uall
Joined: 20 Feb 2005 Posts: 254
Posted: Mon Apr 02, 2007 6:06 pm Post subject: Hook detection

Hi, I am writing a small program which displays all currently installed user hooks. I've created small support for madCHook; maybe someone can test it and say if it works. Thx
http://uall.cheat-project.com/madShow.exe
neji
Joined: 09 Mar 2005 Posts: 155
Posted: Tue Apr 03, 2007 7:59 am Post subject:

It seems to be working.
uall
Joined: 20 Feb 2005 Posts: 254
Posted: Tue Apr 03, 2007 12:24 pm Post subject:

The file was updated; it now has a GUI and shows madHooks for all processes.
madshi Site Admin
Joined: 21 Mar 2004 Posts: 5844
Posted: Thu Apr 05, 2007 8:52 am Post subject:

What are you doing this for? Obviously I wouldn't want to have a "madCodeHook hook breaking kit" floating around the internet which could be used by malware to break existing madCodeHook security hooks.
linden
Joined: 08 Mar 2005 Posts: 36 Location: Japan
Posted: Thu Apr 05, 2007 10:22 am Post subject:

Well, madCodeHook is one of the most well-known hooking libraries around, and it is used by many commercial products. It's natural that somebody would come up with something that specifically targets madCodeHook. Besides, the code-overwriting hooking method is, by itself, so offensive that I think there are just many programmers who "just don't like it", regardless of whether that hook is installed for a legitimate reason or not.
(I too don't like some unknown DLL being forcefully loaded into my program and messing around with it.)
Also, hook detection and bypassing isn't that hard; if a method can bypass a code-overwriting hook, it will naturally bypass madCodeHook. Any experienced programmer can write hook bypasses, and there are many hook-bypassing techniques published on game-cheat sites, which are accessible to anyone interested in breaking "security hooks"... So I don't think you need to get too sensitive.
uall
Joined: 20 Feb 2005 Posts: 254
Posted: Thu Apr 05, 2007 3:02 pm Post subject:

1) Many people on this forum asked how they can unhook user-mode code hooks. I want to write a program which can unhook every function for all user-mode hooking techniques I know, and I think I will find many people here who can test it.
2) Your hooking unit is used in many malware programs, and with the unhooker you can unload them.
3) There are many developers here using madCHook, and I think they sometimes have the problem that the inject application crashes. And you can't compile a new library when it's loaded into memory. With this program you can unload it.
4) My security opinion on user-mode hooks != your opinion. If you don't like it, delete it; there are lots of such unhooking programs downloadable on rootkit.com (mostly for unloading malware). Mine is the first one which can do that for madCHook. And as long as I don't give out the source, no script kiddie can add this to their malware. And those who can debug can do it alone. That's 7 lines of code...
madshi Site Admin
Joined: 21 Mar 2004 Posts: 5844
Posted: Thu Apr 05, 2007 3:17 pm Post subject:

uall wrote: "And as long as I don't give out the source, no script kiddie can add this to their malware. And those who can debug can do it alone."

True. And as long as you make the tool only available as a binary, I've no problem with it. I don't mind end users being able to defeat madCodeHook hooks at all. I see no damage in that. What I wouldn't like (as you hinted) is if any script kiddie could just download a ready-made unit from you and could then, with one line of code, automatically remove all madCodeHook hooks. That would be bad, obviously.
iconic
Joined: 08 Jun 2005 Posts: 603
Posted: Thu Apr 05, 2007 6:08 pm Post subject:

Hello Uall,
madCodeHook hooks are easily detectable since madshi extends the API header of the hooked function and uses a 6-byte absolute jump, unlike the traditional 5-byte unconditional jmp used in code overwriting. The question I have for you is: why the interest in detecting and optionally unhooking user-mode madCodeHooks when you clearly stated that user-mode hooks are no longer interesting to you due to the ease of bypassing them, and other programs already exist to do this? If I write a program to detect and optionally allow unhooking your hook functions in your uallCollection, would you be as understanding as madshi is about his own collection? You also mention that madCodeHook is used in malware programs; just about any publicly available hooking collection/SDK is, and I'm sure your collection is no different, especially to people who bypass VAC and things of that nature to program game cheats, which is now actually illegal and lawsuits can be drawn up from it since Valve has pushed the envelope on this.
--Iconic
uall
Joined: 20 Feb 2005 Posts: 254
Posted: Thu Apr 05, 2007 6:52 pm Post subject:

"madCodeHook hooks are easily detectable since madshi extends the API header of the hooked function and uses a 6-byte absolute jump, unlike the traditional 5-byte unconditional jmp used in code overwriting"
1) Detecting madshi's hooks is a little bit harder than looking for a 6-byte jump (you have to use another method), because you can't just look at every export; madshi supports CodeHook in normal non-exported functions too.
Or do you want to scan the whole memory? I've used a better way in this example.
"why the interest in detecting and optionally unhooking user-mode madCodeHooks"
2) I only learn if I debug such hooking methods (and madshi's hook is in my own application, because the hook DLL is injected into it).
"when you clearly stated that user-mode hooks are no longer interesting to you"
3) User-mode code hooks are still interesting, but _I_ would not use them for any security programs -> for other programs they are useful. And because of 64-bit and no time, I don't spend so much time on updating my own collection.
"ease of bypassing them and other programs already exist to do this"
4) That's right, you can easily bypass them. But other programs don't look at exactly which hook method is used. They maybe can unhook madshi's hook, but if I add functionality for every special hook, it's better. I can unhook madCHook by using the madCHook unhook function; that's a stable way. Other unhookers use a standard method to do it -> can crash everything.
"If I write a program to detect and optionally allow unhooking your hook functions in your uallCollection"
5) Feel free to do it. My code is open source. You can also use it for malware or viruses or other "bad" things. My collection is written for cheats, hooking etc. Even if it's detected by AVs or ACs, it's free and you can simply bypass it. Do what you want; it doesn't matter. And I think madshi would be very happy if all bad persons would use my collection, then his isn't detected as a virus anymore.
"You also mention that madCodeHook is used in malware programs"
6) That's a fact. If my collection were much more stable, maybe they would use it in malware and viruses - and they can. I haven't the time to update it; I have done it in my free time and don't earn money with it. I created it to LEARN much about hooking, debugging, Win9x/NT systems.
"who bypass VAC and things of that nature to program game cheats which is now actually illegal"
7) Not illegal, it's against the EULA, and Valve bans. But they can never do anything more.
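Two points in the exchange above lend themselves to a worked example: iconic's observation that a 6-byte absolute `FF 25` jump at a function entry looks different from the classic 5-byte `E9` detour, and uall's reply that hooks may sit on non-exported functions, so walking the export table alone is not enough. The scanner below is an added example written for this page; it is not code from madCodeHook, madShow, or either poster. It assumes 32-bit x86 encodings and that the caller has already obtained a pristine copy of the code region (for instance by mapping the DLL from disk and applying relocations); here the live and pristine regions are constructed byte arrays with made-up addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Entry-point stubs the scanner recognises (x86-32 encodings). */
typedef enum {
    HOOK_JMP_REL32,    /* E9 rel32      : 5-byte relative jmp, the classic detour    */
    HOOK_JMP_ABS_IND,  /* FF 25 disp32  : 6-byte absolute indirect jmp via a pointer */
    HOOK_PUSH_RET,     /* 68 imm32 ; C3 : 6-byte push/ret trampoline                 */
    HOOK_UNKNOWN       /* bytes differ from the pristine copy but match no stub      */
} hook_kind;

typedef struct {
    size_t    offset;     /* where in the region the patch starts           */
    hook_kind kind;
    size_t    patch_len;  /* stub size, or length of the unrecognised run   */
    uint32_t  target;     /* jump destination; for ABS_IND the pointer slot */
} hook_hit;

static uint32_t rd32(const uint8_t *p)
{
    /* little-endian 32-bit read without alignment assumptions */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the stub at p; va is its virtual address (needed for rel32). */
hook_kind decode_stub(const uint8_t *p, size_t avail, uint32_t va,
                      size_t *stub_len, uint32_t *target)
{
    if (avail >= 5 && p[0] == 0xE9) {
        *stub_len = 5; *target = va + 5 + rd32(p + 1);   /* relative to next insn */
        return HOOK_JMP_REL32;
    }
    if (avail >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        *stub_len = 6; *target = rd32(p + 2);            /* [disp32] pointer slot */
        return HOOK_JMP_ABS_IND;
    }
    if (avail >= 6 && p[0] == 0x68 && p[5] == 0xC3) {
        *stub_len = 6; *target = rd32(p + 1);
        return HOOK_PUSH_RET;
    }
    *stub_len = 0; *target = 0;
    return HOOK_UNKNOWN;
}

/* Diff a live code region against its pristine copy and classify each
 * divergence.  Walking the whole region, rather than only export entry
 * points, is what catches hooks placed on non-exported functions. */
size_t scan_region(const uint8_t *live, const uint8_t *pristine, size_t len,
                   uint32_t base, hook_hit *out, size_t max_out)
{
    size_t n = 0, i = 0;
    while (i < len && n < max_out) {
        if (live[i] == pristine[i]) { i++; continue; }
        out[n].offset = i;
        out[n].kind = decode_stub(live + i, len - i, base + i,
                                  &out[n].patch_len, &out[n].target);
        if (out[n].kind == HOOK_UNKNOWN) {
            /* no known stub: report the whole run of changed bytes */
            size_t j = i;
            while (j < len && live[j] != pristine[j]) j++;
            out[n].patch_len = j - i;
        }
        i += out[n].patch_len;
        n++;
    }
    return n;
}

/* Constructed sample region (base address made up for the example):
 *   +0  clean   8B FF 55 8B EC 83 EC 10   mov edi,edi / push ebp / mov ebp,esp / sub esp,10h
 *   +8  6-byte  FF 25 00 50 00 10 C3 90   jmp [10005000h] written over the first 6 bytes
 *   +16 5-byte  E9 EB EF FF 0F 5D C3 CC   jmp 20000000h written over the first 5 bytes */
#define SAMPLE_BASE 0x10001000u
#define SAMPLE_LEN  24
static const uint8_t pristine_region[SAMPLE_LEN] = {
    0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,
    0x8B,0xFF,0x55,0x8B,0xEC,0x5D,0xC3,0x90,
    0x55,0x8B,0xEC,0x33,0xC0,0x5D,0xC3,0xCC };
static const uint8_t live_region[SAMPLE_LEN] = {
    0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,
    0xFF,0x25,0x00,0x50,0x00,0x10,0xC3,0x90,
    0xE9,0xEB,0xEF,0xFF,0x0F,0x5D,0xC3,0xCC };

hook_hit sample_hits[8];

/* Run the scanner over the sample; returns the number of patched sites (2). */
size_t scan_sample(void)
{
    return scan_region(live_region, pristine_region, SAMPLE_LEN,
                       SAMPLE_BASE, sample_hits, 8);
}

int main(void)
{
    static const char *names[] = { "jmp rel32", "jmp [abs32]", "push/ret", "unknown" };
    size_t n = scan_sample(), k;
    for (k = 0; k < n; k++)
        printf("patch at %08X: %-12s len=%zu target=%08X\n",
               (unsigned)(SAMPLE_BASE + sample_hits[k].offset), names[sample_hits[k].kind],
               sample_hits[k].patch_len, (unsigned)sample_hits[k].target);
    return 0;
}
```

Two caveats a practitioner should keep in mind. The pristine copy must have relocations and import fixups applied before diffing, or every relocated address in the section shows up as a hit; and the `FF 25` operand is an absolute address only on 32-bit x86, on x64 it is RIP-relative. The scanner only reports patches; writing the pristine bytes back is the "standard method" uall warns can crash a process, because a thread may be executing inside the stub or the hook's trampoline at that moment, which is why he prefers calling the library's own unhook routine.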
iconic
Joined: 08 Jun 2005 Posts: 603
Posted: Thu Apr 05, 2007 9:19 pm Post subject:

Valve Corporation has already taken "legal" action, as in a court of law, and drawn up charges against game cheaters individually AND cheat networks as a whole; that's also a fact, uall, and if you Google you will see this too. As far as it being right or wrong, that's not really my business, because I no longer game, nor do I or would I ever write a game cheat; this is simply my preference.
Based on what you said, I do understand your motive and I've nothing against it really; I honestly just don't see this being very beneficial unless you have some reason you need to know what a hooker is using. Myself, I don't care too much about user mode anymore and have opted for kernel-mode hooking, much like EliCz's available packages, since this is more interesting and there are already so many ring-3 hooking packages available to the public, most even open source. Thanks for your explanation.
--Iconic