About hook order

c++ / delphi package - dll injection and api hooking
cde
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Post by cde »

Dear madshi,
  1. When we hook a WinAPI like "OpenProcess", it works very well.
     In some conditions, if we have another program like a firewall or other software
     which hooks the same API before our application, then they will inject our
     code. Can we have another way to recapture the priority of the API?
  2. We had tried to hook the API in my own application with madshi's "HookCode", but it seems to still work after the other's hook.
Best Regards,
cch
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Well, you could try to unhook and rehook the APIs after a while. I'm not sure whether that would solve the problem. It's just a thought. It all depends on when the other software is installing its hooks and on which hooking method the other software uses.

Generally it's always a problem if multiple programs hook the same APIs. Such a thing can even result in instability... :?

What you could do is to try hooking lower level APIs instead of the higher level APIs. E.g. instead of hooking OpenProcess you could hook NtOpenProcess in the NT family. Maybe that will help. But again it depends on what the other software does. If it also hooks NtOpenProcess, you have the same problem again...
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

you can use

function HookAPIJMP2(oldfunction,yourfunction: pointer; var nextfunction: pointer): boolean; stdcall;

from www.arschvoll.net/myhook.txt
it's a function which writes a 0xE9 jump on the API, and every time you want to call the API it removes the hook and, after calling, installs it again

it's a slow method but should work with other hook methods

you can use madshi's CodeHook to do the same:

in your hooked function unhook it before calling the original one, slow but working oO
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote: every time you want to call the API it removes the hook and after calling it installs it again
Actually that's a bad solution for three reasons:

(1) Bad for performance (as you stated yourself).

(2) In the moment when you call the original API, you uninstall the hook. If another thread is calling the very same API in exactly this moment, that API call is not caught. So this way you have a big hole in your hooking logic.

(3) Installing/uninstalling a hook is always dangerous. If another thread is currently running in the first 5 bytes of the API and you overwrite those 5 bytes in that moment, the thread will crash.

Just try it yourself: Hook an API like GetCurrentProcessId. In the hook callback function do nothing but call the original API. Then create *two* (!!) threads which call this API in an endless loop. You'll see that there are no stability problems with madCodeHook, and madCodeHook will catch all API calls of both threads. But if your code steadily unhooks and rehooks by overwriting the API code, your solution will miss some API calls. Furthermore it should crash once in a while.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

that's correct, madshi
maybe you can first check if the function is already hooked; if not, you can use normal madCodeHook, but if it's hooked you
1) have to analyze how the hook works (if there is a call, then go into the call and use HookCode there [there is one more value on the stack: the return address of the call]; if there is a jump, go to the jump and hook there)
normally HookAPI should support the jmp/call problem but there are some problems with other hook methods (McAfee)
2) use the hook/unhook method - "OpenProcess" isn't called so much I think
3) use an import hook (maybe you don't get all calls)
4) suspend all other threads while hooking/unhooking
(bad idea, tooo slow ;>)

5) use int 3 bp hooking && debugger
6) use hardware bp hooking && ( debugger || ntdll.??userexception?? code hook)
7) use page guard code hooking && ( debugger || ntdll.??userexception?? code hook)
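An added example (not from the thread and not madCodeHook code) of the "first check if the function is already hooked" step from item 1 above: it classifies the first bytes at a 32-bit x86 API entry point as a clean prologue or as a jmp rel32, call rel32, indirect jmp or push/ret redirect, and computes where control goes so a hooking DLL can see whether another product already owns the entry point. The byte patterns and addresses are constructed for illustration; on a real system the bytes would be read from the export's address.

```c
#include <stdint.h>
#include <stddef.h>

/* What the first instruction at a 32-bit x86 API entry point does. */
typedef enum {
    HOOK_NONE,        /* ordinary prologue, nobody redirected it */
    HOOK_JMP_REL32,   /* E9 rel32: the classic 5-byte inline hook */
    HOOK_CALL_REL32,  /* E8 rel32: like jmp, but a return address is pushed */
    HOOK_JMP_ABS_IND, /* FF 25 addr32: jmp dword ptr [addr] through a pointer slot */
    HOOK_PUSH_RET     /* 68 imm32 C3: push target; ret */
} hook_kind_t;

typedef struct {
    hook_kind_t kind;
    uint32_t    target;      /* where control goes (for FF 25: the pointer slot) */
    int         stack_delta; /* extra bytes on the stack when target runs */
} hook_info_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* api_va: virtual address of the export; code: its first bytes (at least 6). */
hook_info_t classify_entry(uint32_t api_va, const uint8_t *code, size_t len) {
    hook_info_t info = { HOOK_NONE, 0, 0 };
    if (len < 6) return info;
    switch (code[0]) {
    case 0xE9: /* rel32 counts from the end of the 5-byte instruction */
        info.kind = HOOK_JMP_REL32;
        info.target = api_va + 5 + rd32(code + 1); /* wraps correctly for negative rel32 */
        break;
    case 0xE8:
        info.kind = HOOK_CALL_REL32;
        info.target = api_va + 5 + rd32(code + 1);
        info.stack_delta = 4;                      /* the return address uall mentions */
        break;
    case 0xFF:
        if (code[1] == 0x25) { info.kind = HOOK_JMP_ABS_IND; info.target = rd32(code + 2); }
        break;
    case 0x68:
        if (code[5] == 0xC3) { info.kind = HOOK_PUSH_RET; info.target = rd32(code + 1); }
        break;
    default: break;
    }
    return info;
}

int is_hooked(const hook_info_t *i) { return i->kind != HOOK_NONE; }
```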
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

uall, first of all, I'd like to say that I already used your hacks on CD bypassing! You are such a great programmer

Well, using a hook on TranslateMessage to do remote execution is such a bad way... What about console applications? ;-)
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

oh yes that's right, it was my own "inject" method to bypass CD and it works on win9x systems

i didn't create it to have a "good" injection method, it was only for Half-Life and bypassing CD
i added it to myhook because it's working on win9x :)
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

uall wrote: oh yes that's right, it was my own "inject" method to bypass CD and it works on win9x systems

i didn't create it to have a "good" injection method, it was only for Half-Life and bypassing CD
i added it to myhook because it's working on win9x :)
:D That's good! :D

Hey uall, what's the actual state of development of CD bypassing? Is there a working method/program for the last version?
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

sure there is but i don't post links
maybe you know CDD :)
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

uall wrote: sure there is but i don't post links
maybe you know CDD :)
It's been a long time since I played with hacks... I was just interested in the methods used by your programs
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

i wanted to upload all my projects (packed ~5mb)
then you can study my little hacks ;>
are you coding in Delphi or C++?
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

uall wrote: i wanted to upload all my projects (packed ~5mb)
then you can study my little hacks ;>
are you coding in Delphi or C++?
Delphi
Thx a lot!!!!
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Have you uploaded them uall?