Search found 36 matches
- Mon Jun 22, 2009 10:39 am
- Forum: fun talk
- Topic: New Security Tool Released
- Replies: 22
- Views: 62150
Hi iconic, KX-Ray didn't seem to log any errors... I've many kernel land hooks that overwrite the first few bytes of the target functions...but they are not E9 or FF25 jumps. Maybe KX-Ray only detects orthodox hooks that use commonly used jump instructions instead of comparing against file image byt...
- Wed Jun 17, 2009 5:43 am
- Forum: fun talk
- Topic: New Security Tool Released
- Replies: 22
- Views: 62150
- Sat Sep 06, 2008 6:44 am
- Forum: madCodeHook
- Topic: Check if a hook is injected
- Replies: 8
- Views: 7110
Well, you need to do a little more than that. The first byte of an API is usually where a hook would be installed but this isn't a rule as an API hook can be installed further on down the function... hmm..., if it has to be perfect, how about this....compare the module's memory image which contains...
- Fri Sep 05, 2008 3:25 pm
- Forum: madCodeHook
- Topic: Check if a hook is injected
- Replies: 8
- Views: 7110
- Tue Dec 04, 2007 5:25 am
- Forum: madCodeHook
- Topic: TIP: How to get return address from an API hook.
- Replies: 6
- Views: 6622
- Thu Apr 05, 2007 10:22 am
- Forum: madCodeHook
- Topic: Hook detection
- Replies: 9
- Views: 28812
Well, madCodeHook is one of the most well-known hooking libraries around, which is used by many commercial products. It's natural that somebody would come up with something that specifically targets madCodeHook. Besides, code overwriting hooking method is, by itself, so offensive that I think there ...
- Fri Mar 30, 2007 8:51 pm
- Forum: madCodeHook
- Topic: Is Hooked?
- Replies: 15
- Views: 16522
- Mon Aug 21, 2006 10:39 am
- Forum: madCodeHook
- Topic: hooking NtCreateFile
- Replies: 5
- Views: 4608
- Tue May 16, 2006 7:16 pm
- Forum: madCodeHook
- Topic: Injection fails when DLL is placed in certain location
- Replies: 8
- Views: 7237
hmm... I just tested again right now with DllInjector.exe and Empty.dll, to make sure. And the result was the same. If Empty.dll was in %WINDIR%\Temp then NETWORK SERVICE and LOCAL SERVICE are not injected, but if Empty.dll was in some other place, everything is OK! Using the injection routine from ...
- Tue May 16, 2006 5:03 pm
- Forum: madCodeHook
- Topic: Injection fails when DLL is placed in certain location
- Replies: 8
- Views: 7237
- Tue May 16, 2006 4:52 pm
- Forum: madCodeHook
- Topic: Injection fails when DLL is placed in certain location
- Replies: 8
- Views: 7237
- Tue May 16, 2006 3:51 pm
- Forum: madCodeHook
- Topic: Injection fails when DLL is placed in certain location
- Replies: 8
- Views: 7237
Ah! I found a way to go around it! I've tested it out with MS Detours, and so far it seems to work out OK! Given that the injecting process has MORE privilege pertaining to file access than the to-be-injected process, you can try to make the LoadLibrary thread impersonate the access token of th...
- Mon May 15, 2006 9:41 pm
- Forum: madCodeHook
- Topic: Injection fails when DLL is placed in certain location
- Replies: 8
- Views: 7237
Injection fails when DLL is placed in certain location
I've found that in certain environments, system wide injection fails on processes running as "NT AUTHORITY\NETWORK SERVICE" and "NT AUTHORITY\LOCAL SERVICE" when the to-be-injected DLL is placed under %WINDIR%\Temp. The process doing the injection was running as "NT AUTHORITY\S...
- Thu May 04, 2006 5:53 am
- Forum: madCodeHook
- Topic: Hooking NtTerminateThread crashes the app
- Replies: 7
- Views: 7354
- Wed May 03, 2006 7:17 pm
- Forum: madCodeHook
- Topic: Hooking NtTerminateThread crashes the app
- Replies: 7
- Views: 7354
I didn't use any MessageBox in my code; I meant Windows' error message, i.e. Access violation or something like that, because when apps crash, Windows usually pops some sort of message box. I am not hooking system wide now, I am only testing my code on one app at a time. But any app I inject into, tha...