a question about vehhook
luciouskami opened this issue · 2 comments
I have a question about vehhook.
I found that PolyHook2 uses AddVectoredExceptionHandler, but when RtlAddVectoredExceptionHandler has been hooked, my hook will be detected, so is there any solution to avoid this? Thank you.
You could try doing a memcmp in a loop and comparing the bytes on disk from kernel32.dll to those loaded in memory. If that check results in a difference, then memcpy the bytes from disk into memory to overwrite any hooks other people have placed. This is the typical way to defeat inline hooks.
If that's not sufficient, you could follow the hook that's already placed on RtlAddVectoredExceptionHandler and hook that callback, forcing the third-party hook to return early before it does whatever checks it's doing.
Whatever you choose, your bypass will have to be specific to your target, I'm afraid.
Thank you. I try to memcmp the first opcode of RtlAddVectoredExceptionHandler; if it equals 0xE9, I read the original code from disk, then jmp to RtlAddVectoredExceptionHandler+5. I think it would be a solution.