Avoid existing hook ?

c++ / delphi package - dll injection and api hooking

Avoid existing hook ?

Postby dpsoftware » Tue Jun 07, 2016 10:17 am

Will this package help me to avoid a hook that another application has already installed and if so, do the instructions cover it ?

Specifically I want to be able to call the original bitblt function of Windows (or a copy of it) as it seems a popular program is slowing it down so that my programs screen redraw takes 20s instead of near instant.

Using Delphi 6 and MadExcept but not yet purchased MadCodehook.
dpsoftware
 
Posts: 2
Joined: Tue Jun 07, 2016 10:01 am

Re: Avoid existing hook ?

Postby madshi » Tue Jun 07, 2016 10:22 am

Avoiding existings hooks is not really an intended part of madCodeHook's functionality. There *is* actually a "RestoreCode()" function, which will restore the first 6 bytes of any API, by looking up the original API code from the file on harddisk. However, it's quite hacky, and I wouldn't recommend buying madCodeHook just for that purpose. I'm not sure how many users are actually using this function, probably very very few, so I can't really guarantee that it will perfectly work in all circumstances...

I'm not an expert on GDI rendering, but there are often multiple layers in Windows, with higher level APIs (like CloseHandle) calling lower level APIs (like NtCloseHandle). Maybe something like that exists for GDI, too? In that case you could switch to using the lower level APIs instead of the higher level APIs, in the hope that doing so will avoid those API hooks.
madshi
Site Admin
 
Posts: 9412
Joined: Sun Mar 21, 2004 5:25 pm

Re: Avoid existing hook ?

Postby iconic » Tue Jun 07, 2016 8:53 pm

There are multiple ways to do what you wish, as Madshi alluded to calling a lower-level API (in this case a shadow table system service) can be used. The API would need to have the system call number in place (NtGdiBitblt) and you could use inline asm with SYSENTER/SYSCALL/INT 2E. User32, GDI etc. are Win32k.sys services and the system call number aren't in order as they are for NTDLL so you'd have to use symbols at run-time to get them or you could hardcode them, which isn't the most elegant solution. If that's not something you're comfortable with programming wise you can try to copy the DLL to another location (maybe in your app's directory?), load that library and call BitBlt from your copied DLL. You could also use an executable memory mapped view of the file as long as you map with PAGE_EXECUTE_XxX with SEC_IMAGE and FILE_MAP_EXECUTE.

--Iconic
iconic
 
Posts: 808
Joined: Wed Jun 08, 2005 5:08 am

Re: Avoid existing hook ?

Postby dpsoftware » Wed Jun 08, 2016 10:57 am

Thank you both for your suggestions.

Is there any way to tell for sure that a hook is in use ? It would enable confirmation that the slow down was linked to a hook and I am not barking up the wrong tree.
dpsoftware
 
Posts: 2
Joined: Tue Jun 07, 2016 10:01 am

Re: Avoid existing hook ?

Postby madshi » Wed Jun 08, 2016 11:02 am

There are different kind of hooks. E.g. import and/or export table hooks. Or code overwriting hooks. You can detect code overwriting hooks by checking whether the first instruction is a JMP. That's usually (not always, but usually) a sign that the API is hooked by using code overwriting. See here for more information about various API hooking methods:

http://help.madshi.net/ApiHookingMethods.htm
madshi
Site Admin
 
Posts: 9412
Joined: Sun Mar 21, 2004 5:25 pm


Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 2 guests