Hooking Example (case 2. class method hooking)


This is an example of hooking a C++ class method.
There are not many examples of hooking C++ class methods around, so here is one.

The target class:
class TestClass {
public:
    int myPrintf(const std::string & id, const int & value);
};


Hook code (compiled into a shared object and loaded with LD_PRELOAD):

#include <dlfcn.h>    // dlsym, RTLD_NEXT (needs _GNU_SOURCE, which g++ defines by default)
#include <cstring>    // memcpy
#include <string>

int TestClass::myPrintf(const std::string & id, const int & value) {
    typedef int (TestClass::*HookFunction)(const std::string & id, const int & value);
    static HookFunction orgMethod = 0;
    if (orgMethod == 0) {
        // Look up the original method by its mangled symbol name ("Mangling Name" is a
        // placeholder; take the real name from `nm target | grep myPrintf`).
        void *tmpPtr = dlsym(RTLD_NEXT, "Mangling Name");
        if (tmpPtr == 0) {
            return -1;    // symbol not found (wrong mangled name): nothing to forward to
        }
        // Copy the raw address into the first word of the member-function pointer.
        // This relies on the Itanium C++ ABI layout and only works for non-virtual methods.
        memcpy(&orgMethod, &tmpPtr, sizeof(void *));
    }

    // hook logic goes here, then forward to the original method through `this`
    int orgRetValue;
    orgRetValue = (this->*orgMethod)(id, value);

    return orgRetValue;
}


#C #C++ #Linux #Embedded #Hooking Example #Hooking #Class Hooking

Hooking Example (case 1. getchar() / rand())


 Hooking Example:
 1. getchar() / rand()
   C only; the code is a meaningless test program, written only to try out hooking.


Target code.
- target.c
  : gcc -o target target.c




Hook code.
- hook.c
  : gcc -shared -fPIC -o hook.so main.c -ldl
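The hook source that the post builds into hook.so is not shown, so here is an added example (not the post's own code) of such a preload hook, written in C++ so it matches the class-method hook in case 2: it interposes rand(), logs each call, and forwards to the real libc function resolved with dlsym(RTLD_NEXT, ...), exactly the pattern used above. The build line in the comments and the names hook.cpp, original_rand, hook_call_count and hook_log_entry are this example's own assumptions; compiled into an ordinary executable instead of a shared object, the same definition interposes libc's rand() for that program alone, which is how it can be exercised without LD_PRELOAD.

```cpp
// Added example: an LD_PRELOAD-style interposer for rand().
// Build as a library:  g++ -shared -fPIC -o hook.so hook.cpp -ldl
// Run:                 LD_PRELOAD=./hook.so ./target
#include <dlfcn.h>      // dlsym, RTLD_NEXT (g++ defines _GNU_SOURCE for us)
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Constructed in-memory call log so the hook's behaviour can be inspected;
// a real hook would normally write to stderr or a file instead.
static std::vector<std::string> g_log;

// Resolve the *next* definition of a symbol after this object, i.e. the real
// libc function, just as the class-method hook does with dlsym(RTLD_NEXT, ...).
template <typename Fn>
static Fn resolve_original(const char *name) {
    void *sym = dlsym(RTLD_NEXT, name);
    if (!sym) {
        std::fprintf(stderr, "hook: cannot resolve %s\n", name);
        std::abort();
    }
    return reinterpret_cast<Fn>(sym);
}

// Call libc's rand() directly, bypassing the hook (used to check forwarding).
int original_rand() {
    static int (*real)() = resolve_original<int (*)()>("rand");
    return real();
}

// Interposed rand(): C linkage and noexcept must match glibc's declaration.
// rand() is a plain C function, so a normal function pointer is enough here;
// the memcpy-into-member-pointer trick is only needed for class methods.
extern "C" int rand(void) noexcept {
    int value = original_rand();                 // forward to the real rand()
    g_log.push_back("rand() -> " + std::to_string(value));
    std::fprintf(stderr, "[hook] rand() -> %d\n", value);
    return value;
}

// getchar() can be hooked with the same pattern (resolve "getchar", forward,
// log); it is omitted here because glibc may define it as an inline wrapper.

// Accessors for inspecting what the hook recorded.
std::size_t hook_call_count() { return g_log.size(); }
const std::string &hook_log_entry(std::size_t i) { return g_log.at(i); }
```

Seeding with srand() and comparing hooked and direct calls shows that the hook only observes the call and leaves the original's result untouched.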




Exec:


Normal:
$ ./target


Hook:
$ LD_PRELOAD="/home/xxxx/hook_test/hook/hook.so" ./target







#C #C++ #Linux #Embedded #Hooking Example #Hooking 

API Hooking


• API Hooking
- A technique for intercepting API calls in order to take control of them
- Together with message hooking, the most widely used hooking technique

API?
- An interface for controlling the functions provided by the operating system or programming language.
- On Windows, this is the Win32 API




* For example, every process loads kernel32.dll and accesses the system through ntdll.dll.
* Win32 API: on Windows, user applications cannot use system resources (memory, files, network, video, sound, etc.) directly; the OS manages them (for stability, security, efficiency, and so on).
=> They go through the Win32 API (no meaningful program can be written without API functions).

#C #C++ #Linux #Embedded #Hooking Example #Hooking #API #API Hooking

Message Hooking


Message Hooking
- Intercepting the messages exchanged between User <-> OS <-> Applications
- Typical program: Spy++


* Window-based graphical user interfaces are event-driven.
* A message is generated when the user selects a menu or button with the keyboard/mouse, moves the mouse, resizes a window, moves a window, etc.

#C #C++ #Linux #Embedded #Hooking Example #Hooking #Message Hooking

Hooking(Message Hooking / API Hooking)


Hooking
- A core reverse engineering technology
- Techniques that intercept or replace function calls, messages, events, etc.
- Developing hook code for bug fixes or improvements without the source code
- Developing hook code to freely manipulate executable files and process memory

Hooking Advantages
- The user's hook code runs before/after the API call or message forwarding (added functionality)
- The hooking function can peek at or modify the API function's return value and the parameters passed to it
- Cancel the "Send Event" / "Call API", or redirect the execution flow to user code
=> the original can be called, skipped or altered freely depending on the situation

• Most Popular Hooking
- Message Hooking
- API Hooking

• Hooking points
- IAT (Import Address Table): a table recording which functions a program imports from which library.
 => Replacing an API address in the IAT with the address of a hooking function

- Code: directly access the real address of the API in the system library mapped into process memory and modify its code

 - Export Address Table (EAT): the mechanism by which a library file exposes its functions to other programs; used for message / API hooking


#C #C++ #Linux #Embedded #Hooking Example #Hooking #Message Hooking

Reverse engineering : Hooking(Message Hooking, API Hooking)


Reverse engineering : Hooking(Message Hooking, API Hooking)

• Reverse engineering
 - The opposite of "forward engineering"
 - Techniques for working backwards from a deployed system
- Part of the software maintenance process

• Purpose
- To understand the structure and operating principles of a program (using a disassembler / debugger)
- To fix bugs or improve functionality
- To freely manipulate executable files and process memory

• Uses
- Debugging and patching (hotfixes)
- Modifying an application without its source code
- Hacking


#C #C++ #Linux #Embedded #Hooking Example #Hooking #Message Hooking #Reverse engineering

PCANBasic api : PCAN_RECEIVE_EVENT


When PCAN_RECEIVE_EVENT is set, the receive code only runs when PCAN data arrives.

Call the CAN_SetValue function (class method: SetValue) -> wait for the event to be signaled using a single Win32 synchronization function (e.g. WaitForSingleObject) -> read with the CAN_Read function (class method: Read) and process the CAN message.

When the event is registered with SetValue and the thread waits on it through a Win32 synchronization function, data can be read without increasing the process load.



Translation of the original text:
To use events, the client application must call the CAN_SetValue function (class method: SetValue) to set the parameter PCAN_RECEIVE_EVENT. This parameter sets the handle of an event object. When a message is received, the driver sets this event to the "Signaled" state.
Another thread must be started in the client application that waits, using a single Win32 synchronization function (e.g. WaitForSingleObject), until the event is signaled, without increasing the process load.
Once the event has been signaled, the client's receive buffer can be read with the CAN_Read function (class method: Read) and the CAN messages can be processed.


ref: http://www.peak-system.com/


sample code :

can.h
class classA {
....
    DWORD readthread();
    HANDLE m_hEvent; // event handle
....
};
---------------------------------------
can.cpp

DWORD classA::readthread() {
      ....
    // m_hEvent must already have been created with CreateEvent() before it is registered here
    LOADAPI.SetValue(m_PcanHandle, PCAN_RECEIVE_EVENT, &m_hEvent, sizeof(m_hEvent));
    if (m_hEvent == NULL) {
        return RETURN::FAIL;
    }

    DWORD result;
    TPCANMsg CANMsg;               // PCANBasic.h message type
    TPCANTimestamp CANTimeStamp;   // PCANBasic.h timestamp type
    while (1) {
        // Wait for CAN data (10 s timeout); the driver signals m_hEvent when a message arrives
        result = WaitForSingleObject(m_hEvent, 10000);
        if (result == WAIT_OBJECT_0) {
            LOADAPI.Read(m_PcanHandle, &CANMsg, &CANTimeStamp);
        }
    }
}

