For Madshi: Do you know a guy named Aphex? :)
If not you should, he sure knows you. I saw some of his work. Thank God he's a "good guy"...or is he? ...just kiddin' Aphex!
And I saw how he does hooking and code injection. I figured that if I hook CreateRemoteThread, VirtualAllocEx and WriteProcessMemory then I can actually get an antivirus or a system trip-wire thing. Yes, Aphex I did see your code hooking bypass sample, the one where you totally trashed Tiny Firewall (damn, I really liked that buggy). And I figured let's try it on my app. Since Aphex said Tiny didn't move a finger while he was playin' havoc in the system I figured that at least what I should try to do is sense when somebody wants to use those darn functions. And, Madshi this one goes to you:
My app, which uses madCodeHook started acting very very weird, and I mean X-File style
Is it possible that (since I don't have the source of madCodeHook to get the full picture) what Aphex does and the way I'm tryin' to catch him (namely, hook those pesky functions mentioned above) could somehow confuse madCodeHook and cause it to enter an infinite loop or something like that?
Just my 2c question...
Cheers
Denis
Let's say you hooked API "xyz". Now let's say that API is called. As a result your hook callback function gets called. What happens if inside of this hook callback function "xyz" is called again? In that case we would have an endless recursion, so we'd get a stack overflow.
When you have hooking problems, you should always begin with empty hook callback functions (= only calling the original API and not doing anything else). If the problem goes away that way, the content of the hooking callbacks had a problem. If the problem doesn't go away, the problem must be somewhere else.
Also try to begin with hooking just one API. Add the other API hooks one after the other, after you got the first one working.
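A minimal illustration of the recursion madshi describes (the hooked API being called again from inside its own hook callback) together with the usual per-thread guard against it. This is an added example for this thread, not madCodeHook's own code: the API, its "next hook" pointer and the inspect helper are constructed stand-ins, and the guard is a plain thread-local flag rather than any madCodeHook facility.

```c
/* Constructed stand-in for a hooked API (think VirtualAllocEx): the
 * original implementation that the hook forwards to. Hypothetical. */
static int original_calls = 0;
static int original_xyz(int arg) { original_calls++; return arg * 2; }

/* Pointer to the original; this plays the role of the "next hook"
 * discussed in the thread, but is just a plain function pointer here. */
static int (*next_hook_xyz)(int) = original_xyz;

/* Per-thread re-entrancy guard: non-zero while this thread is inside the
 * callback. It must be thread-local, or one thread would mask another's. */
static _Thread_local int in_xyz_callback = 0;
static int guard_hits = 0;  /* re-entrant calls passed straight through */

static int hook_callback_xyz(int arg);

/* Inspection helper that itself calls the hooked API (a logger that
 * allocates, say). Without the guard this is xyz -> callback -> inspect ->
 * xyz -> callback -> ... until the stack overflows. */
static void inspect_xyz(int arg) {
    (void)hook_callback_xyz(arg + 1000);
}

static int hook_callback_xyz(int arg) {
    if (in_xyz_callback) {
        /* Already inside the callback on this thread: skip the inspection
         * and just forward to the original so the call chain terminates. */
        guard_hits++;
        return next_hook_xyz(arg);
    }
    in_xyz_callback = 1;
    inspect_xyz(arg);               /* do the interesting work exactly once */
    int result = next_hook_xyz(arg);
    in_xyz_callback = 0;
    return result;
}

/* Resets the counters, makes n top-level calls, returns the last result. */
int run_calls(int n) {
    original_calls = 0;
    guard_hits = 0;
    int result = 0;
    for (int i = 1; i <= n; i++)
        result = hook_callback_xyz(i);
    return result;
}
int get_original_calls(void) { return original_calls; }
int get_guard_hits(void) { return guard_hits; }
```

Each top-level call reaches the original twice (once from the inspection helper, once for the real call) and trips the guard exactly once, which is the pattern to look for when an "empty callback" works but the real one hangs.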
I am calling nexthook, and renewhook too. Still when hooking VirtualAllocEx the system hangs.
Also when hooking WriteProcessMemory I get the same thing.
It could be that this function calls itself back...I've seen the same thing happen with other APIs which call themselves back with different parameters, I think they're overloaded somewhere and after a little zig zag the call ends up where it started.
The thing is, only when hooking these two functions I get crashes.
It's not that bad actually, I think that hooking ALL LoadLibrary flavours as well as CreateRemoteThread is sufficient to get a warning flag up whenever something suspicious happens.
I saw that hooking the NTDLL functions is not a good idea if the hook has to ask for permission from a userland app. It takes exactly 0.285 seconds to crash the system
denisb wrote: I am calling nexthook, and renewhook too. Still when hooking VirtualAllocEx the system hangs.
Have you tried with an empty (= nexthook call only) callback function?
denisb wrote: I saw that hooking the NTDLL functions is not a good idea if the hook has to ask for permission from a userland app. It takes exactly 0.285 seconds to crash the system
Hooking NtDll APIs is generally no problem at all.
Edit: E.g. the HookProcessTermination demo hooks NtTerminateProcess!
My bad with NTDLL.DLL, I was hooking the mappings of LoadLibrary flavours from kernel32.dll onto the NTDLL.DLL counterparts. I also forgot to mention that I am hooking system processes also and this causes problems when a service calls my hook which calls my app which displays a dialog to allow/deny the call..yup it's a twisted world we live in...My bad indeed, but I have to hook into processes as well ...I really have to
I'll be damned if I understand it anymore!!
now it works...darn it!! the VirtualAllocEx hook works now...
:):) but who the heck uses VirtualAllocEx anyway?!?!...don't answer that!
anyway...thanks for the patience madshi...