Search found 50 matches

by pambol
Sat Mar 14, 2020 3:29 pm
Forum: madCodeHook
Topic: InjectLibraryW cause BSOD
Replies: 14
Views: 20092

Re: InjectLibraryW cause BSOD

Tried the update and the IDE says "[dcc64 Fatal Error] Unit1.pas(7): F2613 Unit 'MadCodeHook' not found."
by pambol
Sat Mar 14, 2020 2:30 pm
Forum: madCodeHook
Topic: InjectLibraryW cause BSOD
Replies: 14
Views: 20092

Re: InjectLibraryW cause BSOD

Tested all solutions posted here and the BSOD is still there.
Maybe it is the version of MCH that I use, madCollection 4.0.0.2.
by pambol
Sat Mar 14, 2020 12:31 am
Forum: madCodeHook
Topic: InjectLibraryW cause BSOD
Replies: 14
Views: 20092

InjectLibraryW cause BSOD

Hi, I have a problem. If I inject into all running processes on W7/XP it generates a BSOD. Here is the injection code. for i1 := 0 to high(pl) do begin if GetCurrentProcessID = pl[i1].id then Continue; if dNtSysCall.IsProtectedProcess(pl[i1].id) then Continue; hOpen := OpenProcess(PROCESS_ALL_ACCESS ,fa...
by pambol
Fri Dec 20, 2019 12:09 am
Forum: madCodeHook
Topic: Prevent unhook api
Replies: 1
Views: 8408

Prevent unhook api

How can I prevent an app from removing my user mode hook?
I'm hooking some APIs and after a while they stop working. I tested creating a thread with RenewHook and the hooks keep working.
But I don't want to use a thread for that.
by pambol
Tue Jun 11, 2019 8:34 pm
Forum: madCodeHook
Topic: MadCodehook unit being detected as viruses
Replies: 3
Views: 7870

Re: MadCodehook unit being detected as viruses

Sectigo revoked my certificate since it was detected as a virus after protecting with VMProtect.
by pambol
Tue Jun 11, 2019 3:57 am
Forum: madCodeHook
Topic: MadCodehook unit being detected as viruses
Replies: 3
Views: 7870

MadCodehook unit being detected as viruses

Hi Madshi,

When I use MadCodeHook in my application and send it to scan at VirusTotal, it is detected as Gen:Variant.Jacard.155413 / Trojan.Jacard.D25F15 and others.
But when I remove the MadCodeHook unit my application has 0 virus detections.

How do I solve it?
by pambol
Tue Apr 02, 2019 12:32 am
Forum: madCodeHook
Topic: Little Question About RestoreCode
Replies: 2
Views: 6792

Little Question About RestoreCode

Is RestoreCode able to restore its own hooks? I mean if I hook ExitProcess. HookApi('kernel32.dll', 'ExitProcess', @InterceptExitProcess, @TrampolineExitProcess); procedure InterceptExitProcess(uExitCode: UINT); stdcall; begin ShowMessage('InterceptExitProcess'); //TrampolineExitProcess(uExitCode); end; A...
by pambol
Fri Mar 29, 2019 3:42 pm
Forum: madCodeHook
Topic: About hooks
Replies: 7
Views: 10246

Re: About hooks

That's not a solution, it's a hack that will never work 100% and even creates a greater probability of process instability. If you can set a hook in usermode using usermode code so can the next process, or in this case, remove yours. Only proven method for truly blocking the opening or duplicating of...
by pambol
Fri Mar 29, 2019 3:33 pm
Forum: madCodeHook
Topic: About hooks
Replies: 7
Views: 10246

Re: About hooks

iconic is right, as usual. If you insist on trying your best in user mode, I'd suggest that you hook NtProtectVirtualMemory and disallow modification of your API hook's memory pages. But it's easy enough to bypass such a hook, so it's really only one level more secure, but easy to bypass. Cat and m...
by pambol
Thu Mar 28, 2019 7:49 pm
Forum: madCodeHook
Topic: About hooks
Replies: 7
Views: 10246

Re: About hooks

What does AreThisProcessProtected() look like? If it's just checking the process ID that Windows shows you in Task Manager, Process Explorer etc. then your code can easily be bypassed, even by the higher level OpenProcess() API from kernel32. Many aren't aware of this however you can open *any* pro...
by pambol
Thu Mar 28, 2019 2:07 am
Forum: madCodeHook
Topic: About hooks
Replies: 7
Views: 10246

About hooks

Hello, I have a question. We made a DLL which hooks some APIs like: HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess); function InterceptZwOpenProcess(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; ClientId: PCLIENT_ID): N...
by pambol
Wed Mar 20, 2019 6:51 pm
Forum: madCodeHook
Topic: How RestoreCode works
Replies: 9
Views: 11693

Re: How RestoreCode works

I understand, so it's better to hook these APIs and just call RestoreCode(@TrampolineHookedFunction), right?

Another question: how about manual map injection on MCH? It's in user mode.
by pambol
Wed Mar 20, 2019 2:16 pm
Forum: madCodeHook
Topic: How RestoreCode works
Replies: 9
Views: 11693

How RestoreCode works

How does RestoreCode work?
I ask because if somebody hooks GetProcAddress or LoadLibrary, which are used like RestoreCode(GetProcAddress(LoadLibrary(PChar('ntdll.dll')), PChar('RtlExitUserProcess'))); will RestoreCode still work?

If not, how do I prevent it?
by pambol
Thu Jan 10, 2019 8:33 pm
Forum: madKernel
Topic: About modules
Replies: 13
Views: 22617

Re: About modules

FreeLibrary is the right API. But you're only supposed to unload modules you've loaded yourself. Or modules that you know you can unload without causing trouble. If you unload a module and it crashes, then obviously you can't do that. I've tried to unload a module injected by an external process, so it...
by pambol
Thu Jan 10, 2019 7:32 pm
Forum: madKernel
Topic: About modules
Replies: 13
Views: 22617

Re: About modules

Well, as I said, don't call "Modules" multiple times. There may be other things like that in your code. Of course even if your code is perfect, madKernel may still be slower because it encapsulates everything into nice interfaces. But it shouldn't be that much of an overhead - unless you'r...