Posted October 31, 2024Oct 31 Hi all, im trying to understand VEH hooking unfortunately all the examples i tried from github only teach doing it in own process. Im trying to veh hook a function in an exe by injecting a dll. Can anyone help please?
October 31, 2024Oct 31 Author Im using the veh hook library from here https://github.com/hoangprod/LeoSpecial-VEH-Hook main.cpp is the program whose sleep function i want to hook. dllmain.cpp is the dll that i inject into main.exe using process hacker. Unfortunately the hooks dont apply properly or maybe im doing something wrong. dllmain.cpp main.cpp
November 1, 2024Nov 1 Author 10 hours ago, jackyjask said: You are doing Hook() and Unhook() in the same init() routine - why is that? Called the unhook in DLL_PROCESS_DETACH, still not working.
November 1, 2024Nov 1 So called veh hook is just an page_guard exception and veh handler that handles this exception and redirects the eip to your hook code. You need to understand how it works first in order to make it work. The main disadvantage is that page_guard makes exception on the whole page in memory and you need two call VirtualProtect every time until the target eip is reached which slows down the execution time noticeably.
November 2, 2024Nov 2 There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification. e.g. Vectored Exception Handling https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358
November 2, 2024Nov 2 Might be worth noting that some advanced protections are capable of detecting and ultimately preventing exception based hooking. This is done via placing information in "unused" stack space that windows will overwrite with an EXCEPTION_RECORD upon exception. I believe there is very little that can be done about this, other than potentially using a hypervisor but at that point I don't think you'd need to bother with exception-based hooking.
November 2, 2024Nov 2 15 hours ago, boot said: There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification. e.g. Vectored Exception Handling https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358 Yes CRC but need to make asm inside the code after hit the hardware breakpoint with exception to change the register. May be yuo can add some anti patched in 32 bit . It will be gratefull. Link for src code Here Edited November 2, 2024Nov 2 by TRISTAN Pro
Create an account or sign in to comment