?
Solved

How to implement anti-hook?

Posted on 2002-07-30
8
Medium Priority
?
326 Views
Last Modified: 2013-12-03
I want to implement a feature: when my app starts up, I don't want that any other app calls SetWindowsHookEx() to inject a dll into my process space.

So, I intercept SetWindowsHookEx() and LoadLibraryA(). But I can't see any LoadLibrary() call in my process space.

Does anyone know how the OS loads the hook dll into other process? Or can I implement this feature in other way? Thanks.

Best Regards,
Fengtao
0
Comment
Question by:fengtao2000
  • 3
  • 2
5 Comments
 
LVL 20

Accepted Solution

by:
Madshi earned 800 total points
ID: 7187659
Windows will probably call some internal functions, something like "InternalLoadLibrary", which you don't know the address of.

You can of course hook SetWindowsHookEx, but you have to do it system wide, and that's not so easy.

Also, if a serious programmer wants to inject a dll into your process, he *might* use SetWindowsHookEx, but he also might use CreateRemoteThread, which is a much better technique anyway. So you will have to hook CreateRemoteThread as well, but only in winNT family, win9x doesn't export CreateRemoteThread.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7189514
Hi Madshi,

Thank you for valuable comment.

I also hook the OpenProcess(), so others can not call CreateRemoteThread() to inject into my process.

Who know the "InternalLoadLibrary" or something like that?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7189848
>> Who know the "InternalLoadLibrary" or something like that?

Why do you need this? If you hook SetWindowsHookEx, it should be good enough, should it not?

You would have to disassemble the windows system dlls, which are involved, to find out about such internal functions.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7192315
I must allow other apps call SetWindowsHookEx() to inject into all processes except for me, so hook only SetWindowsHookEx() isn't enough, or there is a way I don't find out?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7192591
Ouch, well, this will get difficult. Here are some ideas:

(1) You could try to disassemble the relevant system dlls to see what's going on in SetWindowsHookEx.
(2) How does SetWindowsHookEx enumerate the processes into which the dll is injected? Maybe by calling EnumWindows? In that case hooking EnumWindows and hiding your windows could be a solution.
(3) Perhaps SetWindowsHookEx calls some process enumeration APIs, in that case hooking those APIs might help.

It's gonna be really difficult. Sorry...

Regards, Madshi.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to make a Windows 7 gadget that accepts files dropped from the Windows Explorer.  It also illustrates how to give your gadget a non-rectangular shape and how to add some nifty visual effects to text displayed in a your gadget.…
With most software applications trying to cater to multiple user needs nowadays, the focus is to make them as configurable as possible. For e.g., when creating Silverlight applications which will connect to WCF services, the service end point usuall…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…

616 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question