ohh ok i see what you're talking about now. my windows knowledge is rather limited so i have nothing constructive to add, sorry. i can tell you in linux how though, the method of 'attaching' to a process's address space is by using the ptrace() system call. if a process sets the PTRACE_NO_TRACE flag (or something to that effect), then other processes cannot attach themselves to it. i'd imagine windows has a slightly similar thing.
Fuck. I wrote a big essay on how to do it only to be confronted by a screen asking me to logon, then I lost it all.:evil:
Here I go again..
API hooking is usually done by placing a jmp opcode at the start of the function the programmer wants to hook. This jmp would push the flow of code over to a function of his own, where he could check the arguments of the call, etc., then could either carry on executing the API, or return back to the callee function without having done so.
There are two basic ways to prevent this that I can think of from the top of my mind at the moment. The first being this, using the api function GetProcAddress as an example:
mov eax, GetProcAddress          ; load the address of the API function
cmp byte ptr ds:[eax], 0E9h      ; 0xE9 is the jmp opcode (a single byte, so compare one byte, not a dword)
Unfortunately, this one would probably be easily detectable by crackers. The alternative to that would be to do this, using GetProcAddress as an example again:
Now, since the jmp opcode takes up 5 bytes (hence add eax, 5), and you're going to want to jump over it, you're going to need to make up for the opcodes that you have skipped, i.e. the first five bytes' worth.
There is a fundamental flaw with this technique, though. The opcodes that you jump over could vary according to the version of the dll that you're working with. This would severely limit the compatibility scope of your application.
If you wanted to fix this, you'd have to dynamically read the opcodes from the dll with ReadProcessMemory for example, and parse the bytes read with a reiterating select() (not all opcodes are the same size, you'd have to account for this). You could then append a jmp command to the opcodes which were read, and simply call the function. For example:
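The first check from the post above (is the first byte of the API an E9 jmp?), written out as an added example that is not from the thread: portable C over a byte buffer instead of inline assembly, so it also decodes the 5-byte jmp's rel32 to show where the hook lands and flags a landing address outside the module the function belongs to. The prologue bytes, function address and module range are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `code` (the first bytes of a function, as read from the loaded
 * module) starts with a 5-byte E9 rel32 jmp, the inline-hook pattern the post
 * describes; 0 otherwise. On a hit, *target gets the absolute jump target:
 * rel32 is little-endian and relative to the end of the 5-byte instruction. */
int detect_jmp_hook(const uint8_t *code, size_t len, uintptr_t func_addr,
                    uintptr_t *target) {
    if (len < 5 || code[0] != 0xE9)
        return 0;
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);
    if (target)
        *target = func_addr + 5 + (uintptr_t)(intptr_t)rel;
    return 1;
}

/* A jmp that leaves the DLL's own image is the strongest sign of a foreign
 * hook; a jmp staying inside the module may be a legitimate forwarder. */
int target_outside_module(uintptr_t target, uintptr_t mod_base, size_t mod_size) {
    return target < mod_base || target >= mod_base + mod_size;
}

int main(void) {
    /* Constructed: classic hot-patchable prologue mov edi,edi / push ebp / mov ebp,esp. */
    const uint8_t clean[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    /* Constructed: E9 + rel32 for a jmp from 0x7C80AE40 to 0x00401000
     * (rel = 0x00401000 - (0x7C80AE40 + 5) = -0x7C409E45 = 0x83BF61BB LE). */
    const uint8_t hooked[] = {0xE9, 0xBB, 0x61, 0xBF, 0x83};
    const uintptr_t func = 0x7C80AE40, base = 0x7C800000;
    const size_t size = 0x9B000; /* constructed module size */
    uintptr_t t = 0;

    printf("clean : hooked=%d\n", detect_jmp_hook(clean, sizeof clean, func, &t));
    if (detect_jmp_hook(hooked, sizeof hooked, func, &t))
        printf("hooked: jmp -> 0x%08lx, outside module=%d\n",
               (unsigned long)t, target_outside_module(t, base, size));
    return 0;
}
```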