gemot encubed


Proger 2013-05-21 21:07

New API hooking tool
Hi folks,

Now that it's complete, I don't know where to start; it's really huge. Anyway, let's try a small example. There's an old RPG from the 2000s called "Avaron"; I'll use it as a test subject (it's about 120 MiB).

My tool - ApiHook - allows you to execute custom scripts attached to any exported function of a DLL loaded into a process. In other words it's like a debugger where you set breakpoints with conditions but here you can run full-blown scripts instead of some simple conditions. You can dump call stack, dump memory segments, log stuff to console, etc.

Among other things it's very useful in finding initial call points when you're dealing with a new engine.

ApiHook has several strong points, and one of them is that it can use both IAT table patching and prologue rewriting (the default) to attach its own handler to the subject. IAT is fast but unreliable (e.g. it won't work for dynamic binding with LoadLibrary/GetProcAddress) and it only affects a particular module (unless you patch every process module). Prologue patching is unavoidable: the first instructions of the target function body are overwritten to point to ApiHook's handler, so you can't call the hooked function bypassing ApiHook itself. It's a technique used by rootkits and low-level apps like antiviruses.

Let's say we want to see what files Avaron accesses via CreateFileA. Here's what you need to do:
  1. Download ApiHook and extract it anywhere
  2. Create hook script - let's call it "avaron.oo" (you can use .txt too if you wish). It's a plain text file, we'll fill it below
  3. Open command prompt at ah.exe (it doesn't matter but usually is more convenient - no typing of long paths)
  4. Now type this command (but don't run it yet): ah.exe launch avaron.oo - or it can be shortened to ah l avaron (l = launch, .exe and .oo/.txt are added automatically)

Now it's set up. We need to fill in the hook script (docs) - it specifies what ApiHook should hook and what to do once a trapped call happens. The script file has a basic INI-like format:

log :fn

That's it. Now, as soon as CreateFileA is called, we'll see a line like CreateFileA: save0000.dat in the console, the log, or both.

Now you can run the command line above. (Note: you should have DEP disabled!) The game title opens and... nothing happens. You will see something like this:

Now that's strange, isn't it? But let's try to Load a saved game (don't close ApiHook) - it's the top clickable menu item. You should immediately see new lines appearing in the console as the game lists empty slots:

Your choice...
21:44: CreateFileA: save0000.dat
* CreateFileA: save0001.dat
* CreateFileA: save0002.dat
* CreateFileA: save0003.dat
* CreateFileA: save0004.dat
* CreateFileA: save0005.dat
* CreateFileA: save0006.dat
* CreateFileA: save0007.dat
* CreateFileA: save0008.dat
* CreateFileA: save0009.dat

As we see, ApiHook works and listens for CreateFileA calls. If so, why didn't we see them? The game at least had to read the title image from somewhere.

This is because most of the engine isn't contained in avaron.exe but rather in uty32dll.dll (see it in the game's folder?). By default ApiHook only triggers on calls originating from the process itself (the EXE) but not its modules (DLLs) - since it uses prologue rewriting, even calls from system libraries like kernel32.dll would be intercepted and output, and believe me, that's a huge stream - you'll see it in a moment.

So we need to hook uty32dll.dll instead of/in addition to avaron.exe. Close the game and ApiHook (you can type t in its console and press Enter) and change the command line so it looks like this: ah l avaron --module=uty.

--module can be * to hook everything including system DLLs, or it can be a full or partial module name to which hooks should be attached. We could type path\...\uty32dll.dll, uty32dll or any other unique file name portion like uty, which we did.

Now run it again and this time you will see much more activity:

* CreateFileA: win_up.bmp
* CreateFileA:
* CreateFileA: gwaku_up.bmp
* CreateFileA:
* CreateFileA: ewaku.bmp
* CreateFileA:
* CreateFileA: swaku.bmp
* CreateFileA:
* CreateFileA: t.bmp
* CreateFileA:
* CreateFileA: t.bmp
* CreateFileA:

Aha! And others, including some non-existent files like t.bmp. Great. Now if you try to Load a game you'll notice that there are no new lines in the console - unless you have used --module=*.

This is very basic usage. You can do a lot more, but I'll keep this first post short, and if anyone is interested - feel free to drop a comment. ApiHook is still in early beta, so there are glitches.

You can find a more appealing teaser script under the spoiler.

That's it for now. Hopefully it is useful. Let me know what you think.
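The console output above is the interesting product of the walkthrough: a stream of file names the game asked for, including names that do not exist on disk. As an added example (not part of Proger's post and not ApiHook's own code), here is a small parser that reads that console format - a first trapped line prefixed with an HH:MM timestamp, later lines prefixed with "* ", and some calls logging an empty :fn - and aggregates per-function call counts, the names requested, and which requested names are absent from a folder listing. The sample log is constructed from the lines shown in the post, and FILES_ON_DISK is an assumed stand-in for a real directory listing of the game folder.

```python
"""Summarise an ApiHook-style console log of trapped CreateFileA calls.

Added example; the log format is taken from the post's console output, while
SAMPLE_LOG and FILES_ON_DISK are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample in the post's console format: the first trapped call is
# timestamped, the following calls are prefixed with "* ", and some calls log
# an empty :fn argument (as seen in the --module=uty run).
SAMPLE_LOG = """\
Your choice...
21:44: CreateFileA: save0000.dat
* CreateFileA: save0001.dat
* CreateFileA: win_up.bmp
* CreateFileA:
* CreateFileA: t.bmp
* CreateFileA:
* CreateFileA: t.bmp
"""

# Assumption: a listing of the game folder, constructed so that t.bmp is a
# name the game asks for but does not ship (as the post observes).
FILES_ON_DISK = {"save0000.dat", "save0001.dat", "win_up.bmp"}

# A trapped-call line starts with "* " or with "HH:MM: ", followed by the
# hooked function name, a colon, and the logged argument (possibly empty).
LINE_RE = re.compile(
    r"^(?:\*|(?P<time>\d{2}:\d{2}):)\s+(?P<fn>\w+):\s*(?P<arg>.*)$"
)


def parse_log(text):
    """Yield (function, argument, timestamp) for every trapped-call line.

    timestamp is None on "* " continuation lines. Prompts and blank lines
    (anything that does not match LINE_RE) are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("fn"), m.group("arg").strip(), m.group("time")


def summarize(text, files_on_disk=None):
    """Aggregate a log: calls per function, names per function, empty
    arguments, first timestamp seen, and names missing from files_on_disk."""
    calls = Counter()
    names = {}
    empty_args = 0
    first_seen = None
    for fn, arg, ts in parse_log(text):
        calls[fn] += 1
        if ts and first_seen is None:
            first_seen = ts
        if not arg:
            empty_args += 1
            continue
        names.setdefault(fn, Counter())[arg] += 1
    requested = {n for c in names.values() for n in c}
    missing = sorted(requested - files_on_disk) if files_on_disk is not None else []
    return {
        "calls": dict(calls),
        "names": {fn: dict(c) for fn, c in names.items()},
        "empty_args": empty_args,
        "first_seen": first_seen,
        "missing": missing,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, FILES_ON_DISK)
    for fn, count in summary["calls"].items():
        print(f"{fn}: {count} calls, first at {summary['first_seen']}")
        for name, n in sorted(summary["names"].get(fn, {}).items()):
            print(f"  {name} x{n}")
    print(f"calls with empty argument: {summary['empty_args']}")
    print(f"requested but not on disk: {summary['missing']}")
```

Pipe a saved ApiHook console log into summarize() with a real directory listing in place of FILES_ON_DISK and the "missing" list gives you the fallback or probe file names an engine tries before settling on what exists, which is exactly the kind of initial call point the post recommends the tool for when approaching a new engine.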
