Detect another API hook..?

c++ / delphi package - dll injection and api hooking
jonny_valentine
Posts: 109
Joined: Thu Dec 30, 2004 9:59 pm
Location: UK

Detect another API hook..?

Post by jonny_valentine »

Hello ppl,

Is it possible someone could counteract the madCodeHook by implementing their own API hook and making the madCodeHook return false results?

Let's assume they MUST load my software which uses madCodeHook, but beforehand they already loaded another API hook, which detects when madCodeHook starts and gives it false results.. any way to stop that?

I could do a CRC or MD5 check to detect if they have replaced the madchook.dll with their own version, but they could just API hook the API hook! :confused:

Maybe when my app starts I could detect if another API hook is present somehow?

Cheers,

Jon
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Your hook dll is loaded into the context of each running process. So if someone wanted to hook madCodeHook's APIs he'd have to be present in each process, too - and before madCodeHook can do its work. That's possible, but quite difficult. When building your hook dll with MSVC++ you can use the static lib to link madCodeHook's API code into your hook dll. This way there's nothing left that someone else could hook. (The static lib is only available in the commercial edition of madCodeHook.) When using Delphi, madCodeHook is by default linked into your hook dll, so there's nothing to hook, either.

What could happen is that the "InjectLibrary" API is hooked, which is only called by your application. You could check whether InjectLibrary worked alright by e.g. increasing a shared counter in your hook dll. That way you could check whether your hook dll got injected and how often.

I think the biggest risk is that someone uninstalls the hooks, after they have already been installed. That's not too easy, but quite possible.
jonny_valentine
Posts: 109
Joined: Thu Dec 30, 2004 9:59 pm
Location: UK

Post by jonny_valentine »

Thanks Madshi..

Ok, I've managed to get the madCodeHook to work with Visual Basic as far as injecting my C++ dll into all processes. Haven't bothered with IPC yet.. before I do, continuing with the post topic.. is it possible to detect if another hook is present?
For example, detecting if another process called LoadLibrary or GetProcAddress.. these would alert me if another program has been injected or at least trying to hook a function.. I'm clueless.

I basically want to be alerted when another program is trying to inject a dll into the running process.

I've made a .dll write a log file when its parent process calls a particular API function.. all worked for things like mouse and keyboard API calls, but the addition of the LoadLibrary callback I made caused the system to crash.

Any ideas?


Thanks.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

jonny_valentine wrote:
> I've made a .dll write a log file when its parent process calls a particular API function.. all worked for things like mouse and keyboard API calls, but the addition of the LoadLibrary callback I made caused the system to crash.

Check out the HookLoadLibrary demo shipping with madCodeHook.
LibX
Posts: 5
Joined: Sat Jan 08, 2005 6:49 pm

Post by LibX »

uses Windows, madDisAsm;

// Follows the chain of jumps/calls starting at an exported function until
// madDisAsm parses what looks like the real function body (CodeLen = 10 is
// the heuristic used here), so a hooked/thunked export resolves to its
// original code instead of the hook.
function GetRealProcAddress(hModule: HMODULE; lpProcName: PChar): Pointer;
var
  Proc         : Pointer;
  CodeInfo     : TCodeInfo;
  FunctionInfo : TFunctionInfo;
  Hops         : Integer;
begin
  Proc := GetProcAddress(hModule, lpProcName);
  Result := Proc;
  if Proc = nil then Exit;
  // does the export begin with a call or jump (typical for a hook or thunk)?
  CodeInfo := ParseCode(Proc);
  if not (CodeInfo.Call or CodeInfo.Jmp) then Exit;
  FunctionInfo := ParseFunction(Proc);
  if FunctionInfo.CodeLen <> 5 then Exit;
  Hops := 0;
  repeat
    // no further far call/jump to follow -> stop at what we have
    if Length(FunctionInfo.FarCalls) = 0 then Break;
    Result := FunctionInfo.FarCalls[Low(FunctionInfo.FarCalls)].Target;
    FunctionInfo := ParseFunction(Result);
    Inc(Hops);
  // hop limit guards against an endless jump chain
  until (FunctionInfo.CodeLen = 10) or (Hops > 16);
end;

Try this ;) it's using madDisAsm.
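The same jump-following idea as LibX's routine, written as an added example that is not part of this thread, of madCodeHook or of madDisAsm: instead of live process memory and madDisAsm's parser, it walks a constructed x86 code image held in a plain byte buffer with a made-up base address (SAMPLE_BASE, the layout in build_sample_image and the function names are all assumptions), resolving JMP rel32 (E9), CALL rel32 (E8) and JMP [abs32] (FF 25) redirects from an export's entry point. The defender-side use is the comparison at the end: if the resolved address differs from the export itself, something has redirected that export, which is exactly the condition the thread is asking how to detect.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* A code image in a byte buffer with a pretend virtual base address. */
typedef struct {
    const uint8_t *bytes;
    size_t size;
    uint32_t base;      /* virtual address of bytes[0] */
} Image;

/* little-endian helpers, so the decode does not depend on host endianness */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* If the instruction at va is a JMP/CALL redirect, store its target and
   return true; otherwise return false. Out-of-image addresses are refused. */
static bool redirect_target(const Image *img, uint32_t va, uint32_t *target) {
    if (va < img->base || va - img->base + 6 > img->size) return false;
    const uint8_t *p = img->bytes + (va - img->base);
    if (p[0] == 0xE9 || p[0] == 0xE8) {          /* JMP rel32 / CALL rel32 */
        int32_t rel = (int32_t)rd32(p + 1);
        *target = va + 5 + (uint32_t)rel;         /* relative to next instruction */
        return true;
    }
    if (p[0] == 0xFF && p[1] == 0x25) {          /* JMP dword ptr [abs32] */
        uint32_t slot = rd32(p + 2);
        if (slot < img->base || slot - img->base + 4 > img->size) return false;
        *target = rd32(img->bytes + (slot - img->base));
        return true;
    }
    return false;
}

/* Follow redirects from va, at most max_hops times (guards against loops).
   Returns the final address; *hops receives how many redirects were taken. */
uint32_t resolve_entry(const Image *img, uint32_t va, int max_hops, int *hops) {
    uint32_t cur = va, next;
    *hops = 0;
    while (*hops < max_hops && redirect_target(img, cur, &next)) {
        cur = next;
        (*hops)++;
    }
    return cur;
}

/* Constructed sample image (not from any real module):
   0x00 exported entry, overwritten with JMP rel32 -> 0x20 (inline hook)
   0x20 hook trampoline: JMP [SAMPLE_BASE+0x40]
   0x40 pointer slot holding the address of the original code at 0x60
   0x60 original prologue: push ebp; mov ebp, esp
   0x80 an untouched export: mov edi, edi; push ebp; mov ebp, esp */
#define SAMPLE_BASE 0x10000000u
static uint8_t sample_bytes[0x90];

Image build_sample_image(void) {
    memset(sample_bytes, 0xCC, sizeof sample_bytes);            /* int3 padding */
    sample_bytes[0x00] = 0xE9; wr32(sample_bytes + 0x01, 0x20 - 5);
    sample_bytes[0x20] = 0xFF; sample_bytes[0x21] = 0x25;
    wr32(sample_bytes + 0x22, SAMPLE_BASE + 0x40);
    wr32(sample_bytes + 0x40, SAMPLE_BASE + 0x60);
    sample_bytes[0x60] = 0x55; sample_bytes[0x61] = 0x8B; sample_bytes[0x62] = 0xEC;
    sample_bytes[0x80] = 0x8B; sample_bytes[0x81] = 0xFF;
    sample_bytes[0x82] = 0x55; sample_bytes[0x83] = 0x8B; sample_bytes[0x84] = 0xEC;
    Image img = { sample_bytes, sizeof sample_bytes, SAMPLE_BASE };
    return img;
}

/* True when the export at va does not run its own code first. */
bool export_is_redirected(const Image *img, uint32_t va) {
    int hops;
    return resolve_entry(img, va, 16, &hops) != va;
}

int main(void) {
    Image img = build_sample_image();
    uint32_t exports[2] = { SAMPLE_BASE + 0x00, SAMPLE_BASE + 0x80 };
    for (int i = 0; i < 2; i++) {
        int hops;
        uint32_t real = resolve_entry(&img, exports[i], 16, &hops);
        printf("export %08X -> real code %08X (%d hops)%s\n", exports[i], real, hops,
               export_is_redirected(&img, exports[i]) ? "  REDIRECTED" : "");
    }
    return 0;
}
```

On a real module the same walk would read the export's bytes from process memory; the check a practitioner wants is the integrity comparison (entry address versus resolved target, or the first bytes versus a clean copy of the DLL on disk), and the hop limit matters because a hostile trampoline chain can loop.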