iamwho Posted October 31, 2024 Posted October 31, 2024 Hi all, im trying to understand VEH hooking unfortunately all the examples i tried from github only teach doing it in own process. Im trying to veh hook a function in an exe by injecting a dll. Can anyone help please? 1 1
jackyjask Posted October 31, 2024 Posted October 31, 2024 show at least what you have tried and what issues have you hit 1
iamwho Posted October 31, 2024 Author Posted October 31, 2024 Im using the veh hook library from here https://github.com/hoangprod/LeoSpecial-VEH-Hook main.cpp is the program whose sleep function i want to hook. dllmain.cpp is the dll that i inject into main.exe using process hacker. Unfortunately the hooks dont apply properly or maybe im doing something wrong. dllmain.cpp main.cpp 1
jackyjask Posted October 31, 2024 Posted October 31, 2024 You are doing Hook() and Unhook() in the same init() routine - why is that? 1
iamwho Posted November 1, 2024 Author Posted November 1, 2024 10 hours ago, jackyjask said: You are doing Hook() and Unhook() in the same init() routine - why is that? Called the unhook in DLL_PROCESS_DETACH, still not working. 1
TRISTAN Pro Posted November 1, 2024 Posted November 1, 2024 I'm looking for it with hardware breakpoint. 1
HostageOfCode Posted November 1, 2024 Posted November 1, 2024 So called veh hook is just an page_guard exception and veh handler that handles this exception and redirects the eip to your hook code. You need to understand how it works first in order to make it work. The main disadvantage is that page_guard makes exception on the whole page in memory and you need two call VirtualProtect every time until the target eip is reached which slows down the execution time noticeably. 1
iamwho Posted November 1, 2024 Author Posted November 1, 2024 Thank you @HostageOfCode i solved it! 1
boot Posted November 2, 2024 Posted November 2, 2024 There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification. e.g. Vectored Exception Handling https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358 1 1
ra1n Posted November 2, 2024 Posted November 2, 2024 Might be worth noting that some advanced protections are capable of detecting and ultimately preventing exception based hooking. This is done via placing information in "unused" stack space that windows will overwrite with an EXCEPTION_RECORD upon exception. I believe there is very little that can be done about this, other than potentially using a hypervisor but at that point I don't think you'd need to bother with exception-based hooking. 1
TRISTAN Pro Posted November 2, 2024 Posted November 2, 2024 (edited) 15 hours ago, boot said: There is nothing mysterious about VEH Hook. Its essence is to register exceptions + set hardware breakpoints by enabling the Dr register. When the process hits a breakpoint, it will jump to our custom exception callback to perform some of our functions. The advantage of doing so is that it can avoid CRC verification. e.g. Vectored Exception Handling https://forum.tuts4you.com/topic/44494-crackme-with-anti-patch/#comment-217358 Yes CRC but need to make asm inside the code after hit the hardware breakpoint with exception to change the register. May be yuo can add some anti patched in 32 bit . It will be gratefull. Link for src code Here Edited November 2, 2024 by TRISTAN Pro 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now