fengtao2000
asked on
How to implement anti-hook?
I want to implement a feature: when my app starts up, I don't want that any other app calls SetWindowsHookEx() to inject a dll into my process space.
So, I intercept SetWindowsHookEx() and LoadLibraryA(). But I can't see any LoadLibrary() call in my process space.
Does anyone know how the OS loads the hook dll into other process? Or can I implement this feature in other way? Thanks.
Best Regards,
Fengtao
So, I intercept SetWindowsHookEx() and LoadLibraryA(). But I can't see any LoadLibrary() call in my process space.
Does anyone know how the OS loads the hook dll into other process? Or can I implement this feature in other way? Thanks.
Best Regards,
Fengtao
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
>> Who know the "InternalLoadLibrary" or something like that?
Why do you need this? If you hook SetWindowsHookEx, it should be good enough, should it not?
You would have to disassemble the windows system dlls, which are involved, to find out about such internal functions.
Regards, Madshi.
Why do you need this? If you hook SetWindowsHookEx, it should be good enough, should it not?
You would have to disassemble the windows system dlls, which are involved, to find out about such internal functions.
Regards, Madshi.
ASKER
I must allow other apps call SetWindowsHookEx() to inject into all processes except for me, so hook only SetWindowsHookEx() isn't enough, or there is a way I don't find out?
Best Regards,
Fengtao
Best Regards,
Fengtao
Ouch, well, this will get difficult. Here are some ideas:
(1) You could try to disassemble the relevant system dlls to see what's going on in SetWindowsHookEx.
(2) How does SetWindowsHookEx enumerate the processes into which the dll is injected? Maybe by calling EnumWindows? In that case hooking EnumWindows and hiding your windows could be a solution.
(3) Perhaps SetWindowsHookEx calls some process enumeration APIs, in that case hooking those APIs might help.
It's gonna be really difficult. Sorry...
Regards, Madshi.
(1) You could try to disassemble the relevant system dlls to see what's going on in SetWindowsHookEx.
(2) How does SetWindowsHookEx enumerate the processes into which the dll is injected? Maybe by calling EnumWindows? In that case hooking EnumWindows and hiding your windows could be a solution.
(3) Perhaps SetWindowsHookEx calls some process enumeration APIs, in that case hooking those APIs might help.
It's gonna be really difficult. Sorry...
Regards, Madshi.
ASKER
Thank you for valuable comment.
I also hook the OpenProcess(), so others can not call CreateRemoteThread() to inject into my process.
Who know the "InternalLoadLibrary" or something like that?
Best Regards,
Fengtao