
Thread: Preventing API hooking????

  1. #1

    Question Preventing API hooking????

    Hello,

    I was wondering if there is any way to prevent hooking a given API???
    Is this how some applications are able to prevent being dumped or is it done some other way???
    Thx,

    Regards,
    YAA

  2. #2
    disavowed
    Join Date
    Apr 2002
    Posts
    1,281

    Re: Preventing API hooking????

    Originally posted by yaa
    Is this how some applications are able to prevent being dumped or is it done some other way???
    Some protections do hook ReadProcessMemory to try to prevent themselves from being dumped.

  3. #3
    dion
    Guest
    I think what you should do is not prevent it but check whether it's hooked or not. You can check the routine signature to ensure authentication.

    regards
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    So the big question is: even if you stop targets from being dumped by programs like ProcDump, LordPE or similar, will it stop IceDump? In most cases it won't, which is why it's kinda stupid to implement such anti-hooking stuff. I mean most people don't get fooled by such things anyway since they use IceDump.
    The interesting question is whether it's possible to also do an anti-action against IceDump.

    // CyberHeg

  5. #5
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    Originally posted by dion
    I think what you should do is not prevent it but check whether it's hooked or not. You can check the routine signature to ensure authentication.
    How can you verify the authenticity of an API?! Every Windows/DLL version can have a different checksum, or am I missing something?

  6. #6
    dion
    Guest
    Well, SiNTAX, actually I don't know either, and this one is the protector's job to find out [i.e. how the signature verifier from Microsoft works for every DLL, maybe?]. BTW, yaa, what kind of hooking do you want to prevent, global or local?

    regards

  7. #7
    Registered User
    Join Date
    Jan 2002
    Location
    Germany
    Posts
    39

    ...

    Hello.
    You can get the base of the DLL your API functions belong to and compare those first bytes.

    For example: DLL base: BFxxxxxx ; API function: BFxxxxxx

    If that address differs much, you can be sure something
    isn't as it should be.

    For other stuff you could check the modules loaded by a program.
    If neat things like ApiHooks (Hi EliCZ) are used, you should find one more module than your program usually has...

    Cheers,[NtSC]
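    The two checks suggested in this thread, dion's "routine signature" (post #3) and NtSC's "does the entry point still stay inside the DLL's address range" (post #7), can be turned into a small 32-bit x86 prologue inspector. The following is an added example written for this thread, not code from any poster or from the antidump text linked later; the module range, the function address and the byte sequences are constructed sample data, and on a real system the base and size would come from the loader rather than from the constants used here. It decodes the common detour patterns (relative JMP, PUSH/RET, indirect JMP) and reports whether control leaves the module, and it compares the live entry bytes against a copy saved earlier.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

/* Hypothetical module descriptor. On Windows the values would come from
 * GetModuleHandle / GetModuleInformation; here they are constructed. */
typedef struct {
    const char *name;
    uint32_t base;   /* load address, e.g. BFxxxxxx for a Win9x system DLL */
    uint32_t size;   /* size of the mapped image */
} module_range;

enum hook_verdict {
    NO_REDIRECT = 0,      /* entry starts with a normal prologue, no branch */
    JMP_INSIDE_MODULE,    /* branch, but its target stays inside the DLL: plausible */
    HOOK_JMP_OUTSIDE,     /* E9 rel32 to an address outside the DLL: hooked */
    HOOK_PUSH_RET,        /* 68 imm32 / C3 to an address outside the DLL: hooked */
    HOOK_INDIRECT_JMP     /* FF 25 [imm32]: jumps through a pointer, treat as hooked */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int in_module(uint32_t addr, const module_range *m)
{
    return addr >= m->base && addr - m->base < m->size;
}

/* Target of a 5-byte relative JMP (E9 rel32) located at 'from'. */
uint32_t rel_jmp_target(uint32_t from, const uint8_t *code)
{
    return from + 5u + read_le32(code + 1);   /* uint32_t arithmetic wraps like the CPU's */
}

/* Decode the first bytes at an API entry point (32-bit x86) and decide whether
 * control leaves the module the function belongs to. */
enum hook_verdict check_entry(const uint8_t *code, size_t len, uint32_t func_addr, const module_range *mod)
{
    if (len >= 5 && code[0] == 0xE9) {                        /* jmp rel32 */
        uint32_t target = rel_jmp_target(func_addr, code);
        return in_module(target, mod) ? JMP_INSIDE_MODULE : HOOK_JMP_OUTSIDE;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {     /* push imm32 ; ret */
        uint32_t target = read_le32(code + 1);
        return in_module(target, mod) ? JMP_INSIDE_MODULE : HOOK_PUSH_RET;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)       /* jmp dword ptr [imm32] */
        return HOOK_INDIRECT_JMP;
    return NO_REDIRECT;
}

/* The "routine signature" idea: keep a copy of the entry bytes taken at startup
 * and compare against the live bytes later. Returns 1 if they differ. */
int entry_changed(const uint8_t *saved, const uint8_t *live, size_t n)
{
    return memcmp(saved, live, n) != 0;
}

/* ---- constructed sample data (not real addresses or code from the thread) ---- */
const module_range sample_kernel32 = { "KERNEL32.DLL", 0xBFF70000u, 0x00070000u };
#define SAMPLE_FUNC 0xBFF7A000u   /* pretend export inside sample_kernel32 */

/* Typical hotpatchable prologue: mov edi,edi ; push ebp ; mov ebp,esp ; nop */
const uint8_t sample_clean[6]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x90 };
/* Same entry after a detour: jmp 0x00401000 (rel32 = 0x40486FFB) */
const uint8_t sample_hooked[6]   = { 0xE9, 0xFB, 0x6F, 0x48, 0x40, 0x90 };
/* A short jump that stays inside the DLL (rel32 = 0x10 -> 0xBFF7A015) */
const uint8_t sample_internal[6] = { 0xE9, 0x10, 0x00, 0x00, 0x00, 0x90 };
/* push 0x00401000 ; ret */
const uint8_t sample_pushret[6]  = { 0x68, 0x00, 0x10, 0x40, 0x00, 0xC3 };

int main(void)
{
    static const char *names[] = { "no redirect", "jmp inside module", "jmp outside module",
                                   "push/ret outside module", "indirect jmp" };
    printf("clean:    %s\n", names[check_entry(sample_clean, 6, SAMPLE_FUNC, &sample_kernel32)]);
    printf("hooked:   %s (target %08" PRIX32 ")\n",
           names[check_entry(sample_hooked, 6, SAMPLE_FUNC, &sample_kernel32)],
           rel_jmp_target(SAMPLE_FUNC, sample_hooked));
    printf("internal: %s\n", names[check_entry(sample_internal, 6, SAMPLE_FUNC, &sample_kernel32)]);
    printf("push/ret: %s\n", names[check_entry(sample_pushret, 6, SAMPLE_FUNC, &sample_kernel32)]);
    printf("signature changed: %d\n", entry_changed(sample_clean, sample_hooked, 5));
    return 0;
}
```

    Two caveats SiNTAX's objection in post #5 points at: the saved-bytes comparison must be taken against the same DLL build that is running (a different Windows version legitimately changes the prologue), and a JMP whose target stays inside the module is not proof of a hook, since system DLLs do contain forwarders and thunks. A check built this way only raises a flag; it cannot tell a kernel-mode or debugger-side dump apart from a user-mode detour, which is CyberHeg's point in post #4.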

  8. #8
    How can an app prevent being dumped by hooking the readprocessmemory API???

    Regards,
    YAA

  9. #9
    Hwoarang
    Guest

    caution, this guy is working for Bitarts:P

    It's a lame way to prevent reading of the process memory.. the hook should probably check the PID and whether it's the application which should not be dumped.. blabla

  10. #10
    ^DAEMON^
    Guest

    to CyberHeg

    hmmm, probably you should take a look at ifsmgr

    ^DAEMON^

  11. #11
    disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    Originally posted by yaa
    How can an app prevent being dumped by hooking the readprocessmemory API???
    http://216.239.35.100/search?q=cache:oEyvVKhSIfcC:daemon.anticrack.de/antidump.txt

  12. #12
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    Originally posted by disavowed
    http://216.239.35.100/search?q=cache:oEyvVKhSIfcC:daemon.anticrack.de/antidump.txt
    ; this program here is *PRETTY* good, but everything can be defeated
    ; @ least this will stop most crackers

    LOL...

    int 5 --> NOP


    But guess that was not the point

  13. #13
    Hwoarang
    Guest

    Talking

    Hum, about that anti-dump code... why ring0 and not VirtualProtectEx :P

  14. #14
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    Originally posted by Hwoarang
    Hum, about that anti-dump code... why ring0 and not VirtualProtectEx :P
    Maybe because of this:

    Windows 95/98/Me: You cannot use VirtualProtectEx on any memory region located in the shared virtual address space (from 0x80000000 through 0xBFFFFFFF).
    ?!

    But then.. 95/98/ME is FINALLY dying a slow death.. about time!

  15. #15
    Hwoarang
    Guest

    yeah right

    It works to deprotect any address within the Kernel32 memory range under Win9x.
