Little Question About RestoreCode


Postby pambol » Tue Apr 02, 2019 12:32 am

Is RestoreCode able to restore its own hooks? I mean, if I hook ExitProcess:

var
  TrampolineExitProcess: procedure(uExitCode: UINT); stdcall; // receives the "next hook" pointer from HookApi

procedure InterceptExitProcess(uExitCode: UINT); stdcall;
begin
  ShowMessage('InterceptExitProcess');

  //TrampolineExitProcess(uExitCode);  // the original ExitProcess is not called here
end;

// Install the hook (placed after the declarations it references):
HookApi('kernel32.dll', 'ExitProcess', @InterceptExitProcess, @TrampolineExitProcess);


And call

// Restore the original bytes at the address of the export that was hooked
RestoreCode(GetProcAddress(GetModuleHandleA('kernel32.dll'), 'ExitProcess'));


My application should close when I call ExitProcess(0), no?
Because it doesn't work, even if I create an external DLL which hooks ExitProcess and inject it into my app.

But if I create a DLL which hooks ExitProcess using C++ (Detours), RestoreCode works perfectly, or if I get the first 6 bytes of the ExitProcess API function and write them back to its address before calling the ExitProcess function.

So, my question is: does RestoreCode not work if the hook was done by the madCodeHook HookApi function?
pambol
 
Posts: 46
Joined: Sat Jun 23, 2018 1:15 am

Re: Little Question About RestoreCode

Postby iconic » Tue Apr 02, 2019 2:21 am

RestoreCode() works for me with MCH v4. It's not a good way to remove the hook, though. Of course that's what UnHookApi() and UnHookCode() were designed for ;)

var
    ExitProcessNext: procedure(dwExitCode: DWORD); stdcall; // filled in by HookApi with the "next hook" pointer

procedure ExitProcessCallback(dwExitCode: DWORD); stdcall;
begin
    OutputDebugString('ExitProcess() Hook Callback Executed');
    ExitProcessNext(dwExitCode);
end;

procedure TForm1.FormCreate(Sender: TObject);
var
    pFunc: Pointer;
begin
    pFunc := GetProcAddress(GetModuleHandle('kernel32.dll'), 'ExitProcess');
    HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext);
    RestoreCode(pFunc); // <---
    // Should work (shouldn't see any debug message)
    ExitProcess(0);
end;


Also, on modern versions of Windows, *most* kernel32.dll APIs are actually forwarded to kernelbase.dll, so if I called ExitProcess() from kernelbase.dll, hooks on ExitProcess() from kernel32.dll would be completely bypassed. Just worth mentioning.

--Iconic
iconic
Site Admin
 
Posts: 895
Joined: Wed Jun 08, 2005 5:08 am

Re: Little Question About RestoreCode

Postby madshi » Tue Apr 02, 2019 8:23 am

iconic is faster than me, as usual. Thanks for providing great support, I really appreciate it! :D

My first guess as to why RestoreCode() might not have "worked" for pambol would also be kernel32.dll vs kernelbase.dll. In some situations I think madCodeHook automatically hooks kernelbase.dll instead of kernel32.dll, from what I recall. I would have to double check my own code to know for sure in which situations that's done, though. It's been a while since I worked on that code area...
madshi
Site Admin
 
Posts: 10061
Joined: Sun Mar 21, 2004 5:25 pm
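The thread never shows a way to tell whether RestoreCode actually put the original bytes back, or whether the hook landed on a different copy of the export (kernel32.dll vs kernelbase.dll, as iconic and madshi point out). The following console program is an added example, not code posted by pambol, iconic or madshi and not part of madCodeHook itself. It snapshots the first bytes of kernel32!ExitProcess, hooks it with HookApi, calls RestoreCode, and reports after each step whether the in-memory prologue still matches the snapshot. It assumes the madCodeHook unit is named `madCodeHook`, that HookApi and RestoreCode take the arguments used in the thread and return Boolean, and that the Delphi compiler accepts a console program with the Windows and SysUtils units; the 16-byte prologue length is a constructed choice.

```delphi
program HookRestoreCheck;

{$APPTYPE CONSOLE}

// Added example, not from the thread or from madCodeHook itself.
// Snapshot kernel32!ExitProcess, hook it, restore it, and report whether
// the bytes in memory match the snapshot at each step.
// Assumption: madCodeHook exposes HookApi/RestoreCode as used in the thread.

uses
  Windows, SysUtils, madCodeHook;

const
  PROLOGUE_LEN = 16; // constructed: covers a 5-byte rel32 jmp or a 14-byte absolute jmp

type
  TPrologue = array[0..PROLOGUE_LEN - 1] of Byte;

var
  ExitProcessNext: procedure(uExitCode: UINT); stdcall; // "next hook" pointer filled in by HookApi

procedure ExitProcessCallback(uExitCode: UINT); stdcall;
begin
  // If this still runs after RestoreCode, the hook lives somewhere other
  // than the bytes that were restored (for example on kernelbase.dll).
  OutputDebugString('ExitProcess hook callback executed');
  ExitProcessNext(uExitCode);
end;

// Resolve an export, loading the module if it is not already mapped.
function ResolveExport(const module, name: string): Pointer;
var
  h: HMODULE;
begin
  h := GetModuleHandle(PChar(module));
  if h = 0 then
    h := LoadLibrary(PChar(module));
  Result := GetProcAddress(h, PChar(name));
end;

// Copy the first PROLOGUE_LEN bytes at a code address.
function ReadPrologue(p: Pointer): TPrologue;
begin
  Move(p^, Result, PROLOGUE_LEN);
end;

function PrologueHex(const pro: TPrologue): string;
var
  i: Integer;
begin
  Result := '';
  for i := 0 to PROLOGUE_LEN - 1 do
    Result := Result + IntToHex(pro[i], 2) + ' ';
end;

// Print the current bytes and whether they equal the pre-hook snapshot.
procedure Report(const stage: string; const original, current: TPrologue);
begin
  if CompareMem(@original, @current, PROLOGUE_LEN) then
    Writeln(stage, ': ', PrologueHex(current), '(matches snapshot)')
  else
    Writeln(stage, ': ', PrologueHex(current), '(patched)');
end;

var
  k32, kbase: Pointer;
  original: TPrologue;
begin
  k32   := ResolveExport('kernel32.dll', 'ExitProcess');
  kbase := ResolveExport('kernelbase.dll', 'ExitProcess');
  // iconic's point: most kernel32 exports forward to kernelbase. If the
  // export is a forwarder, GetProcAddress follows it and both addresses
  // are the same; a hook that covers only one copy misses callers of the other.
  Writeln(Format('kernel32!ExitProcess = %p  kernelbase!ExitProcess = %p', [k32, kbase]));

  original := ReadPrologue(k32);
  Report('before HookApi   ', original, original);

  if not HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext) then
    raise Exception.Create('HookApi failed');
  Report('after HookApi    ', original, ReadPrologue(k32));

  if not RestoreCode(k32) then
    Writeln('RestoreCode returned False');
  Report('after RestoreCode', original, ReadPrologue(k32));

  // With the bytes restored, this should end the process without the
  // callback running; if the callback still fires, the hook is elsewhere.
  ExitProcess(0);
end.
```

Run it from a debugger or with a debug-output viewer attached: the "after HookApi" line should read "(patched)" and the "after RestoreCode" line "(matches snapshot)". If the "after HookApi" line already reads "(matches snapshot)", HookApi did not touch the kernel32 bytes at all, which is the kernelbase situation madshi describes, and restoring the kernel32 address cannot undo that hook.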
