An in-depth implementation of Windows API interception without library

Prof Sunitha Landge, Saintush Kumar, Ekta Kumari
Computer Department, GF's Godavari College of Engineering, Jalgaon, India
s_r_landge@rediffmail.com, saintush9x@gmail.com, ekta55@yahoo.co.in
9860396142
Abstract—This paper is about Windows Application Programming Interface (API) interception. An API is a set of routines, protocols, and tools for building software applications. A special form of hooking intercepts the function calls made by a process. Function hooking is implemented by changing the very first few code instructions of the target function so that it jumps to a modified function. 32-bit API functions are intercepted before they are called and their behaviour is modified in some way, either by redirecting the call to a function of our choice, or stopping the function from being called, or logging the request; the possibilities are endless. This is useful in cracking software and modifying software. There are pre-built Microsoft libraries to intercept Windows APIs, but most of these approaches are rather complex. We have implemented API interception without any library in a simple way. API interception is the first task performed by a programmer or reverser to hack Windows or monitor activity.

Keywords-interception, dynamic link library, API, hooking, ollydbg

I. INTRODUCTION

Windows programming is based on the Win API (Windows API). An application programming interface (API) is a set of routines, protocols, and tools for building software applications.

Whenever a program is run under the Windows operating system, the program calls API functions already defined in dynamic link library (DLL) modules like Kernel32, Gdi32, and User32. Many of the functions exported from kernel32.dll are nothing more than control transfer routines to the stubs located in ntdll. For example, when a Windows application issues a call to CreateFile located in kernel32.dll, the call is redirected to NtCreateFile, which passes it on to NT's kernel for further processing.

In this paper we discuss how an API function can be intercepted by redirecting it to our own modified function, and then performing the necessary operations to modify our program or any third-party program in our own way. We present an in-depth analysis to understand the basics of API interception and its various uses.

II. ANALYSIS AND IMPLEMENTATION

In this section we discuss the following questions in detail:
1. What is API interception?
2. What is the need of API interception?
3. How to achieve it without using a library?
4. How to use this concept in any program?

API interception is the process by which we can monitor the required API for our own use, and thus it becomes very easy to monitor the API.

Microsoft uses this concept for various purposes. There is a sequence of five NOP bytes before every API. Whenever a program is loaded in memory, we can monitor its API calling sequence and modify the running process according to our needs. But how? Using pointers and assignment in VC++ we can modify the running process very easily without any library.

As the program's control flows instruction by instruction, we have to intercept the flow of instructions when it reaches a Windows API. Our logic is to modify the process by redirecting the flow to another, modified function instead of the API, perform whatever operation is appropriate, and then return to the normal flow again.

Figure 1: Normal Opcode Sequence In Memory Before API Function
When a program is loaded in memory, its layout looks like Figure 1 before every API call. A sequence of five nop (no operation) instructions is present, followed by mov edi, edi, push ebp and mov ebp, esp. We can analyze the opcodes in OllyDbg.

We will exploit these instructions for API interception. The first nop will be overwritten by a long jump, opcode 0xE9. The other four bytes will be replaced by the address of the modified function. The modified function is our function, to which we want to jump instead of the API function. Before making any changes in memory we have to change the access protection on the region of committed pages in the virtual address space of the calling process.

Figure 3: Before Interception the Byte Sequences Were Like This, with Mov Edi, Edi as the API Function Entry Point.

The function entry point is mov edi, edi, which is equivalent to a nop since edi is moved into edi. So this instruction can be used for a short jump to the first nop. Replacing mov edi, edi with 0xF9EB yields a short jump.

    *pJumpBack = 0xF9EB;

Figure 2: Shows Overwritten Bytes With A Long Jmp And Four Byte Address.

The VirtualProtect function changes the access protection on a region with the permission PAGE_EXECUTE_WRITECOPY; this enables execute, read, and write access to the committed region of pages. The pages are shared read-on-write and copy-on-write.

If we want to intercept the MessageBox function, the address of the function is stored in pointer variables like OldProcedure and pJumpBack.

    WORD* pJumpBack = (WORD*) OldProcedure;

The other variable, which points to the modified function, is NewProcedure. NewProcedure holds the address of our modified function, e.g. ourMessageBox. Now subtract five bytes from the address of MessageBox; then we get the address of the first nop.

    BYTE* pLongJump = ((BYTE*) OldProcedure - 5);

Now assign jmp to this address.

    *pLongJump = 0xE9;

The remaining four bytes will contain the address of NewProcedure, stored through pLongJumpAdr (the four bytes immediately after the jmp opcode).

    DWORD* pLongJumpAdr = (DWORD*) (pLongJump + 1);
    *pLongJumpAdr = ((DWORD) NewProcedure) - ((DWORD) OldProcedure);

Figure 4: API Interception Is Achieved

Since Intel processors work on the principle of little endian, the sequence 0xEBF9 in the diagram appears with its bytes swapped. Thus API interception can be done in a simple way without involving a complex library in your project.

The above method can be used by a developer in his program directly or can be used to modify third-party software. There are three methods to use the above concept in a project.
(1) Use it directly in your code (the program the programmer has written).
(2) Use it in a dynamic link library and then load it through LoadLibrary. The LoadLibrary function maps the specified executable module into the address space of the calling process.
(3) Use it in a dynamic link library and directly inject the dynamic link library into the process.
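As an added example that is not part of the paper, the following C program emulates the byte writes described above on a constructed in-memory buffer instead of live process memory (so no VirtualProtect call is involved), and adds the integrity check a defender would run over a hot-patchable prologue: telling a clean mov edi, edi entry from a hooked one, and recovering where the hook transfers control from the little-endian rel32 in the pad. The function names (rel32_for, rel8_back_to_pad, prologue_state, hook_target, apply_hotpatch) and the addresses 0x77D5058A and 0x00401000 are assumptions for the demonstration; the byte values are the x86 encodings named in the text.

```c
/* Added example (not the paper's code): the paper's hot-patch writes,
 * emulated on a constructed buffer, plus a defender-side prologue check.
 * Addresses are 32-bit (the paper's DWORD); the buffer stands in for the
 * process memory at those addresses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN 5        /* five NOPs in front of the entry point */
#define SHORT_JMP_LEN 2  /* EB rel8, written over mov edi,edi     */

/* Constructed sample of the Figure 1 layout: pad, then the entry point. */
static const uint8_t clean_prologue[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, /* nop x5 (patch pad)         */
    0x8B, 0xFF,                   /* mov edi, edi (entry point) */
    0x55,                         /* push ebp                   */
    0x8B, 0xEC                    /* mov ebp, esp               */
};

enum { PROLOGUE_CLEAN = 0, PROLOGUE_HOTPATCHED = 1, PROLOGUE_UNEXPECTED = 2 };

/* rel32 of the 5-byte jmp placed at entry_va - 5. A jmp is relative to the
 * address after it, which is entry_va itself, so the operand is
 * NewProcedure - OldProcedure exactly as the paper writes it. */
uint32_t rel32_for(uint32_t entry_va, uint32_t hook_va) {
    return hook_va - entry_va;           /* wraps mod 2^32 for backward jumps */
}

/* rel8 of the short jmp at entry_va: from entry_va + 2 back to entry_va - 5
 * is -7, which encodes as 0xF9 (the F9 in the paper's 0xF9EB). */
uint8_t rel8_back_to_pad(void) {
    return (uint8_t)(int8_t)(-(PAD_LEN + SHORT_JMP_LEN));
}

/* Defender check: `entry` points at the byte that should hold mov edi,edi,
 * with PAD_LEN bytes of pad before it in the same buffer. */
int prologue_state(const uint8_t *entry) {
    if (entry[0] == 0x8B && entry[1] == 0xFF)
        return PROLOGUE_CLEAN;
    if (entry[0] == 0xEB && entry[1] == rel8_back_to_pad() && entry[-PAD_LEN] == 0xE9)
        return PROLOGUE_HOTPATCHED;
    return PROLOGUE_UNEXPECTED;          /* some other modification: investigate */
}

/* Where a hot-patch hook transfers control: read the little-endian rel32
 * after the E9 and add it to entry_va (the address following the jmp). */
uint32_t hook_target(const uint8_t *entry, uint32_t entry_va) {
    const uint8_t *p = entry - PAD_LEN + 1;
    uint32_t rel = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                   ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return entry_va + rel;
}

/* The paper's write sequence on the buffer. Refuses to touch a prologue
 * that is not a clean five-NOP pad followed by mov edi,edi. */
int apply_hotpatch(uint8_t *entry, uint32_t entry_va, uint32_t hook_va) {
    static const uint8_t nops[PAD_LEN] = {0x90, 0x90, 0x90, 0x90, 0x90};
    uint8_t *pad = entry - PAD_LEN;
    uint32_t rel;
    if (memcmp(pad, nops, PAD_LEN) != 0 || prologue_state(entry) != PROLOGUE_CLEAN)
        return -1;
    rel = rel32_for(entry_va, hook_va);
    pad[0] = 0xE9;                       /* *pLongJump = 0xE9                   */
    pad[1] = (uint8_t)rel;               /* *pLongJumpAdr = rel, low byte first */
    pad[2] = (uint8_t)(rel >> 8);
    pad[3] = (uint8_t)(rel >> 16);
    pad[4] = (uint8_t)(rel >> 24);
    entry[0] = 0xEB;                     /* *pJumpBack = 0xF9EB lands as EB F9  */
    entry[1] = rel8_back_to_pad();
    return 0;
}

/* Patch a fresh copy of the sample and report the resulting state, or the
 * recovered target, so the round trip can be checked without a live process. */
int roundtrip_state(uint32_t entry_va, uint32_t hook_va) {
    uint8_t mem[sizeof clean_prologue];
    memcpy(mem, clean_prologue, sizeof mem);
    apply_hotpatch(mem + PAD_LEN, entry_va, hook_va);
    return prologue_state(mem + PAD_LEN);
}

uint32_t roundtrip_target(uint32_t entry_va, uint32_t hook_va) {
    uint8_t mem[sizeof clean_prologue];
    memcpy(mem, clean_prologue, sizeof mem);
    apply_hotpatch(mem + PAD_LEN, entry_va, hook_va);
    return hook_target(mem + PAD_LEN, entry_va);
}

int main(void) {
    /* Constructed addresses for the entry point and for ourMessageBox. */
    uint32_t entry_va = 0x77D5058Au, hook_va = 0x00401000u;
    uint8_t mem[sizeof clean_prologue];
    size_t i;
    memcpy(mem, clean_prologue, sizeof mem);
    printf("before: state %d\n", prologue_state(mem + PAD_LEN));
    apply_hotpatch(mem + PAD_LEN, entry_va, hook_va);
    printf("after:  state %d, hook target 0x%08X\n",
           prologue_state(mem + PAD_LEN), (unsigned)hook_target(mem + PAD_LEN, entry_va));
    for (i = 0; i < sizeof mem; i++) printf("%02X ", mem[i]);
    printf("\n");
    return 0;
}
```

The dump after patching starts with E9 followed by the four rel32 bytes low byte first, then EB F9, which is the byte order Figure 4 shows; a scanner that walks exported entry points and calls prologue_state on each finds hooked functions and hook_target tells it where they go.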
III. THE DLL'S DLLMAIN CALLBACK FUNCTION

DllMain is an optional entry point into a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL using the first thread of the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions.

The reason code indicates why the DLL entry-point function is being called. This parameter can be one of the following values.

TABLE I. DLL REASON CODE

Value: DLL_PROCESS_ATTACH
Meaning: The DLL is being loaded into the virtual address space of the current process as a result of the process starting up or as a result of a call to LoadLibrary. DLLs can use this opportunity to initialize any instance data or to use the TlsAlloc function to allocate a thread local storage (TLS) index.

Value: DLL_PROCESS_DETACH
Meaning: The DLL is being unloaded from the virtual address space of the calling process because it was loaded unsuccessfully or the reference count has reached zero (the process has either terminated or called FreeLibrary one time for each time it called LoadLibrary).

Value: DLL_THREAD_ATTACH
Meaning: The current process is creating a new thread. When this occurs, the system calls the entry-point function of all DLLs currently attached to the process. The call is made in the context of the new thread. DLLs can use this opportunity to initialize a TLS slot for the thread. A thread calling the DLL entry-point function with DLL_PROCESS_ATTACH does not call the DLL entry-point function with DLL_THREAD_ATTACH.

Value: DLL_THREAD_DETACH
Meaning: A thread is exiting cleanly. If the DLL has stored a pointer to allocated memory in a TLS slot, it should use this opportunity to free the memory. The system calls the entry-point function of all currently loaded DLLs with this value. The call is made in the context of the exiting thread.

In Windows, API interception can be implanted and installed by accessing another process's virtual memory and executing code in a different process's context. Windows's kernel32.dll offers the API functions ReadProcessMemory and WriteProcessMemory, which let an application read and write an arbitrary process's virtual memory, and allocate new memory regions or change an already allocated region's protection using the VirtualAllocEx and VirtualProtectEx functions. It is thus possible to execute code in another process's context.

There are two ways to execute code in another process's context:
(1) Suspend one of the target application's threads, copy the to-be-executed code into the target's address space, set the suspended thread's instruction pointer to the copied code's location, and then resume the thread.
(2) Copy the to-be-executed code into the target's address space and create a new thread in the target process using the CreateRemoteThread function, with the code location as the start address.

With this method it is possible to inject and execute code in another process.

APPLICATION

With application programming interface (API) interception achieved, we can easily insert event hooks at runtime, without altering the executable on secondary memory. For example, we can insert hooks that process or modify system events and application events for dialogs, scrollbars, and menus as well as other items. It also allows a hook to insert, remove, process or modify keyboard and mouse events. We can also spy on network connections or generate a log for every API intercepted.

FUTURE ENHANCEMENT

Our future work includes capturing API sequences generated by malware. We will profile those sequences and utilize the profile in our malware detection engine. We will build our own matching algorithm and compare its performance against existing similar ones.
CONCLUSION

Having implemented this theory successfully, we have presented a technique for API interception in an efficient way. We conducted experiments into the performance of this technique. Our objective was to understand and implement the above methods on a plain computer. Results suggest that optimized API interception does not impose much burden on the performance of a computer. We conclude that optimized API interception can be used to filter out the parameter values of an API and can change the parameters, or use the parameter values for our newly planned software, in the way we want.