flat assembler
Message board for the users of flat assembler.

Index > Windows > hooking is bad?


b1528932 11 Sep 2010, 16:21
Joined: 21 May 2010
Posts: 287
Should Microsoft ban hooking?
I have been thinking. They made it a lot harder to hook the kernel, why not do the same for user processes? It should be possible to edit memory protection only for dynamically allocated ranges; DLLs (or other memory mapped files) should not be modifiable (or at least not writeable). Debuggers would have to use other methods than inserting int3, such as hardware breakpoints/single step, and perhaps not-present/supervisor pages.

The question is why. To break undocumented apps and increase the quality of software.
Hooking can be done correctly on some CPUs, but not all, and it's hardware specific. And of course it's not reliable if 2+ install a hook in the same place.
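The write-protected DLL mappings proposed above would stop exactly the kind of in-place modification a defender has to look for today. As an added example (not code from this thread), the check below compares a function's entry bytes as mapped in memory against the reference bytes from the on-disk image and classifies any difference: an int3 breakpoint, a jmp rel32 detour (with its target resolved), an indirect jmp, or some other patch. The x64 prologue bytes, the patched variants and the virtual address are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What was found written over a function's first bytes. */
typedef enum { HOOK_NONE, HOOK_INT3, HOOK_JMP_REL32, HOOK_JMP_INDIRECT, HOOK_OTHER } hook_kind;
/* Compare `len` bytes of mapped code (`live`) with the reference bytes from
 * the on-disk image (`ref`).  `live_va` is the virtual address of `live`;
 * it only serves to resolve a jmp rel32 target, which is stored in *target. */
hook_kind classify_entry(const uint8_t *live, const uint8_t *ref, size_t len,
                         uint64_t live_va, uint64_t *target)
{
    *target = 0;
    if (memcmp(live, ref, len) == 0)
        return HOOK_NONE;                        /* code section is intact */
    if (live[0] == 0xCC)
        return HOOK_INT3;                        /* software breakpoint */
    if (live[0] == 0xE9 && len >= 5) {           /* jmp rel32 detour */
        int32_t rel;
        memcpy(&rel, live + 1, sizeof rel);      /* little-endian displacement */
        *target = live_va + 5 + (uint64_t)(int64_t)rel; /* relative to next insn */
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && live[0] == 0xFF && live[1] == 0x25)
        return HOOK_JMP_INDIRECT;                /* jmp [rip+disp32] */
    return HOOK_OTHER;                           /* patched some other way */
}
/* Constructed sample: a typical x64 prologue (mov [rsp+8],rbx; push rdi;
 * sub rsp,20h) as on disk, then the same bytes with an int3 and a jmp written over them. */
#define SAMPLE_LEN 10
static const uint8_t sample_ref[]  = { 0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20 };
static const uint8_t sample_int3[] = { 0xCC,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20 };
static const uint8_t sample_jmp[]  = { 0xE9,0xFB,0x0F,0x00,0x00, 0x57, 0x48,0x83,0xEC,0x20 };
#define SAMPLE_VA 0x7FF800001000ULL   /* constructed address of the function */

/* Run one constructed case: 0 = intact, 1 = int3 planted, 2 = jmp rel32 detour. */
hook_kind demo_kind(int which, uint64_t *target)
{
    const uint8_t *live = which == 1 ? sample_int3 : which == 2 ? sample_jmp : sample_ref;
    return classify_entry(live, sample_ref, SAMPLE_LEN, SAMPLE_VA, target);
}
uint64_t demo_target(int which) { uint64_t t; demo_kind(which, &t); return t; }

int main(void)
{
    for (int i = 0; i < 3; i++) {
        uint64_t t;
        int k = demo_kind(i, &t);
        printf("case %d: kind %d, jump target 0x%llx\n", i, k, (unsigned long long)t);
    }
    return 0;
}
```

On a real system the reference bytes come from the module's image on disk (with relocations applied) and `live` from the process's mapping of the same section; a jmp target that lands outside any legitimately loaded module is the classic sign of a detour.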

baldr 11 Sep 2010, 17:03
Joined: 19 Mar 2008
Posts: 1651
b1528932,

If a debugger has some technique to interrupt the debuggee's execution, how will Microsoft stop hookers (pun intended) from using the very same approach?

Any software solution will be defeated with in-circuit emulation/JTAG/XDP easily (though costly).

b1528932 11 Sep 2010, 21:01
Joined: 21 May 2010
Posts: 287
It's not about defeating software solutions, but rather about forcing people to use better methods of implementing hooks.

baldr 12 Sep 2010, 04:58
Joined: 19 Mar 2008
Posts: 1651
b1528932,

I believe I understood your point. Microsoft should modify Windows to render current hooking methods useless to force people to find and use better methods? Now it sounds awkward.

bitRAKE 12 Sep 2010, 05:45
Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
Windows needs a red light district.

revolution 12 Sep 2010, 05:50
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
64-bit Windows disallows hooks. Drivers must use the provided OS interface to catch events.

f0dder 12 Sep 2010, 10:51
Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
revolution: I thought the point was whether *user*-mode hooking should be disallowed.

Anyway, I can't see how you would (entirely) disable hooking, at least not for users running with admin privileges, so you might as well not try. You already can't place hooks in an admin-priv process from a LUA process; that's good enough imho.

revolution 12 Sep 2010, 11:20
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
Disallowing hooks is basically to stop malware and promote DRM.

There are lots of good reasons to use hooks, but unfortunately malware can use it for bad purposes.

So we have to have a trade-off:

If you completely disallow hooks (like W64 kernel) then you have to provide alternative methods that allow the good things but disallow the bad things (driver signing and defined event interfaces).

Whereas if you allow hooks (W32) then you have to deal with misbehaving hookers (malware) with things like AVs.

baldr 12 Sep 2010, 13:22
Joined: 19 Mar 2008
Posts: 1651
revolution,

Does 64-bit Windows disallow user-mode hooks completely? Looks like there are some solutions already, EasyHook for example (though I won't test it any time soon).

revolution 12 Sep 2010, 13:24
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
AFAIK only the kernel is protected from hooking.

Tyler 12 Sep 2010, 19:50
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
NT x64 prevents kernel patching. There are ways of providing alternatives for hooking other than patching. However, I don't know enough about driver programming to know whether alternatives are provided by NT x64.

P.S. Kernel patching in x86 was never supported. I guess they just chose to wait so they don't break compatibility for legit products that use patching in x86.

baldr 13 Sep 2010, 05:24
Joined: 19 Mar 2008
Posts: 1651
I've read the Patching Policy for x64-Based Systems article, and this sentence makes me smile: "Patching any part of the kernel (detected only on AMD64-based systems)". Doesn't it mean that the other restrictions apply to AMD64 only, too?

b1528932 13 Sep 2010, 18:20
Joined: 21 May 2010
Posts: 287
Quote:
P.S. Kernel patching in x86 was never supported. I guess they just chose to wait so they don't break compatibility for legit products that use patching in x86.

Legit is by definition documented.
If something uses patching, it deserves to be broken. Patching is acceptable only for rootkits, when you target one specific machine, but not as a product for many users.

Tyler 14 Sep 2010, 01:10
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
documented != supported
Most AVs use patching; I guess they didn't want to piss off Norton...

JoeCoder1 13 Jun 2011, 08:16
Joined: 13 Jun 2011
Posts: 62
As far as I am concerned, they cannot stop you from modifying your own system if you paid for a license. Either you bought a copy for your own use or you didn't. Anyway, they waste too much code on trying to prevent hacks, but 2 minutes after each beta or new release some Chinese or Russian guys post cracks. Microsoft should just concentrate on writing good code and realize there are guys smarter than them and they can't stop them. You could probably get Windows down to 1/10th of its current size if you took out all the ineffective anti-piracy code in it, and increase its stability and usability 10 times.

revolution 13 Jun 2011, 08:23
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
JoeCoder1 wrote:
As far as I am concerned, they cannot stop you from modifying your own system if you paid for a license.
Actually that word that I highlighted is the problem. The terms of the license prohibit some actions. If you perform these certain actions then the license is broken and you lose the right to use the OS. Of course in the real world, away from all the legal nonsense, you are free to change anything you like in your own system and no one would ever know (or care) about it (unless you happen to own anything made by Apple).

JoeCoder1 13 Jun 2011, 08:53
Joined: 13 Jun 2011
Posts: 62
I don't think that part of the license is enforceable. Until somebody cites a court case, I assume I can do whatever I want with whatever I buy. If you don't like it, sue me :p

typedef 14 Jun 2011, 00:38
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
Well, I'm just happy that Microsoft lets their customers code for their OS for free or do whatever they want with it, unlike Sony, who have to work their butts off just to patch the PSP's firmware to keep people from running "free code".

Enko 14 Jun 2011, 13:16
Joined: 03 Apr 2007
Posts: 676
Location: Mar del Plata
typedef wrote:
Well, I'm just happy that Microsoft lets their customers code for their OS for free or do whatever they want with it, unlike Sony, who have to work their butts off just to patch the PSP's firmware to keep people from running "free code".

For developing for Sony, you have to pay for the license.
No money, no coding for Sony.

typedef 14 Jun 2011, 16:21
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
Enko wrote:
For developing for Sony, you have to pay for the license.
No money, no coding for Sony.

I know. You pay like USD$10K for the whole dev package and tools, but I have the free PSP SDK made by some hackers who cracked their encryption key, and now people can sign their homebrew apps and don't need any loaders for the PSP.
The firmware can also be downgraded only by a kernel exploit, lol.
Sony cracks me up, lol.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.