Hooking a kernel API, and dealing with advanced data types.



Verdlin
  • Members
  • 256 posts
  • Last active: Apr 29 2016 06:46 PM
  • Joined: 21 Dec 2012

Hello,
 
I've searched pretty extensively on this subject, but I haven't found enough to help me figure out how to do this. I really have two questions here:

  • How do you hook a function defined in a kernel API? (In the below example, I am talking about Kernel32.dll)
  • After intercepting a function, how do you pass out advanced variable types? (In the below example, I am unsure how to handle a pointer to a SYSTEMTIME struct)

I think I am onto the right track with the two functions below, but if you run this you will have many background processes crash. My best guess says this is because I am not passing out a correct data type. I don't think I quite have the right procedure below because my test .exe is not tripping up on GetLocalTime(). Any input would be much appreciated.
 
 

TestTime()
{
    Gui +LastFound
    DllCall("RegisterShellHookWindow","Ptr",WinExist()) ; HWND is pointer-sized on 64-bit
    OnMessage(DllCall( "RegisterWindowMessage","Str","SHELLHOOK" ),"GetLocalTime")
    return
}

GetLocalTime(ByRef rSystemTime)
{
    hModule := DllCall("LoadLibrary", "Str", "Kernel32.dll", "Ptr") ; GetLocalTime is defined in here.
    hTimeProc := DllCall("GetProcAddress", "Ptr", hModule, "AStr", "GetLocalTime", "Ptr")
    ; idHook 5 = WH_CBT and dwThreadId 0 = every thread on the desktop: this installs a global
    ; CBT hook whose hook procedure is kernel32's own GetLocalTime, so every process that
    ; receives a CBT event calls GetLocalTime with CBT arguments instead of a SYSTEMTIME*.
    hhookTime := DllCall("SetWindowsHookEx", "Int", 5, "Ptr", hTimeProc, "Ptr", hModule, "UInt", 0, "Ptr")

    rSystemTime = "201212413131313999"
    return
}

 


Scripts are written and tested using AHK_H 64w (unless otherwise specified).

CFlyout. EasyIni. Dynamic Label Execution (No Reload). Word Lookup.


guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011

I am not an expert on the subject, but I was interested in something similar, and I'm pretty sure you can't do what you're trying to do.

 

then again, what are you trying to do?

 

in your example it seems that you are trying to intercept GetLocalTime in kernel32.dll. what do you plan to do after you intercept it? 

 

OnMessage is used to execute certain code when your own script receives messages

http://www.autohotke...s/OnMessage.htm

as described on that page, the OnMessage function has to have four parameters in order: MyMessageMonitor(wParam, lParam, msg, hwnd)

These are the parameters of the message that were sent to your script, so I don't think your ByRef rSystemTime is even allowed.

 

as for hooking onto the Shell, there have been a few examples of that in AHK already:

http://www.autohotke...lhook-messages/

this allows your own script to receive messages from the Shell

 

however hooking on the shell only alerts you of certain messages, described here:

http://msdn.microsof...esktop/ms644989(v=vs.85).aspx



Verdlin
  • Members
  • 256 posts
  • Last active: Apr 29 2016 06:46 PM
  • Joined: 21 Dec 2012

Thanks for the quick reply!

 

I previously did not understand OnMessage, but that link cleared things up for me. That certainly won't work for what I am trying. It doesn't look like a Shell hook will work, either.

 

Yes, what am I trying to do? Here's a program called RunAsDate. This is exactly what I am trying to do - just in AutoHotKey. Where it says, "How does it work ?" his explanation is, "RunAsDate intercepts the kernel API calls that returns the current date and time (GetSystemTime, GetLocalTime, GetSystemTimeAsFileTime), and replaces the current date/time with the date/time that you specify."

 

I really want to do just this. Any thoughts?




Lexikos
  • Administrators
  • 9844 posts
  • AutoHotkey Foundation
  • Last active:
  • Joined: 17 Oct 2006

To do that, you would need to inject code into the process which you're trying to hook (e.g. Outlook.exe in the example shown for RunAsDate).  That would need to be machine code, compiled or assembled from some other language (optionally contained within a dll file). If you're determined, you should be able to find the necessary information elsewhere. Otherwise, I suggest you give up.



guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011
As I understand it, you need to write a .dll file that you inject into other applications, which then hooks onto any function calls that the target application attempts.

There are libraries in other languages that let you do this; google "detours hook" or "easyhook". You could ask the RunAsTime author how he does it, if he uses one of those libraries. I don't see any .dll in the download zip.

The only attempt in AHK that I know of is this:
http://www.autohotke...nthook-example/

But I don't know if it's the same. I'm curious what you find.

Lexikos
  • Administrators
  • 9844 posts
  • AutoHotkey Foundation
  • Last active:
  • Joined: 17 Oct 2006
The only attempt in AHK that I know of is this:
http://www.autohotke...nthook-example/

That's a completely different kind of "hook". It uses an API provided by the OS to register a callback to be notified when specific Active Accessibility events are raised. By contrast, Verdlin wants to "hook" a function call that doesn't specifically allow hooking, and is presumably called in the context of some other process (not AutoHotkey.exe).

(Offtopic: Since RegisterCallback was added to AutoHotkey, an external DLL such as the one shown in that thread is no longer needed. However, this does not help "hooking" function calls in other processes.)
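Added example, not code from this thread or from RunAsDate: the redirect step that Lexikos and guest3456 describe, written in portable C so it compiles anywhere. A real injected DLL would overwrite the target's import address table (IAT) entry for kernel32!GetSystemTime after making that page writable with VirtualProtect, or patch the first bytes of the function with a jump (what Detours does). Here the IAT is a stand-in struct of function pointers, real_GetSystemTime stands in for the kernel32 export, and the SYSTEMTIME layout is copied by hand instead of including windows.h. The injection itself (OpenProcess, WriteProcessMemory, CreateRemoteThread calling LoadLibrary) is not shown; this block runs the hook in its own process.

```c
#include <stdint.h>
#include <stdio.h>

/* Hand-copied layout of Win32 SYSTEMTIME: eight 16-bit fields (assumption
 * mirroring the Windows header; no windows.h, so this builds on any platform). */
typedef struct {
    uint16_t wYear, wMonth, wDayOfWeek, wDay;
    uint16_t wHour, wMinute, wSecond, wMilliseconds;
} SYSTEMTIME;

typedef void (*GetSystemTime_t)(SYSTEMTIME *lpSystemTime);

/* Stand-in for the kernel32 export. A hook never changes this code; it only
 * changes who gets called. Fixed date so the example is deterministic. */
static void real_GetSystemTime(SYSTEMTIME *lpSystemTime)
{
    SYSTEMTIME now = { 2013, 2, 4, 14, 12, 0, 0, 0 };   /* Thu 2013-02-14 12:00 */
    *lpSystemTime = now;
}

/* Stand-in for the target process's import address table. On Windows this is
 * an array of pointers in the PE image that every call to an imported function
 * goes through; an injected DLL locates the entry and overwrites it. */
static struct {
    GetSystemTime_t GetSystemTime;
} iat = { real_GetSystemTime };

/* Saved original so the hook can forward to it (the "trampoline" in Detours terms). */
static GetSystemTime_t orig_GetSystemTime = NULL;

/* The date the user asked for, as a RunAsDate-style UI would set it. */
static SYSTEMTIME spoofed_time = { 2001, 1, 1, 1, 9, 30, 0, 0 };   /* Mon 2001-01-01 09:30 */

/* Replacement with the export's exact signature. It calls the original so any
 * side effects still happen, then writes the spoofed value through the caller's
 * pointer (the pointer is the caller's buffer; the hook must write into it). */
static void hooked_GetSystemTime(SYSTEMTIME *lpSystemTime)
{
    SYSTEMTIME actual;
    orig_GetSystemTime(&actual);
    (void)actual;   /* a real tool could keep the real-vs-spoofed offset here */
    *lpSystemTime = spoofed_time;
}

/* Install: save the current entry, point the table at the replacement.
 * Returns 1 on install, 0 if already installed. On Windows the entry lives in a
 * read-only page, so VirtualProtect(..., PAGE_READWRITE, ...) has to come first. */
int install_hook(void)
{
    if (orig_GetSystemTime != NULL)
        return 0;
    orig_GetSystemTime = iat.GetSystemTime;
    iat.GetSystemTime = hooked_GetSystemTime;
    return 1;
}

/* Uninstall: restore the saved pointer. This must run before the injected DLL
 * unloads; otherwise the table points at unmapped code, a common cause of the
 * target crashing when the injecting script exits. */
int remove_hook(void)
{
    if (orig_GetSystemTime == NULL)
        return 0;
    iat.GetSystemTime = orig_GetSystemTime;
    orig_GetSystemTime = NULL;
    return 1;
}

/* What the target application does: it never knows whether the table was patched. */
uint16_t app_current_year(void)
{
    SYSTEMTIME st;
    iat.GetSystemTime(&st);
    return st.wYear;
}

int main(void)
{
    printf("before hook:  %u\n", app_current_year());
    install_hook();
    printf("with hook:    %u\n", app_current_year());
    remove_hook();
    printf("after unhook: %u\n", app_current_year());
    return 0;
}
```

The point to take from the block: the application's call site does not change at all; only the pointer it calls through does. That is why the hook code has to be inside the target process (Lexikos's point), and why a SetWindowsHookEx call from AutoHotkey.exe, which installs a message hook and not a function hook, cannot do this.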

HotKeyIt
  • Moderators
  • 7439 posts
  • Last active: Jun 22 2016 09:14 PM
  • Joined: 18 Jun 2008

Probably InjectAhkDll() will help :)



guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011

Thanks for clarifying, Lex. I remember reading some C++ examples of injecting code into other processes' WndProc, but I never wrapped my head around it. You had to WriteProcessMemory or something.

 

I will study HotKeyIt's link though :)



Verdlin
  • Members
  • 256 posts
  • Last active: Apr 29 2016 06:46 PM
  • Joined: 21 Dec 2012

Thanks for the input, everyone! Holiday season/the new year gets very busy for me, but I have not given up on this subject.

 

 

To do that, you would need to inject code into the process which you're trying to hook (e.g. Outlook.exe in the example shown for RunAsDate).  That would need to be machine code, compiled or assembled from some other language (optionally contained within a dll file). If you're determined, you should be able to find the necessary information elsewhere. Otherwise, I suggest you give up.

 

Thanks. Oh, I'm determined, I just have a lot of things going on right now, and so my time is limited.

 

 

Probably InjectAhkDll() will help :)

 

That is awesome! I got AutoHotKey_H up and running, now. HookScript.ahk looks like what I'll need to use (with some tweaks, of course).

 

It looks as if injecting AutoHotkeyMini.dll causes many applications to crash just on the OpenProcess call (Msgbox outputting, "Error Could not open process for PID..."). What strikes me as odd is that I don't find anything but this thread and the main thread of InjectAHKdll() when I do a search for, "AutoHotKey InjectAHKDll crash." Searching for that + the error brings up irrelevant results. This makes me think that either most people don't have this problem, or that not a lot of people use this script.

 

Anyway, FWIW I wrote the author of RunAsDate almost a month ago, and he has not replied. Do you have any ideas/suggestions concerning this crash and what I could do to mitigate it?




Verdlin
  • Members
  • 256 posts
  • Last active: Apr 29 2016 06:46 PM
  • Joined: 21 Dec 2012

Bump.




guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011

Obviously there are not many examples; HotKeyIt just wrote that code a few weeks ago. I got his Notepad example to work, but even Notepad would crash on script close.

 

Anyway, you are not gonna find much information about this in AHK; I have looked already. Your best bet is to find how the code works in other languages and translate it into AHK. I gave two examples to search for earlier. You can talk to people who know about those.

 

You can also try this page for some information:

http://www.codeproje...-Another-Proces



HotKeyIt
  • Moderators
  • 7439 posts
  • Last active: Jun 22 2016 09:14 PM
  • Joined: 18 Jun 2008
It looks as if injecting AutoHotkeyMini.dll causes many applications to crash just on the OpenProcess call (Msgbox outputting, "Error Could not open process for PID...").

This might be due to permissions, are you running the script as administrator?

Try running this using the PID of your process that you can get from task manager and see if process can be opened.

 

  ; Return type "Ptr": a HANDLE is pointer-sized, so don't let it default to Int on 64-bit
  hProc := DllCall("OpenProcess", "UInt", PROCESS_ALL_ACCESS:=0x1F0FFF, "Int",0, "UInt", EnterYourPIDhere, "Ptr")
  If !hProc
     MsgBox Could not open process
  else DllCall("CloseHandle", "Ptr", hProc)


Verdlin
  • Members
  • 256 posts
  • Last active: Apr 29 2016 06:46 PM
  • Joined: 21 Dec 2012
Obviously there are not many examples; HotKeyIt just wrote that code a few weeks ago. I got his Notepad example to work, but even Notepad would crash on script close.

 

Anyway, you are not gonna find much information about this in AHK; I have looked already. Your best bet is to find how the code works in other languages and translate it into AHK. I gave two examples to search for earlier. You can talk to people who know about those.

 

You can also try this page for some information:

http://www.codeproje...-Another-Proces

Good point! I did not even check the time stamps. Yes, I read the two links you posted, but, if I am not mistaken, we said those particular methods would not work for this particular injection of code. Awesome link, by the way! I might even use some of those methods outside of AHK. When I get HotKeyIt's injection code running, then I think the methods listed in that link will be what I need to use to inject my scripts. Thanks!

 

 

This might be due to permissions, are you running the script as administrator?

Try running this using the PID of your process that you can get from task manager and see if process can be opened.

 

  ; Return type "Ptr": a HANDLE is pointer-sized, so don't let it default to Int on 64-bit
  hProc := DllCall("OpenProcess", "UInt", PROCESS_ALL_ACCESS:=0x1F0FFF, "Int",0, "UInt", EnterYourPIDhere, "Ptr")
  If !hProc
     MsgBox Could not open process
  else DllCall("CloseHandle", "Ptr", hProc)

Well, that actually works just fine. No crash, and the script does not lock up. Then it seems it can open the process without crashing. I tried injecting the AutoHotkeyMini.dll again, ensuring that I was running AHK with admin privileges, and it choked up at the same spot.

 

I realize that, at this point, there could be many reasons why this is not working. Thanks for your help, thus far. I'll try to do some more research into DLL injection so that I can troubleshoot this on my own.




guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011
Yes, I read the two links you posted, but, if I am not mistaken, we said those particular methods would not work for this particular injection of code.

The WinEventHook link is for something different.

However, 'detours' is pretty much the standard Microsoft library when it comes to hooking another process, and 'easyhook' is another popular library. You would need to look into their methods and translate the code to AHK.

But what HotKeyIt has done already is pretty similar.

I'm definitely interested in your progress, so if you get something working, please share!

Verdlin
  • Members
  • 256 posts
  • Last active: Apr 29 2016 06:46 PM
  • Joined: 21 Dec 2012

Ok! Two months later, and I have made some progress :D. What I have been able to accomplish:

  • Injecting AutohotkeyMini.dll
  • Hooking GetSystemTime() to my target application

What I cannot accomplish, for the life of me, is how to pass out the lpSystemTime struct. This is a pointer, so I thought what I could do was pass out the address of a valid struct. I created a SYSTEMTIME struct, and then I tried to set lpSystemTime to the address of my struct. When I debug my application to see the values my function hook is returning, all values are set to 52428 (which translates to blank). Any ideas? In my code below, the specific area of interest is the line "GetSystemTime(lpSystemTime)".



Thanks in advance.


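Added example, not from the thread: the specific mistake that produces 52428 in every field of the struct. 52428 is 0xCCCC, the byte pattern (0xCC repeated) that MSVC debug builds write over uninitialized stack memory, so the value means the caller's SYSTEMTIME was never written. lpSystemTime is an out parameter: the caller owns those 16 bytes and the hook has to write into them. Setting lpSystemTime to the address of the hook's own struct only changes the hook's local copy of the pointer. Portable C with the SYSTEMTIME layout copied by hand and the 0xCC fill simulated with memset; the AutoHotkey equivalent of the working variant is a NumPut(value, lpSystemTime, offset, "UShort") per field, rather than assigning lpSystemTime := &myStruct.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hand-copied Win32 SYSTEMTIME layout (assumption; no windows.h). */
typedef struct {
    uint16_t wYear, wMonth, wDayOfWeek, wDay;
    uint16_t wHour, wMinute, wSecond, wMilliseconds;
} SYSTEMTIME;

typedef void (*hook_fn)(SYSTEMTIME *lpSystemTime);

#define DEBUG_FILL 0xCC   /* MSVC debug-build fill for uninitialized stack; 0xCCCC == 52428 */

/* Wrong: repoints the hook's own copy of the pointer at a private struct.
 * The caller's buffer is untouched and keeps whatever was on the stack. */
static void hook_assign_pointer(SYSTEMTIME *lpSystemTime)
{
    static SYSTEMTIME mine = { 2001, 1, 1, 1, 9, 30, 0, 0 };
    lpSystemTime = &mine;
    (void)lpSystemTime;   /* the reassignment dies with this stack frame */
}

/* Right: write every field through the pointer the caller handed in. */
static void hook_write_through(SYSTEMTIME *lpSystemTime)
{
    lpSystemTime->wYear         = 2001;
    lpSystemTime->wMonth        = 1;
    lpSystemTime->wDayOfWeek    = 1;      /* 2001-01-01 was a Monday */
    lpSystemTime->wDay          = 1;
    lpSystemTime->wHour         = 9;
    lpSystemTime->wMinute       = 30;
    lpSystemTime->wSecond       = 0;
    lpSystemTime->wMilliseconds = 0;
}

/* Also right, for a hook that already holds a prepared struct: copy the bytes
 * into the caller's buffer instead of handing out the address of your own. */
static void hook_copy_struct(SYSTEMTIME *lpSystemTime)
{
    static const SYSTEMTIME mine = { 2001, 1, 1, 1, 9, 30, 0, 0 };
    memcpy(lpSystemTime, &mine, sizeof *lpSystemTime);
}

/* Caller side, as the target application behaves: a SYSTEMTIME on its stack,
 * passed by address. The memset stands in for the 0xCC fill of a debug build. */
uint16_t year_seen_by_caller(hook_fn fn)
{
    SYSTEMTIME st;
    memset(&st, DEBUG_FILL, sizeof st);
    fn(&st);
    return st.wYear;
}

/* 1 if the hook left all eight fields exactly as the debug fill, 0 otherwise. */
int all_fields_untouched(hook_fn fn)
{
    SYSTEMTIME st, pattern;
    memset(&st, DEBUG_FILL, sizeof st);
    memset(&pattern, DEBUG_FILL, sizeof pattern);
    fn(&st);
    return memcmp(&st, &pattern, sizeof st) == 0;
}

int main(void)
{
    printf("assign pointer: wYear=%u (untouched=%d)\n",
           year_seen_by_caller(hook_assign_pointer), all_fields_untouched(hook_assign_pointer));
    printf("write through:  wYear=%u (untouched=%d)\n",
           year_seen_by_caller(hook_write_through), all_fields_untouched(hook_write_through));
    printf("copy struct:    wYear=%u (untouched=%d)\n",
           year_seen_by_caller(hook_copy_struct), all_fields_untouched(hook_copy_struct));
    return 0;
}
```

Two caveats for the AHK side of this. The address the hook receives is in the target process, so any buffer written from a script running elsewhere would be the wrong address space; the writes must come from the script injected into that process. And a hook that fills the struct but never returns a clean frame (wrong calling convention or parameter count for a 64-bit stdcall/x64 callback) will corrupt the caller just as surely as leaving the buffer unwritten.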