Calling API Hookeds Problem
After protecting a file (an .EXE in this case), the .EXE calls MessageBoxA, and that API can be hooked to log or alter its parameters.
Is there any chance to make an API wrapper in VMProtect to avoid calling the original hooked API?
Re: Calling API Hookeds Problem
For MessageBox you can use the same trick as VMProtect.
Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.
A simple example:
Code:
    #include <windows.h>
    #include <winternl.h>
    #pragma comment(lib, "ntdll.lib")

    extern "C" NTSTATUS NTAPI ZwRaiseHardError(LONG ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask,
                                               PULONG_PTR Parameters, ULONG ValidResponseOptions, PULONG Response);

    int main()
    {
        UNICODE_STRING msgBody;
        UNICODE_STRING msgCaption;
        ULONG ErrorResponse;

        const wchar_t cBody[] = L"Some message";
        msgBody.Length = sizeof(cBody) - sizeof(wchar_t);
        msgBody.MaximumLength = msgBody.Length;
        msgBody.Buffer = (wchar_t*)cBody;

        const wchar_t cCaption[] = L"Caption";
        msgCaption.Length = sizeof(cCaption) - sizeof(wchar_t);
        msgCaption.MaximumLength = msgCaption.Length;
        msgCaption.Buffer = (wchar_t*)cCaption;

        const ULONG_PTR msgParams[] = {
            (ULONG_PTR)&msgBody,
            (ULONG_PTR)&msgCaption,
            (ULONG_PTR)(MB_OK | MB_ICONWARNING)
        };

        ZwRaiseHardError(0x50000018L, 0x00000003L, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse);
        return 0;
    }
Last edited by Catharsis on Sun Feb 12, 2023 1:15 pm, edited 2 times in total.
Re: Calling API Hookeds Problem
This example can be improved by performing a manual map for ntdll
Re: Calling API Hookeds Problem
Catharsis wrote: Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.
Because your msgParams have the wrong structure. They must have 4 parameters (the last parameter specifies the timeout and usually equals INFINITE):
    const ULONG_PTR msgParams[] = {
        (ULONG_PTR)&msgBody,
        (ULONG_PTR)&msgCaption,
        (ULONG_PTR)(MB_OK | MB_ICONWARNING),
        INFINITE
    };
    ZwRaiseHardError(0x50000018L, 4, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse); // 0x50000018L = STATUS_SERVICE_NOTIFICATION | HARDERROR_OVERRIDE_ERRORMODE
Re: Calling API Hookeds Problem
You may be right about the number of parameters, since the code is not mine but was taken from one of the forums; however, it also works with 3 parameters (apparently by a lucky coincidence).
By the rare condition I meant configuring an ACL for the process. The window is displayed, but it is empty (without the required text).
If needed, I can report it in a separate topic with a demo to reproduce the problem.
Re: Calling API Hookeds Problem
Missing text is most likely a problem with the initialization of UNICODE_STRING, or with the argument array (for example, the array itself is not aligned on a 4/8-byte boundary).
Code:
    __forceinline void InitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
    {
        if (SourceString)
            DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(UNICODE_NULL);
        else
            DestinationString->MaximumLength = DestinationString->Length = 0;
        DestinationString->Buffer = (PWCH)SourceString;
    }
Re: Calling API Hookeds Problem
MessageBox was just an example; what can we do with other APIs?
Can VMP add API wrapping?
Re: Calling API Hookeds Problem
Admin wrote: Missing text is most likely a problem with the initialization of UNICODE_STRING, or with the argument array (for example, the array itself is not aligned on a 4/8-byte boundary).
This problem is also relevant for the implementation in VMP. I have sent a report to info@vmpsoft.com with a description and files for demonstration (email Subject: "ZwRaiseHardError bug").
Re: Calling API Hookeds Problem
Any news or plans?
Re: Calling API Hookeds Problem
VMProtect doesn't protect system DLLs against hooks.
Re: Calling API Hookeds Problem
Admin wrote: VMProtect doesn't protect system DLLs against hooks.
Is there any chance to add an API wrapper?
Re: Calling API Hookeds Problem
fuzzing wrote: Is there any chance to add an API wrapper?
What prevents you from implementing a check for the most common hooks yourself?
Re: Calling API Hookeds Problem
Catharsis wrote:
    fuzzing wrote: Is there any chance to add an API wrapper?
    What prevents you from implementing a check for the most common hooks yourself?
Because there are too many ways of hooking an API.
Checking for 0xE9 or things like that can be bypassed just by changing the instruction hooking method.
Re: Calling API Hookeds Problem
fuzzing wrote: Because there are too many ways of hooking an API.
You have now answered your own question.
Re: Calling API Hookeds Problem
Catharsis wrote:
    fuzzing wrote: Because there are too many ways of hooking an API.
    You have now answered your own question.
Nope, patching the first bytes of an API can be avoided by making some type of API wrapper like Themida does, but honestly I don't like Themida, I don't use it and I will not use it; I'm on the VMProtect way, and it would be nice if it could add some kind of API wrapper too!
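Catharsis suggests checking for the most common hooks yourself, and fuzzing objects that a bare 0xE9 test is sidestepped by changing the trampoline shape. The plain C below is an added example, not code from this thread or from VMProtect: it compares a single-opcode check with one that recognises several common trampoline prologues, run over constructed sample byte sequences, and shows where the narrow check goes quiet. All type and function names are hypothetical; it only inspects byte arrays, so it builds on any platform.

```c
#include <stddef.h>
#include <stdint.h>

/* Verdict for the first bytes of an API function body (hypothetical names). */
typedef enum {
    PROLOGUE_CLEAN = 0,
    HOOK_INT3,           /* CC: software breakpoint left by a debugger or tracer */
    HOOK_JMP_REL32,      /* E9 rel32 */
    HOOK_JMP_INDIRECT,   /* FF 25 disp32: jmp [rip+disp32] (x64) or jmp [abs32] (x86) */
    HOOK_PUSH_RET,       /* 68 imm32 ; C3 */
    HOOK_MOV_RAX_JMP     /* 48 B8 imm64 ; FF E0 */
} PrologueVerdict;

/* The check the thread calls bypassable: only the E9 opcode is examined. */
int naive_e9_check(const uint8_t *code, size_t len)
{
    return len >= 5 && code[0] == 0xE9;
}

/* Recognises several common trampoline shapes instead of one opcode.
 * Still a heuristic: a detour placed after the first instruction, or a
 * hook that patches the IAT/EAT rather than the function body, is not
 * visible to any prologue byte check. */
PrologueVerdict classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 1 && code[0] == 0xCC)
        return HOOK_INT3;
    if (len >= 5 && code[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return HOOK_PUSH_RET;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return PROLOGUE_CLEAN;
}

/* 1 if the single-opcode check reports clean while the wider check finds a hook. */
int naive_check_misses(const uint8_t *code, size_t len)
{
    return !naive_e9_check(code, len) && classify_prologue(code, len) != PROLOGUE_CLEAN;
}

/* Constructed sample prologues (not captured from a real system). */
static const uint8_t sample_clean[]    = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20 }; /* mov [rsp+8],rbx; push rdi; sub rsp,20h */
static const uint8_t sample_jmp_rel[]  = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x90, 0x90, 0x90 };             /* jmp +0x1000; nop padding */
static const uint8_t sample_push_ret[] = { 0x68, 0x78, 0x56, 0x34, 0x12, 0xC3 };                         /* push 0x12345678; ret */
```

For a real integrity check the bytes would be read from the function's address in the loaded module and compared against the same bytes in a clean copy of the DLL on disk, which catches shapes this table does not list.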