Solved

detect API hooking.

Posted on 2003-03-03
Last Modified: 2010-04-04
Hello, how can I detect if someone is hooking my app's API calls?
0
Question by:wsock32_
5 Comments
 
LVL 20

Expert Comment

by:Madshi
ID: 8063568
What do you mean by your "App's API calls"? You can check whether someone hooked any APIs in the context of your process. Is that what you want?

In that case you will have to check the import table, the export table and the code itself of all relevant modules (exe + dlls) in your process. That's possible, but quite difficult. The best way is to load the original module files from the hard disk and compare the important parts (import table, export table and code) with the loaded module images.

However, please note that a debugger hooks APIs, so such a hooking detection would fire inside of Delphi's IDE. Also some system dlls might use API hooking themselves or overwrite their own code. In that case the hooking detection would fire, too.

Regards, Madshi.
0
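Added example, not part of the thread and not Madshi's code: the disk-versus-memory comparison described in the answer above, narrowed to executable sections only, in portable C. The function names and the sample image are constructed for illustration; on Windows, `file` would hold the module's file contents and `img` would be the loaded module base, assumed here to be loaded at its preferred base so that relocations do not show up as differences.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint32_t rd16(const uint8_t *p) { return p[0] | p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
/* Byte-compare each executable section of the on-disk PE file with the loaded image.
   Returns differing-byte count (-1 if malformed); *first_rva = RVA of first difference. */
long diff_code_sections(const uint8_t *file, size_t flen,
                        const uint8_t *img, size_t ilen, uint32_t *first_rva)
{
    if (flen < 0x40 || rd16(file) != 0x5A4D) return -1;           /* "MZ" */
    size_t nt = rd32(file + 0x3C);                                /* e_lfanew */
    if (nt > flen || flen - nt < 24 || rd32(file + nt) != 0x4550) return -1;
    size_t sh = nt + 24 + rd16(file + nt + 20);                   /* section table */
    long diffs = 0;
    for (uint32_t i = 0, nsec = rd16(file + nt + 6); i < nsec; i++, sh += 40) {
        if (sh + 40 > flen) return -1;
        const uint8_t *s = file + sh;
        uint64_t vsize = rd32(s + 8), rva = rd32(s + 12), rawsz = rd32(s + 16), raw = rd32(s + 20);
        if (!(rd32(s + 36) & 0x20000000u)) continue;              /* IMAGE_SCN_MEM_EXECUTE */
        uint64_t n = vsize < rawsz ? vsize : rawsz;
        if (raw + n > flen || rva + n > ilen) return -1;
        for (uint64_t k = 0; k < n; k++)
            if (file[raw + k] != img[rva + k] && diffs++ == 0) *first_rva = (uint32_t)(rva + k);
    }
    return diffs;
}

/* Constructed sample: minimal PE-like file with one 16-byte code section at RVA 0x1000. */
void build_sample(uint8_t *file, uint8_t *img)   /* file: 0x400 bytes, img: 0x2000 bytes */
{
    memset(file, 0, 0x400); memset(img, 0, 0x2000);
    file[0] = 'M'; file[1] = 'Z'; file[0x3C] = 0x40;              /* e_lfanew = 0x40 */
    memcpy(file + 0x40, "PE", 2); file[0x46] = 1;                 /* signature, 1 section */
    uint8_t *s = file + 0x58;                                     /* no optional header */
    s[8] = 16; s[13] = 0x10; s[16] = 16;                          /* VirtualSize, RVA 0x1000, raw size */
    s[21] = 0x02; s[39] = 0x20;                                   /* raw offset 0x200, executable */
    memset(file + 0x200, 0x90, 16); memcpy(img + 0x1000, file + 0x200, 16);
}

int main(void)
{
    static uint8_t file[0x400], img[0x2000];
    uint32_t rva = 0;
    build_sample(file, img);
    memset(img + 0x1000, 0xCC, 5);                                /* simulate an in-memory patch */
    long d = diff_code_sections(file, 0x400, img, 0x2000, &rva);
    return printf("%ld bytes differ, first at RVA 0x%X\n", d, (unsigned)rva) < 0;
}
```

The import and export tables need their own checks, because the loader rewrites the import address table by design and a byte comparison of it against the file would always differ.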
 

Author Comment

by:wsock32_
ID: 8063625
Yes, let's say I'm calling the GetCurrentDir() API command and someone is hooking that to return something else.

Any examples of what you're talking about, Madshi? (the import/export, code comparing)
0
 
LVL 20

Expert Comment

by:Madshi
ID: 8063649
There are several API hooking techniques available. If you want a perfect detection you need to check everything I said.

Sorry, I've no code or examples, also no time to write something for you. This is really difficult stuff and would need quite a bit of time. And after all I'm working on making API hooking possible, not on preventing/detecting it...   :-)
0
 

Author Comment

by:wsock32_
ID: 8063694
Damn.. I need something to get me started here :(
0
 
LVL 20

Accepted Solution

by:
Madshi earned 100 total points
ID: 8063750
Well, if you want something to get started you can look here:

http://www.codeproject.com/system/hooksys.asp

This shows how to hook APIs with import table patching. This is only one of many hooking methods, but it's the most often used. If you understand how it works inside you can make your own code about how to detect it.
0

Question has a verified solution.
