Prevent unhook api

c++ / delphi package - dll injection and api hooking

Postby pambol » Fri Dec 20, 2019 12:09 am

How can I prevent an app from removing my user-mode hook?
I'm hooking some APIs and after a while they stop working. I tested creating a thread with RenewHook and the hooks still work.
But I don't want to use a thread for that.
pambol
 
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Prevent unhook api

Postby iconic » Fri Dec 20, 2019 6:57 am

You can use the PAGE_GUARD memory access flag around your target API and single-step the code in your vectored exception handler callback function. Any access should trigger your exception handler to be called and allows you to watch your memory access fairly well and control flow from there directly using the CPU registers through a context that’s passed in to it.

Depending on how many hooks you’ve set you might have some slowdown but generally nothing too noticeable unless the API is called a lot. Best option is to use virtualization to trap this but unless you’re experienced in this area, more specifically writing hypervisors or VMMs, it will be confusing and more difficult to implement.

Here’s a somewhat interesting article:
https://www.codeproject.com/Articles/12 ... Analyze-Su

—Iconic
iconic
Site Admin
 
Posts: 967
Joined: Wed Jun 08, 2005 5:08 am
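
The PAGE_GUARD plus single-step pattern from the reply above, as an added example (not madCodeHook code and not from either poster), used here to detect when the patched bytes of a hooked API are overwritten. The names `watch_hook`, `guard_span`, `hook_tampered` and `g_tamper_events` are hypothetical, and the Windows part assumes x86/x64.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PAGE_GUARD is page-granular: compute the span that actually gets guarded. */
void guard_span(uintptr_t hook, size_t len, size_t page, uintptr_t *base, size_t *size) {
    *base = hook & ~(uintptr_t)(page - 1);
    *size = ((hook + len + page - 1) & ~(uintptr_t)(page - 1)) - *base;
}
/* 1 if the live bytes no longer match the patch we installed. */
int hook_tampered(const void *live, const void *saved, size_t len) { return memcmp(live, saved, len) != 0; }

#ifdef _WIN32
#include <windows.h>
static unsigned char *g_hook, g_saved[16];   /* patched entry and a copy of our patch */
static size_t g_len, g_size; static uintptr_t g_base;
static volatile LONG g_tamper_events;        /* hypothetical counter the host polls */
static __declspec(thread) int t_stepping;    /* this thread is inside our single step */

static void arm_guard(void) {
    MEMORY_BASIC_INFORMATION mbi; DWORD old;
    if (VirtualQuery(g_hook, &mbi, sizeof mbi))
        VirtualProtect(g_hook, g_len, mbi.Protect | PAGE_GUARD, &old);
}
static LONG CALLBACK guard_veh(EXCEPTION_POINTERS *ep) {
    EXCEPTION_RECORD *er = ep->ExceptionRecord;
    /* Assumption: ExceptionInformation[1] holds the accessed address, as for access violations. */
    if (er->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION && er->NumberParameters >= 2 &&
        er->ExceptionInformation[1] - g_base < g_size) {
        t_stepping = 1;                       /* the OS has already cleared the guard */
        ep->ContextRecord->EFlags |= 0x100;   /* trap flag: run exactly one instruction */
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    if (er->ExceptionCode == EXCEPTION_SINGLE_STEP && t_stepping) {
        t_stepping = 0;
        if (hook_tampered(g_hook, g_saved, g_len)) InterlockedIncrement(&g_tamper_events);
        arm_guard();                          /* re-arm for the next access */
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;         /* not ours: leave it to other handlers */
}
int watch_hook(void *hook, size_t len) {      /* call once the hook is in place */
    SYSTEM_INFO si; GetSystemInfo(&si);
    if (len > sizeof g_saved) return 0;
    g_hook = hook; g_len = len; memcpy(g_saved, hook, len);
    guard_span((uintptr_t)hook, len, si.dwPageSize, &g_base, &g_size);
    if (!AddVectoredExceptionHandler(1, guard_veh)) return 0;
    arm_guard();
    return 1;
}
#endif
```

Because the guard covers whole pages, every access to them, including ordinary calls into the hooked API, takes two exceptions per instruction, which is the slowdown the reply mentions. The handler only counts tampering; what to do about it is left to the caller.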

