For Madshi: Do you know a guy named Aphex? :)


Post by denisb »

If not you should, he sure knows you. I saw some of his work. Thank God he's a "good guy"...or is he? ...just kiddin' Aphex!

And I saw how he does hooking and code injection. I figured that if I hook CreateRemoteThread, VirtualAllocEx and WriteProcessMemory then I can actually get an antivirus or a system trip-wire thing. Yes, Aphex, I did see your code hooking bypass sample, the one where you totally trashed Tiny Firewall (damn, I really liked that buggy :( ). And I figured let's try it on my app. Since Aphex said Tiny didn't move a finger while he was playin' havoc in the system I figured that the least I should try to do is sense when somebody wants to use those darn functions. And, Madshi, this one goes to you:
My app, which uses madCodeHook, started acting very very weird, and I mean X-Files style :D

Is it possible that (since I don't have the source of madCodeHook to get the full picture) what Aphex does and the way I'm tryin' to catch him (namely, hook those pesky functions mentioned above) could somehow confuse madCodeHook and cause it to enter an infinite loop or something like that?

Just my 2c question...

Cheers
Denis

Post by madshi »

Let's say you hooked API "xyz". Now let's say that API is called. As a result your hook callback function gets called. What happens if inside of this hook callback function "xyz" is called again? In that case we would have an endless recursion, so we'd get a stack overflow.

When you have hooking problems, you should always begin with empty hook callback functions (= only calling the original API and not doing anything else). If the problem goes away that way, the content of the hooking callbacks had a problem. If the problem doesn't go away, the problem must be somewhere else.

Also try to begin with hooking just one API. Add the other API hooks one after the other, after you got the first one working.
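The recursion madshi describes, as an added example that is not code from this thread or from madCodeHook: a portable C simulation of a hook chain in which a dispatch slot (standing in for the IAT entry or patched prologue) is redirected to a callback, and the callback is handed a pointer to the unhooked original, the role madshi's "NextHook" plays. The wrong callback forwards by calling the hooked API name, which resolves straight back to itself; a depth guard turns that into a counted failure instead of a stack overflow. The empty and monitoring callbacks forward through the saved original. The simplified `WriteProcessMemory` signature, the names `api_WriteProcessMemory`, `g_next_hook`, `install_hook` and the sample call are assumptions made for the demo; nothing here calls madCodeHook's real API.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified signature constructed for the demo; the real WriteProcessMemory
 * takes a process handle, address, buffer, size and an out-count. */
typedef int (*wpm_fn)(int target_pid, size_t nbytes);

/* The real implementation: the code an installed hook must eventually reach. */
static int original_WriteProcessMemory(int target_pid, size_t nbytes) {
    return (target_pid > 0 && nbytes > 0) ? 1 : 0;
}

/* Dispatch slot every caller goes through, standing in for the IAT entry or
 * patched prologue that a hook engine redirects to the callback. */
static wpm_fn g_dispatch = original_WriteProcessMemory;

/* Public API name, what ordinary callers (and a careless hook) invoke. */
static int api_WriteProcessMemory(int target_pid, size_t nbytes) {
    return g_dispatch(target_pid, nbytes);
}

/* Pointer the engine hands the callback for the unhooked original; this is
 * the role madshi's "NextHook" plays (assumed name for the demo). */
static wpm_fn g_next_hook = NULL;

static int g_calls_logged = 0;      /* how many times a callback did its work */
static int g_recursion_trips = 0;   /* how many times the re-entrancy guard fired */
static int g_depth = 0;             /* would be thread-local in real code */
#define MAX_DEPTH 8

/* WRONG: forwards by calling the hooked API name, which resolves back to this
 * very callback. Without the depth guard this recurses until the stack dies. */
static int bad_hook(int target_pid, size_t nbytes) {
    if (g_depth >= MAX_DEPTH) {     /* guard: refuse to re-enter any deeper */
        g_recursion_trips++;
        return -1;
    }
    g_depth++;
    g_calls_logged++;
    int r = api_WriteProcessMemory(target_pid, nbytes);   /* -> g_dispatch -> bad_hook */
    g_depth--;
    return r;
}

/* Step one of debugging per madshi: an "empty" callback that only forwards. */
static int empty_hook(int target_pid, size_t nbytes) {
    return g_next_hook(target_pid, nbytes);
}

/* RIGHT: do the monitoring work, then forward through the saved original. */
static int monitoring_hook(int target_pid, size_t nbytes) {
    g_calls_logged++;
    printf("WriteProcessMemory(pid=%d, %zu bytes) observed\n", target_pid, nbytes);
    return g_next_hook(target_pid, nbytes);
}

/* Stands in for HookAPI: save the original for the callback, then redirect. */
static void install_hook(wpm_fn callback) {
    g_next_hook = original_WriteProcessMemory;
    g_dispatch = callback;
}

static void uninstall_hook(void) {
    g_dispatch = original_WriteProcessMemory;
    g_next_hook = NULL;
}

static void reset_counters(void) { g_calls_logged = g_recursion_trips = g_depth = 0; }

/* 1 when one API call produced exactly one log entry and reached the original. */
int run_monitoring_hook(void) {
    reset_counters();
    install_hook(monitoring_hook);
    int r = api_WriteProcessMemory(1234, 16);   /* constructed sample call */
    uninstall_hook();
    return r == 1 && g_calls_logged == 1 && g_recursion_trips == 0;
}

/* 1 when the pass-through callback changes nothing about the call's result. */
int run_empty_hook(void) {
    reset_counters();
    install_hook(empty_hook);
    int r = api_WriteProcessMemory(1234, 16);
    uninstall_hook();
    return r == 1 && g_calls_logged == 0 && g_recursion_trips == 0;
}

/* Number of times the guard fired for one call through the recursive callback. */
int run_bad_hook(void) {
    reset_counters();
    install_hook(bad_hook);
    int r = api_WriteProcessMemory(1234, 16);
    uninstall_hook();
    return r == -1 ? g_recursion_trips : 0;     /* 1: guard fired once, 8 levels deep */
}

int main(void) {
    printf("monitoring hook ok: %d\n", run_monitoring_hook());
    printf("empty hook ok: %d\n", run_empty_hook());
    printf("bad hook guard trips: %d\n", run_bad_hook());
    return 0;
}
```

The depth guard is only there so the failure is observable; in a real hook the fix is never to call the API by name from inside its own callback, and the guard (made thread-local) is a belt-and-braces detector for the case where some other API the callback uses turns out to route back through the hooked one.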

Post by denisb »

Obviously you are right. I should call the original function in my hook function rather than calling the next hook in the chain to prevent a loop.
Gotcha.

Post by madshi »

Calling the original function will result in an endless recursion. You need to call NextHook.

Post by denisb »

I am calling NextHook, and RenewHook too. Still, when hooking VirtualAllocEx the system hangs.
Also when hooking WriteProcessMemory I get the same thing.
It could be that this function calls itself back...I've seen the same thing happen with other APIs which call themselves back with different parameters, I think they're overloaded somewhere and after a little zig zag the call ends up where it started.

The thing is, only when hooking these two functions do I get crashes.
It's not that bad actually, I think that hooking ALL LoadLibrary flavours as well as CreateRemoteThread is sufficient to get a warning flag up whenever something suspicious happens.
I saw that hooking the NTDLL functions is not a good idea if the hook has to ask for permission from a userland app. It takes exactly 0.285 seconds to crash the system :D

Post by madshi »

denisb wrote:I am calling NextHook, and RenewHook too. Still, when hooking VirtualAllocEx the system hangs.
Have you tried with an empty (= NextHook call only) callback function?
denisb wrote:I saw that hooking the NTDLL functions is not a good idea if the hook has to ask for permission from a userland app. It takes exactly 0.285 seconds to crash the system :D
Hooking NtDll APIs is generally no problem at all.

Edit: E.g. the HookProcessTermination demo hooks NtTerminateProcess!

Post by denisb »

My bad with NTDLL.DLL, I was hooking the mappings of LoadLibrary flavours from kernel32.dll onto the NTDLL.DLL counterparts. I also forgot to mention that I am hooking system processes also, and this causes problems when a service calls my hook which calls my app which displays a dialog to allow/deny the call..yup it's a twisted world we live in...My bad indeed, but I have to hook into processes as well :D...I really have to :D


I'll be damned if I understand it anymore!!
now it works...darn it!! the VirtualAllocEx hook works now...
:):):) but who the heck uses VirtualAllocEx anyway?!?!...don't answer that! ;)

anyway...thanks for the patience madshi...