[Preview] Out-Of-Process hooking made easy.

[bigtimt]

just a little sample code from what i'm working on, wanted to get everyones thoughts on it. In the final product the use won't even have to interact with the stack, All argument data will be marshalled and unmarshalled automatically. hope it looks nice, cept it's in vb iknoright

BIG thanks to cypher, his RTLRemoteThread bloggage inspired me to write this for some reason.

Code:

    Dim Proc As VDProcess = VDProcess.GetProcessesByProcessName("calc")(0)
    Dim WithEvents MessageBoxAHook As VDHook = Proc.CreateHook(&H77C5D681)

    Private Sub MessageBoxAHook_OnCatch(ByVal CallingThread As VoodooLib.VDThread) Handles MessageBoxAHook.OnCatch
        Dim pReturn As IntPtr = CallingThread.Stack.Pop
        Dim pText As IntPtr = Proc.Memory.AllocStringA("Test")

        CallingThread.Stack.Pop() 'don't care
        CallingThread.Stack.Pop() 'don't care
        CallingThread.Stack.Pop() 'don't care
        CallingThread.Stack.Pop() 'don't care

        CallingThread.Stack.Push(0)
        CallingThread.Stack.Push(pText)
        CallingThread.Stack.Push(pText)
        CallingThread.Stack.Push(0)
        CallingThread.Stack.Push(pReturn)

        MessageBoxAHook.Release()

        Proc.Memory.Free(pText)
    End Sub

[flukes1]

Nice work. Everyone knows VB.NET is what the pros use

Just a warning though: this is no less detectable than injection. With injection you get far more flexibility (your hook code runs inside one of the target process's threads) for no extra cost, as hooking functions with no kernel-mode protection is always detectable regardless of how you do it.

You can of course just circumvent Warden, but then you still need to consider any checks done outside of Warden.