Little Question About RestoreCode

c++ / delphi package - dll injection and api hooking
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Little Question About RestoreCode

Post by pambol »

Is RestoreCode able to restore its own hooks? I mean, if I hook ExitProcess.

Code:

var
  // Trampoline filled in by HookApi; points at the original ExitProcess code
  TrampolineExitProcess: procedure(uExitCode: UINT); stdcall;

procedure InterceptExitProcess(uExitCode: UINT); stdcall;
begin
  ShowMessage('InterceptExitProcess');

  // Intentionally not forwarded, so the hooked ExitProcess never terminates the process
  //TrampolineExitProcess(uExitCode);
end;

// Installed later (e.g. from FormCreate), after the callback and trampoline are declared
HookApi('kernel32.dll', 'ExitProcess', @InterceptExitProcess, @TrampolineExitProcess);
And then call

Code:

RestoreCode(GetProcAddress(GetModuleHandleA('kernel32.dll'), 'ExitProcess'))
My application should close when I call ExitProcess(0), no?
Because it doesn't work, even if I create an external DLL that hooks ExitProcess and inject it into my app.

But if I create a DLL that hooks ExitProcess using C++ (Detours), RestoreCode works perfectly, or if I get the first 6 bytes of the ExitProcess API function and write them back to its address before calling the ExitProcess function.

So, my question is: does RestoreCode not work if the hook was done by madCodeHook's HookApi function?
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: Little Question About RestoreCode

Post by iconic »

RestoreCode() works for me with MCH v4. It's not a good way to remove the hook, though. Of course, that's what UnHookApi() and UnHookCode() were designed for ;)

Code:

var
    // Next-hook (trampoline) pointer, filled in by HookApi
    ExitProcessNext: procedure(dwExitCode: DWORD); stdcall;


procedure ExitProcessCallback(dwExitCode: DWORD); stdcall;
begin
    OutputDebugString('ExitProcess() Hook Callback Executed');
    ExitProcessNext(dwExitCode);
end;


procedure TForm1.FormCreate(Sender: TObject);
var
    pFunc: Pointer;
begin
    pFunc := GetProcAddress(GetModuleHandle('kernel32.dll'), 'ExitProcess');
    HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext);
    RestoreCode(pFunc); // <---
    // Should work (shouldn't see any debug message)
    ExitProcess(0);
end;
Also, on modern versions of Windows, *most* kernel32.dll APIs are actually forwarded to kernelbase.dll, so if I called ExitProcess() from kernelbase.dll, hooks on ExitProcess() from kernel32.dll would be completely bypassed. Just worth mentioning.

--Iconic
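An added example (not code from this thread, nor a madCodeHook sample) in Delphi that removes the hook with the function iconic names, UnHookApi, instead of RestoreCode, and first checks whether the kernel32.dll export is a forwarder into kernelbase.dll, which decides whether a hook placed via 'kernel32.dll' covers kernelbase callers at all. It assumes HookApi and UnHookApi take the address of the next-hook variable, as in the HookApi call above; the UnHookApi signature is an assumption.

```delphi
uses
  Windows, SysUtils, madCodeHook;

var
  // Next-hook pointer filled in by HookApi (same pattern as the post above)
  ExitProcessNext: procedure(dwExitCode: DWORD); stdcall;

procedure ExitProcessCallback(dwExitCode: DWORD); stdcall;
begin
  OutputDebugString('ExitProcess() hook callback executed');
  ExitProcessNext(dwExitCode);
end;

// GetProcAddress follows export forwarders. If the kernel32 export resolves
// to the very same address as the kernelbase export, kernel32 merely forwards
// it and a hook requested through 'kernel32.dll' ends up patching kernelbase
// code. If the addresses differ, kernel32 has its own code for the API and a
// hook there does not cover code that calls the kernelbase export directly.
function IsForwardedToKernelBase(const Api: AnsiString): Boolean;
var
  hKernel32, hKernelBase: HMODULE;
  p32, pBase: Pointer;
begin
  Result := False;
  hKernel32 := GetModuleHandle('kernel32.dll');
  hKernelBase := LoadLibrary('kernelbase.dll'); // already loaded on Win7+, this just gets a handle
  if (hKernel32 = 0) or (hKernelBase = 0) then
    Exit;
  p32 := GetProcAddress(hKernel32, PAnsiChar(Api));
  pBase := GetProcAddress(hKernelBase, PAnsiChar(Api));
  Result := (p32 <> nil) and (p32 = pBase);
end;

procedure HookThenUnhookExitProcess;
begin
  if not IsForwardedToKernelBase('ExitProcess') then
    OutputDebugString('kernel32!ExitProcess is separate code; a kernel32 hook will not see kernelbase callers');

  if HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext) then
  begin
    // ... hook is active here; the callback fires for ExitProcess() calls through kernel32 ...
    // Proper removal: UnHookApi restores the original bytes and releases the trampoline
    // (assumed signature: takes the address of the next-hook variable)
    if not UnHookApi(@ExitProcessNext) then
      OutputDebugString('UnHookApi failed');
  end;

  ExitProcess(0); // no callback message expected once the hook is removed
end;
```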
madshi
Site Admin
Posts: 10434
Joined: Sun Mar 21, 2004 5:25 pm

Re: Little Question About RestoreCode

Post by madshi »

iconic is faster than me, as usual. Thanks for providing great support, I really appreciate it! :D

My first guess as to why RestoreCode() might not have "worked" for pambol would also be kernel32.dll vs kernelbase.dll. In some situations I think madCodeHook automatically hooks kernelbase.dll instead of kernel32.dll, from what I recall. I would have to double-check my own code to know for sure in which situations that's done, though. It's been a while since I worked on that code area...