Tuts 4 You

Hooking and anti-Hooking paranoia dance!


Krisler12


It is well known that there are various methods of hooking and anti-hooking and so on.

I want to hook an application which very possibly has implemented all anti-hooking methods.

Also it is very possible that, once connected to its online server, that server verifies whether it is hooked or not and/or whether its code has been modified or not by computing its md5/crc checksum etc. It must connect to the server, and it is very important to be connected to the server because it is an online game.

Now, theory:

1. There are more than one API hooking methods.

2. There also could be more than one anti-API-hooking method which detects whether your app is hooked or not and/or unhooks it.

3. Very possibly there is more than one anti-anti-API-hooking method which prevents the methods described at point 2 from doing their job.

4. I don't know. Are there also methods which prevent the methods described at point 3 from doing their job?

5. Also, are there methods for preventing the methods described at point 4 from doing their job too? To what level could it go? anti-anti-anti... what?

Please give me all possible examples of methods you know for each of the points 1-5 described above.

Please answer me; it is not a joke. I really want to do something very important and I really want to know all of this.

Thank you in advance!
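As an added illustration of points 1 to 3 in the post above (this is editor-supplied example code, not code from the thread or from any game or anti-cheat product), the block below shows the two anti-hook checks the poster expects to meet, an opcode scan of a function entry and a CRC-32 of a code region, and the anti-anti-hook answer to both: a hook that keeps a copy of the original bytes and serves them to whatever reads the code. The prologue bytes and the hooked variant are constructed samples; the `code_region_t` type and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: the first 16 bytes of an ordinary x64 function
 * prologue. Illustrative bytes, not taken from any real binary. */
static const uint8_t PRISTINE[16] = {
    0x48, 0x89, 0x5C, 0x24, 0x08,   /* mov [rsp+8], rbx   */
    0x48, 0x89, 0x6C, 0x24, 0x10,   /* mov [rsp+10h], rbp */
    0x56,                           /* push rsi           */
    0x48, 0x83, 0xEC, 0x20,         /* sub rsp, 20h       */
    0x90                            /* nop                */
};

/* The same prologue after a 5-byte inline hook overwrote the entry with
 * JMP rel32 (E9 + displacement), the most common detour patch (point 1). */
static const uint8_t HOOKED[16] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,   /* jmp +0x1000 -> detour */
    0x48, 0x89, 0x6C, 0x24, 0x10,
    0x56,
    0x48, 0x83, 0xEC, 0x20,
    0x90
};

/* CRC-32/IEEE, the kind of "crc checksum" the post expects the server to compare. */
uint32_t crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Anti-hook method A (point 2): scan the function entry for the trampolines
 * inline hooking engines typically write. `code` must have 12 readable bytes. */
int entry_looks_hooked(const uint8_t *code)
{
    if (code[0] == 0xE9 || code[0] == 0xE8)                       /* jmp/call rel32          */
        return 1;
    if (code[0] == 0xFF && (code[1] == 0x25 || code[1] == 0x15))  /* jmp/call [rip+disp32]   */
        return 1;
    if (code[0] == 0x68 && code[5] == 0xC3)                       /* push imm32; ret         */
        return 1;
    if (code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)                     /* mov rax, imm64; jmp rax */
        return 1;
    return 0;
}

/* Anti-hook method B (point 2): integrity check of a whole code region
 * against a known-good checksum (fixed at build time or sent by the server). */
int region_intact(const uint8_t *code, size_t n, uint32_t expected)
{
    return crc32(code, n) == expected;
}

/* Anti-anti-hook (point 3): a hook that wants to survive both checks keeps a
 * copy of the original bytes and intercepts the read path (for example by
 * hooking the memory-read routine the checker uses), so the checker sees the
 * pristine copy while the CPU still executes the patched bytes. Modelled here
 * as a region with two views; the struct is an assumption of this example. */
typedef struct {
    const uint8_t *executed;   /* what the CPU runs (patched)       */
    uint8_t        shadow[16]; /* original bytes saved by the hook  */
    int            hide;       /* hook-hiding active?               */
} code_region_t;

const uint8_t *read_for_checker(const code_region_t *r)
{
    return r->hide ? r->shadow : r->executed;
}

int main(void)
{
    uint32_t good = crc32(PRISTINE, sizeof PRISTINE);
    code_region_t r = { HOOKED, {0}, 0 };
    memcpy(r.shadow, PRISTINE, sizeof PRISTINE);

    printf("scan: pristine=%d hooked=%d\n",
           entry_looks_hooked(PRISTINE), entry_looks_hooked(HOOKED));
    printf("crc : hooked region intact=%d\n", region_intact(HOOKED, 16, good));

    r.hide = 1;                                   /* hook starts hiding itself */
    const uint8_t *view = read_for_checker(&r);
    printf("hidden hook: scan=%d intact=%d\n",
           entry_looks_hooked(view), region_intact(view, 16, good));
    return 0;
}
```

Two caveats a practitioner would add: the entry scan produces false positives on functions that legitimately start with a JMP (import thunks, tail-call stubs), so real checkers whitelist those; and the shadow-copy trick only works while the checker reads through a path the hook controls, which is exactly why the later replies push the hook into a driver or into debug registers, where no byte in the process changes at all.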


If your target is a usermode-only application (no driver), you can write your own driver, and it is impossible for the application to detect the hook (if you don't make any mistakes). This is the only safe way to hook.

The best usermode hooking method is using hardware breakpoints, because you don't need to modify the target application's code. You can also hide this hook pretty well, but there is also an anti-anti method.


I used to hook kernel32 exports; it doesn't work in all programs (you'd need a GetProcAddress call for it), but they didn't detect it.

I also hooked some late exports stored within the main PE in some patches.

But yeah, drivers should work best.


> If your target is a usermode-only application (no driver), you can write your own driver, and it is impossible for the application to detect the hook (if you don't make any mistakes). This is the only safe way to hook.

> The best usermode hooking method is using hardware breakpoints, because you don't need to modify the target application's code. You can also hide this hook pretty well, but there is also an anti-anti method.

The driver method is undetectable?

There is no way to detect it, like IsMyApplicationHooked or something else?

Where could I find an example of driver hooking?

> You can also hide this hook pretty well, but there is also an anti-anti method.

Please enumerate all of them if possible: all anti-hook, all anti-anti-hook, all anti-anti-anti-hook and so on until none are left!

> If your target is a usermode-only application (no driver)

What should be the best way for an undetectable hook when there is a driver and it is not usermode only?

Are there anti and anti-anti... methods also? Which ones?

Thank you very much!


> What should be the best way for an undetectable hook when there is a driver and it is not usermode only?

There is no best hook then. Think about malware (rootkits): there are still some anti-rootkit tools that can detect the worst malware.

You should focus on your target and just circumvent it. Think about anti-cheat systems in multiplayer games: they all try to detect hooks, but they all fail; cheating is still possible in all multiplayer games.

> The driver method is undetectable?

> There is no way to detect it, like IsMyApplicationHooked or something else?

> Where could I find an example of driver hooking?

Google rootkit source code.

No, it is not possible to detect it if the target application uses only usermode code, so it can't know what happens in kernel mode.

Edited by Aguila

Of course it can detect it: timed comparison of certain operations. A triggered hardware breakpoint adds loads of cycles to a request. There's no way to hide that kind of impact.

And don't forget that there are only 4 hardware breakpoints in kernel mode. Too bad if someone else wants to use them too; there's no notification if someone changes the values.
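The timing check described in the reply above, written out as an added example (editor-supplied code, not from any poster or product). The program records a per-call cost for a trusted baseline and later for the same call, takes the median of each run so that one preemption or page fault cannot trigger a false hit, and flags a hook when the observed median exceeds the baseline by a fixed factor. `plain` and `trapped` are constructed stand-ins: `trapped` simulates the extra work of a debug-register trap with a loop rather than a real #DB exception, and `clock_gettime` is used instead of RDTSC or QueryPerformanceCounter so the sample builds on a POSIX host. Function names and the factor of 10 are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Monotonic timestamp in nanoseconds (stand-in for RDTSC / QPC on Windows). */
static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts a copy). Returns 0 for an empty run.
 * Median rather than mean: a single preempted sample must not dominate. */
uint64_t median_ns(const uint64_t *samples, size_t n)
{
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    for (size_t i = 0; i < n; i++) tmp[i] = samples[i];
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = (n % 2) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2;
    free(tmp);
    return m;
}

/* Decision rule: a hook is suspected when the observed median exceeds the
 * trusted baseline by more than `factor`. A debug-register trap plus
 * exception dispatch costs thousands of cycles; the untouched call costs
 * tens, so even a generous factor separates the two distributions. */
int timing_anomaly(uint64_t baseline_median, uint64_t observed_median, unsigned factor)
{
    return observed_median > baseline_median * (uint64_t)factor;
}

/* Time n calls of fn one at a time, writing each call's cost into out[]. */
void time_calls(void (*fn)(void), uint64_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = now_ns();
        fn();
        out[i] = now_ns() - t0;
    }
}

/* Constructed victims. `plain` stands for the untouched API; `trapped` for
 * the same API when a hardware breakpoint fires on it and a handler runs
 * first. The handler's cost is simulated with a loop, not a real #DB trap. */
static volatile uint64_t sink;
static void plain(void)   { sink += 1; }
static void trapped(void) { for (int i = 0; i < 2000; i++) sink += (uint64_t)i; }

int main(void)
{
    enum { N = 2001 };
    static uint64_t base[N], obs[N];
    time_calls(plain, base, N);     /* baseline taken while the app trusts itself */
    time_calls(trapped, obs, N);    /* later measurement of the same "API"        */
    uint64_t b = median_ns(base, N), o = median_ns(obs, N);
    printf("baseline median %llu ns, observed median %llu ns -> %s\n",
           (unsigned long long)b, (unsigned long long)o,
           timing_anomaly(b, o, 10) ? "HOOK SUSPECTED" : "clean");
    return 0;
}
```

The measurement itself is hard to fool, which is the reply's point; what the check does with the result is ordinary code in the same process, so a hooker who already controls that process can patch the comparison or the reporting path, and the baseline has to come from somewhere the hooker cannot influence (a server-side constant, for example) rather than from the first run of a possibly already-hooked binary.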

