c++ / delphi package - dll injection and api hooking
- Posts: 50
- Joined: Sat Jun 23, 2018 1:15 am
How i can prevent an app remove my user mode hook?
i'm hooking some apis and after a while they stop working, i tested creating a thread with RenewHook and hooks still working.
But i don't want use a thread for that.
- Site Admin
- Posts: 994
- Joined: Wed Jun 08, 2005 5:08 am
You can use the PAGE_GUARD memory access flag around your target API and single-step the code in your vectored exception handler callback function. Any access should trigger your exception handler to be called and allows you to watch your memory access fairly well and control flow from there directly using the CPU registers through a context that’s passed in to it.
Depending on how many hooks you’ve set you might have some slowdown but generally nothing too noticeable unless the API is called a lot. Best option is to use virtualization to trap this but unless you’re experienced in this area, more specifically writing hypervisors or VMMs, it will be confusing and more difficult to implement.
Here’s a somewhat interesting article:
https://www.codeproject.com/Articles/12 ... Analyze-Su