Sunday, January 10, 2016

OpenProcess API hook in MSVC++(C)

This is a C program I've written in Visual Studio 2015 to hook OpenProcess API calls to prevent a target application from obtaining a handle to a ProcessId of our choice which can render other APIs dependent on process handles useless(such as TerminateProcess) when acting on the ProcessId.
I was trying to do inline assembly injection in Delphi 7 to this very effect but the disassembler viewer, and the IDE in general was not very smooth. So I gave Microsoft Visual C++ a go recalling I had a copy of the latest Visual Studio 2015. The IDE was just amazingly productive. So, working on and off, with a lot of debugging and disassembling and hours of scouring the internet for answers to questions that arose along the way, I finally managed to write a functioning program.

The code is, I think, fairly well commented. So it should be easy enough to understand:
//the characterset property is set to "Not Set" which defaults everything to ANSI(non-unicode)
//disable optimization under C/C++=>Optimization from Project=>Project Properties. otherwise a lot of variables
//are "optimized away" when debugging; you can't see their values from the IDE while debugging.
//also, optimize for small code under C/C++=>Optimization. otherwise, the compiler will append
//a ton of INT 3 instructions to your assembly functions.
//so, make a custom optimization profile with the above criteria met

#include "stdafx.h"
#include <conio.h>
#include <Windows.h>


void jmp();
void trampoline();
void fake();

int main()
{

/*
 //Process Killer program
    repeat:
    DWORD pid = 0;
    HANDLE hProcess = 0;
    printf("Enter PID to terminate ");
   
    scanf_s("%d", &pid);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if (hProcess == 0)
    {
        printf("Cannot get a handle to the PID!\n");
        printf("Error : %d\n\n", GetLastError());
        goto repeat;
    }
    if (!TerminateProcess(hProcess, 0) )
    {
        printf("Cannot terminate PID : %d\n", pid);
        printf("Error : %d\n\n", GetLastError());
        goto repeat;
    }
    else
    {
        printf("Killed!\n\n");
    }
    goto repeat;
    */

   
    DWORD protectpid;
    DWORD hookpid;//process to inject to
    printf("Enter the PID to inject to : ");
    scanf_s("%d", &hookpid);
    printf("Enter the PID to protect : ");
    scanf_s("%d", &protectpid);
    LPVOID OPPt = GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenProcess");
   
   
    /****************Read the raw jmp and trampoline functions from own memory************/
    HANDLE myhProcess = OpenProcess(PROCESS_ALL_ACCESS, false, GetCurrentProcessId());
    SIZE_T size = SIZE_T((long)(&fake) - (long)(&trampoline));//size of trampoline
    SIZE_T size2 = (SIZE_T)(((long)(&trampoline) - (long)(&jmp)));//size of jmp
    SIZE_T readbytes;
    char *jmpBytes = (char *)calloc((size_t)size2,sizeof(char));
    ReadProcessMemory(myhProcess, &jmp, jmpBytes, size2, &readbytes);//read the jmp function into jmpBytes
    char *trampolineBytes = (char *)calloc((size_t)size, sizeof(char));
    ReadProcessMemory(myhProcess, &trampoline, trampolineBytes, size, &readbytes);//read the trampoline function into trampolineBytes
    /*************************************************************************************/

    /************Allocate space in the remote process for trampoline function************/
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, hookpid);
    LPVOID hAddress = VirtualAllocEx(hProcess, (LPVOID)0, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//address of trampoline
    /************************************************************************************/

    /**********************Fix the jmp address and the pid to filter********************/
    memcpy(&jmpBytes[1], &hAddress,(size_t) 4);
    memcpy(&trampolineBytes[5], &protectpid, (size_t)4);
    /***********************************************************************************/

    CloseHandle(myhProcess);
    /********************Shellcode read!*************************************/

   

    SIZE_T writtenbytes;
    if (WriteProcessMemory(hProcess, hAddress, trampolineBytes, size, &writtenbytes))//write the fixed trampoline
    {
       
        if (WriteProcessMemory(hProcess, OPPt, jmpBytes, size2, &writtenbytes))//write the fixed jmp
        {
            //jmp was written
            MessageBox(0, "Patched!", ":D", 0);
           
        }
    }
    DWORD laterror = GetLastError();
   
   
    return 0;
}



__declspec(naked) void jmp()
/* the __declspec(naked) suppresses the extra opcodes the compiler would automatically add
before and after a function which would be bad for our to-be-injected asm block */
{
    __asm
    {
        mov eax, 0x93250000//trampoline address to be patched
        call trick
        trick:
        pop esi//esi=address of this statement
        jmp eax
       
        /*
 This part isn't very relevant to the above code but is still informative and is something I wrote when I was trying a simple mov and jmp combination.
        Must be careful not to do a partial overwrite:

        The normal opcodes before overwriting the OpenProcess code in kernel32.dll are:

        75891952 > 8BFF             MOV EDI,EDI                                                       ; ucrtbase.60682104
        75891954   55               PUSH EBP
        75891955   8BEC             MOV EBP,ESP
        75891957   5D               POP EBP
        75891958   EB 05            JMP SHORT <JMP.&API-MS-Win-Core-Synch-L1-1-0.OpenProcess>          ; relative jump to the JMP below
        7589195A   90               NOP
        7589195B   90               NOP
        7589195C   90               NOP
        7589195D   90               NOP
        7589195E   90               NOP
        7589195F  -FF25 54098975    JMP DWORD PTR DS:[<&API-MS-Win-Core-Synch-L1-1-0.OpenProcess>]    ; KERNELBA.OpenProcess
       
        Say we have only a mov and a jmp code. It ends up overwriting the above opcodes starting from the
        first byte 8B. The corresponding opcodes are:

        00C7118C B8 00 00 25 93       mov         eax,93250000h
        00C71191 FF E0                jmp         eax

        Clearly, the size of opcodes to be written is 7(one byte each for B8, 00, 00, 25, 93, FF, E0)

        After being overwritten, the modified OpenProcess code in kernel32.dll looks like:

        75891952 > B8 00002593      MOV EAX,93250000
        75891957   FFE0             JMP EAX
        75891959   05 90909090      ADD EAX,90909090
        7589195E   90               NOP
        7589195F  -FF25 54098975    JMP DWORD PTR DS:[<&API-MS-Win-Core-Synch-L1-1-0.OpenProcess>]    ; KERNELBA.OpenProcess

        Clearly, the original bytes 8B, FF, 55, 8B, EC, 5D, EB, a total of 7 bytes have been overwritten
        as expected by our mov and jmp. But the remaining 05, 90, 90... bytes give a different opcode
        altogether, the ADD EAX,90909090 thing, which is unwanted. So, the 05 byte is replaced with an extra
        opcode, a simple nop i.e. 90 so that the modified version looks like:

        75891952 > B8 00002593      MOV EAX,93250000
        75891957   FFE0             JMP EAX
        75891959   90               NOP
        7589195A   90               NOP
        7589195B   90               NOP
        7589195C   90               NOP
        7589195D   90               NOP
        7589195E   90               NOP
        7589195F  -FF25 54098975    JMP DWORD PTR DS:[<&API-MS-Win-Core-Synch-L1-1-0.OpenProcess>]    ; KERNELBA.OpenProcess

        which is what we would want if we needed only a mov and jmp injected.       
       
        */




        /*
        Now what our code does:

        Original contents inside the OpenProcess procedure in the target process' kernel32:

        76571952 > 8BFF             MOV EDI,EDI                              ; ucrtbase.74772104
        76571954   55               PUSH EBP
        76571955   8BEC             MOV EBP,ESP
        76571957   5D               POP EBP
        76571958   EB 05            JMP SHORT <JMP.&API-MS-Win-Core-Synch-L1>
        7657195A   90               NOP
        7657195B   90               NOP
        7657195C   90               NOP
        7657195D   90               NOP
        7657195E   90               NOP
        7657195F  -FF25 54095776    JMP DWORD PTR DS:[<&API-MS-Win-Core-Sync>; KERNELBA.OpenProcess

        The disassembly of our jmp() code:

        00B91218 B8 00 00 25 93       mov         eax,93250000h
        00B9121D E8 00 00 00 00       call        0B91222h
        00B91222 5E                   pop         esi
        00B91223 FF E0                jmp         eax

        The OpenProcess routine after injection:

        76571952 > B8 00002593      MOV EAX,93250000
        76571957   E8 00000000      CALL kernel32.7657195C
        7657195C   5E               POP ESI
        7657195D   FFE0             JMP EAX
        7657195F  -FF25 54095776    JMP DWORD PTR DS:[<&API-MS-Win-Core-Sync>; KERNELBA.OpenProcess


        */
    }
}


__declspec(naked) void trampoline()
{
    __asm
    {
        pop edx
        pop ecx
        pop ebx
        pop eax
        cmp eax, 14902//pid to protect
       
        jne skipper
        xor eax, eax
       
       
    skipper:
        push eax
        push ebx
        push ecx           
        push edx
        add esi,3//coz instruction at esi is followed by a jmp which is 2 bytes
        jmp esi


    }
}

__declspec(naked) void fake()
{
    __asm
    {

    }
}

No comments:

Post a Comment