Preventing API hooking????
yaa
September 19th, 2002, 16:08
Hello,
I was wondering if there is any way to prevent hooking a given API???
Is this how some applications are able to prevent being dumped or is it done some other way???
Thx,
Regards,
YAA
disavowed
September 20th, 2002, 00:17
Quote:
Originally posted by yaa
Is this how some applications are able to prevent being dumped or is it done some other way???
Some protections do hook ReadProcessMemory to try to prevent themselves from being dumped.
dion
September 20th, 2002, 03:55
I think what you should do is not prevent it but check whether it's hooked or not. You can check the routine's signature to ensure authentication.
regards
cyberheg
September 20th, 2002, 06:27
So the big question is: even if you stop targets from being dumped by programs like ProcDump, LordPE or similar, will it stop IceDump? In most cases it won't, which is why it's kinda stupid to implement such anti-hooking stuff. I mean most people don't get fooled by such anyway, since they use IceDump.
The interesting question is if it's also possible to do an anti action against IceDump.
// CyberHeg
SiNTAX
September 20th, 2002, 08:08
Quote:
Originally posted by dion
I think what you should do is not prevent it but check whether it's hooked or not. You can check the routine's signature to ensure authentication.
How can you verify the authenticity of an API?! Every Windows/DLL version can have a different checksum, or am I missing something?
dion
September 20th, 2002, 11:45
Well, SiNTAX, actually I don't know either, and this one is the protector's job to find out [i.e. how the sig verifier from Microsoft works for every DLL, maybe?]. BTW, yaa, what kind of hooking do you want to prevent, global or local?
regards
[NtSC]
September 20th, 2002, 18:06
Hello.
You can get the base of the DLL your API functions belong to and compare those first bytes..
For example: DLL base: BFxxxxxx ; API function: BFxxxxxx
If that address differs much, you can be sure something isn't as it should be.
For other stuff you could check the modules loaded by a program.
If neat things like ApiHooks (Hi EliCZ) are used, you should find one more module than your program usually has...
Cheers,[NtSC]
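The two checks [NtSC] sketches (does the address the import table hands you lie inside the DLL that is supposed to own it, and do the first bytes of the function look untouched) as an added example; this is not code from the thread or from any of the tools named in it. It is written portably so it runs anywhere: the module list, the load addresses, the "ReadProcessMemory" address and the prologue bytes are all constructed sample values (the BFxxxxxx base only mirrors the Win9x kernel32 range mentioned in the post). On a real process the module list would come from the loader (PEB module list or Toolhelp), the owning module from the import descriptor, and the bytes from reading the function's address. Note the caveat built into the code: a function that legitimately starts with a JMP (a forwarder thunk, for instance) is only flagged when the jump leaves the owning module, which is the address-range test the post describes, not a byte-for-byte "authenticity" check of the API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A loaded module as the check sees it: name, load address, SizeOfImage.
 * Constructed sample values below; on a real system these come from the
 * loader's module list. */
typedef struct {
    const char *name;
    uint32_t    base;
    uint32_t    size;
} module_t;

enum { API_OK = 0, API_IAT_REDIRECTED = 1, API_INLINE_PATCHED = 2 };

static int in_module(uint32_t addr, const module_t *m)
{
    return addr >= m->base && addr < m->base + m->size;
}

/* Which loaded module, if any, does addr fall into? NULL = none known. */
static const module_t *find_module(uint32_t addr, const module_t *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (in_module(addr, &mods[i]))
            return &mods[i];
    return NULL;
}

/* Inspect the first 6 bytes of a function for the patches hook libraries
 * usually write: E9 rel32 (JMP) or 68 imm32 / C3 (PUSH; RET).
 * Returns the absolute detour target, or 0 if the prologue shows neither.
 * Heuristic: an export forwarder thunk also starts with a JMP, so the caller
 * only alarms when the target leaves the owning module. */
static uint32_t detour_target(const uint8_t *code, uint32_t func_addr)
{
    if (code[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, code + 1, 4);
        return func_addr + 5 + (uint32_t)rel;
    }
    if (code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t abs;
        memcpy(&abs, code + 1, 4);
        return abs;
    }
    return 0;
}

/* Run both checks against one import.
 *   iat_value : address our import table currently holds for the API
 *   code      : first 6 bytes found at that address
 *   owner     : module the import names (e.g. KERNEL32)
 * *where receives the module a suspicious address points into (NULL if no
 * known module contains it, which is itself a finding). */
static int check_import(uint32_t iat_value, const uint8_t *code,
                        const module_t *owner, const module_t *mods, size_t n,
                        const module_t **where)
{
    *where = NULL;
    if (!in_module(iat_value, owner)) {           /* IAT points elsewhere */
        *where = find_module(iat_value, mods, n);
        return API_IAT_REDIRECTED;
    }
    uint32_t target = detour_target(code, iat_value);
    if (target != 0 && !in_module(target, owner)) { /* prologue jumps out */
        *where = find_module(target, mods, n);
        return API_INLINE_PATCHED;
    }
    return API_OK;
}

/* Build the E9 detour a hook would write at `from` to reach `to`. */
static void make_jmp(uint8_t out[6], uint32_t from, uint32_t to)
{
    int32_t rel = (int32_t)(to - (from + 5));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, 4);
    out[5] = 0x90;
}

/* Constructed sample process: the real DLL plus one extra hook DLL, which is
 * exactly the "one more module than usual" the post talks about. */
static const module_t SAMPLE_MODS[] = {
    { "KERNEL32", 0xBFF70000u, 0x00050000u },
    { "HOOK.DLL", 0x10000000u, 0x00010000u },
};
#define SAMPLE_NMODS (sizeof SAMPLE_MODS / sizeof SAMPLE_MODS[0])
#define SAMPLE_RPM   0xBFF7A000u   /* pretend ReadProcessMemory lives here */

int main(void)
{
    /* push ebp; mov ebp,esp; sub esp,10h : an ordinary untouched prologue */
    static const uint8_t clean[6] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    uint8_t patched[6];
    const module_t *where;
    const module_t *k32 = &SAMPLE_MODS[0];
    int r;

    make_jmp(patched, SAMPLE_RPM, 0x10001000u);   /* hook into HOOK.DLL */

    r = check_import(SAMPLE_RPM, clean, k32, SAMPLE_MODS, SAMPLE_NMODS, &where);
    printf("untouched IAT and prologue: %d\n", r);
    r = check_import(0x10001000u, clean, k32, SAMPLE_MODS, SAMPLE_NMODS, &where);
    printf("IAT redirected: %d -> %s\n", r, where ? where->name : "unknown");
    r = check_import(SAMPLE_RPM, patched, k32, SAMPLE_MODS, SAMPLE_NMODS, &where);
    printf("inline JMP in prologue: %d -> %s\n", r, where ? where->name : "unknown");
    return 0;
}
```

A result of API_OK only says the two cheap checks passed: a hook placed deeper in the function, or a hook DLL mapped inside a gap in the owning module's range, is not caught by this, which is the thread's larger point that such checks raise the bar rather than settle the matter.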
yaa
September 20th, 2002, 20:27
How can an app prevent being dumped by hooking the ReadProcessMemory API???
Regards,
YAA
Hwoarang
September 20th, 2002, 20:58
It's a lame way to prevent reading of the process memory.. the hook should probably check the PID, and if it's the application which should not be dumped.. blabla
^DAEMON^
September 21st, 2002, 14:47
Hmmm, probably you should take a look @ ifsmgr.
^DAEMON^
disavowed
September 21st, 2002, 14:57
Quote:
Originally posted by yaa
How can an app prevent being dumped by hooking the ReadProcessMemory API???
http://216.239.35.100/search?q=cache EyvVKhSIfcC:daemon.anticrack.de/antidump.txt
SiNTAX
September 21st, 2002, 18:17
Quote:
Originally posted by disavowed
http://216.239.35.100/search?q=cache EyvVKhSIfcC:daemon.anticrack.de/antidump.txt
; this program here is *PRETTY* good, but everything can be defeated
; @ least this will stop most crackers
LOL...
int 5 --> NOP
But guess that was not the point

Hwoarang
September 22nd, 2002, 00:36
Hum, about that anti-dump code... why ring0 and not VirtualProtectEx? :P
SiNTAX
September 22nd, 2002, 01:00
Quote:
Originally posted by Hwoarang
Hum, about that anti-dump code... why ring0 and not VirtualProtectEx? :P
Maybe because of this:
Quote:
Windows 95/98/Me: You cannot use VirtualProtectEx on any memory region located in the shared virtual address space (from 0x80000000 through 0xBFFFFFFF).
?!
But then.. 95/98/ME is FINALLY dying a slow death.. about time!
Hwoarang
September 22nd, 2002, 01:33
It works to deprotect any address within the Kernel32 memory range under Win9x.
^DAEMON^
September 23rd, 2002, 13:07
Bugger, these are small samples... it's not a solution to include into a "protection"... it's just the IDEA!
And it's more or less useless to work on anti-dumping code since there is always a solution to dump... (code mangling is better)
^DAEMON^
SiNTAX
September 23rd, 2002, 13:28
Quote:
Originally posted by ^DAEMON^
Bugger, these are small samples... it's not a solution to include into a "protection"... it's just the IDEA!
And it's more or less useless to work on anti-dumping code since there is always a solution to dump... (code mangling is better)
^DAEMON^
Ehehe, I was aware of that.. hence the 'LOL... But guess that was not the point'.
^DAEMON^
September 23rd, 2002, 16:49
np