missing hooks

c++ / delphi package - dll injection and api hooking
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan

missing hooks

Post by linden »

Hello,

Now I am writing a dll for system-wide hooking. The problem is, I've found that some applications unhook themselves by overwriting the jmp instruction with the original code (I presume it's comparing function entry points with their original disc image). Also, after I've done RenewHook() several times, this application simply stops restoring function entry points; instead, it creates a trampoline containing the first few bytes of the original function, calls the trampoline and then jumps to somewhere beyond the first 6 bytes of the hooked function, thus completely escaping my hook! So, I'm stuck now...

Is there any way to get around such a problem? I am considering hooking CreateFile to prevent it from accessing the original disc image. And I am also considering hooking VirtualProtect to reject any attempt to overwrite function entry points. But then, I am doing this for a system-wide hook... and I am concerned about whether doing so would have any bad side effects...
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Heh, those "some applications" seem to be quite clever! Well, your ideas (hooking CreateFile and VirtualProtect) are exactly what I would have suggested right now, too.

Can you please tell me what those "some applications" are (just for my interest)?

You could try the MIXTURE_MODE. But I'd suggest doing that only in those processes which undo your hooks, because the MIXTURE_MODE is not as good as the normal mode. And maybe those applications work around the MIXTURE_MODE, too?
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

an AntiCheat did the same, but it used CreateFileW to get the original file name ;)

You can try http://uall.overclock.ch/ExtIAThook.pas
Maybe this works, but try it for one process first.
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan

Post by linden »

madshi wrote: Can you please tell me what those "some applications" are (just for my interest)?
Ah... Well, actually, there was only one such application on my PC, and to tell the truth, I wrote it. After I found such a powerful hooking technique, I was driven to write something that can escape it (just for my interest :D ). I posted the question this way because I wanted to view the situation from your stance... (How would a hooker work around this situation...) And you did point out my weak point... hook CreateFile and VirtualProtect.
(By the way, hooking the IAT and EAT will not work for my hook-escaping scheme because I don't do static linking, and I never use the GetModuleHandle and GetProcAddress pair as a means to obtain function addresses. My basic idea is, "Don't trust anything in memory.")

Well, now I have to think of a workaround in case those two APIs are hooked. Working around a hooked VirtualProtect doesn't seem to be a big problem.
But working around a hooked CreateFile seems hard.
All I can think of now is to write a kernel-mode module that provides an interface to userland, and access NtCreateFile and NtReadFile through DeviceIoControl. (Let the driver bypass the service dispatcher too!)

But there is still the same problem. What if NtCreateFile and NtReadFile in kernel mode were hooked using the function entry point overwriting technique?

After all, it seems that the problem comes down to who gets loaded into the system first. The hooker? Or the escaper? The first to be loaded always has a greater advantage...
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

Detecting the code-overwriting hook is easy by looking for the jmp at the beginning.

If you want to use functions which can't be hooked that easily, load the dll a second time and hide it in memory ( http://uall.overclock.ch/uallCollection.zip ); also, you can load the dll by yourself (also an example in there).
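An integrity check of the kind uall describes, written here as an added example in C (not code from this thread or from madCodeHook): it compares a function's first bytes as mapped in memory with the same bytes from the module's file image and recognises the common entry-point patches, reporting where a detected jump lands. The sample prologue bytes, the entry address and the jump target are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What the first bytes of a function look like compared with the on-disk image. */
typedef enum {
    PROLOGUE_CLEAN,        /* memory matches the file image */
    PROLOGUE_JMP_REL32,    /* E9 rel32: the classic 5-byte inline hook */
    PROLOGUE_JMP_INDIRECT, /* FF 25 abs32: 6-byte jmp [addr] hook */
    PROLOGUE_PUSH_RET,     /* 68 imm32 C3: push/ret hook */
    PROLOGUE_MODIFIED      /* differs from disk, but no recognised jump pattern */
} prologue_t;

/* mem:    the first n bytes of the function as currently mapped
 * disk:   the same bytes taken from the module's file image (already relocated)
 * entry:  the function's virtual address, needed to resolve a rel32 displacement
 * target: receives where a detected jump lands (0 if not applicable) */
prologue_t classify_prologue(const uint8_t *mem, const uint8_t *disk, size_t n,
                             uint32_t entry, uint32_t *target)
{
    uint32_t imm = 0;
    *target = 0;
    if (memcmp(mem, disk, n) == 0)
        return PROLOGUE_CLEAN;
    if (n >= 5 && mem[0] == 0xE9) {
        memcpy(&imm, mem + 1, 4);   /* rel32 is relative to the instruction after the jmp */
        *target = entry + 5 + imm;  /* unsigned wraparound gives the signed add */
        return PROLOGUE_JMP_REL32;
    }
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25) {
        memcpy(target, mem + 2, 4); /* address of the pointer slot, not of the code */
        return PROLOGUE_JMP_INDIRECT;
    }
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {
        memcpy(target, mem + 1, 4); /* pushed absolute address that ret jumps to */
        return PROLOGUE_PUSH_RET;
    }
    return PROLOGUE_MODIFIED;
}

/* Constructed sample: an x86 "mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10"
 * prologue at a hypothetical address, and the same bytes after a 5-byte jmp to
 * 0x20005000 has been written over them (rel32 = 0x20005000 - (entry + 5)). */
const uint8_t sample_disk[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
const uint8_t sample_mem[8]  = { 0xE9, 0xFB, 0x3F, 0x00, 0x10, 0x83, 0xEC, 0x10 };
#define SAMPLE_ENTRY 0x10001000u  /* hypothetical function address */
```

In a real check the disk bytes come from a fresh mapping of the module file with relocations applied for the loaded base; comparing against unrelocated bytes produces false positives whenever the prologue contains an absolute address.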
OldGopher
Posts: 3
Joined: Mon Apr 04, 2005 1:39 pm

Post by OldGopher »

Why does nobody use Visual C++?

Last time I wrote Pascal code it was 1985. Back to school...
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

OldGopher wrote: Why does nobody use Visual C++?

Last time I wrote Pascal code it was 1985. Back to school...
Pascal never let me in hands