Solved

How to implement anti-hook?

Posted on 2002-07-30
8
294 Views
Last Modified: 2013-12-03
I want to implement a feature: when my app starts up, I don't want that any other app calls SetWindowsHookEx() to inject a dll into my process space.

So, I intercept SetWindowsHookEx() and LoadLibraryA(). But I can't see any LoadLibrary() call in my process space.

Does anyone know how the OS loads the hook dll into other process? Or can I implement this feature in other way? Thanks.

Best Regards,
Fengtao
0
Comment
Question by:fengtao2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 20

Accepted Solution

by:
Madshi earned 200 total points
ID: 7187659
Windows will probably call some internal functions, something like "InternalLoadLibrary", which you don't know the address of.

You can of course hook SetWindowsHookEx, but you have to do it system wide, and that's not so easy.

Also, if a serious programmer wants to inject a dll into your process, he *might* use SetWindowsHookEx, but he also might use CreateRemoteThread, which is a much better technique anyway. So you will have to hook CreateRemoteThread as well, but only in winNT family, win9x doesn't export CreateRemoteThread.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7189514
Hi Madshi,

Thank you for valuable comment.

I also hook the OpenProcess(), so others can not call CreateRemoteThread() to inject into my process.

Who know the "InternalLoadLibrary" or something like that?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7189848
>> Who know the "InternalLoadLibrary" or something like that?

Why do you need this? If you hook SetWindowsHookEx, it should be good enough, should it not?

You would have to disassemble the windows system dlls, which are involved, to find out about such internal functions.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7192315
I must allow other apps call SetWindowsHookEx() to inject into all processes except for me, so hook only SetWindowsHookEx() isn't enough, or there is a way I don't find out?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7192591
Ouch, well, this will get difficult. Here are some ideas:

(1) You could try to disassemble the relevant system dlls to see what's going on in SetWindowsHookEx.
(2) How does SetWindowsHookEx enumerate the processes into which the dll is injected? Maybe by calling EnumWindows? In that case hooking EnumWindows and hiding your windows could be a solution.
(3) Perhaps SetWindowsHookEx calls some process enumeration APIs, in that case hooking those APIs might help.

It's gonna be really difficult. Sorry...

Regards, Madshi.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article surveys and compares options for encoding and decoding base64 data.  It includes source code in C++ as well as examples of how to use standard Windows API functions for these tasks. We'll look at the algorithms — how encoding and decodi…
For most people, the WrapPanel seems like a magic when they switch from WinForms to WPF. Most of us will think that the code that is used to write a control like that would be difficult. However, most of the work is done by the WPF engine, and the W…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question