?
Solved

How to implement anti-hook?

Posted on 2002-07-30
8
Medium Priority
?
307 Views
Last Modified: 2013-12-03
I want to implement a feature: when my app starts up, I don't want that any other app calls SetWindowsHookEx() to inject a dll into my process space.

So, I intercept SetWindowsHookEx() and LoadLibraryA(). But I can't see any LoadLibrary() call in my process space.

Does anyone know how the OS loads the hook dll into other process? Or can I implement this feature in other way? Thanks.

Best Regards,
Fengtao
0
Comment
Question by:fengtao2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 20

Accepted Solution

by:
Madshi earned 800 total points
ID: 7187659
Windows will probably call some internal functions, something like "InternalLoadLibrary", which you don't know the address of.

You can of course hook SetWindowsHookEx, but you have to do it system wide, and that's not so easy.

Also, if a serious programmer wants to inject a dll into your process, he *might* use SetWindowsHookEx, but he also might use CreateRemoteThread, which is a much better technique anyway. So you will have to hook CreateRemoteThread as well, but only in winNT family, win9x doesn't export CreateRemoteThread.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7189514
Hi Madshi,

Thank you for valuable comment.

I also hook the OpenProcess(), so others can not call CreateRemoteThread() to inject into my process.

Who know the "InternalLoadLibrary" or something like that?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7189848
>> Who know the "InternalLoadLibrary" or something like that?

Why do you need this? If you hook SetWindowsHookEx, it should be good enough, should it not?

You would have to disassemble the windows system dlls, which are involved, to find out about such internal functions.

Regards, Madshi.
0
 
LVL 1

Author Comment

by:fengtao2000
ID: 7192315
I must allow other apps call SetWindowsHookEx() to inject into all processes except for me, so hook only SetWindowsHookEx() isn't enough, or there is a way I don't find out?

Best Regards,
Fengtao
0
 
LVL 20

Expert Comment

by:Madshi
ID: 7192591
Ouch, well, this will get difficult. Here are some ideas:

(1) You could try to disassemble the relevant system dlls to see what's going on in SetWindowsHookEx.
(2) How does SetWindowsHookEx enumerate the processes into which the dll is injected? Maybe by calling EnumWindows? In that case hooking EnumWindows and hiding your windows could be a solution.
(3) Perhaps SetWindowsHookEx calls some process enumeration APIs, in that case hooking those APIs might help.

It's gonna be really difficult. Sorry...

Regards, Madshi.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As more and more people are shifting to the latest .Net frameworks, the windows presentation framework is gaining importance by the day. Many people are now turning to WPF controls to provide a rich user experience. I have been using WPF controls fo…
What my article will show is if you ever had to do processing to a listbox without being able to just select all the items in it. My software Visual Studio 2008 crystal report v11 My issue was I wanted to add crystal report to a form and show…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question