RE: Detect Api hooking 10-07-2023, 04:57 AM
#3
Not exactly about API, but in general. Approach which I use in my apps:
1. You need to control important block of memory. CRC (hash) of important block.
2. Then from different places of app execute code which check memory.
3. If memory is damaged, don't alert about this. NEVER. Even don't check this actually. You need to use this CRC as part of logic for your app.
As example you calculate some value Z, in one part of program add to it predefined CRC of memory which you await. And then in another block of code sub CRC which you actually found. So if memory is not damaged, everything will be ok. If you memory is damaged, you app will be buggy. What is important - bug have no right to ruin your program. It goal to add g1itches and make app useless/unstable by UNKNOWN reasons.
This is common principle.
You also need to have some "official" defence mechanism, something simple, which is easy to find and eliminate (to calm down hacker).
You can add a salt of random, so app will be buggy each time in different place, add control over memory which calculate Z value (double check), and so on.
Any alert, attempt to find address of real API and call it, anti-debugging and so on is easy to detect and eliminate. But when your app just g1itching randomly it is boring and people often blame self in stupidity.
1. You need to control important block of memory. CRC (hash) of important block.
2. Then from different places of app execute code which check memory.
3. If memory is damaged, don't alert about this. NEVER. Even don't check this actually. You need to use this CRC as part of logic for your app.
As example you calculate some value Z, in one part of program add to it predefined CRC of memory which you await. And then in another block of code sub CRC which you actually found. So if memory is not damaged, everything will be ok. If you memory is damaged, you app will be buggy. What is important - bug have no right to ruin your program. It goal to add g1itches and make app useless/unstable by UNKNOWN reasons.
This is common principle.
You also need to have some "official" defence mechanism, something simple, which is easy to find and eliminate (to calm down hacker).
You can add a salt of random, so app will be buggy each time in different place, add control over memory which calculate Z value (double check), and so on.
Any alert, attempt to find address of real API and call it, anti-debugging and so on is easy to detect and eliminate. But when your app just g1itching randomly it is boring and people often blame self in stupidity.
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)