Little Question About RestoreCode

c++ / delphi package - dll injection and api hooking

Post by pambol » Tue Apr 02, 2019 12:32 am

Is RestoreCode able to restore its own hooks? I mean, if I hook ExitProcess:

Code:
HookApi('kernel32.dll', 'ExitProcess', @InterceptExitProcess, @TrampolineExitProcess);

procedure InterceptExitProcess(uExitCode: UINT); stdcall;

And call:
Code:
RestoreCode(GetProcAddress(GetModuleHandleA('kernel32.dll'), 'ExitProcess'))

My application should close when I call ExitProcess(0), no?
Because it doesn't work, even if I create an external DLL that hooks ExitProcess and inject it into my app.

But if I create a DLL that hooks ExitProcess using C++ (Detours), RestoreCode works perfectly, or if I get the first 6 bytes from the ExitProcess API function and write them to its address before calling the ExitProcess function.

So, my question is: does RestoreCode not work if the hook was done by madCodeHook's HookApi function?

Re: Little Question About RestoreCode

Post by iconic » Tue Apr 02, 2019 2:21 am

RestoreCode() works for me with MCH v4. It's not a good way to remove the hook, though. Of course, that's what UnHookApi() and UnHookCode() were designed for ;)

Code:
var
    ExitProcessNext: procedure(dwExitCode: DWORD); stdcall;

procedure ExitProcessCallback(dwExitCode: DWORD); stdcall;
begin
    // Runs only while the hook is still installed
    OutputDebugString('ExitProcess() Hook Callback Executed');
end;

procedure TForm1.FormCreate(Sender: TObject);
var
    pFunc: Pointer;
begin
    pFunc := GetProcAddress(GetModuleHandle('kernel32.dll'), 'ExitProcess');
    HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext);
    RestoreCode(pFunc); // <---
    // Should work (shouldn't see any debug message)
end;

Also, on modern versions of Windows, *most* kernel32.dll APIs are actually forwarded to kernelbase.dll, so if I called ExitProcess() from kernelbase.dll, hooks on ExitProcess() from kernel32.dll would be completely bypassed. Just worth mentioning.


Re: Little Question About RestoreCode

Post by madshi » Tue Apr 02, 2019 8:23 am

iconic is faster than me, as usual. Thanks for providing great support, I really appreciate it! :D

My first guess as to why RestoreCode() might not have "worked" for pambol would also be kernel32.dll vs kernelbase.dll. In some situations I think madCodeHook automatically hooks kernelbase.dll instead of kernel32.dll, from what I recall. Would have to double check my own code to know for sure in which situations that's done, though. It's been a while since I worked on that code area...
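A diagnostic for the kernel32.dll vs kernelbase.dll question raised in the replies above, added here as an example and not code from any poster or from madCodeHook: it snapshots the entry bytes of ExitProcess as resolved through each module, installs the hook, and reports which entry changed and whether RestoreCode on the kernel32 address put it back. It assumes the madCodeHook unit is on the search path, that HookApi and RestoreCode are called as in the posts, and the 6-byte length mentioned in the first post; PATCH_LEN, ResolveIn and Patched are hypothetical names.

```delphi
program WhichEntryGotPatched;
{$APPTYPE CONSOLE}
// Added example, not from the thread; HookApi/RestoreCode usage copied from the posts.
uses
  Windows, SysUtils, madCodeHook;

const
  PATCH_LEN = 6; // byte count taken from the first post ("the first 6 bytes")
type
  TPrologue = array[0..PATCH_LEN - 1] of Byte;
var
  ExitProcessNext: procedure(uExitCode: UINT); stdcall;
  pK32, pKB: Pointer;
  k32Before, kbBefore: TPrologue;

procedure ExitProcessCallback(uExitCode: UINT); stdcall;
begin
  OutputDebugString('ExitProcess() hook callback executed');
  ExitProcessNext(uExitCode); // continue to the original API
end;

// nil when the module is not loaded or does not export the name.
function ResolveIn(ModuleName, ApiName: PAnsiChar): Pointer;
begin
  Result := nil;
  if GetModuleHandleA(ModuleName) <> 0 then
    Result := GetProcAddress(GetModuleHandleA(ModuleName), ApiName);
end;

// True when the bytes at P no longer match the snapshot taken before hooking.
function Patched(P: Pointer; const Before: TPrologue): Boolean;
begin
  Result := (P <> nil) and not CompareMem(P, @Before, PATCH_LEN);
end;

begin
  pK32 := ResolveIn('kernel32.dll', 'ExitProcess');
  pKB := ResolveIn('kernelbase.dll', 'ExitProcess');
  if pK32 <> nil then Move(pK32^, k32Before, PATCH_LEN);
  if pKB <> nil then Move(pKB^, kbBefore, PATCH_LEN);
  HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext);
  Writeln('same address in both modules: ', (pK32 <> nil) and (pK32 = pKB));
  Writeln('kernel32 entry patched:   ', Patched(pK32, k32Before));
  Writeln('kernelbase entry patched: ', Patched(pKB, kbBefore));
  if pK32 <> nil then RestoreCode(pK32);
  Writeln('kernel32 entry patched after RestoreCode:   ', Patched(pK32, k32Before));
  Writeln('kernelbase entry patched after RestoreCode: ', Patched(pKB, kbBefore));
end.
```

If neither entry reports as patched after HookApi, the hook was not installed by overwriting these bytes and this comparison cannot locate it.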
