LCF-AT, posted December 21, 2016:
Hi guys, I am looking for any API hook code / lib for MASM. So just wanna ask whether there is something to get or not. I can't find for example the MinHook lib, but only for C++ again and not for MASM, and before I start to write something by myself I'd better ask first, so maybe I can save the work for this. Maybe you know something I could use for MASM if there is something out. Thank you
Techlord, posted December 21, 2016 (edited):
Would this be useful for you? x86 Hooking Library written in MASM: https://gist.github.com/xibxor/5753207
EDIT: Found this as well... x86 hooking/detours macros and procedures written in MASM: https://gist.github.com/xibxor/5753292
Hope they help... Greetz
P.S.: Also attached a very old example I found lying on my PC (it uses Chinese fonts so some characters may appear odd on your PC but overall should be fine)... Attachment: 76580_HookAPILib.zip
Techlord, posted December 21, 2016 (edited):
Found another possibly better one just now. Please check the attachment (source code + library + include file in attachment)... Credits to original authors. Main thread relating to this can be found here and here. Good luck!
Also thought that I should add an excellent article from the Code Breaker's Journal titled "Hooking Windows API - Technics of hooking API functions on Windows", which, while @LCF-AT would already be familiar with it, would most undoubtedly be helpful to others who may come across this post. Other than for the first couple of pages, the article mainly focuses on hooking using ASM...
Attachments: 41232.rar, CBJ_1_2_2004_HolyFather_Hooking_Windows_API.pdf
LCF-AT (author), posted December 21, 2016:
Hi Techlord, thank you for checking and finding some stuff for me. OK, I have checked this but the stuff doesn't look good, especially the last one, 41232, is really bad and buggy too. So I think I have to create something by myself again. But thanks Techlord. greetz
evlncrn8, posted December 21, 2016:
Microsoft Detours is free for x86 afaik, for non-commercial use... there's the pro version with source too and x64, I'm sure you can find it
Techlord, posted December 21, 2016:
@LCF-AT: Since you'd insisted that you needed a MASM lib/hook code, my options became very restricted. If you ask me, my suggestions would be in this order: Madshi is one of the best though it's not "officially" free... Then MS Detours... Then EasyHook... I do not know why you specifically wanted only MASM libs, but generally speaking, since it's more flexible to code in C++, while I do have a ton of API hooking libs in my collection, very few of them are actually MASM libs and they are all C++ libs... In any case, good luck! Greetz
LCF-AT (author), posted December 22, 2016:
Hi again, thanks for the infos so far. So I have a new problem now. So I wanted to write something by myself using BeaEngine & the disasm function. For Bea I got the MASM lib and now I wanted to build a static lib for disasm.dll, but if I use it in my project then the created file gives a C++ Runtime Error R6034 out. So in the imports of the disasm file I see it's using the msvcrt80 dll, which I also have on my system, and I also can load the dll normally in Olly etc. So the question is why it's not working with my file? Just need to use the _Assemble@24 API only to assemble the ASCII commands I got back from Bea.

    includelib disasm.lib
    _Assemble@24 PROTO C cmd:DWORD,pi:DWORD,model:DWORD,attempt:DWORD,constsize:DWORD,errtext:DWORD

greetz
Techlord, posted December 22, 2016:
2 hours ago, LCF-AT said:
> For Bea I got the MASM lib and now I wanted to build a static lib for disasm.dll, but if I use it in my project then the created file gives a C++ Runtime Error R6034 out. So in the imports of the disasm file I see it's using the msvcrt80 dll, which I also have on my system, and I also can load the dll normally in Olly etc. So the question is why it's not working with my file?

Hi @LCF-AT: The R6034 error is thrown when your app attempts to load a C runtime lib without using a manifest...
Solution 1 (quoted from the Microsoft article):
> Rebuild your application to include a manifest. Building an application with Visual Studio automatically puts the manifest into the resulting .exe or .dll file. If you are building at the command line, use the mt.exe tool to add the manifest as a resource. Use resource ID 1 if you build an .exe, and resource ID 2 if you build a .dll. For more information, see How to: Embed a Manifest Inside a C/C++ Application.
Full article here.
Alternate Solution: The error is also thrown when your app attempts to load the C Runtime from 2 different locations... In your case, it may be trying to load msvcrt80.dll from a different folder than where you intended it to... So the solution (less elegant than the one above but easier) would be to change the path etc. so that your app looks for the runtime in the folder where you actually intend it to look. In your case, since you say that it runs correctly in Olly, then check where Olly is loading it from and then use the same runtime dll! Reference for Solution 2 here.
LCF-AT (author), posted December 25, 2016:
Hi again, short question. Did anyone work with the disasm.dll / lib & the functions disasm & assemble? So I tried this again and it seems to work on first view, but then I saw there is a problem with commands like jmp long xy, call xy, and I don't get the right ASCII string back in the struct.

    EDI 75658788    E9 7388DA8A    JMP 00401000
    EBX 00000000

    10001182 PUSH 0x4            ; full disasm
    10001184 PUSH 0x10014658     ; pointer to structure that receives result
    10001189 PUSH EBX            ; addr of command
    1000118A PUSH 0x400          ; length of struct
    1000118F PUSH EDI            ; addr to disassemble
    10001190 CALL 100073AE       ; disasm function

So as ASCII command I get this back... JMP 8ADA8878 ...and not JMP 401000. So what did I do wrong? I just want to get the commands 1:1 back as ASCII string. greetz
kao, posted December 25, 2016 (edited):
Read the manual and examples. Especially the part "3- How to decode bytes in an allocated buffer while keeping original virtual addresses?"
EDIT: looks like you're using some custom wrapper around the actual Disasm function, as the actual function doesn't take 5 arguments, but just one. So my previous advice might be irrelevant and the problem could be caused by your wrapper.
LCF-AT (author), posted December 25, 2016 (edited):
Hi kao, oh no, so I did mean the disasm function from disasm.dll from the OllyDbg site. I don't mean the function of BeaEngine. Problem is I need an API to decode / disasm a command and an API to assemble. BeaEngine is good of course but can't assemble. Also if I use Bea to decode and the disasm dll to assemble ASCII strings it doesn't work 100%, so some commands I get back from Bea the assemble function can't handle, like cmp eax, FFh, so there I get unknown command as error back. Now I tried just using disasm for both, to disasm & assemble commands, but now I got this address problem of jumps / calls etc. I also tried to debug Olly itself and checked the disasm export, but this seems to work differently from the disasm function from disasm.dll too. So the best would be just using one dll for both operations to prevent problems like I get if I use 2 different dlls & functions like Bea & disasm.dll, you know. Do you know any other dll that can handle both? Or maybe you could check this disasm.dll / disasm function from the OllyDbg function description about such addresses and how to get the commands 1:1 as ASCII back. greetz
EDIT: OK, I found the problem I made with the disasm function. So I just didn't use the same address where the command I want to disasm is stored (push ebx above / just need to use the same address on that parameter like I did for edi). Now it works, hey.
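The address problem from the two posts above, as an added example that is not part of the thread and not code from disasm.dll: a minimal decoder for E8/E9 rel32 branches showing why the "addr of command" argument (srcip in the Disasm call) must be the code's original virtual address. The bytes and addresses are the ones quoted in the post; the function names are made up here.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded form of one relative JMP/CALL: mnemonic and absolute target. */
typedef struct {
    const char *mnemonic;   /* "JMP" or "CALL", NULL if not an E8/E9 */
    uint32_t    target;     /* absolute target, wrapped to 32 bits like the CPU does */
    size_t      length;     /* instruction length in bytes (5) or 0 */
} rel_branch_t;

/* Decode an E9 (JMP rel32) or E8 (CALL rel32) at src.  srcip is the virtual
   address the bytes originally lived at.  The displacement is relative to the
   *next* instruction, so if srcip is 0 (or the address of a copy buffer) the
   computed target is wrong even though the bytes are decoded correctly. */
rel_branch_t decode_rel32(const uint8_t *src, size_t srcsize, uint32_t srcip)
{
    rel_branch_t r = { NULL, 0, 0 };
    if (srcsize < 5) return r;
    if (src[0] == 0xE9) r.mnemonic = "JMP";
    else if (src[0] == 0xE8) r.mnemonic = "CALL";
    else return r;
    /* little-endian rel32; unsigned modular add gives the same result as a signed add */
    uint32_t rel = (uint32_t)src[1] | ((uint32_t)src[2] << 8) |
                   ((uint32_t)src[3] << 16) | ((uint32_t)src[4] << 24);
    r.length = 5;
    r.target = srcip + 5u + rel;
    return r;
}

/* Format like the disassembler string quoted in the thread, e.g. "JMP 00401000". */
void format_rel32(const rel_branch_t *r, char *out, size_t outsize)
{
    if (r->mnemonic) snprintf(out, outsize, "%s %08X", r->mnemonic, r->target);
    else snprintf(out, outsize, "???");
}

int main(void)
{
    /* Bytes from the post: E9 73 88 DA 8A, originally located at 75658788. */
    static const uint8_t code[] = { 0xE9, 0x73, 0x88, 0xDA, 0x8A };
    char buf[32];
    rel_branch_t wrong = decode_rel32(code, sizeof code, 0u);          /* srcip = 0 (EBX in the post) */
    rel_branch_t right = decode_rel32(code, sizeof code, 0x75658788u); /* srcip = real address (EDI) */
    format_rel32(&wrong, buf, sizeof buf); printf("srcip=00000000 -> %s\n", buf); /* JMP 8ADA8878 */
    format_rel32(&right, buf, sizeof buf); printf("srcip=75658788 -> %s\n", buf); /* JMP 00401000 */
    return 0;
}
```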
LCF-AT (author), posted December 27, 2016:
Hi again, another question. So I got a problem using created static libs and using the functions of the lib + getting return values of a function after using it. Example: I have a lib of the disasm dll and I use some functions like the disasm function of this lib. The function has 5 parameters to push and inside of the API at the end the return value is set to return 14 (10 bytes for push parameters & 4 bytes for the call of the API = all fine so far). Now if I use the function in my WinASM project then I just call the function invoke ,1,2,3,4,5 and the proto of this function I added above with C before (without it, it doesn't work). After compiling I load the test file in Olly and check this API and call it and the stack is set same as before calling the API (all good so far), but right after the API comes the command add esp,14, same as in the API, but it's not needed and I have to manually set sub esp,14 after that API. So this sucks and I don't wanna do this each time for any APIs xy. So how can I disable this? Or something to prevent adding a restore-stack add esp,xy after a function of the lib I use? Does anyone know this? greetz
ragdog, posted December 27, 2016 (edited):
https://en.wikipedia.org/wiki/X86_calling_conventions