
Sniffing specific Win32 API calls (system wide)

I need to catch specific Win32 API calls to winmm.dll (system wide). I'd appreciate any ideas,

Sincerely,
Vladip (mailto:vladip@usa.net)
1 Solution
 
fasterCommented:
One easy way is to get SoftICE from NuMega. It is a powerful debug tool that allows you to trace any API (and much more...)

http://www.numega.com
 
alexoCommented:
I think vladip wanted to do it programmatically.
 
nietodCommented:
Programmatically?  Easy, you write soft ice.
 
alexoCommented:
I remember seeing a description of how to do it.  Unfortunately, I lost the reference (sysinternals?)
 
vladipAuthor Commented:
I need to do the sniffing myself in my application, so it doesn't help too much that SoftICE is doing it.
The only solution I'm thinking about is to inject all processes with my DLL, which will sniff each process independently. But for that I need to be notified each time a process is going to be created. I don't know how to do it.
 
agreenCommented:
For hooking the process and thread creation or deletion see PMon http://www.sysinternals.com/ntpmon.htm
 
vladipAuthor Commented:
PMon is not good enough.
First, in order to inject a DLL I need to be called by the Loader BEFORE the application is started. And second, I need a solution for both 95 and NT.

Thanks for your help guys. Don't give up!!!!
 
nietodCommented:
>> The only solution I'm thinking about is to inject all processes with my dll
I'm not sure how that is going to help you.  I'm curious though.

If you use a system hook, set by SetWindowsHook(), you can get your DLL mapped into every process.  The event you hook doesn't matter and what you do to handle (ignore) the event doesn't matter.

Now this maps the DLL into the process after it loads, not before.  But I can't see how that matters.
 
nietodCommented:
A solution, sort of like the one employed by NuMega, is to replace the system DLLs with your own DLLs.  These new DLLs do your work and forward the call on to the original system DLLs.  To do this, you have to install your DLLs before Windows proper loads.  In 95 this can be done using a DOS program called from the autoexec (if you want to do this each time you boot), or by a DOS install program that is run from DOS compatibility mode.
 
nietodCommented:
Note to other experts:  This is in response to an e-mail sent to me by vladip.

>> I think that your idea (with WindowsHook) will work
Test it first, before you close this question.  

>>The only question I still have is how can I give you points for your answer
If you grade the question with an A - D, then the expert who has the question locked gets the points.  Currently that is faster.  If you want the points to go to a different expert, reject the current answer and ask the expert you want to get the points to submit a "dummy" answer.

>> (BTW how much points should I give for such answer)
You've already committed 200 points.  You can raise that if you wish, but you can't lower it.  If an expert answers a question that is at a particular point value, then they feel that it is worth that point value, so you are not obligated to raise the value.

Most importantly, always try to get a working solution before you accept an answer.
 
xyuCommented:
I've put a sample of intercepting an API call at
http://www.geocities.com/SiliconValley/1741/miscprog/intercept.zip...
and here is the listing:

/****************************************************************************/
/** intercept.cpp                                                          **/
/** ---------------------------------------------------------------------- **/
/** Example of interception of an API or any DLL function call             **/
/** ---------------------------------------------------------------------- **/
/** The method shown here may be very impressive in conjunction with       **/
/** CreateRemoteThread API                                                 **/
/** ---------------------------------------------------------------------- **/
/** July 23, 1998 by Oleg Kagan                                            **/
/****************************************************************************/

//============================================================================
#include <windows.h>
#include <stdlib.h>   // EXIT_SUCCESS / EXIT_FAILURE
#include <string.h>   // strlen, strncpy
#include <ctype.h>    // toupper, tolower

// Switch all optimizations off
// (Visual C specific... For any other compiler do the same thing)
//============================================================================
#pragma optimize("", off)

//============================================================================
// 32-bit only: pointers and IAT slots are assumed to be DWORD sized.
#define MakePtr(Type, Base, Offset) ((Type)((DWORD)(Base) + (DWORD)(Offset)))

//============================================================================
// Patch the import address table (IAT) of hLocalModule so that every call it
// makes to c_szDllName!c_szApiName lands in pApiNew instead. The address that
// was in the IAT is returned through p_pApiOrg. If pApiToChange is non-NULL it
// is used as the address to look for (this is how the hook is removed again).
BOOL InterceptDllCall(
    HMODULE     hLocalModule,
    const char* c_szDllName,
    const char* c_szApiName,
    PVOID       pApiNew,
    PVOID*      p_pApiOrg,
    PVOID       pApiToChange
){
    PIMAGE_DOS_HEADER        pDOSHeader = (PIMAGE_DOS_HEADER)hLocalModule;
    PIMAGE_NT_HEADERS        pNTHeader;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    DWORD                    dwImportRVA;
    DWORD                    dwProtect;
    DWORD                    dwAddressToIntercept;
    BOOL                     bSuccess = FALSE;

    if (pApiToChange) {
        dwAddressToIntercept = (DWORD)pApiToChange;
    }
    else {
        // Resolve the address the loader wrote into the IAT
        dwAddressToIntercept = (DWORD)GetProcAddress(
            GetModuleHandleA(c_szDllName), c_szApiName
        );
    }
    if (!dwAddressToIntercept) return FALSE;

    // Sanity-check the PE headers before walking them
    if (IsBadReadPtr(hLocalModule, sizeof(IMAGE_DOS_HEADER)))
        return FALSE;
    if (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;

    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDOSHeader, pDOSHeader->e_lfanew);
    if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)))
        return FALSE;
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    dwImportRVA = pNTHeader->OptionalHeader
                      .DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwImportRVA == 0)
        return FALSE;   // the module imports nothing, so there is no IAT to patch
    pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, hLocalModule, dwImportRVA);

    // One descriptor per imported DLL; FirstThunk points at the live IAT
    while (pImportDesc->Name) {
        PIMAGE_THUNK_DATA pThunk = MakePtr(
            PIMAGE_THUNK_DATA, hLocalModule, pImportDesc->FirstThunk
        );

        while (pThunk->u1.Function) {
            // pSlot is the IAT entry itself; that is what gets overwritten
            PDWORD pSlot = (PDWORD)&pThunk->u1.Function;

            if (*pSlot == dwAddressToIntercept) {
                if (!IsBadWritePtr(pSlot, sizeof(DWORD))) {
                    // The IAT page is already writable
                    if (p_pApiOrg)
                        *p_pApiOrg = (PVOID)*pSlot;
                    *pSlot = (DWORD)pApiNew;
                    bSuccess = TRUE;
                }
                else if (VirtualProtect(pSlot, sizeof(DWORD),
                                        PAGE_EXECUTE_READWRITE, &dwProtect)) {
                    DWORD dwOldProtect = dwProtect;

                    if (p_pApiOrg)
                        *p_pApiOrg = (PVOID)*pSlot;
                    *pSlot = (DWORD)pApiNew;
                    bSuccess = TRUE;

                    // Put the page protection back the way we found it
                    VirtualProtect(pSlot, sizeof(DWORD), dwOldProtect, &dwProtect);
                }
            }
            pThunk++;
        }
        pImportDesc++;
    }

    return bSuccess;
} /*InterceptDllCall*/

//============================================================================
BOOL Win32IsNT()
{
    static unsigned uIsNT = 2;   // 2 = not determined yet
    if (uIsNT > 1) {
        // Check NT or Win95/98
        //----------------------
        OSVERSIONINFO VersionInfo;
        VersionInfo.dwOSVersionInfoSize = sizeof(VersionInfo);
        GetVersionEx(&VersionInfo);

        uIsNT = (VersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
    }
    return (uIsNT != 0);
} /*Win32IsNT()*/

//============================================================================
// Alternate the case of each character so the effect of the hook is visible
void ChangeText(char* szText)
{
    size_t nLength = strlen(szText);
    for (size_t i = 0; i < nLength; ++i) {
        szText[i] = (char)((i % 2) ? tolower((unsigned char)szText[i])
                                   : toupper((unsigned char)szText[i]));
    }
} /*ChangeText(char*)*/

//============================================================================
// The pointer type must use the same (stdcall) calling convention as
// MessageBoxA itself, otherwise the stack is corrupted on every call.
typedef int (WINAPI *TMessageBoxFuncPtr)(HWND, LPCSTR, LPCSTR, UINT);
TMessageBoxFuncPtr p_fnMessageBoxOrg = NULL;

//============================================================================
int WINAPI MyMessageBox(
    HWND    hWnd,        // handle of owner window
    LPCSTR  lpText,      // address of text in message box
    LPCSTR  lpCaption,   // address of title of message box
    UINT    uType        // style of message box
){
    char szText[256], szCaption[256];

    if (!p_fnMessageBoxOrg) return 0;

    // Work on copies: the caller's strings may live in read-only memory
    strncpy(szText, lpText ? lpText : "", sizeof(szText) - 1);
    szText[sizeof(szText) - 1] = '\0';
    strncpy(szCaption, lpCaption ? lpCaption : "", sizeof(szCaption) - 1);
    szCaption[sizeof(szCaption) - 1] = '\0';
    ChangeText(szText);
    ChangeText(szCaption);

    return (*p_fnMessageBoxOrg)(hWnd, szText, szCaption, uType);
} /*MyMessageBox(HWND, LPCSTR, LPCSTR, UINT)*/

//============================================================================
extern "C" int WINAPI WinMain(
    HINSTANCE hInstance,          // handle to current instance
    HINSTANCE /*hPrevInstance*/,  // handle to previous instance
    LPSTR     /*szCmdLine*/,      // pointer to command line
    int       /*nCmdShow*/        // show state of window
){
    const char* c_szTitle = "API Call Interception";
    UINT uStyle = MB_OK | MB_ICONHAND | MB_SYSTEMMODAL;

    if (!Win32IsNT()) {
        MessageBoxA(
            NULL,
            "Sorry, but this example works under Microsoft Windows NT only",
            c_szTitle, uStyle
        );
        return EXIT_FAILURE;
    }

    MessageBoxA(NULL, "Here it is normal                 ", c_szTitle, uStyle);

    // Lets change it: redirect this module's MessageBoxA import to MyMessageBox
    //----------------
    InterceptDllCall(
        hInstance, "user32.dll", "MessageBoxA",
        (PVOID)&MyMessageBox, (PVOID*)&p_fnMessageBoxOrg,
        NULL
    );

    MessageBoxA(NULL, "Beware of the mad hackers         ", c_szTitle, uStyle);

    // Put the original address back (look for MyMessageBox in the IAT)
    InterceptDllCall(
        hInstance, "user32.dll", "MessageBoxA",
        (PVOID)p_fnMessageBoxOrg, NULL, (PVOID)&MyMessageBox
    );

    MessageBoxA(NULL, "Here it is almost normal again :)", c_szTitle, uStyle);

    return EXIT_SUCCESS;
} /*WinMain(HINSTANCE, HINSTANCE, LPSTR, int)*/

 
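Added example (mine, not part of the thread and not Oleg Kagan's code): the IAT walk that InterceptDllCall performs, re-created in portable C against a constructed 32-bit PE image so it compiles without windows.h, and turned round into the check a defender wants: any import slot whose address lies outside the exporting DLL's range [lo, hi) has been redirected somewhere else. The struct layouts mirror the SDK's IMAGE_* headers (only the fields used); the image, the user32 address range and the 0x10001000 hook address are all constructed.

```c
#include <stdint.h>
#include <string.h>
#pragma pack(push, 1)              /* field layouts mirror the SDK's IMAGE_* headers (used fields only) */
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } DosHdr;   /* 64 bytes */
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint32_t Signature; uint8_t file[20]; uint8_t opt[96]; DataDir dir[16]; } NtHdr32;
typedef struct { uint32_t OrigThunk, Stamp, Fwd, Name, FirstThunk; } ImportDesc;
#pragma pack(pop)
enum { DOS_SIG = 0x5A4D, NT_SIG = 0x00004550, DIR_IMPORT = 1 };

/* Walk the import table the way InterceptDllCall does. Returns -1 for a malformed image,
 * otherwise the number of IAT slots pointing outside [lo,hi); *total = slots examined. */
int iat_audit(const uint8_t *base, uint32_t lo, uint32_t hi, int *total)
{
    const DosHdr *dos = (const DosHdr *)base;
    if (dos->e_magic != DOS_SIG) return -1;
    const NtHdr32 *nt = (const NtHdr32 *)(base + dos->e_lfanew);
    if (nt->Signature != NT_SIG) return -1;
    uint32_t rva = nt->dir[DIR_IMPORT].VirtualAddress;
    if (rva == 0) return -1;                         /* no import directory: nothing to walk */
    int hooked = 0; *total = 0;
    for (const ImportDesc *d = (const ImportDesc *)(base + rva); d->Name; d++) {
        /* FirstThunk is the live IAT: the loader replaced each entry with a resolved address */
        for (const uint32_t *slot = (const uint32_t *)(base + d->FirstThunk); *slot; slot++) {
            (*total)++;
            if (*slot < lo || *slot >= hi) hooked++;  /* a patched slot leaves the DLL's range */
        }
    }
    return hooked;
}

/* Constructed 32-bit image: one descriptor for "user32.dll" with two IAT slots; the second
 * has been redirected to 0x10001000, a typical load address for an injected DLL. */
enum { RVA_NT = 0x80, RVA_DESC = 0x200, RVA_IAT = 0x280, RVA_NAME = 0x300 };
static uint8_t g_image[0x400];
uint8_t *build_image(void)
{
    memset(g_image, 0, sizeof g_image);
    DosHdr *dos = (DosHdr *)g_image;
    dos->e_magic = DOS_SIG; dos->e_lfanew = RVA_NT;
    NtHdr32 *nt = (NtHdr32 *)(g_image + RVA_NT);
    nt->Signature = NT_SIG;
    nt->dir[DIR_IMPORT].VirtualAddress = RVA_DESC;
    nt->dir[DIR_IMPORT].Size = 2 * sizeof(ImportDesc); /* descriptor + all-zero terminator */
    ImportDesc *d = (ImportDesc *)(g_image + RVA_DESC);
    d->Name = RVA_NAME; d->FirstThunk = RVA_IAT;
    memcpy(g_image + RVA_NAME, "user32.dll", 11);
    uint32_t *iat = (uint32_t *)(g_image + RVA_IAT);
    iat[0] = 0x77D5ABCDu; iat[1] = 0x10001000u;      /* genuine user32 address, then the hooked slot */
    return g_image;
}
```

On a real process the same walk runs over each loaded module's base address, with [lo, hi) taken from the exporting DLL's own load address and SizeOfImage.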
xyuCommented:
System wide injection is coming soon as a DLL with a function like:

BOOL InjectDllIntoProcess(
    HPROCESS hProcess, // Process to inject into :)
    const wchar_t* c_wszDllToInject, // name of the DLL that contains your code
    const wchar_t* c_wszStartupFunction // name of the void WINAPI Foo(HPROCESS hProcess) function that is going to receive control
);

 
xyuCommented:
vladip... I did it... I can send You a DLL that can help You to inject Your DLL into any process and intercept any API... so afterwards You just need to intercept LoadLibrary and/or CreateProcess, etc. APIs and "infect" the resulting modules again :)
I'm still working on a simple tool to do system wide "infection" :) but You can make Your own using the tools I developed already... it's easy :) give me Your email and I'll send it to You

Good Luck
