from it.

      VEH hooking is a method of hooking into your target program without having to modify any of its bytes, thus bypassing CRC checks. It's slow and cannot be used for hooks that would be called often, though it is extremely stealthy. It works by causing an exception at the desired soon-to-be-hooked address, and creating a hook within the exception handler. We cause the exception by changing the memory protection of the memory page where our desired hook address is located. (PAGE_GUARD & PAGE_NOACCESS are two memory protections that will cause an exception to be thrown whenever any of the code within the page is executed.) And the exception handler that we create, which is outside of our target program's code, catches the exception and checks to see if the address that's currently being executed is the one we want to hook. If it is, we change the EIP (instruction pointer) to point to our function instead. When our function is done, we JMP back to wherever we need to be.

      Here's an example of an allocated memory page. Let's say we want to create our hook at 0x08048fb7.

      [image: example memory page layout]

      With VirtualProtect() we can change that memory page's protection to include PAGE_GUARD, which will cause the exception STATUS_GUARD_PAGE_VIOLATION to be thrown whenever any of its memory is executed.

      However, as you can tell from MSDN, once the exception is thrown "the system also clears the PAGE_GUARD modifier, removing the memory page's guard page status." So we'll be constantly re-applying the PAGE_GUARD modifier in order to keep getting exceptions all throughout the page, to get to the address we're specifically after.

      Credits to Ch40zz from rohitlab. (I modified it as I saw needed.)


      #include <windows.h>

      // x86 (32-bit) build only: the CONTEXT fields used below are Eip/Esp; an x64 build would use Rip/Rsp instead.
      #define HOOK_ADDR 0x08048fb7 // Address we want to hook (example value from this post).

      DWORD dwJmpBack; // Where hkFunction JMPs back into the target program's code when it is done.

      __declspec(naked) void hkFunction(void) // Our hook. Naked, so no prologue/epilogue touches the target's registers or stack.
      {
          __asm {
              pushad                    // Preserve the registers while our own code runs.
              // ... hook logic goes here ...
              popad
              jmp dword ptr [dwJmpBack] // Back to wherever we need to be.
          }
      }

      // Note the name: defining a function called UnhandledExceptionFilter clashes with the kernel32 export of that name declared in windows.h.
      LONG CALLBACK VehHandler(EXCEPTION_POINTERS *pExceptionInfo)
      {
          if (pExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION) // True whenever any of our PAGE_GUARD'ed memory page is accessed.
          {
              if (pExceptionInfo->ContextRecord->Eip == HOOK_ADDR) // Is the instruction pointer at the place where we want to hook?
              {
                  // dwJmpBack = *(DWORD*)pExceptionInfo->ContextRecord->Esp; // Alternative: the return address at [ESP], when the hooked address is a function entry.
                  dwJmpBack = pExceptionInfo->ContextRecord->Eip + 5;        // Or just skip X number of bytes.
                  pExceptionInfo->ContextRecord->Eip = (DWORD)hkFunction;    // Point EIP to the hook.
              }

              pExceptionInfo->ContextRecord->EFlags |= 0x100; // Set the Trap Flag: exactly one instruction executes, then STATUS_SINGLE_STEP is thrown.

              return EXCEPTION_CONTINUE_EXECUTION; // The page is no longer PAGE_GUARD'ed when we return, so we rely on single stepping to re-apply it. (If we re-applied it here, we'd never move forward.)
          }

          if (pExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP) // Fires on the next instruction, where we re-apply PAGE_GUARD and repeat.
          {
              DWORD dwOld;
              VirtualProtect((void*)HOOK_ADDR, 1, PAGE_EXECUTE | PAGE_GUARD, &dwOld);

              return EXCEPTION_CONTINUE_EXECUTION;
          }

          return EXCEPTION_CONTINUE_SEARCH; // Not ours; let the next handler look at it.
      }

      void InstallHook(void)
      {
          DWORD dwOld;

          AddVectoredExceptionHandler(1, VehHandler); // Register our handler first (1 = call it before other handlers), so the very first guard page exception is caught.

          // Set the protection of whatever memory page HOOK_ADDR is located in to PAGE_EXECUTE & PAGE_GUARD,
          // which causes an exception for any address accessed in that page, including the one we're after.
          // (PAGE_EXECUTE has no read access; if the page's data is also read, keep its original protection, e.g. PAGE_EXECUTE_READ | PAGE_GUARD.)
          VirtualProtect((void*)HOOK_ADDR, 1, PAGE_EXECUTE | PAGE_GUARD, &dwOld);
      }

      Here's a visual of the EFlags register:

      [image: EFlags register layout]

      As you can see, the 8th bit activates the Trap Flag (Single-step interrupt).
      0x100 in binary is 000100000000. The bitwise OR operator (|) simply turns it on.

      For more information on using PAGE_NOACCESS to accomplish the same thing, check out DarkstaR's blogpost and example code.
      Last edited by Zuva; 10-09-2015 at 03:15 PM.

    #2
      Solaire (Respected Hacker, "PRAISE THE SUUUUUUUUUUUUUUN", Coding) | Join Date: Dec 2013 | Location: Undead Burg | Posts: 1,096 | Thanks (-->): 364 | Thanks (<--): 584
      Very good stuff, thanks for sharing!

      EDIT:
      Just finished reading the post and going through the code, and wow. That is a pretty cool way of doing things.

      EDITEDIT:
      +1 for The More You Know
      Last edited by Solaire; 10-09-2015 at 09:39 AM.

    #3
      till0sch (Global Moderator, "give me my colorz back", "FeelsBadMan", Coding) | Join Date: Oct 2012 | Location: Germany. | Posts: 1,167 | Thanks (-->): 179 | Thanks (<--): 338
      https://www.youtube.com/watch?v=CYqq9Ovz_9c

      thanks for sharing really informative!

    #4
      c5 (Kim Kong Trasher, "I don't have status.", Raging) | Join Date: Jul 2012 | Location: Mankei Iland | Posts: 1,221 | Thanks (-->): 97 | Thanks (<--): 491
      Neat, I also had an implementation of it in YUNOHook (PageBP) https://guidedhacking.com/showthread...6009#post36009

      I wouldn't say it's very sneaky, it's as sneaky as any other type of hook really. If they'd check for it, they'd find it really easily. It's easier to find than patched code for example since all you literally have to do in the most simple case is to virtualquery and check for page_guard or go over the exception handlers leading to your module, etc, countless ways.

      It's indeed slow when implemented that way on code but if you like to piddle in kernel, I recommend looking into IDT and PageFault for example.

      Solaire, Zuva, NTvalk thanked for this post
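The simple check c5 describes (walk a module with VirtualQuery and look for PAGE_GUARD), as an added example written for this page; it is not code from the thread or from YUNOHook. It assumes the scanned module is an ordinary PE image whose code pages are normally PAGE_EXECUTE_READ; the verdict names, the 0xFF mask used to isolate the access bits of Protect, and the classify_region/scan_module functions are this example's own. Beyond the armed PAGE_GUARD state it also flags the PAGE_NOACCESS variant the first post mentions and the PAGE_EXECUTE-only protection the posted VirtualProtect call leaves behind once the guard has auto-cleared. Walking the vectored handler list, which c5 also mentions, is not shown because it relies on undocumented ntdll structures.

```c
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Constants mirrored from winnt.h so the classifier compiles (and can be unit-tested)
   off Windows. Only the Windows build actually walks process memory. */
typedef unsigned long DWORD;
#define PAGE_NOACCESS          0x01
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#define MEM_COMMIT             0x1000
#define MEM_IMAGE              0x1000000
#endif

/* Verdict for one committed region of a loaded module's image (names are this example's own). */
enum region_verdict {
    REGION_OK = 0,
    REGION_GUARDED,      /* PAGE_GUARD set on image memory: a page-guard hook is armed right now */
    REGION_NOACCESS,     /* PAGE_NOACCESS on image memory: the PAGE_NOACCESS variant of the same trick */
    REGION_EXEC_NO_READ  /* PAGE_EXECUTE without read: what the posted VirtualProtect call leaves behind after the guard clears */
};

/* Classify a region from its VirtualQuery fields (State, Type, Protect). A pure function so it
   can be tested with constructed values; regions that are not committed image pages are ignored.
   The low byte of Protect holds the access class, the higher bits hold modifiers such as PAGE_GUARD. */
enum region_verdict classify_region(DWORD state, DWORD type, DWORD protect)
{
    if (state != MEM_COMMIT || type != MEM_IMAGE)
        return REGION_OK;
    if (protect & PAGE_GUARD)
        return REGION_GUARDED;
    if ((protect & 0xFF) == PAGE_NOACCESS)
        return REGION_NOACCESS;
    if ((protect & 0xFF) == PAGE_EXECUTE)
        return REGION_EXEC_NO_READ;
    return REGION_OK;   /* PAGE_EXECUTE_READ and friends are what a clean image looks like */
}

#ifdef _WIN32
/* Walk every region of a loaded module (base .. base + SizeOfImage) in the current process
   and count the ones that look tampered with. Another process would need VirtualQueryEx. */
int scan_module(HMODULE hModule)
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *base = (unsigned char *)hModule;
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)base;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(base + dos->e_lfanew);
    unsigned char *end = base + nt->OptionalHeader.SizeOfImage;
    unsigned char *p = base;
    int findings = 0;

    while (p < end && VirtualQuery(p, &mbi, sizeof(mbi)) == sizeof(mbi)) {
        enum region_verdict v = classify_region(mbi.State, mbi.Type, mbi.Protect);
        if (v != REGION_OK) {
            printf("suspicious region %p (%zu bytes): verdict %d, Protect=0x%lx\n",
                   mbi.BaseAddress, mbi.RegionSize, (int)v, mbi.Protect);
            findings++;
        }
        p = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return findings;
}

int main(void)
{
    /* Scan our own main module; a clean, unhooked process reports 0. */
    int n = scan_module(GetModuleHandle(NULL));
    printf("%d suspicious region(s)\n", n);
    return 0;
}
#endif
```

On Windows, build with cl and run it inside the process you want to check; the Windows-only part scans the executable's own image, so a clean process prints 0. This is the "most simple case" c5 refers to, and it also illustrates his point that the hook is easy to spot: the page protection itself is the tell.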
    #5
      Zuva (Newbie, "Learning to hack games!", Feeling Normal) | Join Date: Oct 2015 | Posts: 16 | Thanks (-->): 10 | Thanks (<--): 18
      Quote Originally Posted by c5:
      Neat, I also had an implementation of it in YUNOHook (PageBP) https://guidedhacking.com/showthread...6009#post36009

      I wouldn't say it's very sneaky, it's as sneaky as any other type of hook really. If they'd check for it, they'd find it really easily. It's easier to find than patched code for example since all you literally have to do in the most simple case is to virtualquery and check for page_guard or go over the exception handlers leading to your module, etc, countless ways.

      It's indeed slow when implemented that way on code but if you like to piddle in kernel, I recommend looking into IDT and PageFault for example.
      If you VEH hook VirtualQuery and VirtualQueryEx calls to never return PAGE_GUARD, and whatever else you need to hook, it can be quite stealthy.
      Last edited by Zuva; 10-09-2015 at 03:40 PM.

    #6
      Kilo (Coder, "Pimp ? 420 : 666;", Coding) | Join Date: Feb 2015 | Posts: 103 | Thanks (-->): 16 | Thanks (<--): 27
      I was literally asking about some insight on this yesterday. Thanks for sharing! Definitely going to take notes.
      e/ haha I missed the first line, thank you!
      Last edited by Kilo; 10-09-2015 at 05:20 PM.

    #7
      [GH]Rake (Administrator, "Hacked By Jesus", Reversing) | Join Date: Jan 2014 | Location: USA | Posts: 2,953 | Thanks (-->): 637 | Thanks (<--): 884
      Great post, thanks for making a tutorial and sharing it on GH

    #8
      -SoCal- (Newbie, "Learning to hack games!", Feeling Normal) | Join Date: Oct 2013 | Posts: 6 | Thanks (-->): 1 | Thanks (<--): 0

      Re: VEH Hooking (aka PageGuard Hooking) - An In-depth Look

      CheatTheGame
      So this only works on programs that use a 32-bit architecture, correct?
