madCodeHook & console
I know that madCodeHook does not work with console but is there any way to hook SetWindowsHookEx for a console application?
Here is C++ code which I would like to hook SetWindowsHookA:
http://www.fire-lion.com/levuhoang/keylog.zip
Re: madCodeHook & console
LeVuHoang wrote: I know that madCodeHook does not work with console
It doesn't? News to me. In fact, I just loaded up a console and my hook dll was injected. Anything specific you think doesn't work?
The file I posted above can log keystrokes and it is written in console mode.
So, madCodeHook does not work with that application. I would like to have any solution which can hook into a console application to prevent key logging (SetWindowsHook).
Here is help on madshi documentation:
http://help.madshi.net/DllInjecting.htm
It works only for processes which handle messages, not all processes do so. For example most console applications don't
My application hooked SetWindowsHook and it worked perfectly with a GUI application, not the console above
LeVuHoang wrote: My application hooked SetWindowsHook and it worked perfectly with a GUI application, not the console above
Can you show the code that does not work? Like I said before, madCodeHook does work with console mode applications. The line you quoted is referring to SetWindowsHookEx, not madCodeHook.
Here is a part of my code:
Code:
  var
    // Receives the address of the original API so the callback can chain to it
    SetWindowsHookANext: function(nFilterType: Integer; pfnFilterProc: TFNHookProc): HHOOK; stdcall;

  function SetWindowsHookACallback(nFilterType: Integer; pfnFilterProc: TFNHookProc): HHOOK; stdcall;
  begin
    // Log which process called SetWindowsHookA (getFilePath is the poster's own helper)
    OutputDebugString(PAnsiChar('SetWindowsHookA: ' + getFilePath(GetCurrentProcessId)));
    // Pass the call through to the original API
    Result := SetWindowsHookANext(nFilterType, pfnFilterProc);
  end; // SetWindowsHookACallback
and I found that OutputDebugString is never called.
Here are functions which I hooked:
Code:
  HookAPI('user32.dll', 'SetWindowsHookExW', @SetWindowsHookExWCallback, @SetWindowsHookExWNext);
  HookAPI('user32.dll', 'SetWindowsHookW', @SetWindowsHookWCallback, @SetWindowsHookWNext);
  HookAPI('user32.dll', 'SetWindowsHookExA', @SetWindowsHookExACallback, @SetWindowsHookExANext);
  HookAPI('user32.dll', 'SetWindowsHookA', @SetWindowsHookACallback, @SetWindowsHookANext);
The code looks fine, but how are you injecting your code into the processes you wish to trap? HookAPI will only trap the current process.
Also, are you using DbgView or equivalent program to trap the OutputDebugString rather than a debugger? I ask because a debugger will only pick up the output for the debugged process, not any of the injected processes. DbgView will pick up all output.
Sorry for the late reply!
LeVuHoang wrote: Here is help on madshi documentation: http://help.madshi.net/DllInjecting.htm It works only for processes which handle messages, not all processes do so. For example most console applications don't
That part of my documentation talks about disadvantages you have if you use SetWindowsHookEx for dll injection instead of using madCodeHook. If you use madCodeHook's dll injection then there is no limitation at all and console processes are hooked just fine.
LeVuHoang wrote: I found that OutputDebugString is never called.
OutputDebugString is not reliable. Try creating a dummy text file instead. Or use the madCodeHook IPC functions.
hi,
I've just uploaded the demo source & keylogger source here:
http://www.fire-lion.com/levuhoang/keylog.zip
It can capture SetWindowsHook from other process but not keylog.exe console.
I used IPC Message to transfer message to main application. Please check.
Thank you
Hello,
I've just checked this. Here's what I found:
(1) The hook dll is loaded into the keylogger just fine.
(2) The hook installation works just fine.
(3) After the hook installation the API is hooked correctly.
(4) In the moment when the keylogger calls the API, the hook seems to be removed.
I'm not sure why the hook is removed. The source code of the keylogger is not complete. Maybe it intentionally uninstalls the SetWindowsHookEx API hook?
hi madshi,
I don't know. That keylogger and source I got from this site:
http://www.matousec.com/projects/securi ... ing-suite/
As I remembered that, madCodeHook can *rehook* automatically if its hook is removed?
So, what can I do with this situation?
LeVuHoang wrote: As I remembered that, madCodeHook can *rehook* automatically if its hook is removed?
Not automatically because there is no way in user land to be notified about when a specific memory location is changed. So madCodeHook doesn't notice that the hook is uninstalled. However, madCodeHook checks all hooks whenever a new dll is loaded. So in that moment hooks which were removed would be installed again. Of course you can also manually invoke the checking and reinstalling by calling "RenewHook". However, that wouldn't help because even if you do it in a thread in an endless loop (which would put that thread to 100% CPU consumption) it's still possible that the program can uninstall the hook and call the API before your thread manages to reinstall the hook.
If you want to have it really safe, you'll probably have to hook VirtualProtect (or maybe better NtProtectVirtualMemory) and WriteProcessMemory (or maybe better NtWriteProcessMemory). If you want to have it even more safe, you could move some of your code down to kernel/driver land.
I've just checked the source code from that site. Check out the function "com_hook_load_libraries" in the unit "common-hook.c" and you'll understand why your hook fails to work in this specific case...
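The limit of polling described in the post above, as an added example that is not code from this thread or from madCodeHook: a portable C simulation of a hook integrity check and renewal pass over a byte buffer standing in for an API's first bytes. It assumes the hook is a 5-byte x86 `jmp rel32` patch (not necessarily how madCodeHook patches); `hook_t`, `hook_poll`, `replay`, the addresses and the byte values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PATCH_LEN 5                     /* assumed patch: E9 + rel32 */
typedef struct {
    uint8_t *code;                      /* first bytes of the hooked API */
    uint8_t  patch[PATCH_LEN], saved[PATCH_LEN]; /* our jump / bytes it replaced */
    unsigned renewed, missed;           /* repairs done / calls not seen */
} hook_t;

void hook_install(hook_t *h, uint8_t *code, uint32_t api_va, uint32_t cb_va) {
    uint32_t rel = cb_va - (api_va + PATCH_LEN);  /* jmp rel32 operand */
    memset(h, 0, sizeof *h);
    h->code = code;
    memcpy(h->saved, code, PATCH_LEN);
    h->patch[0] = 0xE9;
    memcpy(h->patch + 1, &rel, sizeof rel);
    memcpy(code, h->patch, PATCH_LEN);
}

/* Integrity check: is our jump still the first thing the API executes? */
int hook_is_intact(const hook_t *h) {
    return memcmp(h->code, h->patch, PATCH_LEN) == 0;
}

/* One polling pass (the job RenewHook does in the thread): repair if gone. */
void hook_poll(hook_t *h) {
    if (hook_is_intact(h)) return;
    memcpy(h->code, h->patch, PATCH_LEN);
    h->renewed++;
}

/* Replay a constructed timeline: P = our poll, R = process puts the saved
 * bytes back, C = process calls the API. Returns calls the hook never saw. */
unsigned replay(hook_t *h, const char *t) {
    for (; *t; t++) {
        if (*t == 'P') hook_poll(h);
        else if (*t == 'R') memcpy(h->code, h->saved, PATCH_LEN);
        else if (*t == 'C' && !hook_is_intact(h)) h->missed++;
    }
    return h->missed;
}

int main(void) {
    uint8_t api[8] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x5D, 0xC3, 0x90}; /* constructed */
    hook_t h;
    hook_install(&h, api, 0x1000, 0x5000);
    printf("missed=%u\n", replay(&h, "PCRCPC"));
    return 0;
}
```

Any timeline with an `R` directly followed by a `C` produces a missed call however many `P` passes surround it, which is why the post suggests guarding the memory-protection and memory-write calls instead of polling.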
Re: madCodeHook & console
sorry for my reply to such an old topic. Any of you guys know the keylogger for Mac Lion?