                             HookX
                        HookX  - [ Hook eXports ]
                        
                                        With faith in God, deroko/ARTeam
                                        

        I used this code to fix TheHyper's Unpackme 2. TheHyper allocated
memory for each DLL and copied the DLLs to the allocated regions. Each
import was redirected to those newly allocated DLLs. If we step into any
of these calls we have no idea which procedure is called (well, we can
guess by looking at what the procedure is doing, but not all of them can
be recognized like that). So I rewrote the DLL hook engine from the
Themida tutorial and came up with this code.

        DLLs are moved to new memory blocks, so a jmp __myhook would
become useless; I decided to rewrite the hooks as jmp dword ptr[hook],
which makes the redirection immune to DLL rebasing. After testing my
little code against ASPR with default import protection I saw that
jmp dword ptr[hook] wasn't a good solution: ASPR disassembles the
instructions, and if a jmp is found (short, near, dword) it traces the
jmp and continues disassembling opcodes from there. So I used
call dword ptr[hook] instead, and ASPR was nooked.

        Back to TheHyper's Unpackme #2: TheHyper asked me not to write
solutions because he is preparing UnpackMe #3 for REAIII (I have no idea
what that thingy is). OK, once injected, HookX hooked the DLLs used by
the crackme (all of them, before the entry point). So when I reached the
entry point and fixed, in the "live" process, each call __rebased_api
into call [newbase] (same as in the Themida tutorial and the Armadillo
DLL), I knew later on which API was called from the target process by
looking at my hook(s).

        Now I simply used ImportREC, chose the length of my rebased IAT,
then -> Show Invalid and Trace Level 3, and I got all imports :)


Hook looks like this:

call    dword ptr[my_hook]      ; written over the first bytes of the API

hook:
        add     esp, 4          ; nook (discard) the ret address pushed by call
        push    eax
        mov     eax, API_address ; marker: tells the reader which API this stub is for
        pop     eax             ; eax restored, the mov above has no effect on the API
        old_bytes               ; the original instructions overwritten by the call
        jmp     __next_instr_in_api ; continue in the API right after the patched bytes
my_hook dd      offset hook     ; absolute pointer, so the call survives DLL rebasing
  
etc, etc., one stub per export. For each DLL I allocate num_of_ordinals * 30 bytes.

Proto:

stdcall         hookdllexports
                arg     dllbase
                arg     VirtualAlloc
                arg     VirtualProtect

return value : none, all regs are saved/restored

Usage:
                push    virtualprotect
                push    virtualalloc
                push    dllbase
                call    hookdllexports
                ...
include         .\hookX.inc


                                 
If you trace HookX.exe in a debugger you can see how the APIs are hooked.
In this example I hook ntdll/kernel32/user32.dll, and the progy works
fine :P Also, I take care of APIs forwarded to ntdll by checking for the
NTDL signature at the entry of each API.
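As an added example (not part of HookX or deroko's code), here are the same checks HookX relies on, turned around for inspection: given the first bytes at an export's entry, recognise a forwarder by its "NTDL" prefix, a call dword ptr[hook] redirection of the kind shown above, and the jmp forms ASPR follows, reporting a hook when the final target leaves the module image. The module range, stub and slot addresses and the sample bytes are constructed values, and sample_read_ptr stands in for reading process memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes at an exported entry point turn out to be. */
typedef enum { ENTRY_CLEAN, ENTRY_FORWARDER, ENTRY_HOOK_CALL_IND, ENTRY_HOOK_JMP } entry_kind;

static uint32_t get_le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Classify the bytes read at a 32-bit export's entry. entry_va is the export's VA,
 * mod_lo..mod_hi the module image range, read_ptr returns the dword at an absolute
 * address (to follow call/jmp dword ptr [abs32]). *target receives the final target. */
entry_kind classify_export_entry(uint32_t entry_va, uint32_t mod_lo, uint32_t mod_hi,
                                 const uint8_t *b, size_t len,
                                 uint32_t (*read_ptr)(uint32_t), uint32_t *target)
{
    int is_call = 0;
    *target = 0;
    if (len >= 4 && memcmp(b, "NTDL", 4) == 0)          /* forwarder string "NTDLL.Func", not code */
        return ENTRY_FORWARDER;
    if (len >= 6 && b[0] == 0xFF && (b[1] == 0x15 || b[1] == 0x25)) {   /* call/jmp dword ptr [abs32] */
        *target = read_ptr(get_le32(b + 2));
        is_call = (b[1] == 0x15);
    } else if (len >= 5 && b[0] == 0xE9) {              /* jmp rel32 */
        *target = entry_va + 5 + get_le32(b + 1);
    } else if (len >= 2 && b[0] == 0xEB) {              /* jmp rel8 */
        *target = entry_va + 2 + (uint32_t)(int8_t)b[1];
    } else {
        return ENTRY_CLEAN;                             /* ordinary prologue such as mov edi,edi; push ebp */
    }
    if (*target >= mod_lo && *target < mod_hi)          /* stays inside the image: an internal thunk */
        return ENTRY_CLEAN;
    return is_call ? ENTRY_HOOK_CALL_IND : ENTRY_HOOK_JMP;
}

/* Constructed sample memory (made-up values): a module at 0x77000000-0x77100000, a
 * HookX-style stub at 0x00300000 and its pointer slot (my_hook) at 0x00301000. */
static const uint32_t MOD_LO = 0x77000000u, MOD_HI = 0x77100000u, STUB_VA = 0x00300000u, SLOT_VA = 0x00301000u;
static uint32_t sample_read_ptr(uint32_t va) { return va == SLOT_VA ? STUB_VA : 0; }

int main(void)
{
    uint8_t hooked[6] = { 0xFF, 0x15 }, clean[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    uint32_t stub;
    put_le32(hooked + 2, SLOT_VA);                     /* call dword ptr [SLOT_VA] over the API entry */
    printf("hooked entry: kind %d, stub %08x\n",
           classify_export_entry(MOD_LO + 0x1000, MOD_LO, MOD_HI, hooked, 6, sample_read_ptr, &stub), (unsigned)stub);
    printf("clean entry:  kind %d\n",
           classify_export_entry(MOD_LO + 0x2000, MOD_LO, MOD_HI, clean, 5, sample_read_ptr, &stub));
    return 0;
}
```

A real scan reads the export directory of each loaded module and feeds every export's entry bytes through classify_export_entry; an export whose address RVA falls inside the export directory is a forwarder even when it does not point at ntdll.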


                        
                                