Is it possible to tell which APIs have been hooked in Windows XP using VB? Thank you
I'm pretty sure your answer is no, but what is a "hooked API"?
Here, try this. I modified it quite a bit from this link. This version will only run on NT. To run on 64-bit systems, different APIs are needed. Add a listbox and command button to a form & copy & paste.
P.S. To run on Win9x systems, that was shown in the link I provided.

Code:
Option Explicit

Private Declare Function GetCurrentProcessId Lib "kernel32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32.dll" _
    (ByVal Handle As Long) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" _
    (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, _
    ByVal dwProcId As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "psapi.dll" _
    (ByVal hProcess As Long, ByVal hModule As Long, _
    ByVal ModuleName As String, ByVal nSize As Long) As Long
Private Declare Function EnumProcessModules Lib "psapi.dll" _
    (ByVal hProcess As Long, ByRef lphModule As Long, _
    ByVal cb As Long, ByRef cbNeeded As Long) As Long

Private Const PROCESS_QUERY_INFORMATION = 1024   ' &H400
Private Const PROCESS_VM_READ = 16               ' &H10
Private Const MAX_PATH = 260

Private Sub Command1_Click()
    Dim cbNeeded As Long
    Dim Modules() As Long
    Dim lRet As Long
    Dim ModuleName As String
    Dim hProcess As Long
    Dim i As Long

    List1.Clear
    ' Get a handle to the process (here: our own process)
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, _
                           0, GetCurrentProcessId)
    If hProcess <> 0 Then
        ' First call with room for one handle, just to learn how many bytes are needed
        ReDim Modules(1 To 1)
        lRet = EnumProcessModules(hProcess, Modules(1), 4, cbNeeded)
        If lRet Then
            ' Second call with an array big enough for every module handle
            ReDim Modules(1 To cbNeeded \ 4)
            Call EnumProcessModules(hProcess, Modules(1), cbNeeded, cbNeeded)
            ' Look up the full path of each module and list it
            For i = 1 To UBound(Modules)
                ModuleName = Space$(MAX_PATH)
                lRet = GetModuleFileNameExA(hProcess, Modules(i), _
                                            ModuleName, MAX_PATH)
                List1.AddItem Left$(ModuleName, lRet)
            Next
        End If
        ' Close the handle to the process
        lRet = CloseHandle(hProcess)
    End If
End Sub
MartinLiss, when I say "hooked API", I mean APIs that are redirected to somewhere else such as to another API. They are APIs that are intercepted by another program. I'm not sure how else to explain it. LaVolpe, that code just seems to enumerate all modules loaded in the current process. I'm looking for something like APIHookCheck 1.01 (http://www.security.org.sg/code/apihookcheck.html) but the website is down, it's written in another language, and I think it uses some kind of driver. You can find the cached version at http://72.14.253.104/search?q=cache:...hookcheck.html but it doesn't have the file to download.
I know what you mean now. There is a type of vTable hack where an API is modified to "jump" to another address that wasn't intended. This is a hacking mechanism whereby one can spy on any process or create a virus via modules in the process. The most common are of course User32, Kernel32 and Shell32.
I wouldn't know how to go about it, but I could take an educated guess. Some DLLs are always loaded at the same address in every process: User32 & Kernel32 I believe fall in this category. Therefore, if one already knows what the DLL should look like without being hacked (i.e., a clean copy in a resfile), then one could easily compare the bytes in the clean DLL with the bytes already loaded in the process's memory space. Getting the handle of the active DLL is easy: LoadLibrary can do that, and to get a specific function: GetProcAddress.
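The byte comparison described above, as an added example in C (not code from this thread): it takes the first bytes of an API entry point as read from the live process and from a clean reference copy, reports whether they match, and recognises the common redirect patterns an inline hook leaves behind. The sample bytes and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* What the first bytes at an API entry point look like. */
typedef enum {
    ENTRY_CLEAN = 0,      /* identical to the reference copy */
    ENTRY_JMP_REL32,      /* E9 xx xx xx xx : jmp rel32 (classic inline hook) */
    ENTRY_JMP_ABS,        /* FF 25 xx xx xx xx : jmp dword ptr [addr] */
    ENTRY_PUSH_RET,       /* 68 xx xx xx xx C3 : push imm32 / ret */
    ENTRY_MODIFIED        /* differs, but not one of the patterns above */
} entry_kind;

/* Compare the live entry bytes with the clean reference and name the patch pattern. */
entry_kind classify_entry(const uint8_t *live, const uint8_t *clean, size_t n)
{
    if (memcmp(live, clean, n) == 0)                  return ENTRY_CLEAN;
    if (n >= 5 && live[0] == 0xE9)                    return ENTRY_JMP_REL32;
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return ENTRY_JMP_ABS;
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) return ENTRY_PUSH_RET;
    return ENTRY_MODIFIED;
}

/* For a jmp rel32 patch: the displacement is relative to the instruction after the jmp. */
uint32_t jmp_rel32_target(uint32_t func_addr, const uint8_t *live)
{
    uint32_t disp = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                    ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
    return func_addr + 5 + disp;   /* unsigned wrap handles negative displacements */
}

/* Constructed samples: an XP-style hot-patchable prologue (mov edi,edi / push ebp / mov ebp,esp),
   the same entry after a 5-byte jmp was written over it, and a push/ret trampoline. */
static const uint8_t sample_clean[5]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t sample_hooked[5]  = { 0xE9, 0x80, 0x00, 0x10, 0x00 };
static const uint8_t sample_pushret[6] = { 0x68, 0x00, 0x00, 0x10, 0x00, 0xC3 };
static const uint32_t sample_func_addr = 0x7C800000u;   /* made-up function address */

int main(void)
{
    entry_kind k = classify_entry(sample_hooked, sample_clean, sizeof sample_clean);
    printf("sample API entry: kind=%d", (int)k);
    if (k == ENTRY_JMP_REL32)
        printf(", redirected to 0x%08X", jmp_rel32_target(sample_func_addr, sample_hooked));
    putchar('\n');
    return 0;
}
```

On a real system the live bytes come from the address GetProcAddress returns and the reference bytes from a separately mapped copy of the same DLL; any relocated bytes inside the compared range must be adjusted first, or a clean function will be reported as modified.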
Okay, let me ask you why you need to know this?

Quote:
Originally Posted by abazabam
I'm trying to create a protection scheme for my program. And don't tell me, "There's no such thing as an uncrackable program". I know, but I'm just trying to create one for beginner to slightly-below-average crackers. Right now, I'm working on an anti-registry-monitoring program. So, the program will check if any registry APIs are hooked. So, no need to get all suspicious :D