Avoid or detect API hooking


Pryrates
August 2nd, 2005, 09:22 AM
Hello,

I found many articles about API hooking.

The problem is that the API hook maps an unknown (and malicious?) DLL into the address space of the program. Now the DLL can change the IAT (import address table) and control the API calls of the program.

But how can I avoid or detect if one of my programs is hooked? Is it possible to avoid or detect the changes in the IAT?


Bye,
Pryrates.
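
The IAT rewrite described in the post above leaves a checkable trace: each IAT slot should point into the image of the DLL its import names. The following is an added example, not code from this thread; it runs over a constructed module list and IAT (made-up addresses, lower-case names) instead of a live process, and its one-entry forwarder allow-list is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: on Windows these values come from the PE import
   directory and the loader's module list. All addresses are made up. */
typedef struct { const char *name; uintptr_t base; size_t size; } Module;
typedef struct { const char *dll, *func; uintptr_t target; } IatEntry;
static const Module MODS[] = {
    {"app.exe",      0x00400000u, 0x10000}, {"kernel32.dll", 0x7C800000u, 0xF0000},
    {"ntdll.dll",    0x7C900000u, 0xB0000}, {"user32.dll",   0x7E410000u, 0x90000},
    {"unknown.dll",  0x10000000u, 0x08000},
};
static const IatEntry IAT[] = {
    {"kernel32.dll", "CreateFileA", 0x7C801A28u},  /* inside kernel32: clean      */
    {"kernel32.dll", "HeapAlloc",   0x7C9100C4u},  /* forwarded into ntdll: clean */
    {"user32.dll",   "MessageBoxA", 0x10001200u},  /* inside unknown.dll: hooked  */
    {"kernel32.dll", "WriteFile",   0x00A30000u},  /* in no module: hooked        */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Module whose image contains addr, or NULL if addr lies outside all of them. */
static const Module *owner_of(uintptr_t addr) {
    for (size_t i = 0; i < COUNT(MODS); i++)
        if (addr >= MODS[i].base && addr - MODS[i].base < MODS[i].size)
            return &MODS[i];
    return NULL;
}

/* Forwarded exports resolve into another system DLL (kernel32!HeapAlloc is
   forwarded to ntdll), so such pairs are allow-listed to avoid false alarms. */
static int forward_ok(const char *from, const char *to) {
    return strcmp(from, "kernel32.dll") == 0 && strcmp(to, "ntdll.dll") == 0;
}

/* 1 if IAT slot i points outside the DLL its import names, else 0. */
int slot_is_hooked(size_t i) {
    const Module *o = owner_of(IAT[i].target);
    if (o == NULL) return 1;  /* target is in no loaded module */
    return strcmp(o->name, IAT[i].dll) != 0 && !forward_ok(IAT[i].dll, o->name);
}

int main(void) {
    for (size_t i = 0; i < COUNT(IAT); i++)
        if (slot_is_hooked(i)) printf("suspicious: %s!%s\n", IAT[i].dll, IAT[i].func);
    return 0;
}
```

A hook that patches the first bytes of the target function instead of the IAT slot passes this check, because the slot still points into the right DLL.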

d_preety
August 17th, 2005, 01:03 PM
Hi,

I have a question.
I am not able to hook my program... How do you do that?

I want to detect one of my windows and want to determine when it closes or starts...

I am not able to hook it.

Thanks in advance.

NoHero
August 17th, 2005, 01:10 PM
Hi,

I have a question.
I am not able to hook my program... How do you do that?

I want to detect one of my windows and want to determine when it closes or starts...

I am not able to hook it.

Thanks in advance.

If it is your application's window, why not just handle WM_CLOSE in your window procedure? :confused:

d_preety
August 17th, 2005, 01:14 PM
Can you give me an example using code?

Thanks
Preeti

NoHero
August 17th, 2005, 01:25 PM
Can you give me an example using code?

Thanks
Preeti

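That's quite easy and does not require hooking... If you have ever created a window using CreateWindow(Ex)() and/or a dialog with DialogBox() or CreateDialog(), you will know what a window procedure looks like. And inside, just handle WM_CLOSE... :confused:

#include <windows.h>

LRESULT CALLBACK MyWndProc ( HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam )
{
    switch ( msg )
    {
        // others here
        case WM_CLOSE:
        {
            // handle!
        } break;
    }
    // Everything not fully handled above goes to the default procedure,
    // which also supplies the return value the original snippet lacked.
    return DefWindowProc ( hwnd, msg, wParam, lParam );
}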

kirants
August 17th, 2005, 01:35 PM
To d_preety, please create a new thread if you have a question that is not related to a thread. Note that the question of this thread was how to detect hooking, and you seem to have diluted the focus of this thread by posting a different question.

To OP,
But how can I avoid or detect if one of my programs is hooked? Is it possible to avoid or detect the changes in the IAT?
I don't think that is possible. At least not that I am aware of.

d_preety
August 17th, 2005, 02:09 PM
So to detect when a window closes I don't need to hook my application?
Is that what you are saying?

Just need what you are saying... I am confused. Please help. Thanks

Here is my code:


#include <windows.h>

// CTouchScreenAPI and pszABSPOINT_WND_CLASS_NAME are declared elsewhere
// in the poster's project (not shown in the post).

LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
// Window callback procedure


// Initialized data to be shared with all instances of the DLL
#pragma data_seg("Shared")
HWND hCalWin = NULL;
HWND hApp = NULL;
int num = 0;
bool done = FALSE;
HINSTANCE hInstance = NULL;
#pragma data_seg()
// end of initialized shared data

// Uninitialized data to be shared with all instances of the DLL
#pragma bss_seg("Shared1")
HWND hndll[100];
int form[100];
long OldWndHndl[100];
bool blnsubclassed[100];
HHOOK hWinHook;
#pragma bss_seg()
// end of uninitialized shared data

int WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
        {
            hInstance = (HINSTANCE) hinstDLL;
        }
        break;
        case DLL_PROCESS_DETACH:
        {

        }
        break;
    }
    return TRUE;
}


MSG msg;
LRESULT CALLBACK CBTProc (int nCode, WPARAM wParam, LPARAM lParam);

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    CTouchScreenAPI* pTouch;
    pTouch = CTouchScreenAPI::Create();
    if (pTouch)
    {
        if (pTouch->Init())
            pTouch->Recalibrate();
        else
            MessageBox(NULL, "Created touchscreen interface OK, but Init() failed", "Info", MB_OK);
    }

    hCalWin = ::FindWindow(pszABSPOINT_WND_CLASS_NAME, NULL);

    // Installing CBT hook
    hWinHook = SetWindowsHookEx(WH_CBT, CBTProc, hInstance, 0);
    if (hWinHook == NULL)
    {
        // SetWindowsHookEx failed
        MessageBox(NULL, "Hook procedure is monitored", "HOOK", MB_OKCANCEL);
        return 0;
    }

    // Getting messages until WM_QUIT

    int bRet;
    while ( (bRet = GetMessage( &msg, NULL, 0, 0 )) != 0)
    {
        if (bRet == -1)
        {
            MessageBox(NULL, "Error in the application", "Message", MB_OKCANCEL);
            // handle the error and possibly exit
        }
        else
        {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    }
    if (UnhookWindowsHookEx(hWinHook) == 0)
    {
        MessageBox(NULL, "Windows UnHooked failure", "UNHOOK", MB_OKCANCEL);

    }
    MessageBox(NULL, "Terminating Program", "TProgram", MB_OKCANCEL);
    return 0;

}

// The CBT hook proc
LRESULT CALLBACK CBTProc (int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode == HCBT_DESTROYWND) // called when the application window is destroyed
    {
        if ((HWND)wParam == hCalWin)
            SendNotifyMessage(hApp, WM_APP + 1024, (WPARAM) wParam, (LPARAM) lParam); // Send the message to the application

        //MessageBox(NULL, "Window is destroyed", "Message", MB_OKCANCEL);
        //PostQuitMessage(0);
    }

    return CallNextHookEx(NULL, nCode, wParam, lParam);
}
// end of hook procedure


// Window procedure for the subclassed windows
LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    int val = -1; // index of hwnd in hndll[]; -1 until found
    int count;
    for (count = 0; count < num; count++)
    {
        if (hndll[count] == hwnd)
        {
            val = count;
        }
    }
    // hwnd is not one of the subclassed windows: do not index OldWndHndl[]
    if (val < 0)
        return DefWindowProc(hwnd, uMsg, wParam, lParam);

    long result;
    if (uMsg == WM_COMMAND) // WM_COMMAND is 273 (0x0111)
        if (HIWORD (wParam) == 0)
            result = SendNotifyMessage(hApp, WM_APP + 1024, (WPARAM)(LOWORD(wParam)), (LPARAM) uMsg);
    return CallWindowProc((WNDPROC)OldWndHndl[val], hwnd, uMsg, wParam, lParam);
}