Hi there. Is there any way to prevent global hooks (created, for example, by some malicious code) from attaching to my process? Or at least some way to detach them?
Humm... dunno if there's any clean way (run your app with SYSTEM credentials, or as a different user and force all other users to be non-admins?) - or perhaps hooking either a lot of APIs, or at a lower (Nt* Zw*) level. But I don't know if there's a clean-and-easy way.
For what purpose do you need this?
Mainly educational purposes. I wanted to write such an application (resistant to global hooks) just to prove that I can.
Oh well, looks like I'll have to drop the idea, since there is no clean way to do that, as you say, and I don't like writing HaXX0roUz code ^^
Other possible method - most hooks will be on kernel32 or user32...
You could load user32 / kernel32 into memory as a data file, perform
fixups on the data (reloc shit)... and then 'refill' the APIs within your
code, thereby getting the 'clean' kernel32 / user32 in your code, bypassing
the hooks...
Ultimately, this all depends on the level at which the hooks were applied
and whether the kernel32 / user32 / whatever module was actually patched
on disk or not...
It's doable though... just depends on your method.
If you want to skip userland hooks you just have to call the kernel directly with "sysenter" (or "int 2E" for < XP).
Hence if you don't use any call to the DLLs "kernel32, ntdll" you won't be hooked.
Problem with that is that the sysenter stuff might change between OSes and/or updates.