So in this video, we'll be taking a look at simple API hooking in C#. So this is the function we have. Let's say this one is the normal function, and every function starts with this function prologue. So this is the prologue: saving the EBP register and then setting up the stack frame. So we are pushing the previous function's base pointer onto the stack and then copying the ESP value into the EBP, so that EBP points to this latest value on the stack, and ESP is also related to the stack. Now the stack gets increased. So this is the basic function prologue that happens on the stack whenever a new function is about to be called. So this occupies five bytes. Now what we're going to do is overwrite these bytes with a jump instruction. So, with a jump instruction to my custom function. And this custom function is called HookedFunction. So in this custom function, we will be calculating the offset between these two function addresses, and then we are going to jump with this offset, and then the program execution goes to this function. Now the program starts executing here. Now we are going to rewrite these bytes back to this function. So we will be saving these bytes in an array.
And after the program execution got into this HookedFunction, we will then immediately write these bytes back into this function so that this function will be a valid one, so that these function parameters will be passed around to this function. So we can examine the function parameters and do whatever operation we want. So this is similar to backdooring executables, where we rewrite the entry point to the code and then save the registers and execute the shellcode, then pop back the registers and then jump back to this instruction or the original entry point. So that is what we do; we have seen it in backdooring executables. This is also similar to that, except instead of saving the general-purpose registers and EFLAGS, we will be saving these five bytes in an array, and then we will write the opcode with this offset. So whenever the function is called, the program execution goes from this point to our custom function. Here we will immediately be restoring these bytes at this address, because this function should execute normally. So all these parameters will be passed down to this function, and we can examine the parameters and do a particular operation based on those parameters. So let's see, here we are going to use the message box. So we are now on the message box.
I think we have no need of this one actually; I wrote it here just to show you the syntax. The first one is the handle, the second one is the text, then the caption and the type of the message box. So MessageBox is in user32.dll. So we need to LoadLibrary user32.dll. So after loading, we will get the user32 handle. And we are going to find the address of MessageBox here, so we can use GetProcAddress with the user32 handle and MessageBox here. So let's call this functionAddress. So this is the actual original function address. So we have found the address of MessageBox. Now we are going to save the first five bytes of this function at this address. So let's declare a byte array, which is savedBytes = new byte[5]. Now we need to copy these five bytes: Marshal.Copy, and you can see function address, copy from that address into the destination array, savedBytes, with starting index zero from where you want to copy, and then length five. You can also put savedBytes.Length to make this flexible. So we have saved these five bytes into this one.
Now we need to find the actual address of this HookedFunction. So in C++ or in C it is very easy, but in C# we need to declare something called a delegate, so we can delegate each function pointer, similar to C and C++. So we are going to declare a delegate with a signature that exactly matches that of this MessageBox, or whatever function we want to hook. So the first one is IntPtr, string, string, int. So that is why I have shown you the syntax. So now we are going to create a function, public static, HookedFunction, and this takes exactly the same parameters. So the signatures should be the same. So now I have declared one function. That should do it. Now we need to find this is my function; I need to find the address of this, so we can say Marshal.GetFunctionPointerForDelegate. So it will get the function address for that exact delegate. And what we want is of type message box delegate, HookedFunction. So I am getting the function pointer for this HookedFunction of the type message box delegate. And in an IntPtr, we can say
hookedFunctionAddress. Now we got the HookedFunction address, and we need to subtract these two. And we need to actually subtract these two because these five bytes, these occupy five bytes. So it will be like hookedFunctionAddress minus functionAddress minus five. So from here onwards we are going to jump. So let's make another byte array, that is jump; that is also five bytes. And the first byte is E9. So that is the opcode for the jump instruction. And the next four bytes will be the offset of this operation. So let's say hookedFunctionAddress minus functionAddress minus five. So this should give me the offset. So let's say int offset. Okay, we got the offset. We need to copy these bytes into this jump, so we can do that using BitConverter.GetBytes of this offset. And we can directly copy without creating a new array. So you can use Array.Copy. This is the source array, and
the source index is zero and the destination is jump, and the destination index is one because E9 already occupies the zero index, and the length is four. So we have successfully copied this offset into this array. Now what we are going to do is write these bytes into this function address. So this is like a jump to that offset. So before that, we need to change the protection: VirtualProtect with the function address and size, five bytes, new protection 0x40, that gives read, write, execute; oldProtect is equal to zero, and we pass it with out. So we have changed the protection. Now we can copy: Marshal.Copy jump, starting index zero, and the destination is the function address, and the length is jump.Length. Now we have overwritten the stack frame prologue with this jump offset. Now whenever I call this function, the program is going to execute to this hooked function. So we can now call MessageBox here. So we have the address, so we need to Marshal.GetDelegateForFunctionPointer, function address
and typeof message box delegate. Now this gives me the delegate, so I can cast it to the message box delegate; I need to cast this explicitly. Now I can call this function. So we are just executing that function at this address with these parameters: IntPtr.Zero, and let's say "legit function". Now, whenever we call that function at this function address, the jump offset is going to execute and the program execution goes to this particular function. Now, this is our hooked function. Now we can copy back those saved bytes. So to access these variables in this, you can make them static. So right here. And the next thing we want is these bytes, so, savedBytes. So we can access them here. So let's copy back these bytes at this address: Marshal.Copy, source savedBytes, index zero, and function address, and savedBytes.Length. Now we have copied back these bytes into this address. Now we can call this function, and these parameters will be passed down to this function. So similarly,
we can copy this one and paste here. So let's go and change this to "I am from the function". Hmm. Not really legit. So let's build this. So whenever we execute this function, the jump instruction gets executed and the program jumps to this hooked function. Here we have already overwritten these bytes and the function will execute normally because we have already written those bytes. Now we are executing whatever we want. So let's run this, and we can see here it is: "I am from the function". And if I go and say... So we directly copy; we are directly putting this parameter into this function. So whatever we pass here, it will be executed as it is because it's the same parameter. So these antivirus and EDR solutions will monitor these parameters whenever there is a call to these functions. So they monitor these parameters and define whether it's malicious or not. So you can, so we can also modify this: if string.Contains... it's not null here... Contains.
So whenever, let's say, the string passed to this function contains a string like "malicious", then what we're going to do is copy this one and paste here. So let's think we are the antivirus. So whenever there is "malicious" in that string, we can say "Sorry, you are...". In the other case, what we are going to do is just pass the parameters as they are, h and l and so on. So "you are detected and you are blocked". So let's run this, and it says "I am from the legit function". Whenever there is the word "malicious", it is "You are detected, you are blocked". So this is how an API hook also looks like. So we can say it is... Now we can see "you are detected". So this is how you hook an API in C#.
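Putting the whole procedure from the video together, here is an added C# example; it is not the video author's code, and names such as functionAddress, savedBytes, HookedFunction and MessageBoxDelegate, the choice of MessageBoxA as the target export, and the detection string "malicious" are assumptions made for this demo. It assumes a 32-bit (x86) build, because the five-byte E9 jump carries a 32-bit relative offset and the EBP-based prologue described in the video is the 32-bit one. Unlike the one-shot hook in the video, this version writes the jump back after the original function returns, so every subsequent call is inspected too.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not from the video): 5-byte JMP inline hook on MessageBoxA,
// inspecting its parameters the way a user-mode EDR hook would. Build as x86.
class ApiHookDemo
{
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    static extern IntPtr LoadLibrary(string lpFileName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Same signature as MessageBoxA: HWND, LPCSTR, LPCSTR, UINT -> int (stdcall).
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi)]
    delegate int MessageBoxDelegate(IntPtr hWnd, string lpText, string lpCaption, uint uType);

    // Static so HookedFunction can reach them, as in the video.
    static IntPtr functionAddress;                 // original MessageBoxA
    static byte[] savedBytes = new byte[5];        // original prologue bytes
    static byte[] jump = new byte[5];              // E9 + rel32
    static MessageBoxDelegate hookDelegate;        // keeps the native thunk alive (GC)

    // The detour: restore the prologue, inspect parameters, call the real
    // function, then re-install the jump so the hook persists.
    static int HookedFunction(IntPtr hWnd, string lpText, string lpCaption, uint uType)
    {
        Marshal.Copy(savedBytes, 0, functionAddress, savedBytes.Length);
        var original = (MessageBoxDelegate)Marshal.GetDelegateForFunctionPointer(
            functionAddress, typeof(MessageBoxDelegate));

        // Assumed detection rule: block any text containing "malicious".
        string text = (lpText != null && lpText.Contains("malicious"))
            ? "Sorry, you are detected and blocked."
            : lpText;

        int result = original(hWnd, text, lpCaption, uType);

        Marshal.Copy(jump, 0, functionAddress, jump.Length);   // re-hook
        return result;
    }

    static void InstallHook()
    {
        IntPtr user32 = LoadLibrary("user32.dll");
        functionAddress = GetProcAddress(user32, "MessageBoxA");
        if (functionAddress == IntPtr.Zero)
            throw new InvalidOperationException("MessageBoxA not found");

        // 1. Save the first five bytes of the prologue.
        Marshal.Copy(functionAddress, savedBytes, 0, savedBytes.Length);

        // 2. Native-callable address of HookedFunction via a delegate.
        hookDelegate = HookedFunction;
        IntPtr hookedFunctionAddress = Marshal.GetFunctionPointerForDelegate(hookDelegate);

        // 3. JMP rel32 = E9 <target - (source + 5)>; must fit in 32 bits.
        long delta = hookedFunctionAddress.ToInt64() - functionAddress.ToInt64() - 5;
        if (delta > int.MaxValue || delta < int.MinValue)
            throw new InvalidOperationException("target out of rel32 range (build as x86)");
        jump[0] = 0xE9;
        Array.Copy(BitConverter.GetBytes((int)delta), 0, jump, 1, 4);

        // 4. Make the page RWX and overwrite the prologue.
        uint oldProtect;
        if (!VirtualProtect(functionAddress, new UIntPtr((uint)jump.Length), PAGE_EXECUTE_READWRITE, out oldProtect))
            throw new InvalidOperationException("VirtualProtect failed: " + Marshal.GetLastWin32Error());
        Marshal.Copy(jump, 0, functionAddress, jump.Length);
    }

    static void Main()
    {
        InstallHook();
        var msgBox = (MessageBoxDelegate)Marshal.GetDelegateForFunctionPointer(
            functionAddress, typeof(MessageBoxDelegate));

        msgBox(IntPtr.Zero, "I am from the legit function", "demo", 0);   // passes through unchanged
        msgBox(IntPtr.Zero, "this text is malicious", "demo", 0);          // text replaced by the hook
    }
}
```

From the defender's side, the same patch is what makes user-mode hooks easy to spot: the first bytes of an exported function in memory no longer match the on-disk copy of the DLL (an E9 where the prologue should be), and the jump target lies outside any loaded module's image. Inventorying hooked exports this way is a standard check in both EDR self-integrity and memory forensics.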