Apr 14, 2011 at 8:09 PM
Edited Apr 15, 2011 at 10:02 PM
First I'd like to say that your approach to comment/vote on free projects seems really bold. That said you get a proper bold response back. I know this is a childish behavior, but after all you are following big footsteps when you manage to stay a child...
To prevent everyone else from wasting his/her time, I already did this by posting here, the conclusion is that how someone can even think, while all documentation shipping with EasyHook everywhere claims the instabilities involved in hooking (especially in general and not just for EasyHook), about writing such a post like above is beyond me...
> However I'm sorry, I have to say EasyHook is inherently unsafe from a computer science point of view.
Well what's up with you? Do you even have any idea what you are talking about? I guess not. No, EasyHook is not safe, neither is any hooking library out there. BTW this is clearly stated in the "Security advisor" within the "Tutorial and Introduction"...
Hooking is unsafe itself and is the main reason for Windows to be unstable. The main reason why PatchGuard has been introduced is because Microsoft wants to get rid of all these 3rd party kernel manipulations, hookings having 90% of all blue screens caused by 3rd party drivers... I wonder why Microsoft even allows hooking at all. Well and voting one star because you don't understand all of this is very interesting ;).
> It may work well in many cases, it can detect some cases that are unsafe and refuse to hook.
Yeah and often you may walk blindfolded over a minefield and sometimes you might be blown...
> it is nearly impossible to detect all those cases.
Oh really? Hmm that's interesting, so you are saying your post makes no sense at all? Well in that case I really have nothing to add :).
> We are talking about crashing the processes that are hooked!
Well that is what everyone knows when starting the whole hooking thing... And now even you have discovered it yourself.
>1) what if the hooked function jumps back to the first, second, third, etc. assembler instruction?
Nothing, because code that can't be dynamically adjusted is not relocated. If you mean a function jumping back from somewhere internal... Well consider it as covered by the following: Hooking encrypted code with EasyHook, yeah? Again the evidence that you don't know what you are talking about... Why not state that you shouldn't use EasyHook to fix bugs in nuclear plant software? Maybe I am now responsible for latest disasters right? I even have various claims within the license and the tutorial so in fact EasyHook, as well as any other hooking software and in fact most other software too, is something like a cigarette. Everyone, except you who ignores all security advisors, knows that it can be dangerous but they use it anyway on their convenience...
>But I doubt you can do it completely, especially if obfuscation technologies are applied to the code, e.g. it is encrypted.
You guy seem to be a real genius. But keep thinking and guessing, this is a free world...
> And once you assume other tools and APIs may modify code at run time, all kind of additional nasty possibilities have to be considered.
No they don't have to because hooking itself is inherently unstable. What you are pointing out here is what you should know before actually starting API hooking.
>3) Is EasyHook otherwise safe to use with other hooking apis? I don't think so.
Well again thanks for pointing out the obvious...
> In general I think just deactivating the hook and leaving it in place is the safe way to go.
EasyHook is doing this if the entry point has changed.
>4) There is an obvious memory leak in RtlMoveMemory() in EasyHook_2.5_Beta_Source_Code\EasyHookDll\Rtl\memory.c.
If it is so obvious why not correct it instead of just crying?
>Otherwise there may be another source for rare and hard to explain crashes if two threads (on different CPU cores) try to hook the same function at the same time.
Yeah right, and if you step some more left in Iraq you might actually get blown up by a bomb instead of getting shot in the head. Great logic here, again.
>Christoph, I would be glad if you can prove me completely wrong.
You already did it yourself. Your whole post refers to the general issue of API hooking and has NOTHING to do with EasyHook in specific.
>But what I have seen in the code scares me a lot.
What I read here scares me a lot.
> If it usually works, that is because other developers are conservative and do not use risky techniques, especially not one like this.
No, most developers might know what they are doing and hooking is actually a risky technique and it makes simply no sense to use it in any security software or stable software at all. And those who don't, why should I care?
> 5) Are you sure assigning a 64 bit variable in C is atomic?
Ignoring the fact that threads are suspended, who cares? This is not rocket science it is hooking, god dammit.
> so please don't make developers use it in software that some day might be running on
*Abrakadabra* May all developers be enlightened... Me, the god has spoken!
>but it clearly shows the limits of this approach,
Hell yes, so because the approach is limited, which in fact has nothing to do with EasyHook, that's the reason to vote one star and write such a post? In fact because it shows the limits, you should thank it for doing so, since most commercial products keep you in illusion that hooking is safe. So what are you doing here at all?
Your way of "contributing" to free OpenSource software which in fact does its job better (or at least did it by the time it has been released) than most commercial products out there can mean either one of three things:
1) You don't understand what you are talking about
2) You are from one of these competing commercial products.
3) Or you are just ****** nuts...
The only thing that intrigues me at present is why, even though you seem to have at least some technical knowledge, you are totally messing up facts and concepts and produce such a garbage and offending post (this is what you get in return; especially because of your vote without even asking first if your concerns do make any sense at all)? BTW most of the general facts about hooking you have pointed out are indeed true. But obviously you have no idea what to do with this "knowledge" except to start some senseless flaming and discussions... Or did you just want to throw in some decoupled "knowledge" of your own to show that Axel666 is also there and has an opinion?
Well, what am I doing here? I am just wasting my time, but after all you made my day xD...