Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[REQUEST] VEH hooking an exe at runtime

Featured Replies

Posted

Hi all, im trying to understand VEH hooking unfortunately all the examples i tried from github only teach doing it in own process. Im trying to veh hook a function in an exe by injecting a dll. Can anyone help please?

show at least what you have tried

and what issues have you hit

 

  • Author

Im using the veh hook library from here

https://github.com/hoangprod/LeoSpecial-VEH-Hook

main.cpp is the program whose sleep function i want to hook.

dllmain.cpp is the dll that i inject into main.exe using process hacker.

Unfortunately the hooks dont apply properly or maybe im doing something wrong.

dllmain.cpp main.cpp

You are doing Hook() and Unhook() in the same init() routine - why is that?

  • Author
10 hours ago, jackyjask said:

You are doing Hook() and Unhook() in the same init() routine - why is that?

Called the unhook in DLL_PROCESS_DETACH, still not working.

I'm looking for it with hardware breakpoint.

So called veh hook is just an page_guard exception and veh handler that handles this exception and redirects the eip to your hook code. You need to understand how it works first in order to make it work. The main disadvantage is that page_guard makes exception on the whole page in memory and you need  two call VirtualProtect every time until the target eip is reached which slows down the execution time noticeably.

  • Author

Thank you @HostageOfCode i solved it!

There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification.

e.g.

Vectored Exception Handling

https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358

Might be worth noting that some advanced protections are capable of detecting and ultimately preventing exception based hooking. This is done via placing information in "unused" stack space that windows will overwrite with an EXCEPTION_RECORD upon exception. I believe there is very little that can be done about this, other than potentially using a hypervisor but at that point I don't think you'd need to bother with exception-based hooking.

15 hours ago, boot said:

There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification.

e.g.

Vectored Exception Handling

https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358

Yes CRC but need to make asm inside the code after hit the hardware breakpoint with exception to change the register.

May be yuo can add some anti patched in 32 bit .

It will be gratefull.

Link for src code

Here

Edited by TRISTAN Pro

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.