[Tigzy]

Why you want to unhook? To use free from hooks API, or what?

For fun ;)
This is more for challenging than to use absolutely in my product.

Hook can be installed deeper in function or/and it can be existing instruction patch.

Yes, but as I'm able to retrieve the original function from disk, I can go deeper to compare
And if this is hot patch from any program, I can get the module where it lies and compare to a WL. All this design is already done for my SSDT hooks which can also be legit

cmpxchg8b, cmpxchg16b

Thanks, I guess this is atomic functions?

---

I saw cli / sti could have been good, but not for multiprocessor systems.
I can't stop interrupts on every processor, cause we cannot decide which one we use.

[lorddoskias]

There is this very ugly hack where you can dispatch a DPC on every cpu core to spin in an empty while(custom-condition), do your patching and then set the custom-condition so that you can exit the DPC. But this is inherently unsafe :)

[Tigzy]

But this is inherently unsafe

This is maybe unsafier than doing nothing except praying for no BSOD :D

[lorddoskias]

How so? In one case you will be exchanging atomically 8/16 bytes at a time and in the DPC case you can exchange however many you like, as long as you can guarantee that the code is nonpaged since the page fault handler won't be able to kick in if you incur a page fault? Now, if any of the cores was in the middle of executing a hooked portion of an instruction and you overwrite it - thing might get messy, but the same can happen if you use the cmpxchg instructions - you overwrite 8/16 bytes of a larger inline hook and then it can crash again?

[nullptr]

Why not just call a clean stub that then jumps into the hooked function further down the track? That way you avoid any need to unhook.

[Tigzy]

Cause the need to unhook is system wide, not only for my app.
This is to cut the malware selfprotection

[Tigzy]

Hello

Just to say with the uglyiest way to do the app is stable, with no BSOD, and the inline hook is restored.
Tested on IceWord, by removing NtOpenProcess / NtTerminateProcess hooks, I'm able to kill it with task manager

Code: Select all

void RestoreInlineByAdress (DWORD dw_addr, BYTE* bytesToRestore, DWORD beginAtOffset)
{	
	int i = 0;	
	for (i = 0 ; i < BytesToGetFromNtos ; i++)
	{
		*((PBYTE)(dw_addr+beginAtOffset+i)) = bytesToRestore[i];
	}
}

BytesToGetFromNtos is 16...

@EP_X0FF: Do you have a short example on how to use cmpxchg16b ?

I found this : http://stackoverflow.com/questions/4825 ... 6b-correct
But seems too complicated to work in the kernel (template, volatile, ...)

[EP_X0FF]

@EP_X0FF: Do you have a short example on how to use cmpxchg16b ?

I found this : http://stackoverflow.com/questions/4825 ... 6b-correct
But seems too complicated to work in the kernel (template, volatile, ...)

It is not recommended to use if you plan to support all machines, for example early versions even AMD 64-bit hardware do not support this instruction. The CMPXCHG16B instruction is available in 64-bit mode only. It is an extension of the functionality provided by CMPXCHG8B that operates on 128-bits of data, instuction compares 128 bit value in rdx:rax with the dest (r128) value. If they equal Zero flag is set and rcx:rbx copied in r128. Else the rdx:rax loaded with value in the r128.

Suggestion, before looking for any kind of C++ and other BS code snippets - check MSDN/Intel manuals first.
http://www.intel.com/content/dam/www/pu ... 325462.pdf

[Tigzy]

Ok, thanks.
Will work with my ugly loop for the moment. I will look at this, and at the synchronisations APIs provided by microsoft (spinlock, ...)

EDIT: That is a big doc... :shock:

[Tigzy]

In some case I got BSoD due to read-only memory writing (tried to unhook Avast :D ).
I guess maybe Avast protects its hooks...

Is there a mean to not crash the system with that? maybe with a try ... catch ?