Create an account

Very important

  • To access the important data of the forums, you must be active in each forum and especially in the leaks and database leaks section, send data and after sending the data and activity, data and important content will be opened and visible for you.
  • You will only see chat messages from people who are at or below your level.
  • More than 500,000 database leaks and millions of account leaks are waiting for you, so access and view with more activity.
  • Many important data are inactive and inaccessible for you, so open them with activity. (This will be done automatically)

0Day Forums Coding C & C++ Detect API hooking

Thread Rating:
  • 427 Vote(s) - 3.49 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Options
Detect API hooking

Offline unfairness378168


Valued member
***
Valued member
Posts: 0
Threads: 0
Joined: Jan 2021
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#1
06-08-2017, 09:43 AM
Hey, so recently I have been wondering how to detect API hooking to aid prevent cracking, I have been reading up on methods and so far I understand there are two ways of doing it:
  1. Check Calls to VirtualProtect
  2. Hook the IAT address of the process and save bytes into memory, then copy again at a later stage and compare

I am new to anti RE but would love to know any other ways/information about this.
Reply

Offline morphologist679226


Retired Staff
*********
Retired Staff
Posts: 0
Threads: 0
Joined: Aug 2021
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#2
07-03-2017, 07:35 PM
I personally am attached to comparing old IAT data to new IAT data, its easy to implement and hard to get around. However my advice would not be to focus so much on anti-debugging but instead proper obfuscation. If you want to see some killer examples of this,

[To see links please register here]

is excellent and has a lot of documentation inside.
Reply

Offline underlife8775


Valued member
***
Valued member
Posts: 0
Threads: 0
Joined: Feb 2020
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#3
04-25-2018, 10:46 PM
You could compare bytes of a function to what they should be by reading the file off the disk. Also, make sure functions don't start with something like a jmp or call when they aren't supposed to.
Reply

« Next Oldest
Next Newest »


Forum Jump:


Users browsing this thread:
1 Guest(s)

©0Day  2016 - 2023 | All Rights Reserved.  Made with    for the community. Connected through