Please, can you convert this source to an exe and send it by mail to me: rabih_saleh@hotmail.co.uk. Another question: can I hide a registry entry? Please, I need help with this.
I tested your code; it can inject the DLL into a running exe.
But when I run regedit.exe, regedit.exe crashes!
Why? Please give me the reason.
I tested it on winxp sp2 and winsk sp3; it also failed.
I built the code of testdll, but it failed with this message:
Compiling...
apihijack.cpp
c:\hidereg\testdll\apihijack.cpp(158) : error C2440: '=' : cannot convert from 'unsigned long' to 'void *'
Conversion from integral type to pointer type requires reinterpret_cast, C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(196) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
This conversion requires a reinterpret_cast, a C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(203) : error C2446: '>' : no conversion from 'unsigned long *' to 'unsigned long'
This conversion requires a reinterpret_cast, a C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(203) : error C2040: '>' : 'unsigned long' differs in levels of indirection from 'unsigned long *'
c:\hidereg\testdll\apihijack.cpp(204) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
This conversion requires a reinterpret_cast, a C-style cast or function-style cast
dllmain.cpp
Error executing cl.exe.
TestDLL.dll - 5 error(s), 0 warning(s)
How do I solve it?
Is there any problem using this program on the Windows 2003 platform?
I've met a lot of error messages.
What's the problem with this program?
I want to fix this bug.
Help me, please.
Thanks in advance!
csjung
Why can't the hooked function access a callback? It can't read the memory where the jmp instruction is. How do I solve this problem?
Okay, that was nice code, but can you tell me what steps are needed to add a new thing to be hooked without getting any problems? Please reply as soon as possible. Thanks, thumbs up.
I want to hook the IoCreateFile function now.
Can I apply this method to hook IoCreateFile?
Then, how?
Thanks in advance!
csjung
Can I use it to hook the API CreateProcessW?
Hi!
I've put the code into my application, but I don't want to use the DLL from the example...
But it looks like it doesn't work without the DLL?
cyberguru
The other apps can only access the hooked function if it is inside a DLL.
Dear All,
I am developing an application for Windows 2000 in MFC VC++ version 6.0.
My application runs as an interactive service.
I used your DLL in my program, which is used to hide given key(s) from the registry. The program works fine and hides the given keys from the registry. But when I log off my system and log in, the following error occurs:
...............................
SAS Window: Winlogon.exe Application error.
The instruction at "0x01007f2d" referenced memory at "0x00006c". The memory could not be read. Click OK to close and Cancel to debug.
...............................
On clicking OK the system restarts.
I think I need to free the DLL before logging out. So I tried FreeLibrary in QueryEndSession, but it did not help.
Is there any other way to free the DLL?
Or any other way out to solve the problem?
The program works fine when I restart and log in (probably because at that time the DLL is freed and loaded again, but the same is not the case for log off and log in).
Thanks
Rohit
Instead of just returning 1 when the value should not be displayed, you should return the call to the old function with an increased index, and the next time the hook is called with the same key, also increase the index.
Of course you have to store somewhere how many items you've skipped across function calls, on a per-key basis. If you also hook the other registry functions, the key would be completely stealthy and inaccessible.
By the way, do you realize which security issue this is? I don't want to go into detail, but maybe someone could write a totally stealthed program (at least for normal applications, not for services or drivers). It's difficult to hook hundreds of API functions and the program would be really, really big, but really dangerous.
It would be a great problem if you weren't able to see which programs are running in the background.
Hi Tim Kosse,
I tested your suggestion,
but the problem is still there.
And I tried this code that doesn't hide anything,
but when I run msconfig it displays an error:
LONG MyRegEnumValue(
    HKEY hKey,
    DWORD dwIndex,
    LPWSTR lpValueName,
    LPDWORD lpcValueName,
    LPDWORD lpReserved,
    LPDWORD lpType,
    LPBYTE lpData,
    LPDWORD lpcbData
) {
    LONG ret;
    RegEnumValueWtype oldfn = (RegEnumValueWtype)RegDLL_Hooks.Functions[0].OrigFn;
    char ss[10];
    ret = oldfn(hKey, dwIndex + 1, lpValueName, lpcValueName, lpReserved, lpType, lpData, lpcbData);
    return ret;
}
Hey,
my msconfig problem is still there.
What can I do?
If we don't remove that problem, this is of no use.
Help me if you can.
hirosh
You should insert the keyword 'WINAPI' into your own function like this:
LONG WINAPI MyRegEnumValue(...)
Then all of your trouble above will disappear!
Good luck to you...
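Two of the problems in this thread, the C2440 integer-to-pointer conversion errors reported a few posts up and the missing WINAPI calling convention addressed in the reply just above, are illustrated by the following C++ example. It is added here and is not code from the article or from any poster. The hook table (EnumFnType, OriginalEnum, g_Hooks, MyEnum) is a hypothetical two-argument stand-in rather than the real RegEnumValueW signature, the "original" function returns constructed values, and the shims that let it build on non-Windows toolchains are an assumption.

```cpp
#include <cstdint>
#include <type_traits>

#ifdef _WIN32
#include <windows.h>
#else
// Shims so the example also compiles outside Windows (assumption: on non-MSVC
// toolchains WINAPI expands to nothing, so the calling-convention check is vacuous).
#define WINAPI
#define ERROR_SUCCESS 0L
#define ERROR_NO_MORE_ITEMS 259L
typedef long LONG;
typedef unsigned long DWORD;
#endif

// --- Part 1: the C2440 errors. An address kept as an integer must be turned into a
// pointer explicitly, via reinterpret_cast and std::uintptr_t. Note that `unsigned long`
// is only 32 bits on 64-bit Windows, so it silently truncates a pointer there;
// std::uintptr_t is guaranteed wide enough.
void* PointerFromAddress(std::uintptr_t addr) {
    return reinterpret_cast<void*>(addr);
}

std::uintptr_t AddressFromPointer(const void* p) {
    return reinterpret_cast<std::uintptr_t>(p);
}

// Offset of `target` from `base` (for example an export relative to a module base).
std::uintptr_t OffsetFromBase(const void* base, const void* target) {
    return AddressFromPointer(target) - AddressFromPointer(base);
}

// Checks that a pointer survives the integer round trip on this platform.
bool PointerRoundTripOk() {
    static unsigned char buffer[64];  // constructed stand-in for a code region
    return PointerFromAddress(AddressFromPointer(buffer)) == buffer;
}

// --- Part 2: the WINAPI fix. Hypothetical hook table modelled on the thread's
// RegDLL_Hooks.Functions[0].OrigFn, with a two-argument stand-in for the original.
typedef LONG (WINAPI *EnumFnType)(DWORD dwIndex, DWORD* lpValue);

// Constructed "original": yields 0, 10, 20 for indices 0..2, then ERROR_NO_MORE_ITEMS.
LONG WINAPI OriginalEnum(DWORD dwIndex, DWORD* lpValue) {
    if (dwIndex >= 3) return ERROR_NO_MORE_ITEMS;
    *lpValue = dwIndex * 10;
    return ERROR_SUCCESS;
}

struct HookEntry { EnumFnType OrigFn; };
HookEntry g_Hooks[1] = { { &OriginalEnum } };

// Replacement declared with WINAPI so it cleans up its arguments exactly like the
// original; without it a 32-bit build leaves the caller's stack corrupted, which is
// the kind of crash the thread sees in msconfig.
LONG WINAPI MyEnum(DWORD dwIndex, DWORD* lpValue) {
    EnumFnType oldfn = g_Hooks[0].OrigFn;
    return oldfn(dwIndex, lpValue);  // forward the call unchanged
}

// Compile-time guard: the hook's type, calling convention included, must equal the
// original's. Drop WINAPI from MyEnum on 32-bit MSVC and this line refuses to compile,
// which is far cheaper than a crash in another process.
static_assert(std::is_same<decltype(&MyEnum), EnumFnType>::value,
              "hook must have the same signature and calling convention as the original");

// Enumerates through the hook until the original reports no more items.
int CountEnumeratedValues() {
    int count = 0;
    DWORD value = 0;
    while (MyEnum(static_cast<DWORD>(count), &value) == ERROR_SUCCESS) ++count;
    return count;
}
```

The static_assert only has teeth where __stdcall and __cdecl are distinct types, i.e. 32-bit MSVC builds like the VC++ 6.0 projects discussed here; on x64 both conventions collapse into one and the check passes trivially, so the mismatch would go unnoticed there only because it no longer matters.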
...yeah, like hooking (psapi.dll) EnumProcessModules (to hide the DLL) and EnumProcesses to hide the trojan. Nice idea for a Back Orifice 2000 add-in.
An even better idea would be to hook some more APIs (CreateFile, FindFirst, FindNext, CreateProcess (to spawn the DLL as soon as a program starts), ...) so the trojan would be hidden even on disk. Maybe even stick it into NTFS streams (try to create a program with the name "bla.txt:stream1"). With some DLL injection and process rights elevation, you can actually insert a remote thread into services, system processes (winlogon.exe; hmm, what would I do there... what are those 2 *cool* edit boxes) etc., so quite reasonable stealth could be achieved. Actually the program wouldn't be *that* huge at all and there ain't that many APIs to hook.
Let's see when I can finish that (ADO with bugs, databases with "too many" tables, annoying customers waiting for a new update, working till night, ...)
hehe, guess that program won't see its light *ever*, so don't bother (I hardly believe that some teenager is able to code that).
Don't forget to hook LoadLibrary, else someone could load the API functions directly from the system DLLs.
There are really a lot of API functions. You have to hook all registry functions, all file functions, most shell functions (SHBrowse), the process functions and some other functions. To really hide a program, it has to hook hundreds of API functions. And the program really needs a lot of memory, since it has to remember the state of different API calls (most obviously for the enum functions).
I think exploiting the hooks for stealth programs is just too complex. The most efficient method for trojans and other spyware is still this: "Click here for free XXX pics", and the actual trojan should contain a small pic viewer.
Signature? I've no need for it!
Did you check NTRootkit? Ring 0 trojan... some people really have too much spare time.
Yes. Do you have any question?
Yeah,
I still can't remove the msconfig problem
and I have no idea how to fix that problem.
If we don't remove that msconfig problem,
this is of no use.
So help me if you can.
hirosh