Don't use Easyhook for kernelmode hooking

Jun 21, 2009 at 8:35 PM
Edited Jun 22, 2009 at 11:51 AM


The feature list claims:

  • All hooks are installed and automatically removed in a stable manner
  • A so called "Thread Deadlock Barrier" will get rid of many core problems when hooking unknown APIs; this technology is unique to EasyHook

This is not true for kernelmode. Installing and uninstalling hooks fails on 32bit machines if another thread is execution during jmp placement or the memory sections is write protected. Next you can't unload the easyhook driver after all hooks have been uninstalled. If you do so the os crashes if a thread coming from a hook method currently executes easyhook driver code.

Howto fix: GainExclusivity from Shadowwalker (use Dpcs to ensure that no thread is executing on the target memory location) .


Jeff and Joe