Search found 254 matches

by uall
Tue Sep 02, 2008 5:50 am
Forum: madCodeHook
Topic: protect my hooks from being unhooked
Replies: 31
Views: 27141

Maybe (to solve recursive problems) madshi is calling your VirtualProtectNext function, which is used to call the original API. This is not bypassed. You also need to protect the VirtualProtect Hook inside the VirtualProtectCallback function. Also be sure you set PAGE_EXECUTE_READ, so that madshi MU...
by uall
Mon Sep 01, 2008 7:08 pm
Forum: madCodeHook
Topic: protect my hooks from being unhooked
Replies: 31
Views: 27141

type
  TProtectedAddress = packed record
    Addr: Pointer;
    Size: Integer;
  end;
ProtectedAddresses: array of TProtectedAddress;
procedure AddWriteProtection(Addr: Pointer; Size: Integer);
begin
  if VirtualProtectNext(Addr, Size, PAGE_EXECUTE_READ, old) then
  begin
    SetLength(ProtectedAddresses, Length(Prote...
by uall
Mon Sep 01, 2008 5:51 pm
Forum: madCodeHook
Topic: protect my hooks from being unhooked
Replies: 31
Views: 27141

Page = 4096 Bytes = $1000 Bytes
If you want to check if someone wants to change the protection of your hook, do that:
Virtualprotect(...,addr: pointer, size: integer...);
pagestart := Integer(addr) and $FFFFF000
pagesize := (Integer(addr) and $FFF + size)
if pagesize mod $1000 <> 0 then pagesize := p...
by uall
Thu Aug 16, 2007 5:25 pm
Forum: madKernel
Topic: Hooking ntgdibitblt
Replies: 2
Views: 11599

ntgdibitblt doesn't exist. BitBlt is an export of gdi32.dll which directly ends in a sysenter / int2e.
by uall
Thu Aug 16, 2007 5:03 pm
Forum: madCodeHook
Topic: delay-loaded DLL hooking
Replies: 4
Views: 4726

madCHook creates a Codehook (not import hook) on GetProcAddress - it overwrites the first 6 Bytes of the function
by uall
Thu Aug 16, 2007 3:08 pm
Forum: madCodeHook
Topic: delay-loaded DLL hooking
Replies: 4
Views: 4726

Re: delay-loaded DLL hooking

fornax wrote: Unfortunately, the application I want to hook does not import GetProcAddress (so I cannot hook it)
That's wrong, you can hook kernel32.GetProcAddress // ntdll.LdrGetProcedureAddress and kernel32.LoadLibraryW // ntdll.LdrLoadDll every time. Even if the program doesn't import it.
by uall
Sat Jun 30, 2007 4:40 pm
Forum: madCodeHook
Topic: hooking gdi
Replies: 12
Views: 10654

Try adding the path of the HookGdi.dll when injecting. InjectLibrary("C:\\bla\\mydll.dll");
by uall
Thu Jun 07, 2007 9:05 pm
Forum: madCodeHook
Topic: ProcessHandleToId and ThreadHandleToId
Replies: 2
Views: 4139

function GetObsfucator: DWord; stdcall;
asm
  CALL GetCurrentProcessID
  XOR EAX, DWORD PTR FS:[30h]
end;
function GetPDB: Pointer; stdcall;
asm
  MOV EAX, DWORD PTR FS:[30h]
end;
function GetProcessID9X(dwProcessHandle: DWord): DWord; stdcall;
var
  dwObs: DWord;
  pHT : PHandleTable9x;
  pPDB : pPDB98;
begin...
by uall
Thu Jun 07, 2007 9:01 pm
Forum: madCodeHook
Topic: Length Winsock wrong
Replies: 4
Views: 5017

I think the problem is the following: Doing IPC is very slow (20msec or more). If the program gets data very fast, winsock is storing the data in a queue. So maybe the recvf data isn't only one receive, it can be more parts which are stored in that one big buffer. Don't do anything which slows down the...
by uall
Thu Jun 07, 2007 1:58 pm
Forum: madCodeHook
Topic: commercial antivirus/malware programs
Replies: 20
Views: 23721

And I think you can't read. That's what I said, it should be only used for those "other" tools. Following example: You don't want your program to be closed. BAD: Admin & Ring0 NtTerminateProcess (or OpenProcess) hook: still can be closed with another driver which can be loaded. (sy...
by uall
Tue Jun 05, 2007 8:49 am
Forum: madCodeHook
Topic: Length Winsock wrong
Replies: 4
Views: 5017

It should be correct, but is really slow, maybe you can use this:
function ConvertDataToHex(Buffer: pointer; Length: Word): string;
const
  hex: array[0..$F] of char = ('0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F');
var
  i: integer;
begin
  SetLength(Result,Length*2);
  for i := 0 to Len...
by uall
Fri Jun 01, 2007 11:29 am
Forum: madCodeHook
Topic: [ringo] Generic Speed
Replies: 11
Views: 9287

rizon.net #uall
by uall
Wed May 23, 2007 5:50 pm
Forum: madCodeHook
Topic: AntiPorn Issue
Replies: 11
Views: 8771

ercanpolat, can't you get a debugger (like ollydbg) and attach it to iexplore.exe?
Then post the asm code of WSASend and WSARecv.
I think that would help us to look where the error occurs.

Btw. getting the EIP of the functions can be done with ALT+E and then CTRL+N in ollydbg.
by uall
Tue May 08, 2007 12:44 pm
Forum: madCodeHook
Topic: looking for an alternative for madhook
Replies: 20
Views: 17093

1) no, haven't done that, hook CreateProcessEx and load it inside 2) dunno, haven't Vista. It's more an open source version, if someone needs it he can recode parts of it and use it as he needs it. There is not much support from my side. If I have time I can maybe add something if it's needed, but most tim...
by uall
Sat May 05, 2007 8:13 pm
Forum: madCodeHook
Topic: Punkbuster issue
Replies: 7
Views: 5812

The best way to get to their whitelist is to publish your program. If there are enough customers who are using it and they blame PB they will add it (if it's not a cheat).