Prevent unhook api

Posted: Fri Dec 20, 2019 12:09 am
by pambol
How can I prevent an app from removing my user mode hook?
I'm hooking some APIs and after a while they stop working. I tested creating a thread with RenewHook and the hooks are still working.
But I don't want to use a thread for that.

Re: Prevent unhook api

Posted: Fri Dec 20, 2019 6:57 am
by iconic
You can use the PAGE_GUARD memory access flag around your target API and single-step the code in your vectored exception handler callback function. Any access should trigger your exception handler to be called and allows you to watch your memory access fairly well and control flow from there directly using the CPU registers through a context that’s passed in to it.

Depending on how many hooks you’ve set you might have some slowdown but generally nothing too noticeable unless the API is called a lot. Best option is to use virtualization to trap this but unless you’re experienced in this area, more specifically writing hypervisors or VMMs, it will be confusing and more difficult to implement.

Here’s a somewhat interesting article: ... Analyze-Su
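
The PAGE_GUARD plus single-step cycle described in the reply above, sketched as an added example that is not code from the thread: a vectored exception handler that re-arms the guard after each access and counts modifications to the hooked bytes. The names `decide`, `struct watch`, `guard_veh` and the `g_*` globals are hypothetical, and it assumes the guard-page exception record carries the access type and address in `ExceptionInformation` the way an access violation does.

```c
#include <stdint.h>
#include <string.h>

#define GUARD_HIT   0x80000001u  /* STATUS_GUARD_PAGE_VIOLATION */
#define SINGLE_STEP 0x80000004u  /* STATUS_SINGLE_STEP */
#define ACC_WRITE   1u           /* ExceptionInformation[0]: 0 read, 1 write (assumed) */
#define PAGE_SZ     0x1000u
enum { D_PASS = 0, D_HANDLED = 1, D_SET_TRAP = 2, D_REARM = 4, D_VERIFY = 8 };

/* Hypothetical state for one guarded page. A single global is a simplification:
   the trap flag is per-thread, so real code tracks `stepping` per thread. */
struct watch { uintptr_t page; int stepping; int verify; };

/* Decide what the handler does for one exception (portable and testable). */
unsigned decide(struct watch *w, uint32_t code, uintptr_t kind, uintptr_t addr)
{
    if (code == GUARD_HIT) {
        if (addr < w->page || addr - w->page >= PAGE_SZ) return D_PASS; /* not ours */
        w->stepping = 1;                      /* the OS has already cleared PAGE_GUARD */
        if (kind == ACC_WRITE) w->verify = 1; /* a write touched the guarded page */
        return D_HANDLED | D_SET_TRAP;        /* let exactly one instruction run */
    }
    if (code == SINGLE_STEP && w->stepping) { /* the instruction has completed */
        unsigned d = D_HANDLED | D_REARM | (w->verify ? D_VERIFY : 0);
        w->stepping = w->verify = 0;
        return d;
    }
    return D_PASS;                            /* someone else's exception */
}

#ifdef _WIN32
#include <windows.h>
static struct watch g_w;            /* g_w.page = page base of the hooked API */
static unsigned char g_expect[16];  /* copy of the hook bytes as installed */
static void *g_hook; static size_t g_len;
static volatile LONG g_tampered;    /* number of detected modifications */

static LONG CALLBACK guard_veh(EXCEPTION_POINTERS *e)
{
    EXCEPTION_RECORD *r = e->ExceptionRecord;
    int has = r->NumberParameters >= 2;
    unsigned d = decide(&g_w, r->ExceptionCode, has ? r->ExceptionInformation[0] : 0,
                        has ? r->ExceptionInformation[1] : (uintptr_t)r->ExceptionAddress);
    if (d == D_PASS) return EXCEPTION_CONTINUE_SEARCH;
    if (d & D_SET_TRAP) e->ContextRecord->EFlags |= 0x100;  /* TF: single-step */
    if ((d & D_VERIFY) && memcmp(g_hook, g_expect, g_len)) InterlockedIncrement(&g_tampered);
    if (d & D_REARM) { DWORD old; VirtualProtect((void *)g_w.page, PAGE_SZ, PAGE_EXECUTE_READ | PAGE_GUARD, &old); }
    return EXCEPTION_CONTINUE_EXECUTION;
}
#endif
```

On Windows the handler is registered with `AddVectoredExceptionHandler(1, guard_veh)` after the globals are filled in and the page is first protected with `PAGE_GUARD`. Code that calls `VirtualProtect` on the page without `PAGE_GUARD` removes the watch without raising any exception, so this only sees accesses made while the guard is still set.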