Calling API Hookeds Problem

Issues related to VMProtect
fuzzing
Posts: 19
Joined: Fri Aug 07, 2020 2:33 am

Calling API Hookeds Problem

Post by fuzzing »

After protecting a file (an .EXE in this case), the .EXE calls MessageBoxA, and that API can be hooked to log or alter its params.
Is there any chance to make an API wrapper in VMProtect to avoid calling the original hooked API?
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

For MessageBox you can use the same trick as VMProtect.
A simple example:

Code:

#include <windows.h>
#include <winternl.h>

#pragma comment(lib, "ntdll.lib")

// Native hard-error API: exported by ntdll.dll but not declared in the public headers.
extern "C" NTSTATUS NTAPI ZwRaiseHardError(LONG ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask,
    PULONG_PTR Parameters, ULONG ValidResponseOptions, PULONG Response);

int main()
{
    UNICODE_STRING msgBody;
    UNICODE_STRING msgCaption;

    ULONG ErrorResponse;

    // UNICODE_STRING lengths are in bytes and exclude the terminating null.
    const wchar_t cBody[] = L"Some message";
    msgBody.Length = sizeof(cBody) - sizeof(wchar_t);
    msgBody.MaximumLength = msgBody.Length;
    msgBody.Buffer = (wchar_t*)cBody;

    const wchar_t cCaption[] = L"Caption";
    msgCaption.Length = sizeof(cCaption) - sizeof(wchar_t);
    msgCaption.MaximumLength = msgCaption.Length;
    msgCaption.Buffer = (wchar_t*)cCaption;

    // Mask 3 (binary 011) tells the receiver that entries 0 and 1 are UNICODE_STRING pointers.
    const ULONG_PTR msgParams[] = {
        (ULONG_PTR)&msgBody,
        (ULONG_PTR)&msgCaption,
        (ULONG_PTR)(MB_OK | MB_ICONWARNING)
    };

    // 0x50000018 = STATUS_SERVICE_NOTIFICATION | HARDERROR_OVERRIDE_ERRORMODE.
    // The dialog is displayed outside this process, so a hook on user32!MessageBoxA/W
    // installed in this process never runs.
    ZwRaiseHardError(0x50000018L, 0x00000003L, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse);
    return 0;
}
Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.
Last edited by Catharsis on Sun Feb 12, 2023 1:15 pm, edited 2 times in total.
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

This example can be improved by performing a manual map for ntdll
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg

Re: Calling API Hookeds Problem

Post by Admin »

Catharsis wrote: Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.
Because your msgParams has the wrong structure. It must have 4 parameters (the last parameter specifies the timeout, and usually it equals INFINITE):
    const ULONG_PTR msgParams[] = {
        (ULONG_PTR)&msgBody,
        (ULONG_PTR)&msgCaption,
        (ULONG_PTR)(MB_OK | MB_ICONWARNING),
        INFINITE
    };
    ZwRaiseHardError(0x50000018L, 4, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse); // 0x50000018L = STATUS_SERVICE_NOTIFICATION | HARDERROR_OVERRIDE_ERRORMODE
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

You may be right about the number of parameters, since the code is not mine but was taken from one of the forums, but it also works with 3 parameters (apparently by a lucky coincidence).
By the rare condition I meant the ACL configuration for the process. The window is displayed, but it is empty (without the required text).
If needed, I can report it in a separate thread with a demo to reproduce the problem.
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg

Re: Calling API Hookeds Problem

Post by Admin »

"Without the required text" is most likely a problem with the UNICODE_STRING initialization, or with the argument array (for example, the array itself is not aligned to a 4/8 byte boundary).

Code:

__forceinline void InitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
{
	if (SourceString)
		DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(UNICODE_NULL);
	else
		DestinationString->MaximumLength = DestinationString->Length = 0;

	DestinationString->Buffer = (PWCH)SourceString;
}
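Putting the two corrections from this thread together (four parameters with an INFINITE timeout, and a UNICODE_STRING initializer with the RtlInitUnicodeString semantics), here is a complete version of the call as an added example. It is my code, not code from the thread or from VMProtect. The parameter array is built in a separate helper so its layout can be checked independently of the syscall; the typedefs under the #else branch are assumed stand-ins for non-Windows builds, and the actual ZwRaiseHardError call only compiles and runs on Windows.

```cpp
#include <cstdint>
#include <cwchar>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
// Exported by ntdll.dll but absent from the public headers.
extern "C" NTSTATUS NTAPI ZwRaiseHardError(NTSTATUS ErrorStatus, ULONG NumberOfParameters,
    ULONG UnicodeStringParameterMask, PULONG_PTR Parameters,
    ULONG ValidResponseOptions, PULONG Response);
#else
// Assumption: minimal stand-ins with the same layout as the SDK types, so that the
// parameter-building code compiles and can be checked on a non-Windows host.
typedef std::uint16_t USHORT;
typedef std::uint32_t ULONG;
typedef std::uintptr_t ULONG_PTR;
typedef wchar_t WCHAR, *PWCH;
struct UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWCH Buffer; };
#define MB_OK          0x00000000L
#define MB_ICONWARNING 0x00000030L
#define INFINITE       0xFFFFFFFF
#endif

// STATUS_SERVICE_NOTIFICATION | HARDERROR_OVERRIDE_ERRORMODE (values from ntstatus.h).
const ULONG kServiceNotification = 0x40000018UL | 0x10000000UL;   // == 0x50000018
// The service-notification hard error carries exactly four parameters.
const ULONG kServiceNotificationParamCount = 4;

// Same semantics as RtlInitUnicodeString: Length is in bytes and excludes the
// terminating null; MaximumLength includes it. Buffer aliases the caller's string.
void InitUnicodeString(UNICODE_STRING* dst, const WCHAR* src)
{
    if (src) {
        dst->Length = (USHORT)(std::wcslen(src) * sizeof(WCHAR));
        dst->MaximumLength = (USHORT)(dst->Length + sizeof(WCHAR));
    } else {
        dst->Length = dst->MaximumLength = 0;
    }
    dst->Buffer = (PWCH)src;
}

// Fills the four-entry array: [0] message text, [1] caption (both UNICODE_STRING*),
// [2] MB_* style flags, [3] timeout in milliseconds (INFINITE = wait for the user).
// Returns the UnicodeStringParameterMask: bits 0 and 1 mark [0] and [1] as strings.
ULONG FillServiceNotificationParams(ULONG_PTR out[4], const UNICODE_STRING* body,
                                    const UNICODE_STRING* caption, ULONG style, ULONG timeoutMs)
{
    out[0] = (ULONG_PTR)body;
    out[1] = (ULONG_PTR)caption;
    out[2] = (ULONG_PTR)style;
    out[3] = (ULONG_PTR)timeoutMs;
    return 3;
}

// Shows the message box through the hard-error path, bypassing user32!MessageBox in this
// process. Returns true if the call succeeded (Windows only); elsewhere it only builds the
// parameters and returns false.
bool ShowServiceNotification(const WCHAR* text, const WCHAR* title, ULONG style,
                             ULONG timeoutMs, ULONG* response)
{
    UNICODE_STRING body, caption;
    InitUnicodeString(&body, text);
    InitUnicodeString(&caption, title);

    // Keep the array pointer-aligned: the receiver reads it as ULONG_PTR slots.
    alignas(sizeof(ULONG_PTR)) ULONG_PTR params[kServiceNotificationParamCount];
    ULONG mask = FillServiceNotificationParams(params, &body, &caption, style, timeoutMs);

#ifdef _WIN32
    // ValidResponseOptions left at 0 as in the thread's example.
    NTSTATUS st = ZwRaiseHardError((NTSTATUS)kServiceNotification, kServiceNotificationParamCount,
                                   mask, params, 0, response);
    return st >= 0;   // NT_SUCCESS
#else
    (void)mask; (void)response;
    return false;
#endif
}

int main()
{
    ULONG response = 0;
    ShowServiceNotification(L"Some message", L"Caption", MB_OK | MB_ICONWARNING, INFINITE, &response);
    return 0;
}
```

Passing only three entries leaves the timeout slot undefined from the receiver's point of view, which fits the "works by luck" report earlier in the thread; the four-entry form removes that dependence on whatever happens to follow the array in memory.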
fuzzing
Posts: 19
Joined: Fri Aug 07, 2020 2:33 am

Re: Calling API Hookeds Problem

Post by fuzzing »

MessageBox was just an example; what can we do with other APIs?
Can VMP add API wrapping?
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

Admin wrote: "Without the required text" is most likely a problem with the UNICODE_STRING initialization, or with the argument array (for example, the array itself is not aligned to a 4/8 byte boundary).
This problem is also relevant to the implementation in VMP. I sent a report to info@vmpsoft.com with a description and files for demonstration (email subject: "ZwRaiseHardError bug").
fuzzing
Posts: 19
Joined: Fri Aug 07, 2020 2:33 am

Re: Calling API Hookeds Problem

Post by fuzzing »

Any news or plans?
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg

Re: Calling API Hookeds Problem

Post by Admin »

VMProtect doesn't protect system DLLs against hooks.
fuzzing
Posts: 19
Joined: Fri Aug 07, 2020 2:33 am

Re: Calling API Hookeds Problem

Post by fuzzing »

Admin wrote:VMProtect doesn't protect system DLLs against hooks.
Is there any chance to add an API wrapper?
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

fuzzing wrote: Is there any chance to add an API wrapper?
What prevents you from implementing a check for the most common hooks yourself?
fuzzing
Posts: 19
Joined: Fri Aug 07, 2020 2:33 am

Re: Calling API Hookeds Problem

Post by fuzzing »

Catharsis wrote:
fuzzing wrote: Is there any chance to add an API wrapper?
What prevents you from implementing a check for the most common hooks yourself?
Because there are too many ways to hook an API.
Checking for 0xE9 or things like that can be bypassed just by changing the instruction hooking method.
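As an added illustration of what a prologue-byte check catches and what it misses, here is a small inspector in C++. It is my code, not code from the thread or from VMProtect. It runs over constructed byte strings embedded below; the sample sequences are assumed examples of typical x64 syscall-stub and detour layouts, not bytes captured from any real module.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#ifdef _WIN32
#include <windows.h>
#include <cstdio>
#endif

// Detour patterns commonly written over the first bytes of an exported function.
enum class HookKind { None, JmpRel32, JmpAbsIndirect, MovRaxJmpRax, PushRet, Int3OrHlt };

// Classify the first `n` bytes at `p`. This is a cheap sanity check, not proof of absence:
// a detour placed a few instructions deeper, or a hook that rewrites the IAT/EAT instead
// of the code, passes it unnoticed.
HookKind InspectPrologue(const std::uint8_t* p, std::size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HookKind::JmpRel32;                      // jmp rel32
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HookKind::JmpAbsIndirect; // jmp [rip+disp32]
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
        p[10] == 0xFF && p[11] == 0xE0) return HookKind::MovRaxJmpRax;         // mov rax, imm64 ; jmp rax
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HookKind::PushRet;       // push imm32 ; ret
    if (n >= 1 && (p[0] == 0xCC || p[0] == 0xF4)) return HookKind::Int3OrHlt;   // int3 / hlt trap
    return HookKind::None;
}

// Byte-for-byte comparison against a known-good copy (for example read from the module's
// on-disk image). Any difference counts, so it also catches layouts the table above lacks.
bool PrologueMatchesReference(const std::uint8_t* live, const std::uint8_t* reference, std::size_t n)
{
    return std::memcmp(live, reference, n) == 0;
}

// Combined verdict: pattern scan, plus reference comparison when a clean copy is available.
bool LooksHooked(const std::uint8_t* live, std::size_t n, const std::uint8_t* reference)
{
    return InspectPrologue(live, n) != HookKind::None ||
           (reference != nullptr && !PrologueMatchesReference(live, reference, n));
}

// --- Constructed samples (assumed layouts, not captured from real binaries) ---
// Clean x64 stub: mov r10, rcx ; mov eax, 0x18 ; syscall ; ret
const std::uint8_t kCleanStub[]    = { 0x4C,0x8B,0xD1, 0xB8,0x18,0x00,0x00,0x00, 0x0F,0x05, 0xC3 };
// Same stub with a 5-byte jmp rel32 written over its first instructions.
const std::uint8_t kJmpRel32Stub[] = { 0xE9,0x00,0x10,0x00,0x00, 0x00,0x00,0x00, 0x0F,0x05, 0xC3 };
// 12-byte absolute detour (mov rax, imm64 ; jmp rax): a 0xE9-only check misses it.
const std::uint8_t kMovRaxStub[]   = { 0x48,0xB8, 0,0,0,0,0,0,0,0, 0xFF,0xE0 };
// Detour placed after the first instruction: the pattern scan only sees "mov r10, rcx".
const std::uint8_t kDeepHookStub[] = { 0x4C,0x8B,0xD1, 0xE9,0x00,0x10,0x00,0x00, 0x0F,0x05, 0xC3 };

#ifdef _WIN32
int main()
{
    // Inspect a live export; the reference copy would normally come from a freshly mapped ntdll.dll.
    const std::uint8_t* live = (const std::uint8_t*)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtRaiseHardError");
    std::printf("NtRaiseHardError prologue kind: %d\n", live ? (int)InspectPrologue(live, 16) : -1);
    return 0;
}
#endif
```

The pattern table is the part an attacker defeats by changing the hooking method; the reference comparison is harder to dodge but needs a trustworthy clean copy, and neither sees hooks that never touch the function body.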
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

fuzzing wrote: Because there are too many ways to hook an API.
You have now answered your own question.
fuzzing
Posts: 19
Joined: Fri Aug 07, 2020 2:33 am

Re: Calling API Hookeds Problem

Post by fuzzing »

Catharsis wrote:
fuzzing wrote: Because there are too many ways to hook an API.
You have now answered your own question.
Nope, patching the first bytes of an API can be avoided by making some type of API wrapper like Themida does, but honestly I don't like Themida, I don't use it and I will not use it; I'm on the VMProtect way, and it would be nice if it could add some kind of API wrapper too!