
Little Question About RestoreCode

Posted: Tue Apr 02, 2019 12:32 am
by pambol
Is RestoreCode able to restore its own hooks? I mean, if I hook ExitProcess.

Code:
var TrampolineExitProcess: procedure(uExitCode: UINT); stdcall;

procedure InterceptExitProcess(uExitCode: UINT); stdcall;
begin
  TrampolineExitProcess(uExitCode); // forward to the original ExitProcess
end;

HookApi('kernel32.dll', 'ExitProcess', @InterceptExitProcess, @TrampolineExitProcess);


And call:
Code:
RestoreCode(GetProcAddress(GetModuleHandleA('kernel32.dll'), 'ExitProcess'));

My application should close when I call ExitProcess(0), no?
Because it doesn't work, even if I create an external DLL that hooks ExitProcess and inject it into my app.

But if I create a DLL that hooks ExitProcess using C++ (Detours), RestoreCode works perfectly, or if I get the first 6 bytes of the ExitProcess API function and write them back to its address before calling ExitProcess.

So, my question is: does RestoreCode not work if the hook was done by madCodeHook's HookApi function?

Re: Little Question About RestoreCode

Posted: Tue Apr 02, 2019 2:21 am
by iconic
RestoreCode() works for me with MCH v4. It's not a good way to remove the hook, though. Of course, that's what UnHookApi() and UnHookCode() were designed for ;)

Code:
var
  ExitProcessNext: procedure(dwExitCode: DWORD); stdcall;

procedure ExitProcessCallback(dwExitCode: DWORD); stdcall;
begin
  OutputDebugString('ExitProcess() Hook Callback Executed');
  ExitProcessNext(dwExitCode); // pass through to the original ExitProcess
end;

procedure TForm1.FormCreate(Sender: TObject);
var
  pFunc: Pointer;
begin
  pFunc := GetProcAddress(GetModuleHandle('kernel32.dll'), 'ExitProcess');
  HookApi('kernel32.dll', 'ExitProcess', @ExitProcessCallback, @ExitProcessNext);
  RestoreCode(pFunc); // <---
  // Should work (shouldn't see any debug message)
end;

Also, on modern versions of Windows, *most* kernel32.dll APIs are actually forwarded to kernelbase.dll, so if I called ExitProcess() from kernelbase.dll, hooks on ExitProcess() from kernel32.dll would be completely bypassed. Just worth mentioning.


Re: Little Question About RestoreCode

Posted: Tue Apr 02, 2019 8:23 am
by madshi
iconic is faster than me, as usual. Thanks for providing great support, I really appreciate it! :D

My first guess as to why RestoreCode() might not have "worked" for pambol would also be kernel32.dll vs kernelbase.dll. In some situations I think madCodeHook automatically hooks kernelbase.dll instead of kernel32.dll, from what I recall. I would have to double check my own code to know for sure in which situations that's done, though. It's been a while since I worked on that code area...
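A Delphi diagnostic for the kernel32.dll vs kernelbase.dll question raised in the two replies above, added here as an example and not code from the thread or from madCodeHook: it resolves the export from both modules and prints each entry point's address and first 6 bytes (the amount pambol restores by hand), so you can run it before HookApi, after HookApi and after RestoreCode/UnHookApi to see which address a hook actually changed and whether the bytes were put back. The helper names FirstBytesHex and ReportExport are my own.

```delphi
uses
  Windows, SysUtils;

// Constructed helper: hex dump of the first 6 bytes at pCode.
function FirstBytesHex(pCode: Pointer): string;
var
  p: PByte;
  i: Integer;
begin
  Result := '';
  p := PByte(pCode);
  for i := 0 to 5 do
  begin
    Result := Result + IntToHex(p^, 2) + ' ';
    Inc(p);
  end;
end;

// Constructed helper: report where an export really lives and what its
// prologue looks like. If kernel32 and kernelbase resolve to the same
// address, the kernel32 export is a forwarder and one hook covers both;
// if they differ, a hook (or RestoreCode) on one does not touch the other.
procedure ReportExport(const AName: AnsiString);
var
  pK32, pKB: Pointer;
  hKB: HMODULE;
begin
  pK32 := GetProcAddress(GetModuleHandle('kernel32.dll'), PAnsiChar(AName));
  hKB := GetModuleHandle('kernelbase.dll');
  if hKB = 0 then
    hKB := LoadLibrary('kernelbase.dll');
  pKB := nil;
  if hKB <> 0 then
    pKB := GetProcAddress(hKB, PAnsiChar(AName));
  OutputDebugString(PChar(Format('%s kernel32=%p [%s]',
    [string(AName), pK32, FirstBytesHex(pK32)])));
  if pKB <> nil then
    OutputDebugString(PChar(Format('%s kernelbase=%p [%s]',
      [string(AName), pKB, FirstBytesHex(pKB)])));
  if pK32 = pKB then
    OutputDebugString(PChar(string(AName) + ': single entry point (forwarded)'))
  else
    OutputDebugString(PChar(string(AName) + ': two entry points, check both'));
end;
```

Call ReportExport('ExitProcess') at each stage and watch the debug output with DebugView; a hook that is still in place shows up as changed prologue bytes at whichever address it patched.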