Solved

How to implement anti-hook?

Posted on 2002-07-30
8
297 Views
Last Modified: 2013-12-03
I want to implement a feature: when my app starts up, I don't want that any other app calls SetWindowsHookEx() to inject a dll into my process space.

So, I intercept SetWindowsHookEx() and LoadLibraryA(). But I can't see any LoadLibrary() call in my process space.

Does anyone know how the OS loads the hook dll into other process? Or can I implement this feature in other way? Thanks.

Best Regards,
Fengtao
0
Comment
Question by:fengtao2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 20

Accepted Solution

by:
Madshi earned 200 total points
ID: 7187659
Windows will probably call some internal functions, something like "InternalLoadLibrary", which you don't know the address of.

You can of course hook SetWindowsHookEx, but you have to do it system wide, and that's not so easy.

Also, if a serious programmer wants to inject a dll into your process, he *might* use SetWindowsHookEx, but he also might use CreateRemoteThread, which is a much better technique anyway. So you will have to hook CreateRemoteThread as well, but only in winNT family, win9x doesn't export CreateRemoteThread.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7189514
Hi Madshi,

Thank you for valuable comment.

I also hook the OpenProcess(), so others can not call CreateRemoteThread() to inject into my process.

Who know the "InternalLoadLibrary" or something like that?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7189848
>> Who know the "InternalLoadLibrary" or something like that?

Why do you need this? If you hook SetWindowsHookEx, it should be good enough, should it not?

You would have to disassemble the windows system dlls, which are involved, to find out about such internal functions.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7192315
I must allow other apps call SetWindowsHookEx() to inject into all processes except for me, so hook only SetWindowsHookEx() isn't enough, or there is a way I don't find out?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7192591
Ouch, well, this will get difficult. Here are some ideas:

(1) You could try to disassemble the relevant system dlls to see what's going on in SetWindowsHookEx.
(2) How does SetWindowsHookEx enumerate the processes into which the dll is injected? Maybe by calling EnumWindows? In that case hooking EnumWindows and hiding your windows could be a solution.
(3) Perhaps SetWindowsHookEx calls some process enumeration APIs, in that case hooking those APIs might help.

It's gonna be really difficult. Sorry...

Regards, Madshi.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After several hours of googling I could not gather any information on this topic. There are several ways of controlling the USB port connected to any storage device. The best example of that is by changing the registry value of "HKEY_LOCAL_MACHINE\S…
Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question