Skip to content

Hooking

Jump to bottom
이종원 edited this page Jul 25, 2019 · 1 revision

Hooking?

The overall process of hooking is as follows.

  • Identify program structure and operation principle using disassembler / debugger
  • Develop hook code necessary to fix bugs or improve function.
  • Install hook code by freely manipulating executable file and process memory.

These series of tasks are the core of reverse engineering technology. So hooking is called "the flower of reversing".

There are various hooking techniques, but API hooking is called API Hooking, This is the most widely used technique with message hooking in User mode hooking.

User mode, kernal mode


Application Programming Interface (API)

In Window OS, when a user application wants to use system resources (memory, file, network, video, sound, etc.) There is no way you can do it yourself. Because they are directly managed by the OS, and for various reasons (stability, security, efficiency, etc.) This prevents direct access from the user application.

In this case, your application should request the system kernel. That's how you request it. It uses the Win32 API provided by Microsoft. (The API is provided by the OS manufacturer.)

In other words, you can not create a meaningful program without an API function.

API Function Call

Many system libraries (DLLs) are loaded to run the actual application code. By default, all processes kernel32.dll is loaded, and kernel32.dll is loaded ntdll.dll. (User32.dll and gdi32.dll are required for GUI applications.)

The role of ntdll.dll is to prompt kernel mode for access to system resources that occur in user mode application code.

For a simple example, I want to open the file c: \ abc.txt in notepad.exe. The code calls the msvcrt! Fopen () API. The API call flow after that is as follows.

msvcrt! fopen ()
  kkernel32! CreateFileW ()
     ntdll! ZwCreateFile ()
        ntdll! KiFastSystemCall ()
            SYSENTER // Intel IA-32 Op Code
                => Enter kernel mode

The APIs that use common system resources are going to run kernel32.dll and ntdll.dll and eventually get the SYSENTER command to enter kernel mode.

  • The term DLL mapping is more accurate than DLL loading. The Windows operating system uses a mechanism that loads DLLs into memory only once and then maps them to processes.

copyrights : https://reversecore.com/54

Clone this wiki locally