Originally posted by: Binay Khandelwal
The code causes access violation in Windows 2000 OS. I tried hooking TabbedTextOut function in user32.dll. In 9x it s properly working for the call TabbedTextOutA. For Wiondows 2000 its causing AccessViolation though the function is trapped.
Binay Khandelwal
ReplyOriginally posted by: Rezmond
Im sure you already know of the faults but il let eceryoen know anyway.
The first is , if the function is dynamically loaded in the applicaiton with "LoadLibrary" and "GetProcAddress" then it wont be in the import table.
Therefore the functions will not be hooked at all.
The second is they assume the function is going to create a window of some sort , they rely on the function to cause an event that will set off the WH_CBT.
Yes you can change this to a different hook or add many hooks but if you have a trojan for instance and u are trying to to stop the trojan then this is not much good. Since a trojan is not likley to create a main window or move the mouse etc. Therefore u cant hook the trojans calls
(e.g BO2k will completely avoid being caught by this app)
Rather than hooking the import table of each module wouldnt it be better to modify the export table of the target dll?
Then every app would be immidiatley effected.
Delphi programs are a good example , just about all functions in a delphi program are dynamically loaded.
It is near impossible to hook anything in a delphi program.
Reply