Page 1 of 2
					
Calling API Hookeds Problem
Posted: Sun Feb 12, 2023 7:51 am
by fuzzing
After protecting a file (an .EXE in this case), the .EXE calls MessageBoxA, and that API can be hooked to log or alter its params.
Is there any chance to make an API wrapper in VMProtect to avoid calling the original hooked API?

					
Re: Calling API Hookeds Problem
Posted: Sun Feb 12, 2023 1:10 pm
by Catharsis
For MessageBox you can use the same trick as VMProtect.
A simple example:
Code:
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
extern "C" NTSTATUS NTAPI ZwRaiseHardError(LONG ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask,
    PULONG_PTR Parameters, ULONG ValidResponseOptions, PULONG Response);
int main()
{
    UNICODE_STRING msgBody;
    UNICODE_STRING msgCaption;
    ULONG ErrorResponse;
    const wchar_t cBody[] = L"Some message";
    msgBody.Length = sizeof(cBody) - sizeof(wchar_t);   // byte length, terminator excluded
    msgBody.MaximumLength = msgBody.Length;
    msgBody.Buffer = (wchar_t*)cBody;
    const wchar_t cCaption[] = L"Caption";
    msgCaption.Length = sizeof(cCaption) - sizeof(wchar_t);
    msgCaption.MaximumLength = msgCaption.Length;
    msgCaption.Buffer = (wchar_t*)cCaption;
    const ULONG_PTR msgParams[] = {
        (ULONG_PTR)&msgBody,
        (ULONG_PTR)&msgCaption,
        (ULONG_PTR)(MB_OK | MB_ICONWARNING)
    };
    // mask 3 = entries 0 and 1 are UNICODE_STRING pointers
    ZwRaiseHardError(0x50000018L, 0x00000003L, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse);
    return 0;
}
Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.

					
Re: Calling API Hookeds Problem
Posted: Sun Feb 12, 2023 1:13 pm
by Catharsis
This example can be improved by performing a manual map for ntdll.

					
Re: Calling API Hookeds Problem
Posted: Sun Feb 12, 2023 3:27 pm
by Admin
Catharsis wrote:
Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.
Because your msgParams have the wrong structure. They must have 4 parameters (the last parameter specifies the timeout, and usually it equals INFINITE):
Code:
const ULONG_PTR msgParams[] = {
    (ULONG_PTR)&msgBody,
    (ULONG_PTR)&msgCaption,
    (ULONG_PTR)(MB_OK | MB_ICONWARNING),
    INFINITE
};
ZwRaiseHardError(0x50000018L, 4, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse); // 0x50000018L = STATUS_SERVICE_NOTIFICATION | HARDERROR_OVERRIDE_ERRORMODE

					
Re: Calling API Hookeds Problem
Posted: Sun Feb 12, 2023 4:49 pm
by Catharsis
You may be right about the number of parameters, since the code is not mine and was taken from one of the forums, but it also works with 3 parameters (apparently by a lucky coincidence).
By the rare condition I meant configuring the ACL for the process. The window is displayed, but it is empty (without the required text).
If needed, I can report it in a separate topic with a demo to reproduce the problem.

					
Re: Calling API Hookeds Problem
Posted: Sun Feb 12, 2023 5:08 pm
by Admin
Without the required text: that is most likely a problem with the initialization of UNICODE_STRING, or with the argument array (for example, the array itself is not aligned to a 4/8-byte boundary).
Code:
__forceinline void InitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
{
    if (SourceString)
        // Length is in bytes without the terminator; MaximumLength includes it
        DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(UNICODE_NULL);
    else
        DestinationString->MaximumLength = DestinationString->Length = 0;
    DestinationString->Buffer = (PWCH)SourceString;
}
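A checked version of the pieces the two Admin replies discuss, added here as an example that is not part of the thread or of VMProtect: it assumes stand-in typedefs for UNICODE_STRING and ULONG_PTR so it compiles off Windows, and the names InitUnicodeStringChecked, ValidateHardErrorParams, BuildMessageBoxParams and DemoCorrectedBlock are mine. It verifies the four-entry parameter block, the mask bits, the array alignment and the UNICODE_STRING length fields, so an empty-window symptom can be narrowed down before the call is made.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Stand-in typedefs so the block compiles outside Windows; on Windows take them from <winternl.h>. */
typedef uint16_t USHORT, WCHAR;
typedef uintptr_t ULONG_PTR;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
static size_t u16len(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Checked variant of the thread's InitUnicodeString: fails instead of truncating Length to 16 bits. */
bool InitUnicodeStringChecked(UNICODE_STRING *dst, const WCHAR *src)
{
    if (!src) { dst->Length = dst->MaximumLength = 0; dst->Buffer = NULL; return true; }
    size_t bytes = u16len(src) * sizeof(WCHAR);
    if (bytes + sizeof(WCHAR) > 0xFFFF) return false;      /* would not fit a USHORT */
    dst->Length = (USHORT)bytes;                           /* bytes, terminator excluded */
    dst->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));  /* terminator included */
    dst->Buffer = (WCHAR *)src;
    return true;
}

/* Checks a hard-error parameter block: aligned array, mask naming only existing entries,
 * and every masked entry pointing at a well-formed UNICODE_STRING. */
bool ValidateHardErrorParams(const ULONG_PTR *params, uint32_t count, uint32_t mask)
{
    if (!params || count == 0 || count > 31 || (mask >> count) != 0) return false;
    if ((uintptr_t)params % sizeof(ULONG_PTR) != 0) return false;   /* Admin's 4/8-byte alignment point */
    for (uint32_t i = 0; i < count; i++) {
        if (!(mask & (1u << i))) continue;
        const UNICODE_STRING *s = (const UNICODE_STRING *)params[i];
        if (!s || !s->Buffer) return false;
        if (s->Length % sizeof(WCHAR) != 0 || s->Length > s->MaximumLength) return false;
    }
    return true;
}

/* Builds the four-entry block from Admin's reply (body, caption, style, timeout). Mask 3 marks
 * entries 0 and 1 as UNICODE_STRING pointers, as in the ZwRaiseHardError call on the page. */
bool BuildMessageBoxParams(ULONG_PTR out[4], UNICODE_STRING *body, UNICODE_STRING *caption, uint32_t style, uint32_t timeoutMs)
{
    out[0] = (ULONG_PTR)body; out[1] = (ULONG_PTR)caption; out[2] = style; out[3] = timeoutMs;
    return ValidateHardErrorParams(out, 4, 3);
}

/* Constructed sample (not from the page): returns the body Length in bytes, negative on failure. */
int DemoCorrectedBlock(void)
{
    static const WCHAR body[] = {'S','o','m','e',' ','m','s','g',0}, cap[] = {'C','a','p',0};
    UNICODE_STRING usBody, usCap; ULONG_PTR params[4];
    if (!InitUnicodeStringChecked(&usBody, body) || !InitUnicodeStringChecked(&usCap, cap)) return -1;
    if (!BuildMessageBoxParams(params, &usBody, &usCap, 0x30 /* MB_OK|MB_ICONWARNING */, 0xFFFFFFFFu)) return -2;
    return usBody.Length;
}
```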
 
			
					
Re: Calling API Hookeds Problem
Posted: Sun Feb 12, 2023 9:19 pm
by fuzzing
MessageBox was just an example; what can we do with other APIs?
Can VMP add API wrapping?

					
Re: Calling API Hookeds Problem
Posted: Mon Feb 13, 2023 10:23 am
by Catharsis
Admin wrote: Without the required text: that is most likely a problem with the initialization of UNICODE_STRING, or with the argument array (for example, the array itself is not aligned to a 4/8-byte boundary).
This problem is also relevant for the implementation in VMP. I sent a report to info@vmpsoft.com with a description and files for a demonstration (e-mail subject: "ZwRaiseHardError bug").

					
Re: Calling API Hookeds Problem
Posted: Wed Feb 15, 2023 4:26 am
by fuzzing
Any news or plans?

					
Re: Calling API Hookeds Problem
Posted: Wed Feb 15, 2023 1:15 pm
by Admin
VMProtect doesn't protect system DLLs against hooks.

					
Re: Calling API Hookeds Problem
Posted: Thu Feb 16, 2023 11:15 am
by fuzzing
Admin wrote: VMProtect doesn't protect system DLLs against hooks.
Is there any chance to add an API wrapper?

					
Re: Calling API Hookeds Problem
Posted: Thu Feb 16, 2023 11:23 am
by Catharsis
fuzzing wrote:
Is there any chance to add an API wrapper?
What prevents you from implementing a check for the most common hooks yourself?

					
Re: Calling API Hookeds Problem
Posted: Sat Feb 18, 2023 12:08 pm
by fuzzing
Catharsis wrote:
fuzzing wrote:
Is there any chance to add an API wrapper?
What prevents you from implementing a check for the most common hooks yourself?

Because there are too many ways of hooking an API.
Checking for 0xE9 or things like that can be bypassed just by changing the instruction hooking method.

					
Re: Calling API Hookeds Problem
Posted: Sun Feb 19, 2023 2:36 pm
by Catharsis
fuzzing wrote: Because there are too many ways of hooking an API.
You have now answered your own question.

					
Re: Calling API Hookeds Problem
Posted: Sun Feb 19, 2023 9:59 pm
by fuzzing
Catharsis wrote:
fuzzing wrote: Because there are too many ways of hooking an API.
You have now answered your own question.

Nope, patching the first bytes of an API can be avoided by making some type of API wrapper like Themida does, but honestly I don't like Themida, I don't use it and I will not use it; I'm on the VMProtect way, and it would be nice if it could add some kind of API wrapper too!