

Topic created on: January 21, 2007 09:06 CST by ali.
Hello All
Sorry, if my questions are too elementary. I am somehow new to reverse code engineering. I am looking for some information about hook-proofing DLLs. Can anyone introduce some sources of information about the issue?
Best Regards
Ali
I don't really think you can hook-proof it. There are always kernel mode methods that will thwart your hook-proof attempts.
You can do simple preventions against normal hook methods such as verifying the integrity of the EAT or IAT, or looking for BPs at certain functions.
|
> Raindog: I don't really think you can hook-proof it. There are always kernel mode methods that will thwart your hook-proof attempts.
>
> You can do simple preventions against normal hook methods such as verifying the integrity of the EAT or IAT, or looking for BPs at certain functions.
Hello Raindog
Thanks for your comments.
Sorry, I don't know too much about Windows internals. Can you explain more about those kernel mode methods?
Best Regards
Ali
|
As a general rule of thumb, when one wishes to reverse engineer (or even harder, protect against reverse engineering) a new platform, one must first understand it well. If you don't understand the EAT and IAT, you better start reading -- there are few, if any, "quick fixes" for RE or anti-RE.
Just my 2 cents...
|
Ali, I think you will find the same thing that PSUJobu just said. There might be a few quick fixes, but they all have quick workarounds.
|
Hi Raindog
Thanks, anyway.
Best Regards
|
> PSUJobu: As a general rule of thumb, when one wishes to reverse engineer (or even harder, protect against reverse engineering) a new platform, one must first understand it well. If you don't understand the EAT and IAT, you better start reading -- there are few, if any, "quick fixes" for RE or anti-RE.
>
> Just my 2 cents...
Hi PSUJobu
Thanks for your guidance. I have already started reading about RE. Well, I think reading is not the only way of understanding; maybe asking questions is another way :).
Anyway, thanks.
Best Regards
|
Of course it is, but to understand the answer you need to know some basics. There are different types of user mode and kernel mode hooking methods; this is a huge topic. For a quick start take a look at Greg's Rootkit book, which is good for newcomers, presenting very nice starting points. There you will find good materials about user mode and kernel mode hooks. Also take a look at OpenRCE's bookstore. Regarding where you live, if you don't have access to the Amazon bookstore drop me a line :)
|
> ali:
> Hi PSUJobu
> Thanks for your guidance. I have already started reading about RE. Well, I think reading is not the only way of understanding; maybe asking questions is another way :).
> Anyway, thanks.
Quite true, but MohammadHosein's response is quite valid: you need to understand some basics. I was just cautioning you that there is no quick answer to your question. Countless companies have spent countless sums to prevent RE for various reasons (e.g., protecting intellectual property or preventing software piracy), and countless other companies and individuals have thwarted those efforts. It is a non-trivial, but highly challenging and interesting, problem.
If you have questions as you learn, ask away. OpenRCE is a great forum for open discussions of such topics...
Best of Luck
|
> PSUJobu: > ali:
> > Hi PSUJobu
> > Thanks for your guidance. I have already started reading about RE. Well, I think reading is not the only way of understanding; maybe asking questions is another way :).
> > Anyway, thanks.
>
> Quite true, but MohammadHosein's response is quite valid: you need to understand some basics. I was just cautioning you that there is no quick answer to your question. Countless companies have spent countless sums to prevent RE for various reasons (e.g., protecting intellectual property or preventing software piracy), and countless other companies and individuals have thwarted those efforts. It is a non-trivial, but highly challenging and interesting, problem.
>
> If you have questions as you learn, ask away. OpenRCE is a great forum for open discussions of such topics...
>
> Best of Luck
Hello PSUJobu
Thanks. Certainly, I will ask my questions, thanks a lot.
Best Regards
|
The simplest way of protecting against hooking is to checksum your DLL, or, if you're trying to protect against API functions being hooked, check the first 5 bytes for patches or any non-standard code (the first 5 bytes of almost every API are the same).
Also, it's important that you force the values in the hardware breakpoints to be set. Rely on the presence of all 4 hardware breakpoints at certain addresses in your code, so that they cannot be used to hook your code invisibly. Do not just rely on checking them via GetThreadContext, as that can be hooked and its results distorted.
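As an added illustration (not code from anyone in this thread), the portable C below models the two self-checks suggested above and in Raindog's earlier reply: classifying the first bytes of an API entry against the expected prologue, and checksumming a code region against a value recorded at build time. The "standard 5 bytes" are assumed to be the hot-patchable `mov edi,edi; push ebp; mov ebp,esp` prologue of 32-bit Windows APIs of that era; the byte buffers in the test are constructed, not read from a real DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumption for this example: the hot-patchable prologue most 32-bit
 * Windows API functions of the XP era start with:
 *   8B FF      mov edi,edi
 *   55         push ebp
 *   8B EC      mov ebp,esp */
static const uint8_t kStdPrologue[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

enum hook_verdict {
    HOOK_NONE = 0,       /* prologue is exactly as expected */
    HOOK_JMP_REL32,      /* E9 rel32: relative jmp planted at entry */
    HOOK_JMP_INDIRECT,   /* FF 25 disp32: jmp through a pointer */
    HOOK_PUSH_RET,       /* 68 imm32 C3: push address; ret */
    HOOK_PROLOGUE_DIFF   /* any other change to the first bytes */
};

/* Classify the first bytes at a function entry. len is how many bytes
 * are readable at code; at least 6 are needed to recognise push/ret. */
enum hook_verdict classify_entry(const uint8_t *code, size_t len)
{
    if (len < sizeof kStdPrologue)
        return HOOK_PROLOGUE_DIFF;              /* cannot vouch for it */
    if (code[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return HOOK_PUSH_RET;
    if (memcmp(code, kStdPrologue, sizeof kStdPrologue) != 0)
        return HOOK_PROLOGUE_DIFF;
    return HOOK_NONE;
}

/* FNV-1a (32-bit) over a region: the "checksum your DLL" check. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* 1 if the region still hashes to the value recorded at build time. */
int region_intact(const uint8_t *p, size_t n, uint32_t expected)
{
    return fnv1a32(p, n) == expected;
}
```

In a real DLL the buffer handed to classify_entry would be the address returned by GetProcAddress, and the expected checksum would be computed over the code section after the build and stored where the check can find it.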