
Some time ago I wrote an introductory article about hooks (what they are, why they are needed, a Hello World). The article was conceived as simple and minimalist, and that, it seems, is how it turned out. The only reproach I heard in the comments was: "Why use the Microsoft Detours library, which costs $10,000 for commercial use?" A fair remark. In this article I will give the same example using another library that costs about 20 times less (which is already quite reasonable): madCodeHook.
For a better understanding of this article, it is recommended to read the first part beforehand.
madCodeHook
A library with a rich past. Its first version came out back in 2000, was intended for use from Delphi, and could do little. In the following years, however, the author developed it considerably: he made an SDK for C++, implemented support for 64-bit systems and all versions of Windows from 9x to Win 8.1, added a driver for deploying hooks into every newly created process, and in general worked quite actively on the project (updates still come out regularly). Along the way, out of reluctance to help malware authors, the library lost its free version, but prices starting at 349 euros make it a real alternative to the unreasonably expensive Microsoft Detours, the low-comfort mhook, and the (in my experience) unstable EasyHook.
Limitations of the evaluation version
- No source code.
- No static linking available.
- The included mchEvaluation.exe application must be started manually.
- MadCHook.dll must be copied to System32
In general, nothing that critically interferes with studying the library. For a commercial product you need to buy a license in any case.
Recalling the task
In the first part of the article we used hooks to make the Mozilla Firefox browser, when opening Habr, write “Hello, Habr!” in its title bar. Firstly, I am too lazy to invent a new task, and secondly, it is more correct to implement the same thing again on top of another library: we can then compare development speed, code volume and code complexity. Besides, in the first part we already figured out where and which hooks need to be placed, so we save some time on that.
Practice
1. Download the latest version of madCodeHook and install it.
2. Create a solution in Visual Studio (I use VS 2010, but you can take another one) with two projects. The first is the library with the hook code, which we will inject into the browser process. The second is the injector application; its task is to push the library into the browser's address space.
- To create the first project: File -> New -> Project. Type Visual C++ -> Win32 -> Win32 Project. In the project creation dialog, specify the type “DLL”.
- To create the second project: File -> Add -> New Project. Type Visual C++ -> Win32 -> Win32 Console Application.
4. Drop a header file and a lib file from the madCodeHook SDK into our projects. With a default installation they are located at C:\Program Files (x86)\madCollection\madCodeHook\Dll. In the evaluation version only dynamic linking is available to us, so we take the files madCHook-dynamic.h and madCHook-dynamic-microsoft.lib; you can rename them to madCHook.h and madCHook.lib for brevity.
5. Write the code. Key points:
Injector code

```cpp
#include "stdafx.h"
#include <conio.h>
#include <windows.h>
#include <tlhelp32.h>
#include "madCHook.h"

// Finds the first process whose executable name matches and opens it with full access.
// Returns NULL if the process is not found or cannot be opened.
HANDLE GetProcessByName(PCWSTR name)
{
    DWORD pid = 0;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return NULL;

    PROCESSENTRY32W process;
    ZeroMemory(&process, sizeof(process));
    process.dwSize = sizeof(process);

    if (Process32FirstW(snapshot, &process))
    {
        do
        {
            if (_wcsicmp(process.szExeFile, name) == 0)
            {
                pid = process.th32ProcessID;
                break;
            }
        } while (Process32NextW(snapshot, &process));
    }
    CloseHandle(snapshot);

    if (pid != 0)
        return OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    return NULL;
}

int _tmain(int argc, _TCHAR* argv[])
{
    // Open the browser once and reuse the handle for both inject and uninject.
    HANDLE firefox = GetProcessByName(L"firefox.exe");
    if (firefox == NULL)
        return 1;

    // madCodeHook takes the process handle as a DWORD (32-bit build, as in the article).
    InjectLibraryW((DWORD)firefox, L"HookLib.dll");
    _getch();   // the hook stays active until a key is pressed
    UninjectLibraryW((DWORD)firefox, L"HookLib.dll");

    CloseHandle(firefox);
    return 0;
}
```
Library code with a hook (the substring searched for in the window title did not survive extraction; the value used below is an assumption)

```cpp
#include "stdafx.h"
#include <windows.h>
#include "madCHook.h"

// Pointer to the original SendMessageW; after HookAPI it points to madCodeHook's trampoline.
LRESULT (WINAPI * TrueSendMessageW)(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam) = SendMessageW;

// Substring identifying the Habr window title. The original literal was lost in extraction;
// this value is assumed.
static const wchar_t* HABR_TITLE_MARKER = L"Habr";

__declspec(dllexport) LRESULT WINAPI MySendMessageW(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    // WM_SETTEXT carries the new text in lParam; it may be NULL, so check before searching it.
    if (Msg == WM_SETTEXT && lParam != 0 &&
        wcsstr((LPCWSTR)lParam, HABR_TITLE_MARKER) != NULL)
    {
        return TrueSendMessageW(hWnd, Msg, wParam, (LPARAM)L"Hello, Habr!");
    }
    return TrueSendMessageW(hWnd, Msg, wParam, lParam);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Install the hook; TrueSendMessageW receives the address used to call the original.
        HookAPI("User32.dll", "SendMessageW", MySendMessageW, (PVOID*)&TrueSendMessageW);
        break;
    case DLL_PROCESS_DETACH:
        // Restore the original function when the library is unloaded.
        UnhookAPI((PVOID*)&TrueSendMessageW);
        break;
    }
    return TRUE;
}
```
The ready project is on GitHub.
6. Compile, run Firefox, run mchEvaluation.exe, launch the injector, and open Habr in the browser. Result:

Conclusions
In terms of convenience of working with the evaluation version, madCodeHook loses slightly to Microsoft Detours; the full-featured versions are roughly equal in this regard. madCodeHook requires even less code to write. madCodeHook includes a driver for injecting libraries system-wide (into all existing and new processes); with Detours this task has to be solved with your own service or driver. The speed and stability of the two libraries seemed similar to me. madCodeHook does not evoke the “enterprise” feeling of a Microsoft product, which is both good and bad: the author is easy to reach on the forum (which is good), but the site also says “I can go on vacation for 6 weeks at any time of the year” (which is bad). The madCodeHook community is concentrated on its own forum, while the Microsoft Detours community is scattered across Stack Overflow, wasm.ru and the MSDN forums and does not give a sense of cohesion.
In general, the madCodeHook library leaves a good impression; it can be used.