+- Sinisterly (https://sinister.ly)
+-- Forum: Coding (https://sinister.ly/Forum-Coding)
+--- Forum: C, C++, & Obj-C (https://sinister.ly/Forum-C-C-Obj-C)
+--- Thread: Detect API hooking (/Thread-Detect-API-hooking)
Detect API hooking - Mafia - 06-08-2017
Hey, so recently I have been wondering how to detect API hooking to aid prevent cracking, I have been reading up on methods and so far I understand there are two ways of doing it:
- Check Calls to VirtualProtect
- Hook the IAT address of the process and save bytes into memory, then copy again at a later stage and compare
I am new to anti RE but would love to know any other ways/information about this.
RE: Detect API hooking - ClawsMissingBall - 07-03-2017
I personally am attached to comparing old IAT data to new IAT data, its easy to implement and hard to get around. However my advice would not be to focus so much on anti-debugging but instead proper obfuscation. If you want to see some killer examples of this, marble frameworks is excellent and has a lot of documentation inside.
RE: Detect API hooking - Confidential - 04-26-2018
You could compare bytes of a function to what they should be by reading the file off the disk. Also, make sure functions don't start with something like a jmp or call when they aren't supposed to.