Hello,

I was wondering if there is any way to prevent hooking a given API???
Is this how some applications are able to prevent being dumped or is it done some other way???
Thx,

Regards,
YAA

some protections do hook readprocessmemory to try to prevent themselves from being dumped

i think what you should do is not prevent but checking whether its hooked or not. you can check routine signature to ensure authenthication.

regards

So the big question is even if you stop targets from beeing dumped from programs like procdump, lord pe or similar, will it stop icedump? In most cases it won't which is why it's kinda stupid to implement such anti hooking stuff. I mean most people don't get fooled by such anyway since they use icedump.
The interesting question is if it's possible also to do a anti action against icedump.

// CyberHeg

How can you verify the authenticity of an API?! Every windows/DLL version can have a different checksum or am I missing something?

well, SiNTAX, actually i dont know either. and this one is protector's job to find out [ie how sig verifier from microsoft work for every dll, maybe?]. btw, yaa, what kind of hooking do you want to prevent, a global or local?

regards

Hello.
You can get the Base of the DLL,your APi-Functions belongs to and compare those first Bytes..

For Example : Dll-Base: BFxxxxxx ; Api-Function: BFxxxxxx

If that Adress kinda differs much,you can be sure something
isnt as it should be.

For other Stuff you could check the Modules,loaded by a Program.
If neat Things like ApiHooks (Hi EliCZ) are used, u should find 1 more Module as your Program usually has...

Cheers,[NtSC]

How can an app prevent being dumped by hooking the readprocessmemory API???

Regards,
YAA

it's a lame way to prevent reading of the process memory..the hook should probably check the PID and if it's the application which should not be dumped..blabla

hmmm probably u should take a look @ ifsmgr

^DAEMON^

http://216.239.35.100/search?q=cacheEyvVKhSIfcC:daemon.anticrack.de/antidump.txt

; this program here is *PRETTY* good, but everything can be defeated
; @ least this will stop most crackers

LOL...

int 5 --> NOP


But guess that was not the point

hum about that anti-dump code...why ring0 and not VirtualProtectEx:P

Maybe because of this:



?!

But then.. 95/98/ME is FINALLY dying a slow death.. about time!

It worx to deprotect any address within Kernel32 memory range under Win9x

bugger, this are small samples... it's not a solution to include into a "protection"... it's just the IDEA!

and it's more or less useless to work on anti-dumping code since there is always a solution to dump... (code_mangling is better)

^DAEMON^

Ehehe I was aware of that.. hence the 'LOL... But guess that was not the point '

np