Pls, I seriously need help, MessageBox() hook fails.

Good day,
I tried to do some API hooking today for MessageBox(). I attempted something like this; it compiles, but it doesn't show the MessageBox that should display "Hooked". It's a program written in C. It compiles without problems but doesn't show my "Hooked" MessageBox.

Code looks like this
#include <stdio.h>
#include <windows.h>

typedef int oldMessageBox(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption, UINT uType);

BYTE hook[6];

void ApiHook(LPSTR Module,LPCSTR OldFunc,LPVOID NewFunc, unsigned char *backup)
{
  DWORD dwProtect;
  HINSTANCE hLib = LoadLibrary(Module);
  DWORD OldFuncAddr = (DWORD)GetProcAddress(hLib, OldFunc);
  DWORD NewFuncAddr = (DWORD)NewFunc;

  BYTE jmp[6] = {0xE9,0x00,0x00,0x00,0x00,0xC3};

  DWORD jmpAddr = (NewFuncAddr - OldFuncAddr) - 5;
  memcpy(&jmp[1],&jmpAddr,4);

  VirtualProtect((LPVOID)OldFuncAddr,6,PAGE_EXECUTE_READWRITE,&dwProtect);
  WriteProcessMemory(GetCurrentProcess(),(LPVOID)OldFuncAddr,jmp,6,0);
  VirtualProtect((LPVOID)OldFuncAddr,6,dwProtect,&dwProtect);

}

int newMessageBox(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption, UINT uType)
{
   MessageBoxA(0,"Hooked","Hooked",MB_ICONEXCLAMATION|MB_OK);
   //return oldMessageBox(hWnd,lpText,lpCaption,uType);
}


int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstace,LPSTR lpCmdLine,int nCmdShow)
{
   ApiHook("user32.dll","MessageBoxA",newMessageBox,hook);
}

Am I doing this wrongly? Please, I do need help.
closed account (13bSLyTq)
Hi,

I have found the error pertaining to your local hooking. As you see, you have successfully hooked MessageBoxA. No doubt about that; however, you did a byte-based hook where you changed the bytes of the prologue of MessageBoxA like so:

;MessageBoxA function
jmp [newMessageBox]
....
....
....


However since in your callback you are calling MessageBoxA(0,"Hooked","Hooked",MB_ICONEXCLAMATION|MB_OK);

It will simply jump into your jmp again and do an infinite loop, back and forth into the callback and back into the MessageBoxA function and vice versa. That's why your "hook" is failing, as you have not successfully left this loop. This is a basic error most hooking newbies make.
Thanks for the reply. To correct it, what do I do? Could you please help with the source code so I can see where my error is?
I would be glad.
closed account (13bSLyTq)
Hi,

I have prepared a new source-code, this works for me:

#include<Windows.h>
#include<iostream>
using namespace std;

typedef int (WINAPI* UnHookCallMsgBox)(HWND,LPCSTR,LPCSTR,UINT);

UnHookCallMsgBox msgBox;
int InstallHookSleep(LPVOID lpAddress, LPVOID lpCall)
{
        if(lpAddress == 0 || lpCall == 0) return 1; //Misc Checks

        DWORD dwOldProtection = 0; // Our Old Protection Holder

        VirtualProtect(lpAddress,10/*Size JMP*/,PAGE_EXECUTE_READWRITE,&dwOldProtection);

        *(BYTE*)(lpAddress) = 0xE9; /*JMP*/
        *(DWORD*)((LPBYTE)lpAddress + 1) = ((DWORD)lpCall - ((DWORD)lpAddress  + 5)); //Offset of Sleep() & callback.
        VirtualProtect(lpAddress,5,dwOldProtection,&dwOldProtection); //Reinforce the original protection for Sleep()
        return 0;
}

int WINAPI nNewMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{ 
//Simply recover the lost bytes 
    __asm mov edi, edi 
	msgBox(0,"Hooked","Hooked",MB_ICONEXCLAMATION|MB_OK);
	return 0;
}
int main()
{
	LPVOID Address = GetProcAddress(GetModuleHandle("User32.dll"), "MessageBoxA") ;
	DWORD UnhookAddress = (DWORD)Address+5;
	msgBox = (UnHookCallMsgBox)(LPVOID)UnhookAddress;
	InstallHookSleep((LPVOID)Address,(LPVOID)nNewMessageBox);
	MessageBoxA(0, 0, 0, 0);
	return 0;
}


If this still crashes, remove the __asm mov edi, edi, because some compiler settings optimize this code into the initial prologue of the function, so it can cause a crash. As far as this code goes, it's pretty self-explanatory, nothing too complicated that you have never seen or heard of.

I would recommend you check my blog about hooking; it has a lot of material pertaining to it: http://codeempire.blogspot.co.uk
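Added example, not part of any post in this thread: both replies above turn on the same five bytes, since the E9 rel32 jump overwrites the first five bytes of the function, so re-entering the original means running those displaced bytes elsewhere and continuing at function+5. The portable C model below works on a byte buffer with 32-bit addresses as in the thread; the names encode_jmp, jmp_target and build_trampoline and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5  /* E9 opcode + 32-bit relative displacement */

/* 32-bit hot-patch prologue: mov edi,edi / push ebp / mov ebp,esp */
static const uint8_t HOTPATCH[JMP_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

/* Encode "jmp rel32" placed at address `from` so that it lands on `to`. */
void encode_jmp(uint32_t from, uint32_t to, uint8_t out[JMP_LEN]) {
    uint32_t rel = to - (from + JMP_LEN);  /* relative to the next instruction */
    out[0] = 0xE9;
    memcpy(out + 1, &rel, 4);
}

/* Destination of the jump if the code at `at` starts with E9, else 0. */
uint32_t jmp_target(const uint8_t *code, uint32_t at) {
    uint32_t rel;
    if (code[0] != 0xE9) return 0;
    memcpy(&rel, code + 1, 4);
    return at + JMP_LEN + rel;
}

/* Trampoline = displaced prologue + jump back to func+5. Refuses any other
   prologue: an instruction could straddle the 5-byte cut. 0 on success. */
int build_trampoline(const uint8_t *func, uint32_t func_at,
                     uint32_t tramp_at, uint8_t tramp[2 * JMP_LEN]) {
    if (memcmp(func, HOTPATCH, JMP_LEN) != 0) return -1;
    memcpy(tramp, func, JMP_LEN);
    encode_jmp(tramp_at + JMP_LEN, func_at + JMP_LEN, tramp + JMP_LEN);
    return 0;
}

/* Constructed bytes and addresses; returns where the trampoline resumes. */
uint32_t demo(void) {
    uint8_t func[8] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x90, 0x90, 0xC3};
    uint8_t tramp[2 * JMP_LEN];
    uint32_t func_at = 0x75001000u, hook_at = 0x00401000u, tramp_at = 0x00500000u;
    if (build_trampoline(func, func_at, tramp_at, tramp) != 0) return 0;
    encode_jmp(func_at, hook_at, func);             /* patch the model copy */
    if (jmp_target(func, func_at) != hook_at) return 0;
    return jmp_target(tramp + JMP_LEN, tramp_at + JMP_LEN);
}

int main(void) {
    printf("trampoline resumes at 0x%08X\n", (unsigned)demo());
    return 0;
}
```

The same jmp_target check works as an integrity test: a non-zero result on a function's first bytes means its prologue has been redirected.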
OK brov, I worked on it again; it throws a different error:
LNK2019 : Unresolved External.

I am using Visual Studio 2012 Ultimate. What exactly could be wrong?
closed account (13bSLyTq)
You need to tell me what line and provide me with more code you used and more information.
Ok Good morning to you,

Here is what I tried that has been giving me that error. I tried linking to this MSVRCTD.lib; it threw this error back. Here is what the error looks like.
Error 1 error LNK2019: unresolved external symbol _xMessageBox referenced in function _newMessageBox
Error 2 error LNK2019: unresolved external symbol _main referenced in function ___tmainCRTStartup
Error 3 error LNK1120: 2 unresolved externals


And the code
#include <stdio.h>
#include <windows.h>

typedef int oldMessageBox(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption, UINT uType);
oldMessageBox xMessageBox;

BYTE hook[6];

void ApiHook(LPSTR Module,LPCSTR OldFunc,LPVOID NewFunc, unsigned char *backup)
{
  DWORD dwProtect;
  HINSTANCE hLib = LoadLibrary(Module);
  DWORD OldFuncAddr = (DWORD)GetProcAddress(hLib, OldFunc);
  DWORD NewFuncAddr = (DWORD)NewFunc;

  BYTE jmp[6] = {0xE9,0x00,0x00,0x00,0x00,0xC3};

  DWORD jmpAddr = (NewFuncAddr - OldFuncAddr) - 5;
  memcpy(&jmp[1],&jmpAddr,4);

  VirtualProtect((LPVOID)OldFuncAddr,6,PAGE_EXECUTE_READWRITE,&dwProtect);
  WriteProcessMemory(GetCurrentProcess(),(LPVOID)OldFuncAddr,jmp,6,0);
  VirtualProtect((LPVOID)OldFuncAddr,6,dwProtect,&dwProtect);

}

int newMessageBox(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption, UINT uType)
{
  _asm
{
mov edi, edi
} 

  xMessageBox(0,"Hooked","Hooked",MB_OK);
  return MessageBox(hWnd,lpText,lpCaption,uType);
}


int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstace,LPSTR lpCmdLine,int nCmdShow)
{
   ApiHook("user32.dll","MessageBoxA",newMessageBox,hook);
}

closed account (13bSLyTq)
Hi,

Try this:

#include <Windows.h>
#include <stdio.h>

typedef int (WINAPI* oldMessageBox)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
oldMessageBox xMessageBox;

BYTE hook[6];

void ApiHook(LPSTR Module, LPCSTR OldFunc, LPVOID NewFunc, unsigned char *backup)
{
	DWORD dwProtect;
	HINSTANCE hLib = LoadLibrary(Module);
	DWORD OldFuncAddr = (DWORD)GetProcAddress(hLib, OldFunc);
	DWORD NewFuncAddr = (DWORD)NewFunc;

	BYTE jmp[6] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0xC3 };

	DWORD jmpAddr = (NewFuncAddr - OldFuncAddr) - 5;
	memcpy(&jmp[1], &jmpAddr, 4);

	VirtualProtect((LPVOID)OldFuncAddr, 6, PAGE_EXECUTE_READWRITE, &dwProtect);
	WriteProcessMemory(GetCurrentProcess(), (LPVOID)OldFuncAddr, jmp, 6, 0);
	VirtualProtect((LPVOID)OldFuncAddr, 6, dwProtect, &dwProtect);

}

int newMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
	_asm
	{
		mov edi, edi
	}

	xMessageBox(0, "Hooked", "Hooked", MB_OK);
	return MessageBox(hWnd, lpText, lpCaption, uType);
}


int main()
{
	ApiHook("user32.dll", "MessageBoxA", newMessageBox, hook);
	MessageBox(0, 0, 0, 0);
}
The same, still has the same errors.
closed account (13bSLyTq)
It works on my PC. You need to give me the exact project settings or else it's not going to work.
I used Visual Studio. Or do you advise that I upload the main project and send it to you? But did you say it works?
closed account (13bSLyTq)
Yes, it's better if you upload it, and yeah, it works fine on my PC.
closed account (13bSLyTq)
You can inject this into pretty much any process if you have the correct permissions, usually Administrator. This is because a lot of processes tend to secure themselves effectively from injection by non-administrator users via ACLs and DACLs; this requires you to elevate your permissions via UAC. To learn how to do this, I suggest you read this on elevating during run-time: http://www.codeproject.com/Articles/320748/Haephrati-Elevating-during-runtime

I will still encourage you to NOT INJECT into these very important processes:

1. Winlogon.exe - Login Process! VERY IMPORTANT! DO NOT INJECT! WILL BSOD IF YOU CRASH IT
2. csrss.exe - Shutdown Process! VERY IMPORTANT! DO NOT INJECT! WILL BSOD IF YOU CRASH IT

Apart from this, don't try to inject into processes you cannot inject into, like these:

1. Anti-Virus solution - This will never work!

2. Google Chrome - I just about managed to inject into it! I used a different secret method to inject into it. But it is still possible if you plan on starting it up and then injecting into it using process pointers.

_________________________________________

Now let me explain why svchost.exe failed: if you have an Anti-Virus solution running, it tends to protect svchost.exe from injection, as svchost.exe is usually used by malware to hijack and zombify the process and use it to communicate with C&C.

I'd try disabling AV and then injecting into svchost.exe; it should, in my thought experiment, work. Else I think it's your injector, or (GOOD IDEA):

A better idea is to create a sample network application client and server using Winsock which uses send() to send messages across, then check if they are reaching the server. Then run the hook and in the callback change the message slightly or return 0 so that different results will pop up; thus you can check your hook without any tools.