Jump to content
Tuts 4 You

[REQUEST] VEH hooking an exe at runtime


iamwho

Recommended Posts

Hi all, im trying to understand VEH hooking unfortunately all the examples i tried from github only teach doing it in own process. Im trying to veh hook a function in an exe by injecting a dll. Can anyone help please?

  • Like 1
  • Haha 1
Link to comment
10 hours ago, jackyjask said:

You are doing Hook() and Unhook() in the same init() routine - why is that?

Called the unhook in DLL_PROCESS_DETACH, still not working.

  • Like 1
Link to comment

So called veh hook is just an page_guard exception and veh handler that handles this exception and redirects the eip to your hook code. You need to understand how it works first in order to make it work. The main disadvantage is that page_guard makes exception on the whole page in memory and you need  two call VirtualProtect every time until the target eip is reached which slows down the execution time noticeably.

  • Like 1
Link to comment

There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification.

e.g.

Vectored Exception Handling

https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358

  • Like 1
  • Thanks 1
Link to comment

Might be worth noting that some advanced protections are capable of detecting and ultimately preventing exception based hooking. This is done via placing information in "unused" stack space that windows will overwrite with an EXCEPTION_RECORD upon exception. I believe there is very little that can be done about this, other than potentially using a hypervisor but at that point I don't think you'd need to bother with exception-based hooking.

  • Like 1
Link to comment
15 hours ago, boot said:

There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification.

e.g.

Vectored Exception Handling

https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358

Yes CRC but need to make asm inside the code after hit the hardware breakpoint with exception to change the register.

May be yuo can add some anti patched in 32 bit .

It will be gratefull.

Link for src code

Here

Edited by TRISTAN Pro
  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...