Hi there. Is there any way to prevent global hooks (created, for example, by some malicious code) from attaching to my process? Or at least some way to detach them?
Posted on 2007-05-02 15:28:20 by ti_mo_n
Hmm... dunno if there's any clean way (run your app with SYSTEM credentials, or as a different user and force all other users to be non-admins?) - or perhaps hooking either a lot of APIs, or at a lower (Nt* / Zw*) level. But I don't know if there's a clean-and-easy way.

For what purpose do you need this?
Posted on 2007-05-02 18:11:00 by f0dder
Mainly educational purposes. I wanted to write such an application (resistant to global hooks) just to prove that I can.

Oh well, looks like I'll have to drop the idea, since there is no clean way to do that, as you say, and I don't like writing HaXX0roUz code ^^
Posted on 2007-05-02 23:05:14 by ti_mo_n
Other possible method - most hooks will be on kernel32 or user32... you could load user32 / kernel32 into memory as a data file, perform fixups on the data (reloc shit), and then 'refill' the APIs within your code, thereby getting the 'clean' kernel32 / user32 in your code, bypassing the hooks...

Ultimately, this all depends on the level at which the hooks were applied and whether the kernel32 / user32 / whatever module was actually patched on disk or not...

It's doable though... just depends on your method.
Posted on 2007-05-03 06:21:42 by evlncrn8
If you want to skip userland hooks you just have to call the kernel directly with "sysenter" (or "int 2E" for <XP).
Hence, if you don't make any calls into the DLLs (kernel32, ntdll), you won't be hooked.
Posted on 2007-05-03 11:25:47 by drizz
Problem with that is that the sysenter stuff might change between OSes and/or updates.
Posted on 2007-05-04 05:00:21 by evlncrn8