[Help] List-edit-add hooks using MHS
Posted: Wed Jan 12, 2011 4:42 am
Okay, so far I couldn't get too much out from it. Hooking looks similar to interrupt handling. I.e., it's an event-driven code segment. It is run given an event happens. Alright.
So let's try the trivial: minesweeper. I would expect it to have no hooks at all but, still, it does trigger the F1 key for help, and MSDN says people might use hooks for binding the F1 key. Maybe this is just about not doing the default Windows does (which is showing the corresponding help file), then if this is true, minesweeper could have absolutely no hooks.
But instead of getting one or none address, all I get is an error that according to the script happens only when someone makes a jump-table to an unknown module.
Things I am using:
- L.Spiro's suggested sample to find hooks on his help file
- Added the following code at the end:
- Code:
bool newscan=1;                        // scan flag passed as the third argument; cleared after the first run
VOID On_Open_WINMINE_EXE() {           // MHS event handler, run when winmine.exe is opened
    PrintF("Opened Minesweeper.");
    ListHooks(0x01000000,5,newscan);   // start from the image base read out of the hex editor
    if (newscan) newscan=0;
}
- I opened the hex editor (ctrl+h) to assure the first address number on the attached process is 01000000 (hex).
- Then ran listhooks with the said address.
Things I am expecting:
- By giving the first address, the script function ListHooks() should scan the entire code in search for hooks.
- If I were to know the addresses of each hook, what would be the usefulness of the function?
- To get a list of 0 or more addresses
Things I am presented with upon attaching to minesweeper:
- The following output from the script:
Success. (compiled)
Opened Minesweeper. (PrintF)
Internal error on address 01000000! (Inside ListHooks)
I feel like in the depths of the learning curve, it seems I did not catch yet the point of hooks. What I am thinking is on finding where hooks are set. Once I know where normal hooks are set, I can save the list and then, upon running another process (the anti-anti-cheat in the case), see which hooks were created and then I can go forward to the phase of hooking KiSwapThread() to delete and add back hooks.
Also, I expect the following from the anti-anticheat (aac): it sets hooks in the target game process. What I have to do is remove these hooks from the game process, but add them back once the aac is the active thread, so it does not detect the changes. Furthermore, as the freaking aac likes shutting down the machine, I might look for hooks on system DLLs like kernel32.dll (resident via rundll32.exe or svchost.exe).
Am I far too lost?
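The error text in the post says the script gives up when a jump leads into a module it cannot identify. The following is an added example, not MHS code and not L.Spiro's ListHooks, of the check a hook lister performs on a 32-bit process: look at the first bytes of each function entry point, decode an unconditional jump if one is there (E9 rel32 inline detour, or FF 25 jump through an absolute pointer slot as in a jump table), resolve the target, and attribute it to a loaded module. A target that lies in no module at all is unbacked or injected code, which is the case the scanner in the post cannot name. Everything below is constructed: the 4 KiB image at 01000000 (the base read out of the hex editor), the four fake entry points, and the kernel32.dll range; `Module`, `decode_jump`, `scan_entry_points` and `demo_scan` are hypothetical names. A real scanner would take its entry points from the export table and its module list from the loader, rather than from a hand-built image.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """An address range backed by a loaded image (names and ranges here are constructed)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def decode_jump(code: bytes, addr: int,
                read_u32: Callable[[int], Optional[int]]) -> Optional[Tuple[str, Optional[int]]]:
    """Decode an unconditional jump at the start of `code`, which lives at `addr`.

    Returns (mnemonic, target) or None when the bytes do not start with a jump.
    Two 32-bit forms are handled: E9 rel32 (near relative jump, the usual inline
    detour) and FF 25 disp32 (jump through an absolute pointer slot, the usual
    jump-table form; `read_u32` fetches the slot and returns None if unreadable).
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed displacement
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF   # measured from instruction end
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        slot = struct.unpack_from("<I", code, 2)[0]          # absolute address of the slot
        return "jmp [abs32]", read_u32(slot)
    return None


def scan_entry_points(image: bytes, base: int, entry_points: List[int],
                      modules: List[Module]) -> Dict[int, str]:
    """Classify each entry point by where its first instruction sends control."""
    def read_u32(addr: int) -> Optional[int]:
        off = addr - base
        if 0 <= off <= len(image) - 4:
            return struct.unpack_from("<I", image, off)[0]
        return None  # outside the image we hold: treat the slot as unreadable

    def owner(addr: int) -> Optional[Module]:
        return next((m for m in modules if m.contains(addr)), None)

    results: Dict[int, str] = {}
    for ep in entry_points:
        jump = decode_jump(image[ep - base:ep - base + 8], ep, read_u32)
        if jump is None:
            results[ep] = "clean"
            continue
        mnemonic, target = jump
        if target is None:
            results[ep] = f"{mnemonic} -> pointer slot unreadable"
            continue
        dest = owner(target)
        if dest is None:
            # Control leaves every mapped module: unbacked or injected code, the
            # case a hook lister cannot attribute to any module.
            results[ep] = f"{mnemonic} -> unknown module (0x{target:08X})"
        elif dest == owner(ep):
            results[ep] = f"{mnemonic} -> internal (0x{target:08X})"
        else:
            results[ep] = f"{mnemonic} -> {dest.name}"
    return results


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32 whose displacement is relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)


BASE = 0x01000000  # load address the post reads out of the MHS hex editor


def build_sample() -> Tuple[bytes, List[int], List[Module]]:
    """Constructed 4 KiB image with four fake function entry points (not a real dump)."""
    image = bytearray(0x1000)
    image[0x100:0x106] = b"\x55\x8B\xEC\x83\xEC\x10"                    # push ebp; mov ebp,esp; sub esp,0x10
    image[0x200:0x205] = encode_jmp_rel32(BASE + 0x200, 0x7C800010)     # detour into "kernel32"
    image[0x300:0x305] = encode_jmp_rel32(BASE + 0x300, 0x00DE0000)     # detour into unbacked memory
    image[0x400:0x406] = b"\xFF\x25" + struct.pack("<I", BASE + 0x500)  # jmp [0x01000500]
    image[0x500:0x504] = struct.pack("<I", 0x00DE1000)                  # slot points into unbacked memory
    modules = [Module("winmine.exe", BASE, 0x1000),
               Module("kernel32.dll", 0x7C800000, 0xF6000)]             # hypothetical range
    return bytes(image), [BASE + 0x100, BASE + 0x200, BASE + 0x300, BASE + 0x400], modules


def demo_scan() -> Dict[int, str]:
    image, entries, modules = build_sample()
    return scan_entry_points(image, BASE, entries, modules)


if __name__ == "__main__":
    for ep, verdict in demo_scan().items():
        print(f"0x{ep:08X}: {verdict}")
```

Scanning every byte of the image for E9 instead of known entry points produces false positives, since E9 also occurs inside longer instructions and data; that is why the example classifies entry points only. The "internal" verdict is kept separate from "clean" because a compiler-generated tail jump inside the same module is normal, whereas a first instruction that leaves the module is what a detour looks like.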