
I am interested in hooking the function which returns the content of a directory in Windows. I came across a tool called EasyHook; however, I saw this on their page:

Unlike what some (commercial) hooking libraries out there are advertising to boost sales, user-mode hooking can never be an option to apply additional security checks in any safe manner. If you only want to “sandbox” a dedicated process you know well about, and the process in fact doesn’t know about EasyHook, this might succeed! But, don’t ever attempt to write any security software based on user mode hooking. It won’t work, I promise you… This is also why EasyHook does not support a so called “System wide” injection, which in fact is just an illusion, because as I said, with user-mode hooks, this will always be impossible.

http://www.codeproject.com/Articles/27637/EasyHook-The-reinvention-of-Windows-API-hooking

I have asked in the forum there, but it seems that no one knows. Why is this kind of hooking not suitable for security analysis?

Basically, I would like to change the output of the function so it will return extra non-existing files, such that every calling process will see these changes. (This is done for security analysis.)

Thanks, Or.
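As an added example (not from the question, from EasyHook, or from any of the commenters), a portable Python model of the listing hook the question describes: the wrapper returns constructed decoy names that do not exist on disk and records any later attempt to open one, which is what such entries are useful for in analysis; the last function checks the EasyHook caveat, that a caller going through the unhooked call (plain `os.listdir` here) never sees them. The class, function names and decoy entries are assumptions for illustration.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Constructed decoy names; nothing is created on disk for them.
DECOY_ENTRIES = ("passwords.txt", "wallet.dat")


@dataclass
class DecoyMonitor:
    """Listing layer that adds decoy entries and records any attempt to touch them."""
    decoys: tuple = DECOY_ENTRIES
    hits: list = field(default_factory=list)

    def listdir(self, path):
        """Hooked listing: real entries from os.scandir plus the decoys (which do not exist)."""
        real = sorted(e.name for e in os.scandir(path))
        return real + [d for d in self.decoys if d not in real]

    def open_file(self, path):
        """Hooked open: touching a decoy name is a strong signal, because the only way
        to learn that name was through the hooked listing."""
        name = os.path.basename(path)
        if name in self.decoys:
            self.hits.append(name)
            raise FileNotFoundError(path)
        return open(path, "rb")


def invisible_to_raw_call(monitor, path):
    """Caveat check: a caller that uses the unhooked OS call (os.listdir here) never
    sees the decoys. Returns the names visible via the hook but not via the raw call."""
    return set(monitor.listdir(path)) - set(os.listdir(path))


def demo():
    """Run the model against a temporary directory holding one real file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "real.txt"), "w") as f:
            f.write("x")
        m = DecoyMonitor()
        listing = m.listdir(d)
        try:
            m.open_file(os.path.join(d, "passwords.txt"))  # would-be access to a decoy
        except FileNotFoundError:
            pass
        return listing, list(m.hits), invisible_to_raw_call(m, d)


if __name__ == "__main__":
    print(demo())
```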

  • Because user-mode hooks run in user mode. That means the user has complete control over them. Which means no security. – Cody Gray - on strike Mar 06 '16 at 11:46
  • System-wide hooking is the kind of technique used by malware to maximize its impact. As well as its antidote. Much can be said about it, nothing that belongs on a site like this. Let's just say that the EasyHook authors were not that thrilled about the idea that their library could be abused like that. – Hans Passant Mar 06 '16 at 15:28
  • It says that system wide hooking is impossible with user mode hooks, why is that? – Or Ami Mar 06 '16 at 18:32
