Introducing Ganxo v0.1 – An open source API hooking framework

Hello,

Today I release the first Alpha version of Ganxo (pronounced as “Gun Show” or “Gan Chou”), an open source API hooking framework. In Catalan, Ganxo means “hook”, thus the framework’s name.

Writing an API hooking framework was always on my to do list. I started developing Ganxo back in April 2016 and after two weeks of development during my free time, I got busy with other things and abandoned my efforts.

My initial goals were to accomplish the following before going public with it:

  • Support x86 and x64 hooking
  • Write a more extensive test suite
  • Fully document it

This past weekend, I decided to release Ganxo even though I have not met all my goals. As of today, Ganxo works on MS Windows and supports x86 API hooking. The groundwork is laid down and it should be easy to add x64 bits hooking support on Windows or even just port it to other operating systems.

Feel free to clone the code from here and start using it today.

Stay tuned, I plan more features in the coming future!

flower separator
batchography-good-resDo you want to master Batch Files programming? Look no further, the Batchography is the right book for you.

Available in print or e-book editions from Amazon.
flower separator

You might also like:

LICEcap – Record your desktop and create animated GIFs

LICEcap, from Cockos Incorporated, is a nice and free tool that allows you to record your desktop screen activity and later save the activity as an animated GIF. This comes in handy when you are creating a small tutorial of some sort.
The nice thing about LICEcap is that it is not only free but also supports Windows and macOS.

Features and options:

  • Record directly to .GIF or .LCF.
  • Move the screen capture frame while recording.
  • Pause and restart recording, with optional inserted text messages.
  • Global hotkey (shift+space) to toggle pausing while recording
  • Adjustable maximum recording framerate, to allow throttling CPU usage.
  • Basic title frame, with or without text.
  • Record mouse button presses.
  • Display elapsed time in the recording.

You might also like:

Hiew+ – Editing process memory with Hiew hex editor

What’s is Hiew+

Hiew+ is based on the FsPlus project. FsPlus is an implementation of an idea that allows you to access non disk files as if they were disk files. Hiew+ is a real life example of FsPlus where we take Hiew (an excellent hex editor) and turn it into an excellent process editor. Each process will be viewed as a file with a size as much as SYSTEM_INFO.lpMaximumApplicationAddress returns. In theory FsPlus should work with any hex editor to provide process memory editing, but this release is just Hiew ready.

Hiew+ editing the process memory of a process being debugged by IDA Pro

Usage

To use FsPlus, you need to inject FsPlus.dll into Hiew’s process memory so that the APIs are hooked. After APIs are hooked, FsPlus will recognize and treat in a different manner any file name that has the following form: “pid|1234” where 1234 is a given PID. To make the usage even simpler, I provid a small GUI (FsPlusGui) to allow you launch Hiew conveniently.

In fact, Hiew+ can be considered as a nice addition to your reverse engineering tools arsenal (IDA Pro‘s debugger or any other debugger, etc.).

Here’s a screenshot of the FsPlusGui:

You will need to double click on a process to have Hiew or the desired process launched with FsPlus support.
Make sure you specify the settings correctly in FsPlus.ini:

[settings]
title=Hiew+ (c) lallous <lallousz-x86@yahoo.com>
hookdll=.\fsPlus.dll
launch=c:\hiew\hiew32.exe

Features

After you run it successfully, you will be able to start editing processes as if you were editing files. The catch is every process virtual address is now a physical offset in Hiew.

Modules as IMAGE_SECTION_HEADERs

For your convenience we have created additional IMAGE_SECTION_HEADER structures in the PE header of the main process, so that each loaded module is view as a PE section:

Textual information about process’ modules

In addition to viewing modules as PE sections, you will have an actual representation of all loaded modules just after the end of the PE header:

flower separator
batchography-good-resDo you want to master Batch Files programming? Look no further, the Batchography is the right book for you.

Available in print or e-book editions from Amazon.
flower separator

No Read Errors

To avoid reading errors and such, any unreadable memory page is filled with “BAD!” pattern.

Physical and Logical disk editing

This is not something added by FsPlus, rather it is a undocumented feature of Hiew32 where you can use Hiew to edit/view logical and physical disk sectors:

Conclusion

Download – Release date: late 2008

This tool has been tested with Windows Vista (32) and Windows XP SP2 and with Hiew 7.29.
Hope you find this tool useful as Hiew itself.
Note: Please don’t contact me if you run into trouble. This tool is no longer supported.

You might also like:

Batchography: Changing the MAC address on Windows – A free Batch script

batchography-good-resIn a previous post entitled “How to get unlimited free Internet at Airports“, I showed you how to circumvent the time limit imposed by the “free” Wi-Fi connections in certain airports.

For that trick to work, you were required to update the MAC address of your computer each time the free time is over.

In this blog post, I am going to share with you the ChangeMACAddressBatch script that I wrote with the help and instructions from the excellent Batchography book.

The script makes use of various recipes illustrated in the Batchography book (in Chapter 4) and uses the various Batch scripting language syntax (Chapters 1 and 2) and methodologies (Chapter 3). Therefore, I will not be explaining the script’s contents or how it works because it will become evident if you read the Batchography book.

flower separator

Get the book from Amazon:

  • Paperback editionbtn-buy-on-amazon
  • E-book editionbtn-buy-on-amazon

flower separator

How to use the script interactively

To begin with, you need to run the script with administrative privileges.

Running the script as an administrator


On Windows 8 and above, just press Win+X and choose “Command Prompt (Admin)” like this:

chg-mac-run-elevated-command-prompt

Otherwise, if you are using the Windows Explorer window, then right-click on your script and choose “Run as Administrator”:

chg-mac-run-as-admin

Starting the script

When you first run the script, you will be presented with the main menu that will show you a list of all the adapters you have on your system.

On my laptop for instance, I have 4 adapters:

  • An Ethernet adapter
  • 2 x VMWare virtual adapters
  • A Wi-Fi adapter

Using the keyboard, type the adapter number that you want to inspect and/or change its MAC address:

chg-mac-main-menu

Let’s press “4” in this case and go inside that adapter’s information screen. Continue reading

WifiPasswordReveal: A script to reveal all the saved WiFi passwords in Windows 7 and above

Hello,

The “How to show saved Windows 7 Wifi passwords” turned out to be a popular article and to make the life of my readers easier, I decided to apply a newly acquired knowledge and write a tool to make it SUPER EASY to get all the saved WiFi passwords without needing administrative privileges and without having to click through various settings dialogs.

Note: In some cases, if the script fails to run, then you may want to run the script as administrator.

Read on! Continue reading

Backup and restore NTFS files permission with the ResetPermission utility

This is a follow up article to the popular article Resetting NTFS files permission in Windows – Graphical Utility.

In this article, I document the new feature in the ResetPermissions utility v1.1.5, where you can now backup and restore the NTFS files permissions. Continue reading