Mad code hook Injection Driver (mchInjDrv)

Mad code hook Injection Driver 는 API 후킹을 쉽게 지원해주기 때문에 다양한 프로그램에서 이용할 수 있다.
이 드라이버는 '키로거'나 '패스워드 스틸러' 같은 스파이웨어 종류에서도 이용할 수 있는 반면에 시스템 관리 프로그램과 같이 정상적인 목적으로도 이용될 수 있다.

[ 서비스 ]
서비스 이름 : mchInjDrv

[ 내부 문자열 ]
00004022   00404C22      0   madTypes
000040B7   00404CB7      0   MadException
000056BB   004062BB      0   madTools
000061C8   00406DC8      0    madDisAsm
00008ED0   00409AD0      0    madRemote
0000C1D6   0040CDD6      0   madCodeHook
0000DC18   0040E818      0    TCodeHook
000111D8   00411DD8      0   forbiddenAPIsMutex
000111EC   00411DEC      0   madCodeHook warning...
0001120C   00411E0C      0   You've tried to hook one of the following APIs:
00011264   00411E64      0   These APIs are usually hooked in order to hide a
000112A0   00411EA0      0   process. Of course madCodeHook can do that just
000112DC   00411EDC      0   fine. But I don't want virus/trojan writers to misuse
0001131C   00411F1C      0   madCodeHook for illegal purposes. So I've decided
00011358   00411F58      0   to not allow these APIs to be hooked.
00011388   00411F88      0   If you absolutely have to hook these APIs, and if
000113C4   00411FC4      0   you have a commercial madCodeHook license, you
000113FC   00411FFC      0   may contact me.
0001820C   00418E0C      0   iexplore.exe
0001821C   00418E1C      0   msapp.exe
0001833C   00418F3C      0   Settings\{B01BDE43-7063-4CF8-A2F5-4D2511400487}
000184F0   004190F0      0   Settings\{B01BDE43-7063-4CF8-A2F5-4D2511400487}
00018708   00419308      0   {B01BDE43-7063-4CF8-A2F5-4D2511400487}
00018738   00419338      0   Generic Host Process
00018844   00419444      0   {B01BDE43-7063-4CF8-A2F5-4D2511400487}
0001C4D5   004200D5      0   amadDisAsm
0001C512   00420112      0   madTools
0001C528   00420128      0   madStrings
0001C535   00420135      0   madRemote
0001C541   00420141      0   madCodeHook
000183F0   00418FF0      0   Settings\{B01BDE43-7063-4CF8-A2F5-4D2511400487}
000185C0   004191C0      0   Settings\{B01BDE43-7063-4CF8-A2F5-4D2511400487}
0001897C   0041957C      0   {B01BDE43-7063-4CF8-A2F5-4D2511400487}


[ Export 함수 내용 ]
0001B046   0041D046      0   instalation
0001B052   0041D052      0   uninstalation


[ 참고 : http://help.madshi.net/ApiCodeHooking.htm ]

Use "HookCode/HookAPI" to hook any function or API. Both your callback function and the next hook variable must have exactly the same definition (parameters + calling convention). Please use "HookAPI" as much as you can. "HookCode" is only meant for situations where "HookAPI" can't be used. Normally when calling HookCode/API you don't need to put anything into the "flags" parameter. However, in some specific situations the flags may be useful. So here's what they mean:

SYSTEM_WIDE_9X: Generally the hook takes effect only in the current process, except if you signal this flag. However, as the name already implies, this flag works in win9x only and even there only for system APIs. If you're interested in this topic, please read also this one.

ACCEPT_UNKNOWN_TARGETS_9X: This flag is only valid in combination with SYSTEM_WIDE_9X. It means that installation of the hook shall succeed even if your callback function contains unknown call/jmp targets. See the documentation of CopyFunction for more information.

NO_SAFE_UNHOOKING: By default madCodeHook counts how many times any thread is currently running inside of your callback function. This way unhooking can be safely synchronized with that counter. Sometimes you don't need/want this counting to happen, though, e.g. if you don't plan to ever unhook, anyway. Or if the counting performance drop is too high for your taste. Or if you want to unhook from inside the hook callback function. In those cases you can set the flag "NO_SAFE_UNHOOKING".

NO_IMPROVED_SAFE_UNHOOKING: With madCodeHook version 2.1f the "safe unhooking" functionality (see above) was improved. Most probably there's no problem with the improvement, but to be sure you can disable it. The improved safe unhooking is currently only available in the NT family.

SAFE_HOOKING: Optionally madCodeHook can use a special technique to make sure that hooking in multi threaded situations won't result in crashing threads. This technique is not tested too well right now, so it's optional for now. You can turn this feature on by setting the flag "SAFE_HOOKING". Without this technique crashes can happen, if a thread is calling the API which we want to hook in exactly the moment when the hook is installed. Safe hooking is currently only available in the NT family.

MIXTURE_MODE: madCodeHook implements two different API hooking methods. The "mixture mode" is the second best method, it's only used if the main hooking method doesn't work for whatever reason (e.g. because of a "bad" API code structure). Normally madCodeHook chooses automatically which mode to use. You can force the use of the mixture mode by specifying this flag. Normally there's no need to do so, though.

NO_MIXTURE_MODE: If you don't want the mixture mode to be used, then simply tell madCodeHook so by using this flag. If the main API hooking method can't be used, this results in a failed hook attempt, though.

One thing you should know is that madCodeHook API hooks can be successfully installed even if the DLL which exports the to-be-hooked API is not loaded yet in the current process. For each API hook madCodeHook watches over DLL loading/unloading and installs/uninstalls its API hooks automatically at the right time. Can you have it any more comfortable?

function HookCode (code         : pointer;                    callbackFunc : pointer;                    out nextHook : pointer;                    flags        : dword = 0) : bool; stdcall; function HookAPI  (module, api  : pchar;                    callbackFunc : pointer;                    out nextHook : pointer;                    flags        : dword = 0) : bool; stdcall; // Example: var ExitProcessNext : procedure (exitCode: dword); stdcall; procedure ExitProcessCallback(exitCode: dword); stdcall; begin   // okay, this doesn't make much sense, but who cares...  :-)   ExitProcessNext(exitCode + 1); end; HookAPI('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext);

If you're done with hooking, you can uninstall the hooks again. Process wide hooks are uninstalled automatically, when your DLL is unloaded or when your process exits. System wide hooks (only available in win9x) keep installed, if you don't manually uninstall them. Uninstalling is normally (if you didn't specify DONT_COUNT when hooking) delayed until the hook callback function is not in use by any thread anymore. This avoids crashes when a hook DLL is being uninjected.

function UnhookCode (var nextHook: pointer) : boolean; function UnhookAPI  (var nextHook: pointer) : boolean; // Example: UnhookAPI(@ExitProcessNext);

Some firewall/antivirus programs install API hooks, too. Sometimes they uninstall your hooks. So if you hook often hooked APIs like CreateProcess, you might want to call RenewHook inside of your hook callback function (after you called the next hook), to make sure that your hook is still installed. Don't have fear, it rarely happens that another program is uninstalling your hooks. And if it happens, it only happens for such APIs, which are hooked very often. So normally you don't need to care. RenewHook is only there just in case...

function RenewHook (var nextHook: pointer) : bool; stdcall;

When unhooking an API madCodeHook (normally) waits until the hook is not in use anymore. Only then the API is unhooked. This is what I call "safe unhooking". It makes sure that there are no access violations when a hook dll gets unloaded. However, if safe unhooking constantly thinks that an API hook is still in use, this will freeze the unhooking and thus also the unloading of the hook dll. In order to be able to debug such situations you can call "IsHookInUse" to ask whether safe unhooking thinks that the hook is still in use or not. The returned number indicates how often the hook is still in use. "0" means the hook is not in use anymore.

function IsHookInUse (var nextHook: pointer) : integer; stdcall;

Sometimes when hooking a lot of APIs with the "mixture mode" in win9x, the installation of all the hooks can take some time. To speed things up a bit, you can put your HookAPI calls into a "CollectHooks".."FlushHooks" frame:

procedure CollectHooks; procedure   FlushHooks; // Example: procedure InstallTextOutHooks; begin   CollectHooks;   HookAPI('gdi32.dll',    'TextOutA',    @TextOutACallbackProc,    @TextOutANextHook);   HookAPI('gdi32.dll',    'TextOutW',    @TextOutWCallbackProc,    @TextOutWNextHook);   HookAPI('gdi32.dll', 'ExtTextOutA', @ExtTextOutACallbackProc, @ExtTextOutANextHook);   HookAPI('gdi32.dll', 'ExtTextOutW', @ExtTextOutWCallbackProc, @ExtTextOutWNextHook);   FlushHooks; end;

In case you've not read enough yet, you can also have a look at the "ProcessFunc" Example or at the "ProcessAPI" Example.