#13, 05-21-2018, 22:45
Mahmoudnia (Family, joined Nov 2012)
Hello dosprog,
Thank you. I checked your example code, and I have done this before: the returned addresses for your sample and for my program are the same, but what I am saying is that this is not the real address.

For example:
In Windows 7, if I press CTRL+G in the debugger and type ShowWindow, we are redirected to the real location of the code in user32.dll.
In Windows 10, if I type ShowWindow, we are redirected to an offset that jumps to NtUserShowWindow, and if I follow the jump we are redirected to the real address of the ShowWindow API, but in NtUserShowWindow.

In Windows 7 and Vista, if someone wants to hook the ShowWindow API, I can detect it by comparing the bytes in memory with the bytes in the file for user32.dll, but in Windows 10 I can't do that because of the NT APIs.
This is my question: how can I detect API hooking in Windows 10, or how can I get the returned address from NtUserShowWindow?

Please check the attachment.
Attached file: Check.rar (597.4 KB)
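One way to keep the memory-versus-file comparison working when the export is only a stub, as an added example that is not part of the thread and not the poster's attached code: compare the first bytes of the export in the loaded module with the same RVA in a fresh SEC_IMAGE mapping of the DLL on disk, and if the (unhooked) bytes begin with a JMP, decode it and report where it lands so the same check can be run on the destination. It assumes x64 instruction encoding, that SEC_IMAGE gives the same section layout as the loader, and that on Windows 10 NtUserShowWindow is exported from win32u.dll; the sample prologue bytes used in the test are constructed, not captured.

```c
/* hookcheck.c: added example, not from the forum post. Compares the first
 * bytes of an export in this process with the same RVA in a SEC_IMAGE
 * mapping of the DLL on disk, then decodes a leading JMP so a stub such as
 * user32!ShowWindow -> win32u!NtUserShowWindow (assumed layout, Win10 x64)
 * can be followed and checked again. Portable core; Windows part under _WIN32. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_BYTES 16

/* Index of the first differing byte, or n when the two prologues match. */
size_t first_mismatch(const uint8_t *mem, const uint8_t *file, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (mem[i] != file[i]) return i;
    return n;
}

enum jmp_kind { JMP_NONE = 0, JMP_REL8, JMP_REL32, JMP_INDIRECT };

/* Decode an unconditional jump at code[0] (x64 encoding, bytes loaded at va).
 * For JMP_INDIRECT (FF 25 [rip+disp32]) *target is the pointer slot, which
 * the caller must dereference to get the final destination. */
enum jmp_kind decode_jmp(const uint8_t *code, uint64_t va, uint64_t *target) {
    int32_t rel;
    if (code[0] == 0xEB) {                     /* jmp rel8 */
        *target = va + 2 + (int8_t)code[1];
        return JMP_REL8;
    }
    if (code[0] == 0xE9) {                     /* jmp rel32 */
        memcpy(&rel, code + 1, 4);
        *target = va + 5 + rel;
        return JMP_REL32;
    }
    if (code[0] == 0xFF && code[1] == 0x25) {  /* jmp qword ptr [rip+disp32] */
        memcpy(&rel, code + 2, 4);
        *target = va + 6 + rel;
        return JMP_INDIRECT;
    }
    return JMP_NONE;
}

/* 0 = memory matches disk; 1 = differs and now starts with a JMP (classic
 * inline hook, *hook_target gets its destination); 2 = differs otherwise. */
int classify(const uint8_t *mem, const uint8_t *file, uint64_t va, uint64_t *hook_target) {
    if (first_mismatch(mem, file, PROLOGUE_BYTES) == PROLOGUE_BYTES) return 0;
    return decode_jmp(mem, va, hook_target) != JMP_NONE ? 1 : 2;
}

#ifdef _WIN32
#include <windows.h>
/* Check one export against the on-disk image; for a clean stub, report the
 * module its JMP lands in so the caller can check that export as well. */
int check_export(const char *dll, const char *name) {
    HMODULE live = LoadLibraryA(dll);
    uint8_t *mem = live ? (uint8_t *)(void *)GetProcAddress(live, name) : NULL;
    if (!mem) { printf("%s!%s not found\n", dll, name); return -1; }
    char path[MAX_PATH];
    GetModuleFileNameA(live, path, MAX_PATH);
    HANDLE f = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    HANDLE m = CreateFileMappingA(f, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    uint8_t *disk = (uint8_t *)MapViewOfFile(m, FILE_MAP_READ, 0, 0, 0);
    if (!disk) { printf("cannot map %s\n", path); return -1; }
    const uint8_t *file = disk + (mem - (uint8_t *)live);   /* same RVA on disk */
    uint64_t va = (uint64_t)(uintptr_t)mem, target = 0;
    int verdict = classify(mem, file, va, &target);
    printf("%s!%s at %p: %s\n", dll, name, (void *)mem,
           verdict == 0 ? "matches disk" : verdict == 1 ? "INLINE HOOK" : "modified");
    if (verdict == 1) printf("  hook jumps to %llx\n", (unsigned long long)target);
    enum jmp_kind k = verdict == 0 ? decode_jmp(mem, va, &target) : JMP_NONE;
    if (k == JMP_INDIRECT) memcpy(&target, (void *)(uintptr_t)target, sizeof target);
    if (k != JMP_NONE) {                       /* legitimate stub: say where it lands */
        HMODULE owner = NULL;
        GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                           GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                           (LPCSTR)(uintptr_t)target, &owner);
        if (owner) GetModuleFileNameA(owner, path, MAX_PATH); else strcpy(path, "?");
        printf("  stub jumps to %llx in %s; check that export too\n",
               (unsigned long long)target, path);
    }
    UnmapViewOfFile(disk); CloseHandle(m); CloseHandle(f);
    return verdict;
}

int main(void) {
    check_export("user32.dll", "ShowWindow");
    check_export("win32u.dll", "NtUserShowWindow");   /* assumed export module */
    return 0;
}
#endif
```

Two caveats when reading the verdicts: a SEC_IMAGE view is not relocated by the loader, so on x86 (where `FF 25` carries an absolute address) or in any code with base relocations a mismatch can be a fixup rather than a hook, and the hook target should be judged by which module owns it; and the check only sees inline patches in this process, not IAT hooks or anything below the syscall in win32u.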