madCodeHook & console

c++ / delphi package - dll injection and api hooking
LeVuHoang
Posts: 131
Joined: Fri Oct 22, 2004 8:37 am

madCodeHook & console

Post by LeVuHoang »

I know that madCodeHook does not work with console but is there any way to hook SetWindowsHookEx for a console application?
Here is C++ code which I would like to hook SetWindowsHookA:
http://www.fire-lion.com/levuhoang/keylog.zip
jjlucsy
Posts: 76
Joined: Tue Sep 27, 2005 1:34 am

Re: madCodeHook & console

Post by jjlucsy »

LeVuHoang wrote: I know that madCodeHook does not work with console
It doesn't? News to me. In fact, I just loaded up a console and my hook dll was injected. Anything specific you think doesn't work?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

So you're saying that you can't hook SetWindowsHookExA() at all with madCodeHook? That doesn't make much sense at all to me.
LeVuHoang
Posts: 131
Joined: Fri Oct 22, 2004 8:37 am

Post by LeVuHoang »

The file I posted above can log keystrokes and it is written in console mode.
So, madCodeHook does not work with that application. I would like to have a solution which can hook into a console application to prevent key logging (SetWindowsHook).
Here is help on madshi documentation:
It works only for processes which handle messages, not all processes do so. For example most console applications don't
http://help.madshi.net/DllInjecting.htm

My application hooked SetWindowsHook and it worked perfectly with a GUI application, not the console above :(
jjlucsy
Posts: 76
Joined: Tue Sep 27, 2005 1:34 am

Post by jjlucsy »

LeVuHoang wrote: My application hooked SetWindowsHook and it worked perfectly with a GUI application, not the console above :(
Can you show the code that does not work? Like I said before, madCodeHook does work with console mode applications. The line you quoted is referring to SetWindowsHookEx, not madCodeHook.
LeVuHoang
Posts: 131
Joined: Fri Oct 22, 2004 8:37 am

Post by LeVuHoang »

Here is a part of my code:

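Code:

var
  // Receives the address of the original API when the hook is installed
  SetWindowsHookANext: function(nFilterType: Integer; pfnFilterProc: TFNHookProc): HHOOK; stdcall;

// Hook callback: log which process called SetWindowsHookA, then forward to the original API
// (getFilePath is the poster's own helper and is not shown)
function SetWindowsHookACallback(nFilterType: Integer; pfnFilterProc: TFNHookProc): HHOOK; stdcall;
begin
  OutputDebugString(PAnsiChar('SetWindowsHookA: ' + getFilePath(GetCurrentProcessId)));
  Result := SetWindowsHookANext(nFilterType, pfnFilterProc);
end; // SetWindowsHookACallback

// Install the hook on user32.dll's SetWindowsHookA
HookAPI('user32.dll', 'SetWindowsHookA', @SetWindowsHookACallback, @SetWindowsHookANext);

and I found that the OutputDebugString is never called.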
Here are functions which I hooked:

Code:

  HookAPI('user32.dll', 'SetWindowsHookExW', @SetWindowsHookExWCallback, @SetWindowsHookExWNext);
  HookAPI('user32.dll', 'SetWindowsHookW', @SetWindowsHookWCallback, @SetWindowsHookWNext);
  HookAPI('user32.dll', 'SetWindowsHookExA', @SetWindowsHookExACallback, @SetWindowsHookExANext);
  HookAPI('user32.dll', 'SetWindowsHookA', @SetWindowsHookACallback, @SetWindowsHookANext);
jjlucsy
Posts: 76
Joined: Tue Sep 27, 2005 1:34 am

Post by jjlucsy »

The code looks fine, but how are you injecting your code into the processes you wish to trap? HookAPI will only trap the current process.
Also, are you using DbgView or equivalent program to trap the OutputDebugString rather than a debugger? I ask because a debugger will only pick up the output for the debugged process, not any of the injected processes. DbgView will pick up all output.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Sorry for the late reply!
LeVuHoang wrote: Here is help on madshi documentation:
It works only for processes which handle messages, not all processes do so. For example most console applications don't
http://help.madshi.net/DllInjecting.htm
:confused:

That part of my documentation talks about disadvantages you have if you use SetWindowsHookEx for dll injection instead of using madCodeHook. If you use madCodeHook's dll injection then there is no limitation at all and console processes are hooked just fine.
LeVuHoang wrote: I found that the OutputDebugString is never called.
OutputDebugString is not reliable. Try creating a dummy text file instead. Or use the madCodeHook IPC functions.
LeVuHoang
Posts: 131
Joined: Fri Oct 22, 2004 8:37 am

Post by LeVuHoang »

hi,
I've just uploaded the demo source & keylogger source here:
http://www.fire-lion.com/levuhoang/keylog.zip

It can capture SetWindowsHook from other processes but not from the keylog.exe console.
I used IPC Message to transfer message to main application. Please check.
Thank you
LeVuHoang
Posts: 131
Joined: Fri Oct 22, 2004 8:37 am

Post by LeVuHoang »

Does anybody have an idea about this?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Hello,

I've just checked this. Here's what I found:

(1) The hook dll is loaded into the keylogger just fine.
(2) The hook installation works just fine.
(3) After the hook installation the API is hooked correctly.
(4) In the moment when the keylogger calls the API, the hook seems to be removed.

I'm not sure why the hook is removed. The source code of the keylogger is not complete. Maybe it intentionally uninstalls the SetWindowsHookEx API hook?
LeVuHoang
Posts: 131
Joined: Fri Oct 22, 2004 8:37 am

Post by LeVuHoang »

hi madshi,
I don't know. That keylogger and source I got from this site:
http://www.matousec.com/projects/securi ... ing-suite/

As I remember, madCodeHook can *rehook* automatically if its hook is removed?
So, what can I do with this situation?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

LeVuHoang wrote: As I remember, madCodeHook can *rehook* automatically if its hook is removed?
Not automatically because there is no way in user land to be notified about when a specific memory location is changed. So madCodeHook doesn't notice that the hook is uninstalled. However, madCodeHook checks all hooks whenever a new dll is loaded. So in that moment hooks which were removed would be installed again. Of course you can also manually invoke the checking and reinstalling by calling "RenewHook". However, that wouldn't help because even if you do it in a thread in an endless loop (which would put that thread to 100% CPU consumption) it's still possible that the program can uninstall the hook and call the API before your thread manages to reinstall the hook.

If you want to have it really safe, you'll probably have to hook VirtualProtect (or maybe better NtProtectVirtualMemory) and WriteProcessMemory (or maybe better NtWriteProcessMemory). If you want to have it even more safe, you could move some of your code down to kernel/driver land.

I've just checked the source code from that site. Check out the function "com_hook_load_libraries" in the unit "common-hook.c" and you'll understand why your hook fails to work in this specific case...
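
The decision a hook on VirtualProtect / NtProtectVirtualMemory or WriteProcessMemory, as suggested in the post above, has to make before letting a request through, shown as an added example (not madCodeHook code and not code from any poster in this thread). The names guard_add, write_hits_hook and protect_hits_hook, the 4 KiB page size and the sample addresses in use are assumptions; only the decision logic is shown, not the hook plumbing.

```c
#include <stddef.h>
#include <stdint.h>

/* Win32 page-protection values that permit writing (values from winnt.h). */
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define PAGE_SIZE_ASSUMED      0x1000u  /* assumption: 4 KiB pages */
#define MAX_GUARDED            16

typedef struct { uintptr_t start; size_t len; } guarded_range;  /* hypothetical type */
static guarded_range g_guarded[MAX_GUARDED];
static size_t g_count;

/* Register the patched bytes of one API hook (the overwritten prologue). */
int guard_add(uintptr_t start, size_t len) {
    if (len == 0 || g_count == MAX_GUARDED) return 0;
    g_guarded[g_count].start = start;
    g_guarded[g_count].len = len;
    g_count++;
    return 1;
}

/* Half-open intervals [a, a_end) and [b, b_end). */
static int overlaps(uintptr_t a, uintptr_t a_end, uintptr_t b, uintptr_t b_end) {
    return a < b_end && b < a_end;
}

/* WriteProcessMemory-style request: byte-granular overlap with any hook patch. */
int write_hits_hook(uintptr_t dst, size_t size) {
    if (size == 0) return 0;
    for (size_t i = 0; i < g_count; i++)
        if (overlaps(dst, dst + size, g_guarded[i].start,
                     g_guarded[i].start + g_guarded[i].len))
            return 1;
    return 0;
}

/* VirtualProtect-style request: protection changes apply to whole pages,
   so a request anywhere on the hook's page can make the patch writable. */
int protect_hits_hook(uintptr_t base, size_t size, uint32_t new_protect) {
    const uint32_t writable = PAGE_READWRITE | PAGE_WRITECOPY |
                              PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    if (size == 0 || !(new_protect & writable)) return 0;
    uintptr_t mask = (uintptr_t)PAGE_SIZE_ASSUMED - 1;
    uintptr_t lo = base & ~mask;                  /* round down to page start */
    uintptr_t hi = (base + size + mask) & ~mask;  /* round up to page end */
    return write_hits_hook(lo, hi - lo);
}
```

A request that names an address elsewhere on the same page still returns 1 from protect_hits_hook, which is the case a plain byte-range comparison would miss.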
Afra
Posts: 1
Joined: Wed Jun 20, 2012 9:03 am

Re: madCodeHook & console

Post by Afra »

sorry for my reply to such an old topic. Any of you guys know the keylogger for Mac Lion?