Windows anti-message hook (2)

Windows message hooks are generally familiar. It is widely used. It is familiar with the use of keyboard hooks to obtain the keyboard input of the target process, so as to obtain various types of passwords for ulterior motives. Is there a way for a friend to prevent his software from being monitored by others' global hooks? The answer is yes, but there are also some defects.

1. How to inject global hooks into other processes

The message hook is provided by the Win32 subsystem. Its core component uses ntusersetwindowshookex to provide users with system services for setting message hooks. Users can use it to register global hooks. When the system obtains certain events, such as user buttons and keyboard drivers, it transmits scanning codes to the keyevent processing function of win32k. The processing function determines whether there is a corresponding hook, and then callhook. At this point, the system obtains the hook object information. If the target process does not load the corresponding DLL, it will load it (using the keusermodecallback "call" User routine, which is different from the APC call, it is a copy of the interrupted return environment, and its call is "immediate ).

After entering the kiusercallbackdispatcher in the user State, kiusercallbackdispatcher obtains the required functions and Parameters Based on the transmitted data, and then calls them. For the above example, to load the hook DLL, The loadlibraryexw is called, and then enters ldrloaddll. After loading, the result is returned. The subsequent steps are not described.

From the above discussion, we can come up with the simplest anti-intrusion solution: hook the corresponding API before loading the hook DLL to make loading fail, but there is a defect: the system will not give up because of one failure. Every time a message is generated, the system will try to load the DLL in your process to call the hook. This has some slight impact on the performance, but it should not be felt. The remaining problem is that not all loadlibraryexws should be intercepted, which is easy to solve, such as determining the return address. The following is an example of how to add some judgments so that some hook DLL files that can be loaded are loaded.

Here, the hook api uses Microsoft's detours library, which can be modified on its own.


The following is the program code:

Typedef hmodule (_ stdcall * loadlib) (lpcwstr lpwlibfilename, handle hfile, DWORD dwflags); extern "C" {partition (hmodule _ stdcall partition (lpcwstr lpwfillibename, handle hfile, DWORD dwflags), loadlibraryexw);} ulong USER32 = 0; hmodule _ stdcall mine_loadlibraryexw (lpcwstr lpwlibfilename, handle hfile, DWORD dwflags) {ulong ADDR; _ ASM mov eax, [EBP + 4] _ ASM mov ADDR, eax if (USER32 & 0xffff0000) = (ADDR & 0xffff0000) {return 0;} hmodule res = (loadlib (real_loadlibraryexw )) (lpwlibfilename, hfile, dwflags); Return res;} bool processattach () {combine (pbyte) real_loadlibraryexw, (pbyte) mine_loadlibraryexw); Return true;} bool processdetach () {detourremove (pbyte) extract, (pbyte) mine_loadlibraryexw); Return true;} canti_hookapp: canti_hookapp () // call processattach {USER32 = (ulong) before using the user interface service) getmodulehandle ("user32.dll"); processattach ();}

Apihook with IAT in Windows core programming is not comprehensive.

 ::GetProcAddress(::GetModuleHandle("kernel32.dll"),   "SetWindowsHookA");   

You can bypass it.

The best method for apihook is to directly modify the code of the API entry point.

At the same time, hook getprocaddress is not enough, but it is useless if the other party uses the search PE function to export the table.

Prevent IAT hooks. If I encrypt the IAT of a PE file and call it through decryption, I CAN (extremely complicated)

I did not expect a good solution to prevent JMP hooks.
To prevent debugging, I can determine whether int3 has interrupted the code at the API entrance (simple)

In fact, the core of anti-interception of message Hooks is to use API Interception to cancel hook interception.

If the API Interception is cracked, the message hook anti-interception fails.