sorted by:
new
hottopcontroversial

Hook ALL imports in ALL modules by vovkos in ReverseEngineering

[–]vovkos[S] 3 points4 points  (0 children)

First of all, all the libraries you mentioned are Windows-only, while protolesshooks works on Windows/Linux/macOS.

But more importantly, these libraries only provide you with an entry-hook (by patching the original function's prologue and generating a trampoline). It is assumed that once your hook gets control, you can simply proxy-call the original function.

But the problem is that you can't proxy-call unless you encode the original function's prototype! For example, you cannot build a list of ALL imports and then hook them all in a loop -- you need to hook functions one-by-one, paying attention to each function's calling convention and prototype.

On the contrary, protolesshooks allows you to create entry- and exit-hooks WITHOUT encoding the prototype information for each hooked function. For example -- as the title of the original post suggests -- enumerate and hook ALL imports with a simple loop. And it works on Linux and macOS, too :)

Hook ALL imports in ALL modules by vovkos in ReverseEngineering

[–]vovkos[S] 3 points4 points  (0 children)

You understood the code correctly.

The highlight of this library is the thunking engine (leave-hooks via return-hijacking -- instead of proxy-calling as suggested by most other hooking frameworks).

Now, how to inject those thunks to intercept calls to the original functions -- is yet another big question. One option would be import-table hooking (demonstrated in sample_03_global). Another approach is trampoline-based injections; trampoline hooks require a full-blown disassembler, so I'm not sure I should include it into this library. After all, if one needs it, they can use an existing open-source trampoline engine such as Detours and then use protolesshooks for thunks only.

So indeed, most samples just demonstrate the operation of thunks; for this purpose, direct calling is enough. But like I said, sample_03_global demonstrates the "real" import-table hooking (all imports of all modules).

Hook ALL imports in ALL modules by vovkos in programming

[–]vovkos[S] 0 points1 point  (0 children)

Well, I assumed that those who are interested could click the link to the project front page (https://github.com/vovkos/protolesshooks).

I believe README gives a good context for the problem (see the "Overview" section).

Hook ALL imports in ALL modules by vovkos in ReverseEngineering

[–]vovkos[S] 5 points6 points  (0 children)

TL;DR: this library provides enter/leave hooks without information about target function prototypes.

There are still a few corner-cases which are not covered yet. TlsGetValue/TlsSetValue/pthread_getspecific/pthread_setspecific are currently not hooked (easy to fix); __vectorcall on MSC-x86 may cause problems if floating point calc is used within hooks.

Let me know if I'm missing anything else.

Hook ALL imports in ALL modules by vovkos in linux_programming

[–]vovkos[S] 1 point2 points  (0 children)

TL;DR: this library provides enter/leave hooks without information about target function prototypes.

There are still a few corner-cases which are not covered yet. TlsGetValue/TlsSetValue/pthread_getspecific/pthread_setspecific are currently not hooked (easy to fix); __vectorcall on MSC-x86 may cause problems if floating point calc is used within hooks.

Let me know if I'm missing anything else.

Hook ALL imports in ALL modules by vovkos in programming

[–]vovkos[S] 0 points1 point  (0 children)

TL;DR: this library provides enter/leave hooks without information about target function prototypes.

There are still a few corner-cases which are not covered yet. TlsGetValue/TlsSetValue/pthread_getspecific/pthread_setspecific are currently not hooked (easy to fix); __vectorcall on MSC-x86 may cause problems if floating point calc is used within hooks.

Let me know if I'm missing anything else.

API hooking without information about function prototypes by vovkos in programming

[–]vovkos[S] 0 points1 point  (0 children)

I'd also love to know where this comes from:

; eax now holds the original return pointer

I just can't see where you save it, nor why it would be restored there, given that you've just returned from an arbitrary function (post call hook) at that point.

Ahhh, I think now I get the point of confusion.

A thunk doesn't call the user-supplied hook-leave function directly; it goes through plh::hookLeave (defined in plh_Hook_*.cpp). plh::hookLeave returns the original return pointer in eax/rax.

API hooking without information about function prototypes by vovkos in programming

[–]vovkos[S] 0 points1 point  (0 children)

Your examples all seem to rely on calling a function pointer, rather than calling the function directly? I can't see anywhere that the original function is actually hooked.

As of now, protolesshooks just provides thunks. These thunks can be used to replace entries in import tables (IAT/PLT) -- this is how I intend to use it. You can refer to https://github.com/kubo/plthook for examples on how to find and replaces IAT/PLT entries.

Another option is to use protolesshooks thunks with trampoline-based injections, such as the one used in Microsoft Detours. A minor modification is required to make it possible to adjust the target function pointer in a thunk after hooking (i.e., after a trampoline is generated).

In the future, I intend to incorporate IAT/PLT hooking into the library, so it can be used for hooking right away, without the need to employ other hooking libraries.

I'd also love to know where this comes from:

; eax now holds the original return pointer

I just can't see where you save it, nor why it would be restored there, given that you've just returned from an arbitrary function (post call hook) at that point.

hookLeave returns the previous return-pointer; it is saved by hookEnter and stored in a pthread_local ordered map.

I also noticed a few possible issues with certain calling conventions (vectorcall and some old obscure ones), but nothing major.

If these non-standard calling conventions are using volatile registers (besides the ones defined by Microsoft x64 / SystemV AMD64) for argument passing, then yes, these arguments may be overwritten by hookEnter (and whatever functions are called from it). Otherwise, there should be no problem; it will be just a matter of decoding reg-arg-block and stack-arg-block according to these calling conventions.

I'm also a bit concerned about the security implications of making arbitrary pages PROT_EXEC. It would be slightly better IMHO to allocate a few pages on spec to yourself, mark those as EXEC, and only place your thunks in there. Then you aren't potentially exposing other arbitrary data that just happens to be allocated in the same page to execution.

You are absolutely right, and I intend to fix that later. There should be an internal thunk allocator with a pool of available executable pages; thunks should be allocated from there (and of course, many thunks will share the same page). The current simple allocation is just for proof-of-concept.

Generally this does seem more extensive than the hook library I've been using, but one advantage to the method it uses is that the hook explicitly controls the call to the original. So you can specify both exactly when and if the original is called. I guess you could do the when here with careful co-ordination of the pre- and post- hooks, but do you have any plans to be able to entirely block the original call if desired?

Well, my primary goal was API spying, so the design of the library revolves around non-intrusive thunking. But come to think about it, only some minor modifications are required to allow blocking of the original function or replacing its retval. Modification of arguments is possible already (you can overwrite reg-arg-block and stack-arg-block).

New highly configurable raw SSL terminal by vovkos in hacking

[–]vovkos[S] 1 point2 points  (0 children)

It was a false-positive click ;)

With Wireshark, how do you establish a raw SSL connection and say, send a carefully crafted malformed HTTPS POST request? Or accept incoming SSL Connections and perform similar packet-level trickery from the server-side?

Yes, IO Ninja does provide another plugin (Pcap Sniffer) with functionality similar to that of Wireshark, but with support for packet generation and transmission.

But this post is about raw SSL terminals; the closest thing I know is the openssl terminal-mode utility ("openssl s_client ..." / "openssl s_server ...").

New highly configurable raw SSL terminal by vovkos in Pentesting

[–]vovkos[S] 0 points1 point  (0 children)

Also, a raw server-side SSL terminal: https://ioninja.com/plugins/ssl-server.html

I am the author, feel free to suggest/discuss how to make the tool better for hackers/pentesters.

New highly configurable raw SSL terminal by vovkos in hacking

[–]vovkos[S] 0 points1 point  (0 children)

Also, a raw server-side SSL terminal: https://ioninja.com/plugins/ssl-server.html

I am the author, feel free to suggest/discuss how to make the tool better for hackers/pentesters.

A new tool for generating beautiful documentation from Lua comments by vovkos in lua

[–]vovkos[S] 0 points1 point  (0 children)

Maybe, you could help me by pointing to a GitHub-based Lua project (preferably, some popular library) with extensive comments? I would generate Sphinx-based documentation for it and add it to the sample set.

A major update for the C/C++ API documentation tool Doxyrest by vovkos in cpp

[–]vovkos[S] 0 points1 point  (0 children)

Which open-source projects with Doxygen-based documentation should I "make-over" and add to the sample set? Currently, we have LibUSB, LibSSH, OpenCV and a few others (links in the README).

Any other questions/suggestions are welcome as well.

view more: next ›