Function loaded dynamically

c++ / delphi package - dll injection and api hooking
NOTT
Posts: 3
Joined: Tue Feb 21, 2012 6:57 am

Function loaded dynamically

Post by NOTT »

Hi,

I need help on whether madCodeHook can help in my usage.

I have used other hooking libraries such as Detours and EasyHook to hook RegQueryValueExW and RegQueryValueExA for iexplore.exe. I could intercept some registry calls, but calls to the HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions key, for example, could not be intercepted.

I suspect the RegQueryValueExW could be called dynamically or by another DLL. Would madCodeHook be able to succeed in this scenario?

Many thanks.
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Re: Function loaded dynamically

Post by madshi »

Hello,

I always suggest to hook the lowest level API. Look here for more information:

http://www.codeproject.com/Articles/145 ... ative-APIs

I don't know if hooking the native APIs instead of RegQueryValueExW will already fix the issue you're seeing. If not, you'll need to figure out how the registry calls are made exactly. All the hook libraries will only hook exactly what you tell them to hook. So if the registry calls are made through an API which you have not hooked, it's really not the hook library's fault. Once you have figured out *why* your hooks fail to work in this specific situation, finding a solution shouldn't be too difficult.
NOTT
Posts: 3
Joined: Tue Feb 21, 2012 6:57 am

Re: Function loaded dynamically

Post by NOTT »

Hi,

Thanks for the suggestion. I have hooked the native API, but it is not able to get the result I need. As for programs that monitor APIs, I have tried out rohitab's API Monitor and WinAPIOverride32. Do you have any other applications to recommend?

Thanks.
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Re: Function loaded dynamically

Post by madshi »

I don't know any other API monitor tools. You may have to use a debugger and/or disassembler to find out what's going on.
iconic
Site Admin
Posts: 1067
Joined: Wed Jun 08, 2005 5:08 am

Re: Function loaded dynamically

Post by iconic »

Follow each call from madDisasm, easiest for run-time analysis. You must not be finding the lowest-level API, almost guaranteed to be a system call in the form of interrupt 0x2E or SYSENTER / SYSCALL. Also, the caller could be doing this directly and avoiding KiFastSystemCall on x86, for example.

P.S. If you hook an appropriate native API and have a missed/lost result then it's probably doing a system call directly, which you will miss with conventional hook packages.

--Iconic
NOTT
Posts: 3
Joined: Tue Feb 21, 2012 6:57 am

Re: Function loaded dynamically

Post by NOTT »

iconic wrote: Follow each call from madDisasm, easiest for run-time analysis. You must not be finding the lowest-level API, almost guaranteed to be a system call in the form of interrupt 0x2E or SYSENTER / SYSCALL. Also, the caller could be doing this directly and avoiding KiFastSystemCall on x86, for example.

P.S. If you hook an appropriate native API and have a missed/lost result then it's probably doing a system call directly, which you will miss with conventional hook packages.

--Iconic
Hi Iconic,

Thanks for the help. However, I could not get madDisasm from madshi's collection. Which non-conventional hook packages do you recommend?
iconic
Site Admin
Posts: 1067
Joined: Wed Jun 08, 2005 5:08 am

Re: Function loaded dynamically

Post by iconic »

What I mean is, if a program doesn't rely on traditional ways to call an API/Function Code it most likely will not be victim to hooking. I can't elaborate much on this because this would be "bypassing" madCodeHook, Detours and any other hooking library on the market. If I may rephrase, if an application chooses to use the interrupt services directly for a native call there's no usermode hooking package I have seen that will catch the result of this call. By the way, registry APIs will always boil down to native calls down the line eventually, perhaps you're not hooking the right API or processing the data structures correctly?

Most likely if you believe you're doing everything right the target program is ensuring that the result of an API call is "hook proof" from general purpose API hooking packages, I could list many ways on how to do this but again am not at liberty to say on this forum.

--Iconic