infilter2.txt
!!! All Infilter examples are risky because they operate on processes they know nothing about !!!
Before testing the Infilter examples you should reduce your rights so that
Infilter cannot hook system processes (log on as guest).
Because the Infilter2?.dll modules import from ApiHooks.dll, ApiHooks.dll must be located
in a search path common to all processes, for example the Windows system directory.
These Infilter examples are for NT only: every running process is hooked, and every new
process is hooked as well. On W9X you have to hook (HARDly) the CreateProcessA, LoadModule and
WinExec functions instead, as shown in the Exec example.
It is important to have ApiHooks.dll in the search path - copy it to the Windows
directory.
If you are admin, x-2-s-n of x processes will be hooked: 2 for Idle and System,
s for special processes such as regsvc.exe that refuse Infilter+ApiHooks, and n for
native processes (such as smss.exe and os2ss.exe). On W2K you will typically get x-5 of x:
Idle, System, smss, regsvc and lsass.exe are not hooked. Lsass.exe returns ErrorTimeOut
but is hooked later.
Use the TH32 and PSAPI module lists for checking.
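One way to do that check, as an added example that is not part of the Infilter/ApiHooks package: the PowerShell function below walks every process and its loaded module list (the same information the TH32 and PSAPI lists expose) and reports which processes have ApiHooks.dll loaded, which do not, and which refuse to be inspected (Idle, System and protected processes). It also verifies that the DLL sits in the system directory, where every process's search path can resolve it. The module name and the summary output format are assumptions; run it elevated to reproduce the x-2-s-n count described above.

```powershell
# Added example, not part of Infilter/ApiHooks: audit which processes have a
# given DLL loaded, equivalent to walking the Toolhelp32 / PSAPI module lists.
# Assumed module name: 'ApiHooks.dll' (taken from the text above).

function Get-ModuleLoadReport {
    param(
        [Parameter(Mandatory)] [string] $ModuleName
    )
    foreach ($p in Get-Process) {
        $status = 'not loaded'
        $path   = $null
        try {
            # -ErrorAction Stop turns the "cannot enumerate modules" error that
            # Idle, System and protected processes raise into a catchable exception.
            $mods = Get-Process -Id $p.Id -Module -ErrorAction Stop
            $hit  = $mods | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
            if ($hit) { $status = 'loaded'; $path = $hit.FileName }
        } catch {
            # Access denied or the process is already gone: these are the
            # processes the text calls "special" or "native" (they refuse the hook).
            $status = 'inaccessible'
        }
        [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Status = $status; Path = $path }
    }
}

# Is the DLL where every process can find it? The system directory is on every
# process's default DLL search path.
$expected = Join-Path ([Environment]::SystemDirectory) 'ApiHooks.dll'
"ApiHooks.dll present in system directory: $(Test-Path $expected)"

# x-2-s-n style summary: total processes, how many carry the DLL, and the rest.
$report = @(Get-ModuleLoadReport -ModuleName 'ApiHooks.dll')
$hooked = @($report | Where-Object Status -eq 'loaded').Count
"$hooked of $($report.Count) processes have ApiHooks.dll loaded"
$report | Where-Object Status -ne 'loaded' | Format-Table Id, Name, Status -AutoSize
```

Run once before and once after starting an Infilter example: the difference between the two "loaded" counts is the number of processes actually hooked, and the "inaccessible" rows are the 2+s+n processes the text says will stay unhooked. From a non-admin account the inaccessible set is much larger, which is the reason the text recommends testing as guest.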
The 2A method is the standard method: infilter all processes and call EstablishApiHooks
in every new process.
The 2B method is the pure LoadAndCall method: infilter all processes and LoadAndCall
into every new process.
The 2C method is the DllMain + LoadAndCall method: infilter all processes and LoadAndCall
into every new process.
2A method:
Advantages:
ApiHooks.dll is not required for hooking the current process; the hooks are established
by the EAH* functions. (In this example, however, ApiHooks.dll is still required for applying
the hooks to new processes.) Exclusion of modules is not needed.
Disadvantages:
Hooks are static: whatever is in ApiHookChain gets hooked (provided the given ModuleExport is
present and ApiNameOrOrd exists). Example: I want to hook every new process; on NT I need
to hook some NTDLL function, on W9X the CreateProcess & Co. functions. On W9X this is fine
-> NTDLL doesn't export the wanted functions. On NT, however, everything is hooked -> that is
redundant and may cause difficulties. Something like
cmp OStype, NT
jne Ignore
must be added to the NewApi routines in order to rule the redundantly hooked APIs out.
Unhooking is realised in DllMain(DLL_PROCESS_ATTACH).
2B method:
Advantages:
Hooks are dynamic: hook whatever you want via HookApi. The Dll doesn't need to have a
DllMain. Communication is realised through an exported function (here Ord 1), which is
an advantage - you can send your own commands.
Disadvantages:
ApiHooks.dll is required for hooking anything at all. This causes errors when
ApiHooks.dll is not in the search path of the target process. Exclusion of the dll itself
and of ballast dlls is needed. If the dll is unloaded without notification the process may
crash.
Unhooking is realised via the 2nd call (the notification) to Entry (here Ord 1).
2C method:
Advantages:
Hooks are dynamic: hook whatever you want via HookApi. The Dll must have a DllMain.
Disadvantages:
ApiHooks.dll is required for hooking anything at all. This causes errors when
ApiHooks.dll is not in the search path of the target process. Exclusion of the dll itself
and of ballast dlls is needed.
Unhooking is realised in DllMain(DLL_PROCESS_ATTACH).
So, which is best?
A Dll with static hooks suited to the given OS.