Mr Aleph

Reputation: 1895

Checking if an API is monitored (hooked?)

My application uses some APIs like GetProcAddress and CreateProcess that sometimes cause antiviruses to flag it as malicious even though it is not.

What I am trying to do is check whether a specific API is being monitored or hooked, and if it is, then I won't call that part of the code.

How do I check whether a certain API is hooked?

This is a Windows application written in C.

Thanks.

Upvotes: 0

Views: 3944

Answers (1)

alk

Reputation: 70931

On win32 there are no official methods to detect and/or place hooks (besides the SetWindowsHookEx() (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644990) et al. functions, which only cover a very small set of functionality).

Detecting a hook depends on how the hook was applied.

There are two popular methods to place a hook:

  1. Import/Export table patching
  2. Code overwriting

For details (pros/cons) on the different methods to place hooks please consider reading here http://help.madshi.net/ApiHookingMethods.htm.

Each method of hooking requires a different approach to detect it.

For methods to detect hooks placed as mentioned above please look under "ApiHookCheck Algorithm" here http://www.security.org.sg/code/apihookcheck.html. There are sample sources available on this page, which I did not test.

Upvotes: 1
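The two checks the answer describes, written out as an added example (this is not code from the answer or from the linked ApiHookCheck sources): a process verifying the integrity of its own imports compares an IAT slot against the exporting module's mapped range, and decodes the trampoline encodings commonly written over a function's first bytes to see whether control leaves the module. All addresses and byte sequences are constructed for illustration; a little-endian host is assumed, as on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mapped range of a module: image base and SizeOfImage from its PE header. */
typedef struct { uint64_t base; uint64_t size; } module_range_t;

static int in_range(const module_range_t *m, uint64_t addr) {
    return addr >= m->base && addr < m->base + m->size;
}

/* Method 1, import table patching: the loader writes the exporter's real
 * address into the IAT slot, so a slot that points outside the exporting
 * module (e.g. outside kernel32.dll for CreateProcessW) has been rewritten. */
int iat_entry_hooked(uint64_t slot_value, const module_range_t *exporter) {
    return !in_range(exporter, slot_value);
}

/* Method 2, code overwriting: decode the trampoline encodings commonly
 * written over a function's first bytes and resolve where they go.
 * Returns 0 = ordinary prologue, 1 = jump leaving the home module
 * (a foreign detour), 2 = jump staying inside it (e.g. hot-patch
 * forwarding, which is normal and should not be reported as a hook). */
int entry_trampoline(const unsigned char *code, size_t len, uint64_t code_addr,
                     const module_range_t *home, uint64_t *target_out) {
    uint64_t target; int32_t rel32; uint32_t imm32; uint64_t imm64;
    if (len >= 5 && code[0] == 0xE9) {                          /* jmp rel32 */
        memcpy(&rel32, code + 1, 4);
        target = code_addr + 5 + (uint64_t)(int64_t)rel32;
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* push imm32; ret */
        memcpy(&imm32, code + 1, 4);
        target = imm32;
    } else if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        memcpy(&imm32, code + 1, 4);                            /* mov eax, imm32; jmp eax */
        target = imm32;
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {          /* mov rax, imm64; jmp rax */
        memcpy(&imm64, code + 2, 8);
        target = imm64;
    } else {
        return 0;                                               /* no trampoline recognised */
    }
    if (target_out) *target_out = target;
    return in_range(home, target) ? 2 : 1;
}
```

Opcode matching only catches the common detour shapes; the more general check the linked ApiHookCheck page describes is comparing the in-memory function bytes against a freshly mapped copy of the module file.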
