A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #153  by Dreg
 Mon Mar 15, 2010 9:03 am
EasyHook starts where Microsoft Detours ends.

This is my favorite engine, very interesting the Thread Deadlock Barrier:

This project supports extending (hooking) unmanaged code (APIs) with pure managed ones, from within a fully managed environment like C# using Windows 2000 SP4 and later, including Windows XP x64, Windows Vista x64 and Windows Server 2008 x64. Also 32- and 64-bit kernel mode hooking is supported as well as an unmanaged user-mode API which allows you to hook targets without requiring a .NET Framework on the customer's PC. An experimental stealth injection hides hooking from most of the current AV software.

http://www.codeplex.com/easyhook <- The engine URL
http://appstract.googlecode.com/files/Thesis-v1.pdf <- Literature Related to EasyHook

The following is an incomplete list of features:

* A so-called "Thread Deadlock Barrier" will get rid of many core problems when hooking unknown APIs; this technology is unique to EasyHook
* You can write managed hook handlers for unmanaged APIs
* You can use all the convenience managed code provides, like .NET Remoting, WPF and WCF for example
* A documented, pure unmanaged hooking API
* Support for 32- and 64-bit kernel mode hooking (also check out my PatchGuard 3 bypass driver which can be found in the release list)
* No resource or memory leaks are left in the target
* Experimental stealth injection mechanism that won't raise attention of any current AV Software
* EasyHook32.dll and EasyHook64.dll are pure unmanaged modules and can be used without any .NET framework installed!
* All hooks are installed and automatically removed in a stable manner
* Support for Windows Vista SP1 x64 and Windows Server 2008 SP1 x64 by utilizing totally undocumented APIs, to still allow hooking into any terminal session.
* Managed/Unmanaged module stack trace inside a hook handler
* Get calling managed/unmanaged module inside a hook handler
* Create custom stack traces inside a hook handler
* You will be able to write injection libraries and host processes compiled for AnyCPU, which will allow you to inject your code into 32- and 64-Bit processes from 64- and 32-Bit processes by using the very same assembly in all cases.
* EasyHook supports RIP-relative addressing relocation for 64-Bit targets.
* No unpacking/installation necessary.
* The Visual Studio Redistributable is not required.
 #154  by Dreg
 Mon Mar 15, 2010 9:05 am
The Microsoft Detours Engine:

Overview

Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by rewriting the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

http://research.microsoft.com/en-us/projects/detours/ <- Engine URL
http://research.microsoft.com/apps/pubs ... x?id=68568 <- Galen Hunt and Doug Brubacher, Detours: Binary Interception of Win32 Functions, in Third USENIX Windows NT Symposium, USENIX, July 1999
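As an added example that is not part of this thread or of the Detours package: a defender-side check for the entry-point rewrite the overview describes. It compares a function's first bytes as mapped in memory against the on-disk image and, when they differ, recognises the common redirection stubs (the 5-byte jmp rel32 that Detours writes, push/ret, and mov rax/jmp rax) and recovers where control is diverted to. All sample bytes, addresses and names (classify_entry, SAMPLE_FUNC_ADDR) are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Result of comparing a function's entry bytes in memory against the disk image. */
typedef enum {
    ENTRY_CLEAN = 0,      /* prologue matches the on-disk image */
    ENTRY_JMP_REL32,      /* E9 rel32: the 5-byte jump Detours-style engines write */
    ENTRY_PUSH_RET,       /* 68 imm32 C3: push target; ret */
    ENTRY_MOV_RAX_JMP,    /* 48 B8 imm64 FF E0: mov rax, imm64; jmp rax */
    ENTRY_MODIFIED_OTHER  /* differs from disk, but not a stub shape we know */
} entry_kind;
static uint32_t rd32(const uint8_t *p) {               /* little-endian read */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* mem:  first `len` bytes of the function as mapped in the process at `addr`
 * disk: the same bytes read from the module file (the hook-free reference)
 * On a recognised stub, *target receives the address control is diverted to. */
entry_kind classify_entry(const uint8_t *mem, const uint8_t *disk, size_t len,
                          uint64_t addr, uint64_t *target)
{
    *target = 0;
    if (memcmp(mem, disk, len) == 0)
        return ENTRY_CLEAN;
    if (len >= 5 && mem[0] == 0xE9) {                      /* jmp rel32 */
        int32_t rel = (int32_t)rd32(mem + 1);              /* relative to next insn */
        *target = (uint64_t)((int64_t)addr + 5 + rel);
        return ENTRY_JMP_REL32;
    }
    if (len >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {    /* push imm32; ret */
        *target = (uint64_t)(int64_t)(int32_t)rd32(mem + 1); /* imm32 is sign-extended */
        return ENTRY_PUSH_RET;
    }
    if (len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
        mem[10] == 0xFF && mem[11] == 0xE0) {              /* mov rax,imm64; jmp rax */
        *target = (uint64_t)rd32(mem + 2) | ((uint64_t)rd32(mem + 6) << 32);
        return ENTRY_MOV_RAX_JMP;
    }
    return ENTRY_MODIFIED_OTHER;
}
/* Constructed sample (not from any real module): a typical x64 prologue as stored
 * on disk, and the same 12 bytes after a jmp to 0x7FF812345678 was written over
 * its first five bytes; bytes 5..11 stay untouched, as with a Detours-style patch. */
#define SAMPLE_FUNC_ADDR 0x7FF800001000ULL
static const uint8_t sample_disk[12] =
    { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B };
static const uint8_t sample_hooked[12] =
    { 0xE9, 0x73, 0x46, 0x34, 0x12, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B };
```

In a real scan the on-disk bytes come from the module file mapped with the same relocations applied; a mismatch that is not one of these stub shapes still deserves a look.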
 #241  by Meriadoc
 Tue Mar 16, 2010 9:51 am
EasyHook and bypassing (disabling) PatchGuard was some really great work.
 #1303  by __Genius__
 Sun Jun 20, 2010 12:20 pm
Magic Api Hook Engine v1.0
This is a simple user-mode (Ring 3) all-around process API hooker,
just for the WinNT family.
Open source with samples.
http://magic.shabgard.org/MagicApiHook.zip
 #1306  by Evilcry
 Mon Jun 21, 2010 5:58 am
Hi,

Also take a look at Nektra products, especially Deviare, which delivers an easy interface for COM component hooking
(the same technique used by advanced rootkit technology to intercept voice chats over Skype).

http://nektra.com/products/deviare-api-hook-windows/

Also of great help is Trappola, which is a code interception engine.

http://nektra.com/products/trappola-api-hook-library

Regards,
Giuseppe 'Evilcry' Bonfa
 #1366  by nick
 Tue Jun 29, 2010 6:38 pm
Hi,

Nektra offers various decent products.
Also take a look at madCodeHook:

madCodeHook offers everything you need to hook code (mostly APIs) in all 32- and 64-bit Windows operating systems from Windows 95 to Windows 7. You can choose whether you want to hook APIs in your own process, or in a specific target process, or system wide.
http://madcollection.madshi.net/madCode ... iption.htm

Advanced API Hook Library by Ms-Rem:
http://www.wasm.ru/pub/21/hles/advapihook.rar

http://uall.cheat-project.com/uallCollection/
Cheers