Little Question About RestoreCode

Posted: Tue Apr 02, 2019 12:32 am
by pambol
Is RestoreCode able to restore its own hooks? I mean, if I hook ExitProcess.

Code:

var
  // Receives the trampoline to the original ExitProcess
  TrampolineExitProcess: procedure(uExitCode: UINT); stdcall;

procedure InterceptExitProcess(uExitCode: UINT); stdcall;
begin
  ShowMessage('InterceptExitProcess');

  // Original function deliberately not called through here
  //TrampolineExitProcess(uExitCode);
end;

// Install the hook (the callback must be declared before this call)
HookApi('kernel32.dll', 'ExitProcess', @InterceptExitProcess, @TrampolineExitProcess);
And call

Code:

RestoreCode(GetProcAddress(GetModuleHandleA('kernel32.dll'), 'ExitProcess'))
My application should close when I call ExitProcess(0), no?
Because it doesn't work, even if I create an external DLL that hooks ExitProcess and inject it into my app.

But if I create a DLL that hooks ExitProcess using C++ (Detours), RestoreCode works perfectly, or if I get the first 6 bytes of the ExitProcess API function and write them back to its address before calling the ExitProcess function.

So, my question is: does RestoreCode not work if the hook was done by madCodeHook's HookApi function?

Re: Little Question About RestoreCode

Posted: Tue Apr 02, 2019 2:21 am
by iconic
RestoreCode() works for me with MCH v4. It's not a good way to remove the hook, though. Of course, that's what UnHookApi() and UnHookCode() were designed for ;)

Code:

var
    // Filled in by HookApi with the trampoline to the original code
    ExitProcessNext: procedure(dwExitCode: DWORD); stdcall;

procedure ExitProcessCallback(dwExitCode: DWORD); stdcall;
begin
    OutputDebugString('ExitProcess() Hook Callback Executed');
    ExitProcessNext(dwExitCode);
end;

procedure TForm1.FormCreate(Sender: TObject);
var
    pFunc: Pointer;
begin
    // Resolve the real code address before the hook is installed
    pFunc := GetProcAddress(GetModuleHandle('kernel32.dll'), 'ExitProcess');
    HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext);
    RestoreCode(pFunc); // <---
    // Should work (shouldn't see any debug message)
    ExitProcess(0);
end;
Also, on modern versions of Windows, *most* kernel32.dll APIs are actually forwarded to kernelbase.dll, so if I called ExitProcess() from kernelbase.dll, hooks on ExitProcess() from kernel32.dll would be completely bypassed. Just worth mentioning.

--Iconic

Re: Little Question About RestoreCode

Posted: Tue Apr 02, 2019 8:23 am
by madshi
iconic is faster than me, as usual. Thanks for providing great support, I really appreciate it! :D

My first guess as to why RestoreCode() might not have "worked" for pambol would also be kernel32.dll vs kernelbase.dll. In some situations I think madCodeHook automatically hooks kernelbase.dll instead of kernel32.dll, from what I recall. Would have to double check my own code to know for sure in which situations that's done, though. It's been a while since I worked on that code area...
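The two diagnostics raised in this thread, whether RestoreCode() actually put the original bytes back and whether kernel32!ExitProcess and kernelbase!ExitProcess are the same code, can be checked directly instead of inferred from whether the process exits. The following console program is an added example, not code from the thread or from madCodeHook itself. It assumes HookApi and RestoreCode take the arguments in the order used above and both return a Boolean, that kernelbase.dll is already loaded in the process (true on current Windows), and that a 16-byte snapshot (PROLOGUE_LEN, an assumed value) covers whatever the hook patches.

```delphi
program CheckRestoreCode;

{$APPTYPE CONSOLE}

// Added example, not from the forum thread or from madCodeHook.
// Assumptions: HookApi/RestoreCode signatures as used in the thread (both
// returning Boolean), kernelbase.dll loaded, 16 bytes cover the patch.

uses
  Windows, SysUtils, madCodeHook;

const
  PROLOGUE_LEN = 16;  // assumed: longer than any prologue patch

type
  TPrologue = array[0..PROLOGUE_LEN - 1] of Byte;

var
  ExitProcessNext: procedure(uExitCode: UINT); stdcall;

procedure ExitProcessCallback(uExitCode: UINT); stdcall;
begin
  Writeln('ExitProcess hook callback executed');
  ExitProcessNext(uExitCode);
end;

// Copies the first PROLOGUE_LEN bytes at Code so they can be compared later.
function SnapshotPrologue(Code: Pointer): TPrologue;
begin
  Move(Code^, Result[0], PROLOGUE_LEN);
end;

function HexOf(const P: TPrologue): string;
var
  i: Integer;
begin
  Result := '';
  for i := 0 to PROLOGUE_LEN - 1 do
    Result := Result + IntToHex(P[i], 2) + ' ';
end;

procedure RunCheck;
var
  pK32, pKBase: Pointer;
  original, afterHook, afterRestore: TPrologue;
begin
  // 1. Where does ExitProcess really live? GetProcAddress follows export
  //    forwarders, so where kernel32 forwards to kernelbase both lookups
  //    return the same address.
  pK32 := GetProcAddress(GetModuleHandle('kernel32.dll'), 'ExitProcess');
  pKBase := GetProcAddress(GetModuleHandle('kernelbase.dll'), 'ExitProcess');
  Writeln(Format('kernel32!ExitProcess   = %p', [pK32]));
  Writeln(Format('kernelbase!ExitProcess = %p', [pKBase]));
  if pK32 = pKBase then
    Writeln('Same code: a hook on either name patches the same bytes')
  else
    Writeln('Different code: a hook on one module does not cover the other');

  // 2. Snapshot the prologue before the hook goes in.
  original := SnapshotPrologue(pK32);

  if not HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext) then
  begin
    Writeln('HookApi failed');
    Exit;
  end;
  afterHook := SnapshotPrologue(pK32);
  if CompareMem(@original, @afterHook, PROLOGUE_LEN) then
    Writeln('Bytes at kernel32!ExitProcess unchanged: hook was placed elsewhere')
  else
    Writeln('Hook installed, prologue now: ' + HexOf(afterHook));

  // 3. RestoreCode should write the original bytes back at this address.
  if not RestoreCode(pK32) then
    Writeln('RestoreCode returned False');
  afterRestore := SnapshotPrologue(pK32);
  if CompareMem(@original, @afterRestore, PROLOGUE_LEN) then
    Writeln('Prologue restored byte-for-byte')
  else
    Writeln('Prologue still patched: ' + HexOf(afterRestore));

  // 4. If the restore worked, this exits without the callback message.
  ExitProcess(0);
end;

begin
  RunCheck;
end.
```

If the second comparison reports the bytes unchanged after HookApi, the hook landed on a different address than the one being restored, which is the kernel32/kernelbase situation madshi describes; if the bytes change and then come back, RestoreCode did its job at the byte level, but as iconic notes it leaves madCodeHook's own hook bookkeeping in place, so UnHookApi()/UnHookCode() remain the proper way to remove a hook.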