
Ketzer2002

Member Since 23 Mar 2012
Offline Last Active Mar 27 2012 01:16 AM

Posts I've Made

In Topic: --Game Hooking revisited--

25 March 2012 - 06:54 AM

Hi Litheon,

> "First I would try to hook dx or opengl or win32 functions and then maybe see if you can hook functions in an .exe."

That is exactly what I'm trying first, before stepping deeper into hooking. I've tried in my above example to catch the WM_DESTROY message of Notepad.exe, but without success...

Furthermore, I don't want to post the exact game title at this moment, to prevent spreading OT posts. First I want to create a step-by-step guide on how to do it with current technologies.

CodeProject and co. have many examples... I have already installed the Detours library and also have older versions of that DLL. The problem with Detours is that I have to inject this DLL with WINJECT, which is IMHO not the best way if you want to set up an easy-to-use solution for everyone. I've seen the examples of Muhammad Haggag, but that is not exactly what I call a good tutorial... On the other hand he did a very good job by writing all the needed DirectX functionality into one C++ project, but that is useless for me if I try to understand what's happening in detail...

Greetings.

In Topic: --Game Hooking revisited--

25 March 2012 - 05:09 AM

So many readings and no replies... :-)

So I'm going to post some more content to discuss.

I've created a Win32 C++ program (not that hard with VS 2010), which should inject itself into notepad.exe... but there are some problems. Maybe I can start at this point by getting some help from the code gurus.

So here it is: WinMain.cpp consists of the following relevant code:

int APIENTRY _tWinMain(HINSTANCE hInstance,
                       HINSTANCE hPrevInstance,
                       LPTSTR    lpCmdLine,
                       int       nCmdShow)
{
    DWORD dwThreadID = 0;
    // Find the Notepad main window by its title and get the thread that owns it.
    // If the window is not found, hWnd is NULL and dwThreadID stays 0.
    HWND hWnd = FindWindow(NULL, L"Unnamed - Notepad");
    dwThreadID = GetWindowThreadProcessId(hWnd, NULL);
    // Install the WH_GETMESSAGE hook on that thread (implemented in the DLL)
    fnSetMyHook(dwThreadID);
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    MSG msg;
    HACCEL hAccelTable;
    // Initialize global strings
    LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
    LoadString(hInstance, IDC_WINDOWSHOOK, szWindowClass, MAX_LOADSTRING);
    MyRegisterClass(hInstance);
    // Perform application initialization:
    if (!InitInstance(hInstance, nCmdShow))
    {
        return FALSE;
    }
    hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_WINDOWSHOOK));
    // Main message loop:
    while (GetMessage(&msg, NULL, 0, 0))
    {
        if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg))
        {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    }
    return (int) msg.wParam;
}

If I use the following code out of this:

DWORD dwThreadID = 0;
HWND hWnd = FindWindow(NULL, L"Unnamed - Notepad");
dwThreadID = GetWindowThreadProcessId(hWnd, NULL);
fnSetMyHook(dwThreadID);

dwThreadID gets a thread ID of my Notepad.exe (the title of Notepad.exe on German Windows is "Unbenannt - Editor", so I don't exactly know the title name on English Windows systems).

If I use fnSetMyHook(dwThreadID) with the right ThreadID it calls the code in my injector.cpp:

#include "stdafx.h"
#define INJECTIONDLL_API __declspec(dllexport)
#include "InjectionDLL.h"

HANDLE g_DllHandle;   // module handle of this DLL, needed by SetWindowsHookEx
HHOOK  g_hMyHook;     // handle of the installed hook, needed to unhook again

LRESULT CALLBACK fnMyCallBack(int nCode, WPARAM wParam, LPARAM lParam);

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            // Remember our own module handle for SetWindowsHookEx
            g_DllHandle = hModule;
        }
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Installs a WH_GETMESSAGE hook on the given thread; returns 1 on success, 0 on failure
INJECTIONDLL_API int fnSetMyHook(DWORD dwThreadId)
{
    int nRetVal = 1;
    g_hMyHook = SetWindowsHookEx(WH_GETMESSAGE, fnMyCallBack, (HINSTANCE)g_DllHandle, dwThreadId);
    if (!g_hMyHook)
    {
        nRetVal = 0;
    }
    return nRetVal;
}

// Hook procedure: runs in the hooked thread for every message it retrieves
LRESULT CALLBACK fnMyCallBack(int nCode, WPARAM wParam, LPARAM lParam)
{
    MSG *pmsg = (MSG*)lParam;
    static bool fDone = false;
    switch (pmsg->message)
    {
    case WM_DESTROY:
        {
            if (!fDone)
            {
                MessageBox(NULL, L"Messagebox called by target program.", L"Injected DLL", MB_OK);
                UnhookWindowsHookEx(g_hMyHook);
                fDone = true;
            }
        }
        break;
    }
    // Always pass the message on to the next hook in the chain
    return CallNextHookEx(g_hMyHook, nCode, wParam, lParam);
}

This function is called:

INJECTIONDLL_API int fnSetMyHook(DWORD dwThreadId)
{
    int nRetVal = 1;
    g_hMyHook = SetWindowsHookEx(WH_GETMESSAGE, fnMyCallBack, (HINSTANCE)g_DllHandle, dwThreadId);
    if (!g_hMyHook)
    {
        nRetVal = 0;
    }
    return nRetVal;
}

but it always returns 0. Does anyone know why? Oh yes, here is the injector.h file:

#ifndef INJECTIONDLL_API
#define INJECTIONDLL_API __declspec(dllexport)
#endif
INJECTIONDLL_API int fnSetMyHook(DWORD dwThreadId);

Any help would be appreciated. Also, I don't know how to go on from there: which methods should be called in injector.cpp next if I want to catch the WM_QUIT message from Notepad.exe? And how can I use non-standard Windows API functions, like functions that are only implemented in Notepad.exe?

Anyone? Please, I really want to solve, understand and document this kind of problem.

Edit: Tools available to use: OllyDbg and Visual Studio 2010 or the Visual Studio 11 Developer Preview.
