I am trying to detect API hooks, both inline and EAT hooks.
Currently, I have not found anything about how to detect an EAT hook.
For the inline ring 3 hook, this is what I have:
#include <windows.h>
#include <stdio.h>
int main(void)
{
    /* First-byte check: only recognises JMP (E9), NOP (90) and RET (C3) prologues */
    FARPROC Address = GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess");
    if (*(BYTE*)Address == 0xE9 || *(BYTE*)Address == 0x90 || *(BYTE*)Address == 0xC3)
        printf("Api hooked\n");
    return 0;
}
The problem is that there are several opcodes that can be used to intercept / change the function prologue; checking for JMP / NOP / RET is trivial, and I have seen many types of hooks like PUSH RET, MOV, RETN, etc.
I wonder if anyone knows how to detect these hooks (or workarounds) or changes in the API, as well as an EAT hook detection method.
Thanks.
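One way to approach the EAT part, as an added example that is not from the original post: walk the module's export directory and compare each function RVA against the RVA from the on-disk copy of the DLL, skipping forwarder entries and flagging any RVA that falls outside SizeOfImage. Mapping the DLL file and parsing its export table the same way to obtain the reference RVAs is assumed and not shown; the PE structure is redeclared here and the image is constructed in memory so the code builds without windows.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of IMAGE_EXPORT_DIRECTORY in PE layout, declared here so this builds
 * without windows.h. On Windows, read the real one via the loaded module's
 * export data directory (assumed, not shown). */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDirectory;

/* Count exports whose in-memory RVA differs from the on-disk copy. A forwarder
 * (RVA inside the export directory) is legitimate; an RVA at or beyond
 * SizeOfImage cannot be this module's own code. */
static int count_eat_anomalies(const uint8_t *image, uint32_t size_of_image,
                               uint32_t dir_rva, uint32_t dir_size,
                               const uint32_t *disk_rvas)
{
    ExportDirectory ed; int anomalies = 0;
    memcpy(&ed, image + dir_rva, sizeof ed);      /* no unaligned access */
    for (uint32_t i = 0; i < ed.NumberOfFunctions; i++) {
        uint32_t rva; memcpy(&rva, image + ed.AddressOfFunctions + 4 * i, sizeof rva);
        int forwarder = rva >= dir_rva && rva < dir_rva + dir_size;
        if (rva == 0 || forwarder) continue;      /* empty slot or forwarder */
        if (rva >= size_of_image || rva != disk_rvas[i]) {
            printf("ordinal %u: memory RVA 0x%x, disk RVA 0x%x\n",
                   ed.Base + i, rva, disk_rvas[i]);
            anomalies++;
        }
    }
    return anomalies;
}

/* Constructed sample image (not a real DLL): export directory at RVA 0x100
 * (size 0x100), function table at RVA 0x200, SizeOfImage 0x400. Entry 1 is a
 * forwarder, entry 2 points outside the image, entry 3 disagrees with disk. */
static int run_sample(void)
{
    static uint8_t image[0x400];
    static const uint32_t disk_rvas[4] = { 0x300, 0x140, 0x310, 0x320 };
    const uint32_t mem_rvas[4] = { 0x300, 0x140, 0x900, 0x330 };
    ExportDirectory ed = { 0 };
    ed.Base = 1; ed.NumberOfFunctions = 4; ed.AddressOfFunctions = 0x200;
    memcpy(image + 0x100, &ed, sizeof ed);
    memcpy(image + 0x200, mem_rvas, sizeof mem_rvas);
    return count_eat_anomalies(image, 0x400, 0x100, 0x100, disk_rvas);
}

int main(void) { printf("%d suspicious exports\n", run_sample()); return 0; }
```

The same compare-against-the-disk-image idea also replaces the opcode list for the inline case: diff the first bytes of the function in memory against the bytes from the mapped file (after relocations) instead of guessing which prologue patterns a hook might use.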