Hello ppl,
Is it possible someone could counteract the madCodeHook by implementing their own API hook and making the madCodeHook return false results?
Let's assume they MUST load my software which uses madCodeHook, but beforehand they already loaded another API hook, which detects when madCodeHook starts and gives it false results. Any way to stop that?
I could do a CRC or MD5 check to detect if they have replaced the madCodeHook.dll with their own version, but they could just API hook the API hook!
Maybe when my app starts I could detect if another API hook is present somehow?
Cheers,
Jon
Detect another API hook..?
Your hook dll is loaded into the context of each running process. So if someone wanted to hook madCodeHook's APIs he'd have to be present in each process, too, and before madCodeHook can do its work. That's possible, but quite difficult. When building your hook dll with MSVC++ you can use the static lib to link madCodeHook's API code into your hook dll. This way there's nothing left that someone else could hook. (The static lib is only available in the commercial edition of madCodeHook.) When using Delphi, madCodeHook is by default linked into your hook dll, so there's nothing to hook, either.
What could happen is that the "InjectLibrary" API is hooked, which is only called by your application. You could check whether InjectLibrary worked all right by, e.g., incrementing a shared counter in your hook dll. That way you could check whether your hook dll got injected and how often.
I think the biggest risk is that someone uninstalls the hooks after they have already been installed. That's not too easy, but quite possible.
Thanks Madshi..
OK, I've managed to get the madCodeHook to work with Visual Basic as far as injecting my C++ dll into all processes. Haven't bothered with IPC yet. Before I do, continuing with the post topic: is it possible to detect if another hook is present?
For example, detecting if another process called LoadLibrary or GetProcAddress. These would alert me if another program has been injected or is at least trying to hook a function. I'm clueless.
I basically want to be alerted when another program is trying to inject a dll into the running process.
I've made a .dll write a log file when its parent process calls a particular API function. All worked for things like mouse and keyboard API calls, but the addition of the LoadLibrary callback I made caused the system to crash.
Any ideas?
Thanks.
jonny_valentine wrote:
I've made a .dll write a log file when its parent process calls a particular API function. All worked for things like mouse and keyboard API calls, but the addition of the LoadLibrary callback I made caused the system to crash.

Check out the HookLoadLibrary demo shipping with madCodeHook.
// Needs madDisAsm (ParseCode / ParseFunction) and Windows in the uses clause.
// Starts at the exported entry point and, if it begins with a jmp/call stub,
// follows the chain of stub targets to find where the hooked API really goes.
function GetRealProcAddress(hModule: HMODULE; lpProcName: PChar): Pointer;
var
  Proc: Pointer;
  CodeInfo: TCodeInfo;
  FunctionInfo: TFunctionInfo;
  Hops: Integer;
begin
  Proc := GetProcAddress(hModule, lpProcName);
  Result := Proc;
  if Proc = nil then
    Exit;
  // An untouched export does not normally start with a call or jmp.
  CodeInfo := ParseCode(Proc);
  if not (CodeInfo.Call or CodeInfo.Jmp) then
    Exit;
  FunctionInfo := ParseFunction(Proc);
  // A hook stub is a single 5-byte "jmp rel32"; anything else is left alone.
  if FunctionInfo.CodeLen <> 5 then
    Exit;
  Hops := 0;
  repeat
    // Guard added against an empty FarCalls array, which would raise a range error.
    if Length(FunctionInfo.FarCalls) = 0 then
      Break;
    Result := FunctionInfo.FarCalls[Low(FunctionInfo.FarCalls)].Target;
    FunctionInfo := ParseFunction(Result);
    Inc(Hops);
  // Stop at the first function along the chain with a parsed code length of 10
  // (the poster's criterion for having reached the real code), or after too many
  // hops, so a stub that jumps back to itself cannot loop forever.
  until (FunctionInfo.CodeLen = 10) or (Hops > 16);
end;
Try this, it's using madDisAsm.
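Jon's question about detecting another hook, and the GetRealProcAddress snippet above, both come down to the same check: does the first instruction of an export redirect somewhere, and where does the chain of redirects end? The following is an added example, not code from this thread or from madCodeHook or madDisAsm. It is written in portable C against a constructed byte buffer so it runs offline; on Windows you would point it at the address GetProcAddress returns instead. The sample bytes, offsets and function names are invented for the demo. It only decodes the E9/E8 rel32 forms that the 5-byte stub in the Delphi code corresponds to, and it adds one thing the Delphi snippet lacks: a hop limit, so a stub that jumps to itself is reported as suspicious rather than looping forever.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Only the two rel32 redirects used by a classic 5-byte inline hook.
   Indirect forms such as FF 25 (jmp [abs32]) or 68 imm32 / C3 (push/ret)
   would need extra cases; on x64, FF 25 is RIP-relative as well. */
typedef enum { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_CALL_REL32 } hook_kind;

/* If the code at p starts with E9/E8 rel32, return the branch target and
   set *kind; otherwise return NULL. Target = address after the 5-byte
   instruction + rel32. */
static const uint8_t *redirect_target(const uint8_t *p, hook_kind *kind)
{
    int32_t rel;
    hook_kind k = HOOK_NONE;

    if (p[0] == 0xE9) k = HOOK_JMP_REL32;
    else if (p[0] == 0xE8) k = HOOK_CALL_REL32;
    if (kind) *kind = k;
    if (k == HOOK_NONE) return NULL;

    memcpy(&rel, p + 1, sizeof rel);   /* unaligned-safe read of rel32 */
    return p + 5 + rel;
}

/* Follow redirects from entry until code that is not a rel32 jmp/call is
   reached or max_hops is exhausted. *hops receives the number of hops:
   0 means the entry point looks unhooked; reaching max_hops means a loop
   or an implausibly long chain and should itself be flagged. */
const uint8_t *resolve_real_entry(const uint8_t *entry, int max_hops, int *hops)
{
    const uint8_t *cur = entry;
    int n = 0;
    while (n < max_hops) {
        const uint8_t *next = redirect_target(cur, NULL);
        if (next == NULL) break;
        cur = next;
        n++;
    }
    if (hops) *hops = n;
    return cur;
}

/* Constructed 64-byte "module" standing in for real code so the example
   runs offline. The offsets are hypothetical and chosen for the demo. */
enum { SAMPLE_SIZE = 64, OFF_CLEAN = 0, OFF_HOOKED = 16, OFF_STUB = 32,
       OFF_HANDLER = 48, OFF_LOOP = 56 };

static void write_jmp_rel32(uint8_t *buf, size_t at, size_t to)
{
    int32_t rel = (int32_t)((ptrdiff_t)to - (ptrdiff_t)(at + 5));
    buf[at] = 0xE9;
    memcpy(buf + at + 1, &rel, sizeof rel);
}

void build_sample_module(uint8_t *buf)
{
    /* push ebp; mov ebp,esp; pop ebp; ret */
    static const uint8_t prologue[] = { 0x55, 0x8B, 0xEC, 0x5D, 0xC3 };
    memset(buf, 0xCC, SAMPLE_SIZE);                        /* int3 padding */
    memcpy(buf + OFF_CLEAN, prologue, sizeof prologue);    /* untouched export */
    write_jmp_rel32(buf, OFF_HOOKED, OFF_STUB);            /* hooked export -> stub */
    write_jmp_rel32(buf, OFF_STUB, OFF_HANDLER);           /* stub -> hook handler */
    memcpy(buf + OFF_HANDLER, prologue, sizeof prologue);  /* handler body */
    write_jmp_rel32(buf, OFF_LOOP, OFF_LOOP);              /* jmp to itself: pathological */
}

/* Wrappers for the demo: resolve an entry in the sample module and report
   the hop count and the offset the chain ends at. */
int sample_hops(size_t entry_off)
{
    uint8_t buf[SAMPLE_SIZE]; int hops;
    build_sample_module(buf);
    resolve_real_entry(buf + entry_off, 8, &hops);
    return hops;
}

size_t sample_resolved_offset(size_t entry_off)
{
    uint8_t buf[SAMPLE_SIZE]; int hops;
    build_sample_module(buf);
    return (size_t)(resolve_real_entry(buf + entry_off, 8, &hops) - buf);
}

int main(void)
{
    size_t entries[] = { OFF_CLEAN, OFF_HOOKED, OFF_LOOP };
    for (size_t i = 0; i < 3; i++) {
        int hops = sample_hops(entries[i]);
        printf("entry +%zu: %s, ends at +%zu after %d hop(s)\n",
               entries[i], hops ? "REDIRECTED" : "clean",
               sample_resolved_offset(entries[i]), hops);
    }
    /* On Windows, pass a real export instead of the sample buffer, e.g.
       (const uint8_t *)GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA") */
    return 0;
}
```

Running the check once at startup, before any IPC, and again later tells you whether an export was redirected before your hook dll arrived and whether something rewrote it afterwards; a hop count that hits the limit is worth reporting just as much as a resolved target outside the module that owns the export.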