should microsoft ban hooking?
i have been thinking. theymade a lot harder to hook kernel, why not do the same for user processes? it should be possible to edit memory protection only for dynamicly allocated range, dlls (or other memory mapped files) should not be modyfiable (or at least not writeable). Debuggers would have to use other methods than inserting int3, such as hardware breakpoints/single step, and perhaps not present/supervisor page.

question is why. to break undocumented apps and increase quality of software.
hooking can be done correctly on some cpus, but not all, and its hardware specyfic. and of course not reliable if 2+ install hook in same place.

b1528932,

If debugger have some technique to interrupt debuggee's execution, how Microsoft will stop hookers (pun intended ) from using the very same approach?

Any software solution will be defeated with in-circuit emulation/JTAG/XDP easily (though costly).

its not about defeting software solutions, but rather forcing people to use better methods implementing hooks.

b1528932,

I believe I understood your point. Microsoft should modify Windows to render current hooking methods useless to force people to find and use better methods? Now it sounds awkward.

Windows needs a red light district.

64bit windows disallows hooks. Drivers must use the provided OS interface to catch events.

revolution: I thought the point was whether *user*mode hooking should be disallowed

Anyway, I can't see how you would (entirely) disable hooking - at least not for users running with admin privileges, so you might as well not try. You already can't place hooks in an admin-priv process from LUA process, that's good enough imho.

Disallowing hooks is basically to stop malware and promote DRM.

There are lots of good reasons to use hooks, but unfortunately malware can use it for bad purposes.

So we have to have a trade-off:

If you completely disallow hooks (like W64 kernel) then you have to provide alternative methods that allow the good things but disallow the bad things (driver signing and defined event interfaces).

Whereas if you allow hooks (W32) then you have to deal with misbehaving hookers (malware) with things like AVs.

revolution,

Does 64-bit Windows disallow user-mode hooks completely? Looks like there are some solutions already, EasyHook for example (though I won't test it any time soon).

AFAIK only the kernel is protected from hooking.

NT x64 prevents kernel patching. There are ways of providing alternatives for hooking other than patching. However, I don't know enough about driver programming to know whether alternatives are provided by NT x64.

P.S. Kernel patching in x86 was never supported. I guess they just chose to wait so they don't break compatibility for legit products that use patching in x86.

I've read Patching Policy for x64-Based Systems article, and this sentence makes me smile: "Patching any part of the kernel (detected only on AMD64-based systems)". Doesn't it means that other restrictions apply to AMD64 only, too?

Legit is by definition documented.
if something use patching, it deserve to be broken. Patching is acceptable only for rootkits, when you target one specyfic machine, but not as a product for many users.

documented != supported
Most AVs use patching, I guess they didn't want to piss off Norton...

As far as I am concerned, they cannot stop you from modifying your own system if you paid for a license. Either you bought a copy for your own use or you didn't. Anyway they waste too much code on trying to prevent hacks but 2 minutes after each beta or new release some Chinese or Russian guys post cracks. Microsoft should just concentrate on writing good code and realize there are guys smarter than them and they can't stop them. You could probably get Windows to be 1/10th of the current size if you took out all the ineffective anti-piracy code in it and increase the stability and usability 10 times.

Actually that word that I highlighted is the problem. The terms of the license prohibit some actions. If you perform these certain actions then the license is broken and you lose the right to use the OS. Of course in the real world, away from all the legal nonsense, you are free to change anything you like in your own system and no one would ever know (or care) about it (unless you happen to own anything made by Apple).

I don't think that part of the license is enforceable. Until somebody cites a court case, I assume I can do whatever I want with whatever I buy. If you don't like it, sue me :p

well i'm just happy that microsoft let their customers code for their OS for free or do whatever they want with it, unlike Sony who have to work their butts off just to patch the PSP's firmware to avoid people from running "free code".

For developing for sony, you have to pay the license
no money, no coding for sony

i know . u pay like USD$10K for the whole dev package and tools..but i have the free psp sdk made by some hackers who cracked their encryption key and now ppl can sign their homebrew apps and not need any loaders for the psp.
the firmware can also be downgraded only by a kernel exploit..lol
sony cracks me up lol