Frank Abbing | A small tool of mine based on API hooking. All DLLs that are currently being loaded by programs are listed in a listbox. Just start the exe and then start any programs. Their DLLs should now be listed, and it beeps briefly. Please test whether it still hangs somewhere.

Frank Abbing | Will do. Yes, that's why it doesn't run there either. On 2000 there are only 3 trampoline bytes; on XP there are 5. That's why it crashes on the jump back into the original routine. Either I take the respective NT version into account now, or I build the API completely into my own code. The second option is more flexible.

Frank Abbing | This new version should also work with 2000. But I wasn't able to test it.

Frank Abbing:
Will do. Yes, that's why it doesn't run there either. On 2000 there are only 3 trampoline bytes; on XP there are 5. That's why it crashes on the jump back into the original routine. Either I take the respective NT version into account now, or I build the API completely into my own code. The second option is more flexible.
Hello Frank...
A few thoughts:
Why don't you take the opcodes into account? There aren't that many. Some even have only one byte, others on the other hand up to 6 (when an address is jumped to). So: check where a valid opcode ends.
Why don't you then copy the (valid) opcode out of the DLL and simply jump to it? You would only have to make sure that the stack fits again. At the end of the copied opcodes you write the opcode of another call instruction. In the API, too, the stack must then be adjusted again (have a look with QEditor, opcodes, RET and CALL).
PS: Test result is still to come.

Hello Frank...
Unfortunately, still the same problem under Windows 2000: the first DLL is displayed, after that the hooked program quits with an error message.
When I was looking into Shatter, I did a lot of fiddling with APIs. What happens here seems very familiar to me: something about the stack no longer seems to be right, and the API fetches a pointer from the stack that does not point to a valid address. Have a look at whether something (perhaps via a call) is pushed onto the stack somewhere that has to be popped again before the rest of the API runs. XP apparently validates such pointers (it does run more stably); 2000 always reacts with a crash. Just a guess based on my earlier tinkering.

Frank Abbing | Oh, I evaluated a byte as decimal instead of hexadecimal... Attached is the new version, which hopefully runs now.
Why don't you take the opcodes into account? There aren't that many. Some even have only one byte, others on the other hand up to 6 (when an address is jumped to). So: check where a valid opcode ends.
I write a JMP instruction at the beginning of the API that jumps into my routine. I then execute the overwritten bytes/opcodes at the start of my routine. The problem was that 2000 and XP have different starting bytes. MS has supported API hooking since Windows XP and has therefore modified all APIs (inserting the pointless MOV EDI,EDI) so that the first 5 bytes can now easily be replaced by a JMP. Later I jump back to just after the JMP instruction and let the API continue normally. This is the technique commonly used by hackers, which is called a trampoline (jumping there and back). Instead of a jump, a PUSH jumpaddr / RETN can also be used. That technique, however, has a 6-byte trampoline.
This method can also easily be used to check whether an API is hooked or not. If the first byte read from the API is neither $55 nor $8B, the API is definitely inline-hooked.

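The first-byte check Frank describes and the opcode-aware trampoline idea raised earlier in the thread, as an added example (not code from the thread or from Frank's tool): a C routine that classifies the first bytes read from a 32-bit API entry as the XP hot-patch prologue, the 2000-style prologue, a JMP rel32 trampoline or a PUSH/RETN trampoline, and recovers the jump target for the latter two. The sample bytes and the 0x1000 entry address are constructed placeholders; reading the bytes out of a live process is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of a 32-bit API entry point look like. */
typedef enum {
    PROLOGUE_HOTPATCH, /* 8B FF 55 8B EC: mov edi,edi / push ebp / mov ebp,esp (XP, Vista) */
    PROLOGUE_CLASSIC,  /* 55 8B EC: push ebp / mov ebp,esp (2000: only 3 trampoline bytes) */
    HOOK_JMP_REL32,    /* E9 rel32: the 5-byte trampoline from the thread */
    HOOK_PUSH_RET,     /* 68 imm32 / C3: the 6-byte PUSH addr / RETN variant */
    UNEXPECTED         /* none of the above */
} entry_kind;

typedef struct { entry_kind kind; uint32_t target; } entry_info; /* target: 0 unless a trampoline */
/* The thread's rule: a first byte that is neither $55 nor $8B means inline-hooked. */
int first_byte_says_hooked(const uint8_t *code, size_t len)
{
    return len == 0 || (code[0] != 0x55 && code[0] != 0x8B);
}

/* Classify `len` bytes read from an entry point at virtual address `entry_va`. */
entry_info inspect_entry(uint32_t entry_va, const uint8_t *code, size_t len)
{
    entry_info r = { UNEXPECTED, 0 };
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);            /* little-endian rel32 */
        r.kind = HOOK_JMP_REL32;
        r.target = entry_va + 5 + (uint32_t)rel;       /* relative to the next instruction */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        memcpy(&r.target, code + 1, sizeof r.target);  /* RETN pops the pushed imm32 */
        r.kind = HOOK_PUSH_RET;
    } else if (len >= 5 && memcmp(code, "\x8B\xFF\x55\x8B\xEC", 5) == 0) {
        r.kind = PROLOGUE_HOTPATCH;
    } else if (len >= 3 && memcmp(code, "\x55\x8B\xEC", 3) == 0) {
        r.kind = PROLOGUE_CLASSIC;
    }
    return r;
}
int main(void)
{
    /* Constructed sample bytes; 0x1000 is a placeholder entry address, not a real kernel32 one. */
    const uint8_t jmp[] = {0xE9, 0xFB, 0x0F, 0x00, 0x00};          /* jmp +0xFFB -> 0x2000 */
    const uint8_t pr[]  = {0x68, 0x00, 0x20, 0x00, 0x00, 0xC3};    /* push 0x2000 / retn */
    entry_info a = inspect_entry(0x1000, jmp, sizeof jmp), b = inspect_entry(0x1000, pr, sizeof pr);
    printf("jmp: kind=%d target=0x%X hooked=%d\n", a.kind, a.target, first_byte_says_hooked(jmp, 5));
    printf("push/ret: kind=%d target=0x%X hooked=%d\n", b.kind, b.target, first_byte_says_hooked(pr, 6));
    return 0;
}
```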
Hello Frank...
Interesting info! Please have a look at the API AreFileApisAnsi from Kernel32.
If the first byte read from the API is neither $55 nor $8B, the API is definitely inline-hooked.
I think I could possibly come up with something that runs on all systems and with all APIs. If I ever feel really motivated, I may sit down and try it.

Hello Frank, it now works under Windows 2000 too. I only have a problem with the Profan editor, but that's probably not due to you.
Very interesting, what Windows does there! I'll keep looking into it.

Frank Abbing | Great! It works under Vista too; Rolf tested that a little while ago. Vista has the same DLL start codes as XP.
Now I can program something useful, now that everything is in place.

Dieter Zornow | I think your tool is too dangerous. I have the problem that on my machine only psapi.dll is ever displayed, nothing else. That DLL is a Microsoft DLL that comes with SP2; among other things it is loaded by Explorer and by my antivirus program. While testing your last version, my firewall reported that my antivirus program had to be terminated because memory had been overwritten. So the whole thing isn't entirely safe. I think it has to do with my combination: the virus scanner and the firewall together.
Virus scanner Antivir, firewall Outpost
Regards
Dieter

He is a man like a tree. They call him Bonsai., Win 7 32 bit and Win 7 64 bit, with XProfan X2 | 03/25/07

Frank Abbing | Dieter, perhaps another program on your system is hooking as well. Could it be that you have caught a Trojan?
AntiVir isn't particularly reliable these days. I wasn't happy with it any more after it let Trojans through on my machine several times and generally put too much load on my system. I now use only Avast; you hardly notice it, and so far nothing has got through.

Hello Dieter...
Now it's getting really interesting! What does your system say about ProcessHider on my homepage? Pretty please test it! But first check with ProcHunter whether a Trojan (rootkit) might be up to no good after all.

Dieter Zornow | Hello Frank,
I have now tested my system with several rootkit scanners; none found anything. There is only the driver of my firewall, which hooks 2 functions. The behaviour with your tool is also reproducible. Your hooks overwrite a memory region, and if a program happens to be there or is using it, it crashes, which is why I don't consider the whole thing safe.
@Andreas, I tried your Process-Hider; as far as I can judge, everything runs normally. I only noticed that if I hide a completely normal application, it is invisible only in your tool, even after a refresh. The Task Manager still shows it quite normally under Applications. I also tried ProcHunter; it shows no hidden processes. Only when I untick Native ID are red entries found, but they show only the ID and no name, not in the edit box, so I can't attribute them. I downloaded some rootkit scanners from the internet; most also search for hooks.
Regards
Dieter

03/25/07