iamwho Posted October 31
Hi all, I'm trying to understand VEH hooking. Unfortunately, all the examples I tried from GitHub only teach doing it in your own process. I'm trying to VEH hook a function in an exe by injecting a DLL. Can anyone help, please?
jackyjask Posted October 31
Show at least what you have tried and what issues you have hit.
iamwho Posted October 31
I'm using the VEH hook library from here: https://github.com/hoangprod/LeoSpecial-VEH-Hook
main.cpp is the program whose sleep function I want to hook. dllmain.cpp is the DLL that I inject into main.exe using Process Hacker. Unfortunately the hooks don't apply properly, or maybe I'm doing something wrong.
dllmain.cpp main.cpp
jackyjask Posted October 31
You are doing Hook() and Unhook() in the same init() routine - why is that?
iamwho Posted Friday at 05:50 AM
10 hours ago, jackyjask said: You are doing Hook() and Unhook() in the same init() routine - why is that?
Called the unhook in DLL_PROCESS_DETACH, still not working.
TRISTAN Pro Posted Friday at 05:56 AM
I'm looking for it with a hardware breakpoint.
HostageOfCode Posted Friday at 07:09 AM
The so-called VEH hook is just a PAGE_GUARD exception and a VEH handler that handles this exception and redirects the EIP to your hook code. You need to understand how it works first in order to make it work. The main disadvantage is that PAGE_GUARD raises an exception on the whole page in memory, and you need to call VirtualProtect every time until the target EIP is reached, which slows down the execution time noticeably.
iamwho Posted Friday at 09:28 AM
Thank you @HostageOfCode, I solved it!
boot Posted Saturday at 05:22 AM
There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification.
e.g. Vectored Exception Handling https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358
ra1n Posted Saturday at 06:19 PM
Might be worth noting that some advanced protections are capable of detecting and ultimately preventing exception-based hooking. This is done via placing information in "unused" stack space that Windows will overwrite with an EXCEPTION_RECORD upon exception. I believe there is very little that can be done about this, other than potentially using a hypervisor, but at that point I don't think you'd need to bother with exception-based hooking.
TRISTAN Pro Posted Saturday at 08:18 PM
15 hours ago, boot said: There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification. e.g. Vectored Exception Handling https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358
Yes, CRC, but need to make asm inside the code after hitting the hardware breakpoint with the exception to change the register. Maybe you can add some anti-patch in 32 bit. I will be grateful. Link for src code Here
Edited Saturday at 09:22 PM by TRISTAN Pro