Prevent unhook api

c++ / delphi package - dll injection and api hooking
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Prevent unhook api

Post by pambol »

How can I prevent an app from removing my user-mode hook?
I'm hooking some APIs and after a while they stop working. I tested creating a thread with RenewHook and the hooks still work.
But I don't want to use a thread for that.
iconic
Site Admin
Posts: 994
Joined: Wed Jun 08, 2005 5:08 am

Re: Prevent unhook api

Post by iconic »

You can use the PAGE_GUARD memory access flag around your target API and single-step the code in your vectored exception handler callback function. Any access should trigger your exception handler to be called and allows you to watch your memory access fairly well and control flow from there directly using the CPU registers through a context that’s passed in to it.

Depending on how many hooks you’ve set you might have some slowdown but generally nothing too noticeable unless the API is called a lot. Best option is to use virtualization to trap this but unless you’re experienced in this area, more specifically writing hypervisors or VMMs, it will be confusing and more difficult to implement.

Here’s a somewhat interesting article:
https://www.codeproject.com/Articles/12 ... Analyze-Su

—Iconic