Sinisterly
Detect Api hooking - Printable Version



Detect Api hooking - Houston1337 - 09-15-2022

Hey, so recently I have been wondering how to detect API hooking to help prevent cracking. I have been reading up on methods, and so far I understand there are two ways of doing it:
- Check calls to VirtualProtect
- Hook the IAT address of the process and save the bytes into memory, then copy them again at a later stage and compare

I am new to anti-RE but would love to know any other ways/information about this.


RE: Detect Api hooking - Confidential - 02-12-2023

- Check for suspicious DLL loads
- Check for known bad hash values
- Check for tampering with the import address table (IAT)
- Use anti-debugging techniques
- Monitor process memory


RE: Detect Api hooking - vekm - 10-07-2023

Not exactly about API, but in general. The approach which I use in my apps:

1. You need to control an important block of memory: a CRC (hash) of the important block.
2. Then, from different places in the app, execute code which checks the memory.
3. If the memory is damaged, don't alert about this. NEVER. Don't even check this, actually. You need to use this CRC as part of the logic of your app.
As an example, you calculate some value Z; in one part of the program you add to it the predefined CRC of memory which you expect. And then in another block of code you subtract the CRC which you actually found. So if the memory is not damaged, everything will be OK. If your memory is damaged, your app will be buggy. What is important: the bug has no right to ruin your program. Its goal is to add glitches and make the app useless/unstable for UNKNOWN reasons.

This is a common principle.

You also need to have some "official" defence mechanism, something simple, which is easy to find and eliminate (to calm down the hacker).
You can add a salt of randomness, so the app will be buggy each time in a different place, add control over the memory which calculates the Z value (double check), and so on.

Any alert, attempt to find the address of the real API and call it, anti-debugging and so on is easy to detect and eliminate. But when your app is just glitching randomly it is boring, and people often blame themselves for stupidity.


RE: Detect Api hooking - BLKVED - 01-30-2024

Check the region hashes on file/disk and compare them to the ones loaded in memory.
If something is hooked in memory, it's going to be different from the original one on disk!
Something used by modern anticheat.
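
The disk-versus-memory comparison from the last reply, as an added example that is not part of the thread: it hashes fixed-size regions of two copies of a code section so a mismatch is localized to a region. `BLOCK`, `DISK_TEXT`, `crc32_buf` and `compare_regions` are hypothetical names and the bytes are constructed; on a real PE image the loader's relocation and import fix-ups have to be applied to the disk copy (or those ranges excluded) before comparing, otherwise unmodified code will mismatch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16 /* bytes per hashed region (value chosen for this example) */

/* Constructed sample standing in for a code section as stored on disk. */
static const uint8_t DISK_TEXT[32] = {
    0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x20,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x8B, 0x45, 0x10, 0x03, 0x00, 0x90, 0x90, 0x90,
    0x48, 0x83, 0xC4, 0x20, 0x5D, 0xC3, 0xCC, 0xCC };

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320, the zlib variant). */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hash each BLOCK-sized region of both copies. Returns how many regions
 * differ; *first_off receives the offset of the first one, or (size_t)-1. */
static size_t compare_regions(const uint8_t *disk, const uint8_t *mem,
                              size_t len, size_t *first_off) {
    size_t bad = 0;
    *first_off = (size_t)-1;
    for (size_t off = 0; off < len; off += BLOCK) {
        size_t n = (len - off < BLOCK) ? len - off : BLOCK;
        if (crc32_buf(disk + off, n) != crc32_buf(mem + off, n) && bad++ == 0)
            *first_off = off;
    }
    return bad;
}

int main(void) {
    /* Constructed "loaded" copy: a 5-byte relative jump written at offset 16. */
    static const uint8_t jmp[5] = { 0xE9, 0x20, 0x00, 0x00, 0x00 };
    uint8_t mem[sizeof DISK_TEXT];
    size_t off, bad;
    memcpy(mem, DISK_TEXT, sizeof mem);
    memcpy(mem + 16, jmp, sizeof jmp);
    bad = compare_regions(DISK_TEXT, mem, sizeof mem, &off);
    printf("%zu modified region(s), first at offset %zu\n", bad, off);
    return 0;
}
```

Smaller regions localize a change more precisely at the cost of more reference hashes to store and protect.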