Thread: Detect Hooked APIs

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2005
    Posts
    400

    Detect Hooked APIs

    Is it possible to tell which APIs have been hooked in Windows XP using VB? Thank you

  2. #2

  3. #3
    VB-aholic & Lovin' It LaVolpe's Avatar
    Join Date
    Oct 2007
    Location
    Beside Waldo
    Posts
    19,541

    Re: Detect Hooked APIs

    Here, try this. I modified it quite a bit from this link. This version will only run on NT. To run on 64-bit systems, different APIs are needed. Add a listbox and command button to a form & copy & paste.
    Code:
    Option Explicit
    ' Lists every module (EXE/DLL) mapped into the current process.
    ' Needs psapi.dll, so it runs on NT-based Windows (NT/2000/XP) only.
    Private Declare Function GetCurrentProcessId Lib "kernel32.dll" () As Long
    Private Declare Function CloseHandle Lib "kernel32.dll" _
        (ByVal Handle As Long) As Long
    Private Declare Function OpenProcess Lib "kernel32.dll" _
        (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, _
        ByVal dwProcId As Long) As Long
    Private Declare Function GetModuleFileNameExA Lib "psapi.dll" _
        (ByVal hProcess As Long, ByVal hModule As Long, _
        ByVal ModuleName As String, ByVal nSize As Long) As Long
    Private Declare Function EnumProcessModules Lib "psapi.dll" _
        (ByVal hProcess As Long, ByRef lphModule As Long, _
        ByVal cb As Long, ByRef cbNeeded As Long) As Long
    
    Private Const PROCESS_QUERY_INFORMATION = 1024
    Private Const PROCESS_VM_READ = 16
    Private Const MAX_PATH = 260
    Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
    
    Private Sub Command1_Click()
        Dim cbNeeded As Long
        Dim Modules() As Long
        Dim lRet As Long
        Dim ModuleName As String
        Dim hProcess As Long
        Dim i As Long
    
        List1.Clear
        'Get a handle to the current process (inside the IDE this is VB6.EXE)
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, _
                                0, GetCurrentProcessId)
        'Got a process handle
        If hProcess <> 0 Then
            'First call with room for one handle, just to learn the size needed
            ReDim Modules(1 To 1)
            lRet = EnumProcessModules(hProcess, Modules(1), 4, cbNeeded)
            If lRet Then
                'cbNeeded is in bytes; each module handle is 4 bytes on 32-bit Windows
                ReDim Modules(1 To cbNeeded \ 4)
                Call EnumProcessModules(hProcess, Modules(1), cbNeeded, cbNeeded)
                'Resolve each module handle to its full file name
                ModuleName = Space(MAX_PATH)
                For i = 1 To UBound(Modules)
                    lRet = GetModuleFileNameExA(hProcess, Modules(i), _
                                                ModuleName, MAX_PATH)
                    List1.AddItem Left(ModuleName, lRet)
                Next
            End If
            'Close the handle to the process
            lRet = CloseHandle(hProcess)
        End If
    End Sub
    P.S. To run on Win9x systems, that was shown in the link I provided.
    Last edited by LaVolpe; Oct 14th, 2007 at 01:58 PM.

  4. #4

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2005
    Posts
    400

    Re: Detect Hooked APIs

    MartinLiss, when I say "hooked API", I mean APIs that are redirected to somewhere else such as to another API. They are APIs that are intercepted by another program. I'm not sure how else to explain it. LaVolpe, that code just seems to enumerate all modules loaded in the current process. I'm looking for something like APIHookCheck 1.01 (http://www.security.org.sg/code/apihookcheck.html) but the website is down, it's written in another language, and I think it uses some kind of driver. You can find the cached version at http://72.14.253.104/search?q=cache:...hookcheck.html but it doesn't have the file to download.

  5. #5
    VB-aholic & Lovin' It LaVolpe's Avatar
    Join Date
    Oct 2007
    Location
    Beside Waldo
    Posts
    19,541

    Re: Detect Hooked APIs

    I know what you mean now. There is a type of vTable hack where an API is modified to "jump" to another address that wasn't intended. This is a hacking mechanism whereby one can spy on any process or create a virus via modules in the process. The most common are of course User32, Kernel32 and Shell32.

    I wouldn't know how to go about it, but I could take an educated guess. Some DLLs are always loaded at the same address in every process: User32 & Kernel32 I believe fall in this category. Therefore, if one already knows what the DLL should look like without being hacked (i.e., a clean copy in a resfile), then one could easily compare the bytes in the clean DLL with the bytes already loaded in the process's memory space. Getting the handle of the active DLL is easy: LoadLibrary can do that, and to get a specific function: GetProcAddress.
    Last edited by LaVolpe; Oct 14th, 2007 at 08:04 PM.
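The clean-copy-versus-live-bytes comparison sketched in the post above, as an added Python example that is not code from the thread: it compares the first bytes of an export against a known-good copy and, when they differ, decodes the common x86 redirection patterns to find where control goes. Every address, byte string and export name here is constructed so the script runs offline; on a real system the live bytes would be read from the address GetProcAddress returns and the clean bytes from an unmodified copy of the DLL.

```python
import struct

# Constructed sample values (not real addresses): a clean x86 prologue as read
# from an unmodified copy of the DLL, and the address GetProcAddress would return.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")      # mov edi,edi; push ebp; mov ebp,esp
FUNC_ADDR = 0x7C801000                            # hypothetical address of the export
MODULE_RANGE = (0x7C800000, 0x7C8F6000)           # hypothetical base..end of the module
HOOK_TARGET = 0x10000000                          # hypothetical address outside the module
# Constructed "live" bytes showing two common redirections of the first instruction:
LIVE_JMP_REL32 = b"\xe9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + 5))
LIVE_PUSH_RET = b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xc3"

def decode_redirect(live, func_addr):
    """If the first instruction transfers control elsewhere, return (kind, target)."""
    if len(live) >= 5 and live[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", live, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(live) >= 2 and live[0] == 0xEB:                      # jmp rel8 (hot-patch style)
        rel = struct.unpack_from("<b", live, 1)[0]
        return "jmp rel8", (func_addr + 2 + rel) & 0xFFFFFFFF
    if len(live) >= 6 and live[0] == 0x68 and live[5] == 0xC3:  # push imm32; ret
        return "push/ret", struct.unpack_from("<I", live, 1)[0]
    if len(live) >= 6 and live[:2] == b"\xff\x25":              # jmp dword ptr [addr]
        return "jmp [mem]", struct.unpack_from("<I", live, 2)[0]
    return None

def check_export(name, func_addr, clean, live, module_range):
    """Compare the live prologue against the clean copy and classify any difference."""
    n = min(len(clean), len(live))
    if live[:n] == clean[:n]:
        return {"function": name, "hooked": False}
    first_diff = next(i for i in range(n) if live[i] != clean[i])
    result = {"function": name, "hooked": True, "first_diff": first_diff}
    redirect = decode_redirect(live, func_addr)
    if redirect:
        kind, target = redirect
        lo, hi = module_range
        # A jump whose target lies outside the module is the strongest sign of a hook.
        result.update(kind=kind, target=target, target_in_module=lo <= target < hi)
    return result

if __name__ == "__main__":
    for label, live in (("clean", CLEAN_PROLOGUE), ("jmp", LIVE_JMP_REL32), ("push/ret", LIVE_PUSH_RET)):
        print(label, check_export("RegOpenKeyExA", FUNC_ADDR, CLEAN_PROLOGUE, live, MODULE_RANGE))
```

The on-disk image is not byte-identical to the mapped one everywhere (relocations, import thunks), so compare the code bytes at the export itself rather than whole sections, and treat a target outside the module as the actual signal.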

  6. #6

  7. #7

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2005
    Posts
    400

    Re: Detect Hooked APIs

    I'm trying to create a protection scheme for my program. And don't tell me, "There's no such thing as an uncrackable program". I know, but I'm just trying to create one for beginner to slightly below average crackers. Right now, I'm working on an anti-registry monitoring program. So, the program will check if any registry APIs are hooked. So, no need to get all suspicious.
