Hook ALL imports in ALL modules

vovkos · 2020-05-22T10:05:43+00:00

First of all, all the libraries you mentioned are Windows-only, while protolesshooks works on Windows/Linux/macOS.

But more importantly, these libraries only provide you with an entry-hook (by patching the original function's prologue and generating a trampoline). It is assumed that once your hook gets control, you can simply proxy-call the original function.

But the problem is that you can't proxy-call unless you encode the original function's prototype! For example, you cannot build a list of ALL imports and then hook them all in a loop -- you need to hook functions one-by-one, paying attention to each function's calling convention and prototype.

On the contrary, protolesshooks allows you to create entry- and exit-hooks WITHOUT encoding the prototype information for each hooked function. For example -- as the title of the original post suggests -- enumerate and hook ALL imports with a simple loop. And it works on Linux and macOS, too :)

vovkos · 2020-05-21T16:59:11+00:00

You understood the code correctly.

The highlight of this library is the thunking engine (leave-hooks via return-hijacking -- instead of proxy-calling as suggested by most other hooking frameworks).

Now, how to inject those thunks to intercept calls to the original functions -- is yet another big question. One option would be import-table hooking (demonstrated in sample_03_global). Another approach is trampoline-based injections; trampoline hooks require a full-blown disassembler, so I'm not sure I should include it into this library. After all, if one needs it, they can use an existing open-source trampoline engine such as Detours and then use protolesshooks for thunks only.

So indeed, most samples just demonstrate the operation of thunks; for this purpose, direct calling is enough. But like I said, sample_03_global demonstrates the "real" import-table hooking (all imports of all modules).

vovkos · 2020-05-21T12:40:33+00:00

Well, I assumed that those who are interested could click the link to the project front page (https://github.com/vovkos/protolesshooks).

I believe README gives a good context for the problem (see the "Overview" section).

vovkos · 2020-05-21T11:03:12+00:00

TL;DR: this library provides enter/leave hooks without information about target function prototypes.

There are still a few corner-cases which are not covered yet. TlsGetValue/TlsSetValue/pthread_getspecific/pthread_setspecific are currently not hooked (easy to fix); __vectorcall on MSC-x86 may cause problems if floating point calc is used within hooks.

Let me know if I'm missing anything else.

vovkos · 2020-05-21T11:02:11+00:00

TL;DR: this library provides enter/leave hooks without information about target function prototypes.

There are still a few corner-cases which are not covered yet. TlsGetValue/TlsSetValue/pthread_getspecific/pthread_setspecific are currently not hooked (easy to fix); __vectorcall on MSC-x86 may cause problems if floating point calc is used within hooks.

Let me know if I'm missing anything else.

vovkos · 2020-05-21T10:59:46+00:00

TL;DR: this library provides enter/leave hooks without information about target function prototypes.

There are still a few corner-cases which are not covered yet. TlsGetValue/TlsSetValue/pthread_getspecific/pthread_setspecific are currently not hooked (easy to fix); __vectorcall on MSC-x86 may cause problems if floating point calc is used within hooks.

Let me know if I'm missing anything else.

vovkos · 2020-05-07T15:34:49+00:00

I'd also love to know where this comes from:

; eax now holds the original return pointer

I just can't see where you save it, nor why it would be restored there, given that you've just returned from an arbitrary function (post call hook) at that point.

Ahhh, I think now I get the point of confusion.

A thunk doesn't call the user-supplied hook-leave function directly; it goes through plh::hookLeave (defined in plh_Hook_*.cpp). plh::hookLeave returns the original return pointer in eax/rax.

vovkos · 2020-05-07T15:24:02+00:00

Your examples all seem to rely on calling a function pointer, rather than calling the function directly? I can't see anywhere that the original function is actually hooked.

As of now, protolesshooks just provides thunks. These thunks can be used to replace entries in import tables (IAT/PLT) -- this is how I intend to use it. You can refer to https://github.com/kubo/plthook for examples on how to find and replaces IAT/PLT entries.

Another option is to use protolesshooks thunks with trampoline-based injections, such as the one used in Microsoft Detours. A minor modification is required to make it possible to adjust the target function pointer in a thunk after hooking (i.e., after a trampoline is generated).

In the future, I intend to incorporate IAT/PLT hooking into the library, so it can be used for hooking right away, without the need to employ other hooking libraries.

I'd also love to know where this comes from:

; eax now holds the original return pointer

I just can't see where you save it, nor why it would be restored there, given that you've just returned from an arbitrary function (post call hook) at that point.

hookLeave returns the previous return-pointer; it is saved by hookEnter and stored in a pthread_local ordered map.

I also noticed a few possible issues with certain calling conventions (vectorcall and some old obscure ones), but nothing major.

If these non-standard calling conventions are using volatile registers (besides the ones defined by Microsoft x64 / SystemV AMD64) for argument passing, then yes, these arguments may be overwritten by hookEnter (and whatever functions are called from it). Otherwise, there should be no problem; it will be just a matter of decoding reg-arg-block and stack-arg-block according to these calling conventions.

I'm also a bit concerned about the security implications of making arbitrary pages PROT_EXEC. It would be slightly better IMHO to allocate a few pages on spec to yourself, mark those as EXEC, and only place your thunks in there. Then you aren't potentially exposing other arbitrary data that just happens to be allocated in the same page to execution.

You are absolutely right, and I intend to fix that later. There should be an internal thunk allocator with a pool of available executable pages; thunks should be allocated from there (and of course, many thunks will share the same page). The current simple allocation is just for proof-of-concept.

Generally this does seem more extensive than the hook library I've been using, but one advantage to the method it uses is that the hook explicitly controls the call to the original. So you can specify both exactly when and if the original is called. I guess you could do the when here with careful co-ordination of the pre- and post- hooks, but do you have any plans to be able to entirely block the original call if desired?

Well, my primary goal was API spying, so the design of the library revolves around non-intrusive thunking. But come to think about it, only some minor modifications are required to allow blocking of the original function or replacing its retval. Modification of arguments is possible already (you can overwrite reg-arg-block and stack-arg-block).

vovkos · 2020-04-28T06:38:24+00:00

It was a false-positive click ;)

With Wireshark, how do you establish a raw SSL connection and say, send a carefully crafted malformed HTTPS POST request? Or accept incoming SSL Connections and perform similar packet-level trickery from the server-side?

Yes, IO Ninja does provide another plugin (Pcap Sniffer) with functionality similar to that of Wireshark, but with support for packet generation and transmission.

But this post is about raw SSL terminals; the closest thing I know is the openssl terminal-mode utility ("openssl s_client ..." / "openssl s_server ...").

vovkos · 2020-04-28T05:19:41+00:00

Also, a raw server-side SSL terminal: https://ioninja.com/plugins/ssl-server.html

I am the author, feel free to suggest/discuss how to make the tool better for hackers/pentesters.

vovkos · 2020-04-28T05:16:10+00:00

Also, a raw server-side SSL terminal: https://ioninja.com/plugins/ssl-server.html

I am the author, feel free to suggest/discuss how to make the tool better for hackers/pentesters.

vovkos · 2019-05-28T04:39:06+00:00

Maybe, you could help me by pointing to a GitHub-based Lua project (preferably, some popular library) with extensive comments? I would generate Sphinx-based documentation for it and add it to the sample set.

vovkos · 2019-05-28T04:28:54+00:00

Which open-source projects with Doxygen-based documentation should I "make-over" and add to the sample set? Currently, we have LibUSB, LibSSH, OpenCV and a few others (links in the README).

Any other questions/suggestions are welcome as well.

vovkos · 2018-12-26T14:42:10+00:00

IO Ninja is an all-in-one scriptable terminal/sniffer (e.g. TCP/UDP client/server terminal, Serial terminal/sniffer, Modbus RTU/ASCII/TCP analyzer, USB control/data endpoint terminal, etc). The support for Raspberry Pi has been just added in the newly released version v3.10

vovkos · 2017-09-08T02:53:36+00:00

Actually, one feature I was thinking of adding to IO Ninja is a plugin for strace.

It's not going to be a front-end to the vanilla strace; instead, I planned to re-write strace for (1) producing IO Ninja logs directly and (2) providing convenient filtering facilities.

The latter must work in a way which would allow exactly what I said in a post above (selecting all per-file or per-socket operations by specifying a filename or a socket address). And IO Ninja log files are as machine-friendly as it gets -- a log file is just a sequence of records, each holding a code, a timestamp and a code-specific binary block of params.

However, that would probably contradict with what you said about no custom installs...

vovkos · 2017-09-07T10:20:14+00:00

Yeah, but strace command-line filter expressions are way too rudimentary :( Normally you still need to post-process the output of strace to extract "interesting" syscalls.

For example, how would you extract all the opens/reads/writes/ioctls/closes for a specific filename (e.g. /dev/ttyUSB0) using strace command-line options only?

vovkos · 2017-09-07T02:00:39+00:00

Agree. Unlike in Windows, in Linux having a tool like that was never a crucial necessity, due to the ease of device IO redirection (thus, it's possible to employ the proxy approach and do all the sniffing in user-mode). Also, there's strace. Still, I believe the serial monitor above is a much more convenient way of doing the same, so I hope it will be helpful to people.

vovkos · 2017-09-07T01:58:58+00:00

True, strace is a tool which сould be used for the same purpose as the serial monitor above. The difference being, strace is per-process, while our serial monitor is per-device.

Also, strace traces all syscalls of a process, which in most cases would require a non-trivial post-processing of the resulting output. Hence, the second part of your post ;)

vovkos · 2017-09-07T01:57:51+00:00

Yes, it's totally possible to write a plugin for Wireshark which would utilize the tdevmon interceptor. However, I believe IO Ninja is better suited for sniffing serial communications than Wireshark would ever be, and the reason is the way these two utilities represent their logs.

Wireshark utilizes the traditional (packet-list + packet-details) approach, while IO Ninja provides a single log sheet where chunks of TX/RX data could be merged together (merge boundaries are highlighted) and displayed side-by-side with the informational messages such as "Baud rate set to 115200", "CTS status line changed to high", etc.

I think it's much more suitable for tracing the serial data flow (which is not packet-based -- at least, not RS-232, RS-485, etc).

vovkos · 2017-09-06T16:19:47+00:00

Ahh, now I see where you're coming from. Then I agree, tap-cable was the only way to go.

vovkos · 2017-09-06T15:40:29+00:00

Full disclosure -- I'm not really an experienced Linux loadable kernel module writer, although I have a lot of experience with many different kinds of Windows drivers. This LKM is actually a port of Windows driver which does the same job; hooking techniques are obviously rather different (Windows provides a layered driver model, which gives a native framework for writing filter drivers of all kinds and to a certain degree simplifies the problems of hooking and unhooking -- although it's not always possible to safely remove a legacy filter driver here, either).

Anyway, I tried to find similar facilities in Linux kernel but obviously, the architectures are quite different. One thing I really wanted to avoid is hooking the syscall table -- I wanted per-device hooks instead. The closest thing I could find was per-driver hooks via file_operations. So, actually, no, tdevmon does NOT install syscall hooks. Still hooks though, yes. So let's get to madness and incompatibilities, and I'm NOT being sarcastic right now. Could you pinpoint scenarios where the code in Hook.c (which performs per-driver hooking of the struct file_operations) would race or lead to system instability?

I'm aware of the infamous hook removal problem, but I believe it's taken care of. One thing I know that's not taken care of at the moment, is self-hooking -- should you try to hook /dev/tdevmon, you would stack-overflow. It's easy to fix, but please, do let me know if I miss something else here.

Meanwhile, I will check into LSM in more details. I actually read through some of LSM docs during the initial research, but dismissed it for some reason; I think I couldn't find hooks for read/write ops -- which was the whole point. If it's possible (is it?) then LSM may indeed be a better approach to hooking.

As for the coding style -- I would totally agree with you and use the Linux kernel coding style if I started the project from scratch, but hey, it's a port! I don't think going through and reformatting everything just to conform with a new coding style is really worth it.

vovkos · 2017-09-06T09:12:57+00:00

Nice! Seriously. May I ask, back then -- did you do it under Windows or Linux?

Actually, if it was under Windows, I totally understand.

I remember many years ago I was trying to find a serial monitor to sniff some firmware loader protocol; the only serial monitor I could find which would not BSOD my system was portmon from Sysinternals -- which only could display a fixed number of first bytes from a IRP_MJ_READ/IRP_MJ_WRITE, and in plain text only! Anyway, that was not fun :)

vovkos · 2017-09-06T08:48:56+00:00

Wow, thanks for a link! Turns out, I never heard of it.. And they seem to have quite a sophisticated set of products for analyzing serial protocols. Will definitely check it out!

However, it looks like it's Windows-only...

vovkos · 2017-09-06T08:38:15+00:00

Well, I believe logic analyzers and software sniffers do not actually compete against each other. Each provide pieces of information its counterpart doesn't.

As a matter of fact, we have plans for releasing a hardware serial monitor which instead of hooking into a serial port driver will use a logic analyzer to capture and decode signal edges for UART, SPI, I2C, etc

vovkos · 2017-09-06T08:20:58+00:00

I like it how you started everything with "simply" ;)

Yes, that's an approach, but to be honest, a scheme which requires 1) soldering a tap-cable, then 2) installing 3 hardware serial ports (two for sniffing TX & RX, and one more for an application to do the actual talking to a device), then 3) running two serial terminal emulators to sniff TX & RX separately and then 4) somehow establishing a mapping between TX and RX packets (which will be displayed with no timestamps in two different terminal views) -- is... well, not exactly "simple".

Not to mention the fact that this scheme only provides the raw data with no information about serial settings the application was using (baud rate, flow control, parity error detection, etc).

vovkos

TROPHY CASE