Search found 36 matches

by linden
Mon Jun 22, 2009 10:39 am
Forum: fun talk
Topic: New Security Tool Released
Replies: 22
Views: 62150

Hi iconic, KX-Ray didn't seem to log any errors... I have many kernel-land hooks that overwrite the first few bytes of the target functions... but they are not E9 or FF25 jumps. Maybe KX-Ray only detects orthodox hooks that use commonly used jump instructions instead of comparing against file image byt...
by linden
Wed Jun 17, 2009 5:43 am
Forum: fun talk
Topic: New Security Tool Released
Replies: 22
Views: 62150

hi, just played around with KX-Ray! Cool tool :D
But are you sure that the ring0 hook detection is working?
I have about 50 kernel inline hooks installed, but none of them were detected... :wink:
by linden
Sat Sep 06, 2008 6:44 am
Forum: madCodeHook
Topic: Check if a hook is injected
Replies: 8
Views: 7110

Well, you need to do a little more than that. The first byte of an API is usually where a hook would be installed but this isn't a rule as an API hook can be installed further on down the function... hmm..., if it has to be perfect, how about this....compare the module's memory image which contains...
by linden
Fri Sep 05, 2008 3:25 pm
Forum: madCodeHook
Topic: Check if a hook is injected
Replies: 8
Views: 7110

Enumerate and open every process, and see if the first instruction of the API in question is a JMP instruction (first bytes being 0xE9 or 0xFF, 0x25).
by linden
Tue Dec 04, 2007 5:25 am
Forum: madCodeHook
Topic: TIP: How to get return address from an API hook.
Replies: 6
Views: 6622

madshi wrote: Just for my interest: What do you need this for?
Want to know which dll called the function. If it's coming from a certain enemy dll, modify the function's behavior :wink:
by linden
Thu Apr 05, 2007 10:22 am
Forum: madCodeHook
Topic: Hook detection
Replies: 9
Views: 28812

Well, madCodeHook is one of the most well-known hooking libraries around, and it is used by many commercial products. It's natural that somebody would come up with something that specifically targets madCodeHook. Besides, the code-overwriting hooking method is, by itself, so offensive that I think there ...
by linden
Fri Mar 30, 2007 8:51 pm
Forum: madCodeHook
Topic: Is Hooked?
Replies: 15
Views: 16522

I'd say unhooking is bad, because it can trigger other counter measures or protection schemes the hooker might have implemented, if there is any. I suggest leaving all the hooks alone, and "hop" over the hook when you must call the function without the hook. To "hop" over the hoo...
by linden
Mon Aug 21, 2006 10:39 am
Forum: madCodeHook
Topic: hooking NtCreateFile
Replies: 5
Views: 4608

The problem simply is that if people use madCodeHook to work around game protection or game anti-cheating software, then madCodeHook itself may be considered "evil" by game developers. And I don't like that, of course. I do understand your point. But some game anti-cheat software does use m...
by linden
Tue May 16, 2006 7:16 pm
Forum: madCodeHook
Topic: Injection fails when DLL is placed in certain location
Replies: 8
Views: 7237

hmm... I just tested again right now with DllInjector.exe and Empty.dll, to make sure. And the result was the same. If Empty.dll was in %WINDIR%\Temp then NETWORK SERVICE and LOCAL SERVICE are not injected, but if Empty.dll was in some other place, everything is OK! Using the injection routine from ...
by linden
Tue May 16, 2006 5:03 pm
Forum: madCodeHook
Topic: Injection fails when DLL is placed in certain location
Replies: 8
Views: 7237

Ah... forgot to tell you that I tested with the precompiled DllInjector.exe in your Demo.
by linden
Tue May 16, 2006 4:52 pm
Forum: madCodeHook
Topic: Injection fails when DLL is placed in certain location
Replies: 8
Views: 7237

As far as I know, it occurs on already running processes, especially svchost.exe and alg.exe and some other processes, all under user name "NT AUTHORITY\NETWORK SERVICE" or "NT AUTHORITY/LOCAL SERVICE". And it occurs when I place my dll in %WINDIR%\Temp, which is the TempPath for sy...
by linden
Tue May 16, 2006 3:51 pm
Forum: madCodeHook
Topic: Injection fails when DLL is placed in certain location
Replies: 8
Views: 7237

:idea: Ah! I found a way to go around it! I've tested it out with MS Detours, and so far it seems to work out OK! Given that the injecting process has MORE privilege pertaining to file access than the to-be-injected processes, you can try to make the LoadLibrary thread impersonate the access token of th...
by linden
Mon May 15, 2006 9:41 pm
Forum: madCodeHook
Topic: Injection fails when DLL is placed in certain location
Replies: 8
Views: 7237

Injection fails when DLL is placed in certain location

I've found that in certain environments, system-wide injection fails on processes running as "NT AUTHORITY\NETWORK SERVICE" and "NT AUTHORITY/LOCAL SERVICE" when the to-be-injected DLL is placed under %WINDIR%\Temp. The process doing the injection was running as "NT AUTHORITY\S...
by linden
Thu May 04, 2006 5:53 am
Forum: madCodeHook
Topic: Hooking NtTerminateThread crashes the app
Replies: 7
Views: 7354

Ahhh...!!
It stopped crashing when I deleted the OutputDebugString call from the NtTerminateThread callback function :idea: ...but why ????
I find calls to WaitForSingleObject inside disassembly of OutputDebugString; so maybe that's the reason?
by linden
Wed May 03, 2006 7:17 pm
Forum: madCodeHook
Topic: Hooking NtTerminateThread crashes the app
Replies: 7
Views: 7354

I didn't use any MessageBox in my code; I meant Windows' error message, i.e. Access violation or something like that, because when apps crash, Windows usually pops up some sort of message box. I am not hooking system-wide now, I am only testing my code on one app at a time. But any app I inject into, tha...