
    User/Kernel Delphi Unhooker

    This is “AFX LeakTest”, written by Aphex. The Delphi source contains a lot of useful material, but the most interesting part of it is the “unhook” unit, which gives you the simplest way of removing user and kernel hooks. You can probably build your own SSDT-restoring utilities from it.

    Features:
    • Scanning for user mode hooks
    • Scanning for kernel mode hooks
    • Removing User Hooks
    • Removing Kernel Hooks


    What inside:
    • Delphi Hooking Library
    • Access Control API interface
    • NT Status Codes API interface
    • Windows Types API interface
    • Windows Base Types API interface


    Code example:
    Code:
    //USER MODE UNHOOKING
    
    // Compares one named export of hModule against a fresh copy of the same
    // module read from disk and, when the first byte of the two differs,
    // copies the on-disk function body over the live one. Returns True only
    // when bytes were actually overwritten; False when the export was not
    // found in either image or the first bytes matched.
    //
    // The side effect is a write to executable memory of a loaded module.
    // From a monitoring standpoint, the VirtualProtect -> write -> VirtualProtect
    // sequence on a system module's export is itself a strong signal.
    //
    // Parameters:
    //   hModule      - handle of the loaded module; its path is resolved with
    //                  GetModuleFileName and re-read from disk.
    //   FunctionName - export name to look up (case-insensitive, lstrcmpi).
    //
    // NOTE(review): no return value of CreateFile, ReadFile, VirtualAlloc or
    // VirtualProtect is checked; a missing file or a short read is followed
    // by parsing whatever GetMem returned as a PE header.
    // NOTE(review): all pointer arithmetic goes through cardinal(), so this is
    // 32-bit-only code; in a 64-bit process the casts truncate pointers.
    function UnhookExport(hModule: HMODULE; FunctionName: pchar): boolean;
    type
      TSections = array [0..0] of TImageSectionHeader;  // indexed past [0] below; relies on range checks being off
    var
      ModuleName: pchar;
      ImageBase, LoadedImage, pImageBase, pSectionBase: pointer;
      Module: THandle;
      ModuleSize, BytesRead: dword;
      ImageDosHeader: PImageDosHeader;
      ImageNtHeaders: PImageNtHeaders;
      ImageExportDirectory: PImageExportDirectory;
      ExportLoop: integer;
      ExportName: pchar;
      ExportFunction: pointer;
      PNames: pdword;
      PFunctions: pdword;
      PSections: ^TSections;
      SectionLoop: integer;
      SectionBase: pointer;
      VirtualSectionSize, RawSectionSize: dword;
      LoadedAddress: pbyte;
      ExportedAddress: pbyte;
      OldProtection: dword;
      CodeLen: dword;
    begin
      Result := False;
      GetMem(ModuleName, MAX_PATH + 1);
      GetModuleFileName(hModule, ModuleName, MAX_PATH + 1);
      ExportedAddress := nil;
      LoadedAddress := nil;
      // Read the whole module file into LoadedImage (raw file layout, not mapped).
      Module := CreateFile(ModuleName, GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
      SetFilePointer(Module, 0, nil, FILE_BEGIN);
      ModuleSize := GetFileSize(Module, nil);
      GetMem(LoadedImage, ModuleSize);
      ReadFile(Module, LoadedImage^, ModuleSize, BytesRead, nil);
      CloseHandle(Module);
      ImageDosHeader := PImageDosHeader(LoadedImage);
      ImageNtHeaders := PImageNtHeaders(cardinal(ImageDosHeader.e_lfanew) + cardinal(LoadedImage));
      // Reserve SizeOfImage and lay the file out section by section at its
      // RVAs, so that export RVAs can be resolved against ImageBase below.
      // No base relocations are applied: the copy reflects the preferred image
      // base, not the address the live module was actually loaded at, so any
      // absolute operand in a rebased module will legitimately differ.
      ImageBase := VirtualAlloc(nil, ImageNtHeaders.OptionalHeader.SizeOfImage, MEM_RESERVE, PAGE_NOACCESS);
      pImageBase := ImageBase;  // kept for the final VirtualFree
      SectionBase := VirtualAlloc(ImageBase, ImageNtHeaders.OptionalHeader.SizeOfHeaders, MEM_COMMIT, PAGE_READWRITE);
      pSectionBase := SectionBase;  // same address as pImageBase (see the trailing VirtualFree)
      Move(LoadedImage^, SectionBase^, ImageNtHeaders.OptionalHeader.SizeOfHeaders);
      // Section headers immediately follow the optional header.
      PSections := pointer(pchar(@(ImageNtHeaders.OptionalHeader)) + ImageNtHeaders.FileHeader.SizeOfOptionalHeader);
      for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
      begin
        VirtualSectionSize := PSections[SectionLoop].Misc.VirtualSize;
        RawSectionSize := PSections[SectionLoop].SizeOfRawData;
        if VirtualSectionSize < RawSectionSize then VirtualSectionSize := RawSectionSize;
        SectionBase := VirtualAlloc(PSections[SectionLoop].VirtualAddress + pchar(ImageBase), VirtualSectionSize, MEM_COMMIT, PAGE_READWRITE);
        FillChar(SectionBase^, VirtualSectionSize, 0);
        Move(pointer(cardinal(LoadedImage) + PSections[SectionLoop].PointerToRawData)^, SectionBase^, RawSectionSize);
        // NOTE(review): MEM_RELEASE requires the base address of the original
        // reservation; SectionBase is an interior address, so this call fails
        // (result unchecked) and the section stays committed - which the
        // export walk below depends on.
        VirtualFree(SectionBase, 0, MEM_RELEASE);
      end;
      // First export walk: resolve FunctionName inside the disk copy.
      // NOTE(review): AddressOfNames and AddressOfFunctions are walked in
      // lockstep; AddressOfNameOrdinals is never consulted, so the pairing is
      // only correct when the name-to-ordinal table is the identity mapping.
      // Both walks make the same assumption, so they at least agree with
      // each other.
      ImageExportDirectory := PImageExportDirectory(ImageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + cardinal(ImageBase));
      PNames := pointer(cardinal(ImageExportDirectory.AddressOfNames) + cardinal(ImageBase));
      PFunctions := pointer(cardinal(ImageExportDirectory.AddressOfFunctions) + cardinal(ImageBase));
      for ExportLoop := 0 to ImageExportDirectory.NumberOfNames - 1 do
      begin
        ExportName := pchar(pdword(PNames)^ + cardinal(ImageBase));
        ExportFunction := pointer(pdword(PFunctions)^ + cardinal(ImageBase));
        if lstrcmpi(ExportName, FunctionName) = 0 then
        begin
          LoadedAddress := ExportFunction;  // address inside the clean copy
          Break;
        end;
        Inc(PNames);
        Inc(PFunctions);
      end;
      // Second export walk: the same lookup against the live, loaded module.
      ImageBase := pointer(GetModuleHandle(ModuleName));
      ImageDosHeader := PImageDosHeader(ImageBase);
      ImageNtHeaders := PImageNtHeaders(cardinal(ImageDosHeader.e_lfanew) + cardinal(ImageBase));
      ImageExportDirectory := PImageExportDirectory(ImageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + cardinal(ImageBase));
      PNames := pointer(cardinal(ImageExportDirectory.AddressOfNames) + cardinal(ImageBase));
      PFunctions := pointer(cardinal(ImageExportDirectory.AddressOfFunctions) + cardinal(ImageBase));
      for ExportLoop := 0 to ImageExportDirectory.NumberOfNames - 1 do
      begin
        ExportName := pchar(pdword(PNames)^ + cardinal(ImageBase));
        ExportFunction := pointer(pdword(PFunctions)^ + cardinal(ImageBase));
        if lstrcmpi(ExportName, FunctionName) = 0 then
        begin
          ExportedAddress := ExportFunction;  // address inside the live module
          Break;
        end;
        Inc(PNames);
        Inc(PFunctions);
      end;
      if ((LoadedAddress <> nil) and (ExportedAddress <> nil)) then
      begin
        // Only the FIRST byte of each function is compared (pbyte dereference).
        // Modifications further into the body are not seen, and a differing
        // first byte is not necessarily a hook (see the relocation note above).
        if ((ExportedAddress^ <> 0) and (LoadedAddress^ <> 0) and (ExportedAddress^ <> LoadedAddress^)) then
        begin
          Result := True;
          WriteLn('Unhooking ', FunctionName, '...');
          WriteLn('');
          // SizeOfProc is not defined in this listing (presumably the hooking
          // library); assumed to return the function length in bytes - TODO confirm.
          CodeLen := SizeOfProc(LoadedAddress);
          // Make the live function writable, overwrite it with the clean bytes,
          // then restore the previous protection. Neither VirtualProtect result
          // is checked, and other threads may execute the function mid-copy.
          VirtualProtect(ExportedAddress, CodeLen, PAGE_EXECUTE_READWRITE, @OldProtection);
          CopyMemory(ExportedAddress, LoadedAddress, CodeLen);
          VirtualProtect(ExportedAddress, CodeLen, OldProtection, @OldProtection);
        end;
      end;
      FreeMem(ModuleName);
      FreeMem(LoadedImage);
      VirtualFree(pImageBase, 0, MEM_RELEASE);
      // pSectionBase equals pImageBase, so this second release targets an
      // already-released region and fails silently (result unchecked).
      VirtualFree(pSectionBase, 0, MEM_RELEASE);
    end;
    
    // Walks every named export of the image at ImageBase and runs UnhookExport
    // on each one. Returns True when UnhookExport reported (and rewrote) at
    // least one export, False when none differed. Despite the name, this
    // modifies the live module through UnhookExport.
    //
    // Parameters:
    //   ImageBase            - base address of the loaded module.
    //   ImageExportDirectory - its export directory, already resolved to a VA.
    function CheckExports(ImageBase: pointer; ImageExportDirectory: PImageExportDirectory): boolean;
    var
      NameIndex: integer;
      NameRva: pdword;
      CurrentName: pchar;
    begin
      Result := False;
      // AddressOfNames is an RVA to an array of RVAs, one per exported name.
      NameRva := pointer(cardinal(ImageExportDirectory.AddressOfNames) + cardinal(ImageBase));
      for NameIndex := 0 to ImageExportDirectory.NumberOfNames - 1 do
      begin
        CurrentName := pchar(NameRva^ + cardinal(ImageBase));
        // The call comes first so every export is visited; Result is a sticky OR.
        Result := UnhookExport(HMODULE(ImageBase), CurrentName) or Result;
        Inc(NameRva);
      end;
    end;
    
    // Scans the named exports of the loaded kernel32 image for in-memory
    // differences against the on-disk copy (see UnhookExport via CheckExports)
    // and prints a message when nothing was rewritten. Only kernel32 is examined.
    procedure RemoveUserHooks;
    var
      Base: pointer;
      DosHeader: PImageDosHeader;
      NtHeaders: PImageNtHeaders;
      ExportDir: PImageExportDirectory;
    begin
      Base := pointer(GetModuleHandle('kernel32'));
      DosHeader := PImageDosHeader(Base);
      NtHeaders := PImageNtHeaders(cardinal(DosHeader.e_lfanew) + cardinal(Base));
      ExportDir := PImageExportDirectory(NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + cardinal(Base));
      // A zero export-directory RVA resolves to the image base itself: nothing to scan.
      if ExportDir = Base then Exit;
      if ExportDir.NumberOfNames = 0 then Exit;
      if not CheckExports(Base, ExportDir) then WriteLn('No user mode hooks found!');
    end;


    Thanks Dwar, i think we can bypass protection with this tools...
    i'll write it use delphi too..and call from C# to disable

    Do you have an example or the steps for removing a kernel-mode hook?
    nice share bro, for SSDT hooks I'm using the Delphi DDK
