Search found 50 matches
- Sat Mar 14, 2020 3:29 pm
- Forum: madCodeHook
- Topic: InjectLibraryW cause BSOD
- Replies: 14
- Views: 20395
Re: InjectLibraryW cause BSOD
Tried updating, and the IDE says "[dcc64 Fatal Error] Unit1.pas(7): F2613 Unit 'MadCodeHook' not found."
- Sat Mar 14, 2020 2:30 pm
- Forum: madCodeHook
- Topic: InjectLibraryW cause BSOD
- Replies: 14
- Views: 20395
Re: InjectLibraryW cause BSOD
Tested all the solutions posted here and the BSOD still happens.
Maybe it is the version of MCH that I use, madCollection 4.0.0.2.
- Sat Mar 14, 2020 12:31 am
- Forum: madCodeHook
- Topic: InjectLibraryW cause BSOD
- Replies: 14
- Views: 20395
InjectLibraryW cause BSOD
Hi, I have a problem. If I inject into all running processes on W7/XP it generates a BSOD. Here is the injection code. for i1 := 0 to high(pl) do begin if GetCurrentProcessID = pl[i1].id then Continue; if dNtSysCall.IsProtectedProcess(pl[i1].id) then Continue; hOpen := OpenProcess(PROCESS_ALL_ACCESS ,fa...
- Fri Dec 20, 2019 12:09 am
- Forum: madCodeHook
- Topic: Prevent unhook api
- Replies: 1
- Views: 8536
Prevent unhook api
How can I prevent an app from removing my user-mode hook?
I'm hooking some APIs and after a while they stop working. I tested creating a thread with RenewHook and the hooks keep working.
But I don't want to use a thread for that.
- Tue Jun 11, 2019 8:34 pm
- Forum: madCodeHook
- Topic: MadCodehook unit being detected as viruses
- Replies: 3
- Views: 8008
Re: MadCodehook unit being detected as viruses
Sectigo revoked my certificate since it was detected as a virus after protecting with VMProtect.
- Tue Jun 11, 2019 3:57 am
- Forum: madCodeHook
- Topic: MadCodehook unit being detected as viruses
- Replies: 3
- Views: 8008
MadCodehook unit being detected as viruses
Hi Madshi,
When I call MadCodeHook in my application and send it to scan at VirusTotal, it is detected as Gen:Variant.Jacard.155413 / Trojan.Jacard.D25F15 and others.
But when I remove the MadCodeHook unit my application has 0 virus detections.
How do I solve it?
- Tue Apr 02, 2019 12:32 am
- Forum: madCodeHook
- Topic: Little Question About RestoreCode
- Replies: 2
- Views: 6885
Little Question About RestoreCode
Is RestoreCode able to restore its own hooks? I mean, if I hook ExitProcess: HookApi('kernel32.dll', 'ExitProcess', @InterceptExitProcess, @TrampolineExitProcess); procedure InterceptExitProcess(uExitCode: UINT); stdcall; begin ShowMessage('InterceptExitProcess'); //TrampolineExitProcess(uExitCode); end; A...
- Fri Mar 29, 2019 3:42 pm
- Forum: madCodeHook
- Topic: About hooks
- Replies: 7
- Views: 10408
Re: About hooks
That's not a solution, it's a hack that will never work 100% and even creates a greater probability of process instability. If you can set a hook in usermode using usermode code, so can the next process, or in this case, remove yours. Only proven method for truly blocking the opening or duplicating of...
- Fri Mar 29, 2019 3:33 pm
- Forum: madCodeHook
- Topic: About hooks
- Replies: 7
- Views: 10408
Re: About hooks
iconic is right, as usual. If you insist on trying your best in user mode, I'd suggest that you hook NtProtectVirtualMemory and disallow modification of your API hook's memory pages. But it's easy enough to bypass such a hook, so it's really only one level more secure, but easy to bypass. Cat and m...
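As an added example of the guard madshi describes above (this is not code from the thread or from madCodeHook itself): a Delphi unit that hooks NtProtectVirtualMemory with madCodeHook and denies in-process requests to make the pages holding a hooked API writable. It assumes the HookAPI(module, api, @callback, @next) call form used elsewhere in this thread; the unit name, the InstallHookGuard/GuardApi/SetGuardEnabled procedures and the 32-byte patch length are hypothetical choices of this example, not madCodeHook API.

```delphi
// Added example, not part of the original thread or of madCodeHook.
// Guards the code pages of your own user-mode hooks by refusing in-process
// NtProtectVirtualMemory calls that would make them writable.
unit HookGuard;

interface

uses
  Windows, madCodeHook;

function  InstallHookGuard: Boolean;          // hook NtProtectVirtualMemory, guard its own entry
procedure GuardApi(module, api: PAnsiChar);   // add the pages holding an API you already hooked
procedure SetGuardEnabled(enabled: Boolean);  // lift the guard around your own UnhookAPI/RenewHook

implementation

type
  NTSTATUS = LongInt;
  // NtProtectVirtualMemory(ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize,
  //                        ULONG NewProtect, PULONG OldProtect)
  TNtProtectVirtualMemory = function (ProcessHandle: THandle; var BaseAddress: Pointer;
    var RegionSize: NativeUInt; NewProtect: DWORD; OldProtect: PDWORD): NTSTATUS; stdcall;
  TGuardRange = record
    StartAddr, EndAddr: NativeUInt;  // [StartAddr, EndAddr), page aligned
  end;

const
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
  // any of these would let a caller patch the guarded bytes
  WRITABLE_MASK = PAGE_READWRITE or PAGE_WRITECOPY or
                  PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY;

var
  NextNtProtectVirtualMemory: TNtProtectVirtualMemory;  // trampoline filled in by HookAPI
  Guards: array of TGuardRange;
  GuardEnabled: Boolean = False;
  PageSize: NativeUInt = 4096;

function PageRange(entry: Pointer; len: NativeUInt): TGuardRange;
begin
  Result.StartAddr := NativeUInt(entry) and not (PageSize - 1);
  Result.EndAddr   := (NativeUInt(entry) + len + PageSize - 1) and not (PageSize - 1);
end;

function Overlaps(const r: TGuardRange; base, size: NativeUInt): Boolean;
begin
  Result := (base < r.EndAddr) and (base + size > r.StartAddr);
end;

function NtProtectVirtualMemoryCallback(ProcessHandle: THandle; var BaseAddress: Pointer;
  var RegionSize: NativeUInt; NewProtect: DWORD; OldProtect: PDWORD): NTSTATUS; stdcall;
var
  i: Integer;
begin
  // Only requests aimed at this process matter: a remote process calls through
  // its own ntdll, which this hook never sees (hence "only one level more secure").
  if GuardEnabled and ((NewProtect and WRITABLE_MASK) <> 0) and
     ((ProcessHandle = GetCurrentProcess) or
      (GetProcessId(ProcessHandle) = GetCurrentProcessId)) then
    for i := 0 to High(Guards) do
      if Overlaps(Guards[i], NativeUInt(BaseAddress), RegionSize) then
      begin
        Result := STATUS_ACCESS_DENIED;
        Exit;
      end;
  Result := NextNtProtectVirtualMemory(ProcessHandle, BaseAddress, RegionSize,
                                       NewProtect, OldProtect);
end;

procedure GuardApi(module, api: PAnsiChar);
var
  entry: Pointer;
begin
  entry := GetProcAddress(GetModuleHandleA(module), api);
  if entry <> nil then
  begin
    SetLength(Guards, Length(Guards) + 1);
    // madCodeHook patches the first bytes of the API entry; 32 bytes is an
    // assumption generous enough to cover the patch, rounded out to whole pages.
    Guards[High(Guards)] := PageRange(entry, 32);
  end;
end;

procedure SetGuardEnabled(enabled: Boolean);
begin
  GuardEnabled := enabled;
end;

function InstallHookGuard: Boolean;
var
  si: TSystemInfo;
begin
  GetSystemInfo(si);
  PageSize := si.dwPageSize;
  Result := HookAPI('ntdll.dll', 'NtProtectVirtualMemory',
                    @NtProtectVirtualMemoryCallback, @NextNtProtectVirtualMemory);
  if Result then
  begin
    GuardApi('ntdll.dll', 'NtProtectVirtualMemory');  // the guard has to guard itself
    GuardEnabled := True;
  end;
end;

end.
```

Usage: install your own hooks first, then call InstallHookGuard and GuardApi('ntdll.dll', 'NtOpenProcess') (or whichever APIs you hooked). Call SetGuardEnabled(False) before your own UnhookAPI or RenewHook, because madCodeHook itself has to write those pages. As both replies above say, this only stops the naive case: a direct syscall, a second mapping of ntdll, or a kernel driver walks straight past it.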
- Thu Mar 28, 2019 7:49 pm
- Forum: madCodeHook
- Topic: About hooks
- Replies: 7
- Views: 10408
Re: About hooks
What does AreThisProcessProtected() look like? If it's just checking the process ID that Windows shows you in Task Manager, Process Explorer etc., then your code can easily be bypassed, even by the higher-level OpenProcess() API from kernel32. Many aren't aware of this; however, you can open *any* pro...
- Thu Mar 28, 2019 2:07 am
- Forum: madCodeHook
- Topic: About hooks
- Replies: 7
- Views: 10408
About hooks
Hello, I have a question. We made a DLL that hooks some APIs like: HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess); function InterceptZwOpenProcess(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; ClientId: PCLIENT_ID): N...
- Wed Mar 20, 2019 6:51 pm
- Forum: madCodeHook
- Topic: How RestoreCode works
- Replies: 9
- Views: 11896
Re: How RestoreCode works
I understand, so it's better to hook these APIs and just call RestoreCode(@TrampolineHookedFunction), right?
Another question: how about manual map injection in MCH? It's in user mode.
- Wed Mar 20, 2019 2:16 pm
- Forum: madCodeHook
- Topic: How RestoreCode works
- Replies: 9
- Views: 11896
How RestoreCode works
How does RestoreCode work?
I ask because if somebody hooks GetProcAddress or LoadLibrary, which are used like RestoreCode(GetProcAddress(LoadLibrary(PChar('ntdll.dll')), PChar('RtlExitUserProcess'))); will RestoreCode still work?
If not, how do I prevent it?
- Thu Jan 10, 2019 8:33 pm
- Forum: madKernel
- Topic: About modules
- Replies: 13
- Views: 23157
Re: About modules
FreeLibrary is the right API. But you're only supposed to unload modules you've loaded yourself. Or modules that you know you can unload without causing trouble. If you unload a module and it crashes, then obviously you can't do that. I've tried to unload a module injected by an external process, so it...
- Thu Jan 10, 2019 7:32 pm
- Forum: madKernel
- Topic: About modules
- Replies: 13
- Views: 23157
Re: About modules
Well, as I said, don't call "Modules" multiple times. There may be other things like that in your code. Of course even if your code is perfect, madKernel may still be slower because it encapsulates everything into nice interfaces. But it shouldn't be that much of an overhead - unless you'r...