
?? Is it possible to trick api hooks by..

Started by M4D45M, September 30, 2005, 02:21:30 PM


M4D45M

ripping dll functions and paste them into my own assembly code ?

For example the code for CreateRemoteThread (kernel32.dll)
And from this code also ripping all containing ntdll imports.

What I wanted to know is, if it is possible to copy the code of
a dll instead of calling it.

Can anybody tell me if this would work anyhow or why it would
definitely not.
(And if this would bypass a fucking standard api hook of some security software)

rags

Quote from: madasm on September 30, 2005, 02:21:30 PM
Can anybody tell me if this would work anyhow or why it would
definitely not.
(And if this would bypass a fucking standard api hook of some security software)
Just curious, by "security software", do you mean anti-virus software, and if you do, why would you want to?
God made Man, but the monkey applied the glue -DEVO

M4D45M

so am i. [curious]
i want to improve my assembly knowledge. [practical]
i prefer security-related issues.
an example could be an anti-virus software hooking
an API function or also a firewall or other
security package software.
i'm interested in how things work in detail.
so i also want to try things new to me,
but i sometimes need a bit help to move
forward and need to get qualified info.

another way i thought of, is to use
the function's entrypoint overwrite method,
but i'm not sure if a hook triggers first.

the goal i wanted to reach is to collect
enough knowledge to code a bypass situation
!by myself!

i want to grow further in knowledge of low level
programming and i'm also interested in
security systems, cryptology, etc.
at the moment i also code a mail client
which supports smtp AUTH with CRAM-MD5.
This requires implementation of HMAC,
which is also very interesting.
till now i learned about a lot of security
situations and with this i was also able
to figure out pretty more things in assembly.

thanx.

hutch--

madasm,

What you are after is illegal, it involves reverse engineering software that you don't own. There is a perfectly legal way to do even better, get the start address from the function in the DLL at runtime and then copy the function into dynamic memory allocated in the calling app, then you can call the start address of the function locally and it will usually be faster.

Please leave the reverse engineering stuff out of the forum as the rules prohibit such topics.

M4D45M