Calling API Hookeds Problem

Issues related to VMProtect
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

fuzzing wrote:Nope, patching the first bytes of an API can be avoided by making some type of API wrapper like Themida does, but honestly I don't like Themida, I don't use it and I will not use it, I'm on the VMProtect way, and it will be nice if it can add some kind of API wrapper too!
Themida does not prevent hooks in any way. API Wrapping is just hiding the original imports, nothing more.
As I said above, you can implement your own checks for the most common hooks. Alternatively, make a manual map for the library whose functions you are calling. In any case, this is not the responsibility of the protectors.
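One way to implement the "checks for the most common hooks" mentioned above, as an added example that is not code from VMProtect, Themida or any poster in this thread: compare the first bytes of a function as they sit in memory with a reference copy (assumed to be read from the same library version on disk), and if they differ, classify the patch by the trampoline shapes that hooking engines most often write over a prologue. All prologue bytes below are constructed samples, and the reference-copy source is an assumption; the code works on plain byte buffers so it runs anywhere.

```c
/* Detecting "first bytes patched" API hooks by inspecting a function prologue.
 * Added example for this thread, not code from VMProtect, Themida or any poster.
 * It works on byte buffers only; the prologues below are constructed samples,
 * and the reference copy is assumed to come from the same library version. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROLOGUE_LEN 16

typedef enum {
    HOOK_NONE = 0,     /* bytes match the reference copy */
    HOOK_JMP_REL32,    /* E9 rel32 */
    HOOK_JMP_ABS_IND,  /* FF 25 disp32: jmp [rip+disp32] (x64) / jmp [abs32] (x86) */
    HOOK_PUSH_RET,     /* 68 imm32 C3 */
    HOOK_MOV_RAX_JMP,  /* 48 B8 imm64 FF E0 */
    HOOK_MISMATCH      /* differs from reference, no known trampoline shape */
} hook_kind;

/* Recognise the trampoline shapes most often written over a prologue. */
hook_kind classify_prologue(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25)
        return HOOK_JMP_ABS_IND;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3)
        return HOOK_PUSH_RET;
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return HOOK_NONE;
}

/* Compare the live prologue with a reference copy (assumed: the same bytes read
 * from the library file on disk). Identical bytes mean no inline hook; a
 * difference is classified, and reported as HOOK_MISMATCH if no shape matches. */
hook_kind check_function(const uint8_t *live, const uint8_t *reference, size_t len)
{
    if (memcmp(live, reference, len) == 0)
        return HOOK_NONE;
    hook_kind k = classify_prologue(live, len);
    return (k == HOOK_NONE) ? HOOK_MISMATCH : k;
}

/* Constructed sample: a plain x64 prologue (mov [rsp+8],rbx; push rdi; sub rsp,0x20; ...). */
const uint8_t sample_clean[PROLOGUE_LEN] = {
    0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20,
    0x48,0x8B,0xD9, 0x48,0x8B,0xFA };

/* Constructed samples of the same prologue after different kinds of inline patch. */
const uint8_t sample_jmp_rel32[PROLOGUE_LEN] = {
    0xE9,0x11,0x22,0x33,0x44, 0x57, 0x48,0x83,0xEC,0x20,
    0x48,0x8B,0xD9, 0x48,0x8B,0xFA };
const uint8_t sample_jmp_ind[PROLOGUE_LEN] = {
    0xFF,0x25,0x00,0x00,0x00,0x00, 0x48,0x83,0xEC,0x20,
    0x48,0x8B,0xD9, 0x48,0x8B,0xFA };
const uint8_t sample_push_ret[PROLOGUE_LEN] = {
    0x68,0x78,0x56,0x34,0x12, 0xC3, 0x48,0x83,0xEC,0x20,
    0x48,0x8B,0xD9, 0x48,0x8B,0xFA };
const uint8_t sample_mov_jmp[PROLOGUE_LEN] = {
    0x48,0xB8,0x88,0x77,0x66,0x55,0x44,0x33,0x22,0x11, 0xFF,0xE0,
    0xD9, 0x48,0x8B,0xFA };
/* A software breakpoint (int3) on the first byte: a patch, but not a trampoline shape. */
const uint8_t sample_int3[PROLOGUE_LEN] = {
    0xCC,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20,
    0x48,0x8B,0xD9, 0x48,0x8B,0xFA };

/* Run every sample against the clean reference; returns how many are flagged. */
int count_flagged_samples(void)
{
    const uint8_t *samples[] = { sample_clean, sample_jmp_rel32, sample_jmp_ind,
                                 sample_push_ret, sample_mov_jmp, sample_int3 };
    int flagged = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (check_function(samples[i], sample_clean, PROLOGUE_LEN) != HOOK_NONE)
            flagged++;
    return flagged;
}

int main(void)
{
    static const char *names[] = { "none", "jmp rel32", "jmp [abs]", "push/ret",
                                   "mov rax/jmp rax", "mismatch" };
    printf("jmp_rel32 sample: %s\n",
           names[check_function(sample_jmp_rel32, sample_clean, PROLOGUE_LEN)]);
    printf("flagged samples: %d of 6\n", count_flagged_samples());
    return 0;
}
```

The byte comparison is the part that actually matters; the shape classifier only labels what kind of patch was found. The reference copy has to come from the same library build that is loaded (relocated and with any hot-patch padding accounted for), otherwise every function looks modified. This check covers only patches to the function's first bytes, which is exactly the case that API wrapping does not address; IAT and export-table hooks need a separate check of the pointers rather than the code.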
fuzzing
Posts: 19
Joined: Fri Aug 07, 2020 2:33 am

Re: Calling API Hookeds Problem

Post by fuzzing »

Catharsis wrote:
fuzzing wrote:Nope, patching the first bytes of an API can be avoided by making some type of API wrapper like Themida does, but honestly I don't like Themida, I don't use it and I will not use it, I'm on the VMProtect way, and it will be nice if it can add some kind of API wrapper too!
Themida does not prevent hooks in any way. API Wrapping is just hiding the original imports, nothing more.
As I said above, you can implement your own checks for the most common hooks. Alternatively, make a manual map for the library whose functions you are calling. In any case, this is not the responsibility of the protectors.
Themida's API Wrapper protects the first instructions of an API by recreating and obfuscating them from scratch (all info is here: https://iam-hs.com/105), so that any hooked API doesn't get called.
A protector should make some kind of protection against hooked APIs, because some programs like rohitab's API Monitor ( http://www.rohitab.com/apimonitor ) hook all APIs to see how the program works.
Catharsis
Posts: 23
Joined: Tue Sep 22, 2020 5:27 pm

Re: Calling API Hookeds Problem

Post by Catharsis »

fuzzing wrote:(all info is here) https://iam-hs.com/105
It says exactly the same thing as I told you.
Themida destroys the original IAT and replaces the WINAPI calls in the application code with its own bridges, so that the process dump does not identify which WINAPI functions are being used. Only hooks that are installed using IAT patching will not work.
Nothing prevents me from installing the hook by patching the first bytes of the functions directly in the system libraries themselves (which I use successfully, it works fine for any protected application, including Themida).
Functions in system libraries are not protected in any way (you can check this simply by opening the protected application in a debugger and checking the system library functions).
So you're either a troll or you just don't understand how it works.