Systemsoftware Mathias Rauen
madshi@gmail.com
Eulenacker 4
Germany · 22175 Hamburg
about us
home 
home    madExcept    madCodeHook choose product here
 news 

2018-11-17
· madCollection 2.8.7.0
· madExcept 4.0.21
· madCodeHook 4.1.1

 downloads 

official version release:
· madCollection.exe

 support 

online documentation:
· http://help.madshi.net

forum:
· http://forum.madshi.net

 2018-11-17 

madCodeHook 4.1.1 comes with the following changes:

· added ex/including Metro app injection functionality
· added support for selectively activating IAT injection
· improved static lib smart linking support
· [driver] fixed potential (rare) blue screen
· [driver] fixed privilege escalation vulnerability

madExcept 4.0.21 comes with the following changes:

· improved 64bit stack tracing reliability
· added uses clause "System.ShareMem" auto sorting
· madExcept no longer patches the EXE/DLL for BCB64

 2018-07-31 

Today madCodeHook 4.1.0 introducess an optional new DLL injection technique: The new technique has a couple of advantages and disadvantages compared to the "old" one. Because of that the old technique stays the default. The new DLL injection technique works by modifying the EXE's import table in such a way that the OS loader believes that your hook DLL would be statically linked to by the EXE. This brings us the following advantages:

  • The OS loader actually now loads your hook DLL for us, when initializing the new process. Which means we don't have to inject any code patches into newly created processes, anymore, or hook any APIs. So this solution should be cleaner and simpler.
  • Your hook DLL will be listed as the first DLL the EXE statically links to. As a result, the OS loader will load your hook DLL first, before any other statically linked DLLs. Which is a big advantage because it means your API hooks will be installed before any statically linked DLLs have a chance to do anything.

There's no free lunch, unfortunately, so the new DLL injection method also comes with a couple of disadvantages:

  • Since the OS considers your hook DLL as being statically linked to by all newly created processes, the OS will refuse to unload your hook DLL from any of these. This practically makes uninjection impossible.
  • The EXE import table uses ANSI chars. So your hook DLL file name/path must consist of ANSI chars, only. No Unicode supported. Maybe you can workaround this issue by using GetShortPathNameW(), though.
  • If for any reason a newly created process is not able to load your hook DLL, the OS loader will show an error message and refuse to let the process run. In a worst case scenario it's possible that no process can be created at all, anymore. So you need to make sure your hook DLL can always be successfully loaded. Avoid statically linking to any weird DLLs, avoid weird manifests and make sure the NTFS rights allow read & execute for all users.

Another bigger change is that the DLL injection driver now supports storing the public key of your signing certificate. Let me explain why this is useful: Recently, Microsoft changed their EV signing procedure. They used to just add their own certificate to your's. But now they completely remove your certificates in some situations, which makes madCodeHook's driver unable to successfully match the driver's signature with the hook DLL's signature. I've made 2 changes now to work around this problem:

  • The driver will now compare the hook DLL's first signature with *all* of the driver's signatures (not just the first one). So you can make the signature matching work by re-adding your own signature to Microsoft's EV signature.
  • Some (security) users mentioned that such a more flexible signature match might not always be 100% secure, because the matching might actually find matching Microsoft signatures instead of your private signatures. As a result, I've added an option to the "madConfigDrv" tool which allows you to bind the driver to your specific certificate. This way the driver will only accept hook DLLs as trustworthy which are really signed with your specific certificate.

Please note that some of these changes are going rather deep, so although in my tests everything worked nicely, please consider the new features somewhat "experimental". Which means I'd recommend that you test them throuroughly yourself before using them in production software. I'm optimistic about that they work well, though.

 2018-05-31 

Today madCodeHook v4 introducess a relatively "big" new feature: You can now register a user mode callback, which the driver will call for all newly created processes which match your injection criteria. Your user mode callback then has the option to approve or reject DLL injection for each newly created process. Please note that this kind of callback from a driver to user land, which delays the start of new processes, is not recommended by Microsoft. So use this new feature at your own risk! It seems to work pretty well, though. If you do use this feature, please make sure your callback executes as quickly as possible, to avoid any unnecessary delays for newly started processes.

Furthermore, both the new madCodeHook v3 and v4 build now disable the "parallel DLL loading" feature of the Windows 10 OS loader, for any processes we inject our hook DLL into. "Parallel loading" basically tries to initialize newly created processes in a multi-threaded way. This OS loader feature can make problems if DLL injection and API hooking is used. Consequently the OS already disables it itself in certain situations. Now madCodeHook does that automatically, which should help Windows 10 stability.

Please note that madCodeHook 3.0.18 is probably going to be the last v3 build! I will concentrate on madCodeHook v4 development and support now. Which means if you haven't upgraded to v4 yet, now might be a good time. To make your decision a bit easier, I'm reducing upgrade pricing from 60% (of the price of a new license) down to 50% for the next 2 weeks. This price includes one full year of subscription. After that year has passed, you can optionally renew the subscription for a yearly payment of 30% of the price of a new license. If you'd like to upgrade from v3 to v4, please contact me via email, thank you!

Now here comes the usual detailed list of changes:

madCodeHook 4.0.5 comes with the following changes:

· added support for driver DLL inject approval callback
· added "callback" parameters to InjectLibraryA/W
· avoid crash when uninstalling API hooks in Edge
· improved LoadLibrary hook thread safety
· avoid deadlock while checking for new/removed DLLs
· improved ProcessIdToFileName for wow64 processes
· added DISABLE_LDR_LOAD_DLL_SPECIAL_HOOK option
· added DISABLE_PARALLEL_DLL_LOADING option
· [driver] added support for driver DLL inject approval callback
· [driver] disable injection for "dynamic code" policy processes
· [driver] added support for disabling parallel DLL loading
· [driver] fixed: permanent 64bit injection failed in newer OSs
· [driver] fixed: collision between multiple madCodeHook drivers
· [driver] injection is now only performed in main thread

madExcept 4.0.20 comes with the following changes:

· some small leak reporting bugfixes
· improved SW_HIDE compatability
· optimized madExceptViewer tool default window size
· madIWSupport: added support for official IW exception callback

madCodeHook 3.1.18 comes with the following changes:

· avoid crash when uninstalling API hooks in Edge
· improved LoadLibrary hook thread safety
· avoid deadlock while checking for new/removed DLLs
· [driver] disable injection for "dynamic code" policy processes
· [driver] added support for disabling parallel DLL loading
· [driver] fixed: collision between multiple madCodeHook drivers
· [driver] injection is now only performed in main thread

 2017-12-22 

madExcept 4.0.19 comes with the following changes:

· added support for %localappdata%
· fixed: editing settings could corrupt passwords
· fixed: fetching bugtracker data could modify settings

madCodeHook 4.0.4 comes with the following changes:

· fixed: sending 32bit IPC from system to user failed
· fixed: sending IPC from RuntimeBroker.exe could fail
· fixed: ProcessIdToFileName sometimes missed full path
· fixed: memory leak in ProcessIdToFileName
· [driver] fixed: potential stack overflow
· [driver] fixed: authenticode check sometimes incorrectly failed
· [driver] fixed: couldn't verify drv certificate in system32 folder
· [driver] some tweaks to make Microsoft HLK happy

madCodeHook 3.1.17 comes with the following changes:

· fixed a small AllocMemEx bug
· [driver] fixed: potential stack overflow
· [driver] allocation now defaults to PAGE_READWRITE, no EXEC
· [driver] some tweaks to make Microsoft HLK happy

 2017-07-14 

madExcept 4.0.18 gets a couple small bugfixes.

madCodeHook 4.0.3 comes with the following changes:

· improved DestroyIpcQueue to avoid leaks and freezes
· improved Chrome sandbox uninjection
· improved "FOLLOW_JMP" to work with Bitdefender x64
· CreateIpcQueue supports a custom security descriptor
· [delphi] fixed: initialization could eventually (rarely) crash
· [driver] fixed: another potential Windows 10 crash (32+64bit)
· [driver] fixed: wow64 injection freeze in XP/2003 (x64 only)
· [driver] fixed: VirtualBox x64 injection freeze in Windows 7

madCodeHook 3.1.16 comes with the following changes:

· improved DestroyIpcQueue to avoid leaks and freezes
· improved Chrome sandbox uninjection
· improved "FOLLOW_JMP" to work with Bitdefender x64
· [delphi] fixed: initialization could eventually (rarely) crash
· [driver] fixed: another potential Windows 10 crash (32+64bit)

 2017-03-30 

madExcept 4.0.17 gets a rerelease with added BDS 10.2 Tokyo support.

madCodeHook 3.1.15 and madCodeHook 4.0.2 come with the following changes:

· added "HOOK_LOAD_LIBRARY" option
· [driver] fixed: potential Windows 10 Redstone 2 crash (32bit)
· [driver] some minor changes to make Windows 10 HLK happy

 2017-03-21 

madExcept 4.0.17 comes with the following changes:

· dialogs are now somewhat high dpi friendly in win10
· small performance tweak for x64 stack tracing
· added warning if saving settings failed
· added workaround for Wine 64bit bug
· added undocumented "HandleMessagesInMainThread" option

madCodeHook 4.0.1 comes with the following changes:

· fixed: bug handling "JMP/CALL +0" instructions
· fixed: crash with Windows XP Black editions
· fixed: uninject callback failed if no API was hooked
· fixed: injecting dlls from within rundll failed
· fixed: IPC answer didn't always arrive
· fixed: dll injection handle leak
· improved chrome sandbox uninjection
· improved GetCallingModule reliability
· performance improvement when checking newly loaded dlls
· added new "LIMITED_IPC_PORT" option
· [driver] reverted back to old injection method (due to Kaspersky)
· [driver] fixed: StormShield fix didn't work, anymore
· [driver] allocation now defaults to PAGE_READWRITE, no EXEC

madCodeHook 3.1.14 comes with the following changes:

· fixed: bug handling "JMP/CALL +0" instructions
· fixed: crash with Windows XP Black editions
· improved GetCallingModule reliability
· performance improvement when checking newly loaded dlls
· added new "LIMITED_IPC_PORT" option
· [driver] fixed: StormShield fix didn't work, anymore

 2016-08-26 

I'm happy to announce the brand new madCodeHook 4.0 with the following key improvements:

· new "permanent" dll injection option survives reboots
· verification of hook dll's code signing signatures
· API hooks can now optionally record the caller's "thread state"
· stable cleanup of your hook dll resources
· rewritten dll injection technique (for newly created processes)
· improved compatability with other hooking libraries

A more detailed description about the various improvements is available here.

I've decided to move to a subscription based licensing model. Please don't worry about it, I think the terms and conditions are more than fair. My pricing math works out like this: If I release a major new upgrade (madCodeHook 4.0, 5.0, 6.0 etc) every 2 years, and ask for a 60% upgrade price every time, this sums up to the same 30% yearly subscription rate I'm asking for now. And you can just let the subscription run out at any time and you're still allowed to keep using the version you're on forever.

There are a couple different reasons why I'm switching to a subscription model: For one, it gives me a more predictable income. Furthermore, I don't have to save major functionality improvements for the next major upgrade, anymore. Instead I can now constantly and regularly work on improving madCodeHook, which should be a benefit for everyone. Finally, I hope that including a reasonable yearly payment into your budget might be easier than fitting in a much larger upgrade price every other year.

The exact terms of the subscription model, with full upgrade pricing etc is explained on the shop page. If you have a need to discuss this payment model change, or the upgrade pricing, please feel free to contact me email. I'm open for discussion and reasonable arguments.

 2016-05-17 

madExcept 4.0.15 comes with the following changes:

· added support for RAD Studio 10.1 Berlin
· patching doesn't change EXE/DLL file time, anymore

madCodeHook 3.1.12 comes with the following changes:

· fixed: some chrome shutdown crashes (when debugging)
· fixed: hook uninstall could crash (when debugging)
· fixed: SAFE_HOOKING could crash after uninjection
· fixed: IPC reply sometimes didn't arrive (missing PID)
· fixed: hook stub was allocated at wrong address (x64)
· fixed: preferred allocation address was sometimes ignored
· [C++] fixed: couple of leaks in HookAPI()
· [driver] fixed: leaked thread handle

 2016-03-23 

madExcept 4.0.14 comes with the following changes:

· exception box is now auto sized to show full header
· exceptbox size now supports weird window frame sizes
· added "HideLeak(someCallstack)" API
· fixed: IDE crashes were reported as "Unknown" class
· fixed: weird chars stopped Mantis/BugZilla upload
· fixed: HTTP uploading created incompatible MailFrom field
· fixed: 64bit madTraceProcess sometimes failed to find a process

madCodeHook 3.1.11 comes with the following changes:

· fixed some PAGE_EXECUTE_READWRITE security issues
· fixed: x64 jmp/call relocation miscalculation
· added hook to detect delay loaded dlls
· new process dll inject now always done in main thread
· dll injection loader lock improvement
· small performance improvements
· fixed rare crash when calling HookAPI
· [C++] fixed: some undocumented APIs had incorrect types
· [C++] fixed: ipc resource handling bug in case of failure
· [driver] fixed some PAGE_EXECUTE_READWRITE security issues
· [driver] worked around Microsoft EMET EAF complaint
· [driver] dll inject is now always done in main thread (win10)
· [driver] ntdll APIs are now located by parsing ntdll.dll file
· [driver] fixed conflict where alloc collided with kernel32.dll
· [driver] fixed: DriverVerifier made driver not load (win8 x64)
· [driver] fixed: some undocumented APIs had incorrect types

 2015-09-10 

madExcept 4.0.13 comes with the following changes:

· added support for RAD Studio 10 Seattle
· speeded up handling of "handled"/hidden exceptions

madCodeHook 3.1.10 comes with the following changes:

· fixed: threading issue when to-be-hooked dll is loaded
· fixed: some conflicts with other hook libraries (x64)
· improved thread protection for multiple injections

 2015-04-21 

madExcept 4.0.12 comes with the following changes:

· added support for RAD Studio XE8
· added detection for Windows 8.1, Windows 10 etc
· a couple of small bug fixes

madCodeHook 3.1.9 comes with the following changes:

· fixed: rare injection/hook instability bug
· fixed: rare IPC stability bug
· memory allocation performance improvement

 2014-10-26 

madExcept 4.0.11 comes with the following changes:

· added support for RAD Studio XE7
· fixed: plugins didn't work in XE6
· fixed: rare FPU exception crash when checking for leaks
· fixed: sometimes VirtualAlloc resources were reported as leaks
· fixed: "send bug report in background" dialog option didn't stick
· fixed: madExceptWizard sometimes produced superfluous QC warnings
· fixed a couple more small/rare bugs
· madExceptPatch.exe: speedup when parsing large map files
· madExceptPatch.exe: improved support for relative paths
· madExceptPatch.exe: added new switch "/restoreFileTime"
· madExceptWizard: map file isn't loaded in the IDE at all, anymore

madCodeHook 3.1.8 comes with the following changes:

· fixed: RestoreCode sometimes produced incorrect code
· fixed: hooking ntdll in non-large-address-aware x64 processes crashed
· FOLLOW_JMP now follows up to 10 JMPs in a row
· [driver] fixed denial of service vulnerability (found by Parvez Anwar)
· [C++] fixed: CreateProcessEx for x64 processes sometimes failed
· [C++] fixed: x64 hook installation sometimes (rarely) crashed
· [Delphi] fixed: XP/2003 x64: injection into 32bit processes failed
· [Delphi] added RAD Studio XE7 support

 2014-05-11 

madExcept 4.0.10 comes with the following changes:

· added support for XE6
· email "reply to" address is now automatically set
· added "replyTo" parameter to SendSmtpMail
· added undocumented SmtpReplyTo/SmtpPort options
· added support for Mantis sub projects
· limited Mantis OS string len to what Mantis supports
· added "HideInitializionLeaks" API
· "ExceptClass" for freezes is now reported as EFrozen
· added security to internal memory map sections

madCodeHook 3.1.7 comes with the following changes:

· [C++] fixed: 32bit injection problems when compiled as 32bit
· [driver] fixed: injection sometimes failed (win8.1)

madSecurity 1.2 comes with the following changes:

· added 64bit support
· added full Unicode support

 2013-12-03 

madExcept 4.0.9 comes with the following changes:

· fixed: PNG screenshots created by x64 code were corrupted
· fixed: protection failed for "TWeird.ThreadName"
· fixed: HTTP upload feedback didn't work, anymore
· fixed: BCB callstacks weren't always optimal
· BCB5 bug workaround to make madExcept work for dlls
· added new "HideLeak(TSomeObject, count)" API
· renamed "ThisIsNoLeak" API to "HideLeak"
· madCompileBugReport: fixed column alignment problems

madCodeHook 3.1.6 comes with the following changes:

· fixed: CreateProcessEx failed for .Net processes
· fixed a couple of rare crashes
· [C++] added separate "madCHook64md" and "madCHook64mt" static libs
· [driver] fixed: injection in Vista x64 sometimes failed

 2013-10-07 

madExcept 4.0.8.1 comes with the following bug fixes:

· fixed bug in TThread handling (introduced in 4.0.8)
· fixed BCB callstack bug in try..catch blocks
 2013-10-01 

madExcept 4.0.8 comes with the following changes:

· added support for XE5
· added madTraceProcess64
· added "largest free block" header info
· fixed a couple of weird bugs
· madExceptWizard: patching is now always moved to madExceptPatch tool
· madExceptViewer: newest bug report is now listed on top

madCodeHook 3.1.5 comes with the following changes:

· added support for XE5
· added support for Windows 8.1
· improved FOLLOW_JMP implementation
· [driver] revert aligned UNICODE_STRING (compatability problems)
· [driver] fixed injection problem caused by StormShield fix

 2013-05-13 

madExcept 4.0.7 comes with the following changes:

· added support for XE4
· fixed: empty bug reports were saved/sent
· fixed: class type exceptions were not handled correctly
· fixed: leak reporting changed FPU control word

madCodeHook 3.1.4 comes with the following changes:

· added support for XE4
· fixed: IPC in Metro apps only worked without replies
· fixed: win9x hooking eventually crashed
· fixed: FOLLOW_JMP eventually modified export tables
· fixed: UNICODE_STRING in internal structure was not aligned properly
· "driver only" injection now works without admin rights (if driver is already installed and running)

 2013-03-13 

madExcept 4.0.6 comes with the following changes:

· IMEException.ThreadIds/.Callstacks properties added
· IMEException.ExceptionRecord property added
· added SetDebugMmAlignment API
· fixed Mantis automation for latest Mantis version
· fixed Armadillo x64 incompatability
· improved callback parsing for exception box
· fixed: custom RaiseExceptionProc callbacks didn't work
· undocumented option "ShowOuterExceptDetails" added
· fixed freeze when asking BugReport in epCompleteReport

madCodeHook 3.1.3 comes with the following changes:

· fixed: injecting multiple 32bit dlls in x64 OS crashed
· fixed: uninjecting DLL twice at the same time crashed
· fixed: IPC messages sometimes contained wrong session id
· fixed: incompatability with MSVC++ 2012 on Windows 8
· added support for csrss injection in Windows 8
· added new FOLLOW_JMP flag for HookAPI/Code
· fixed crash when hooking system APIs in x64 MSSQL
· [delphi] fixed: 64bit injection crash when using Delphi XE2/3
· [driver] fixed: Verifier blue screens when using ex/include lists
· [driver] fixed: closing processes in x64 OSs sometimes froze
· [driver] fixed: injection failure with MSVC++ 2012 hook dlls

 2012-09-05 

madExcept 4.0.5 comes with the following changes:

· added support for XE3
· a couple of bugfixes and minor improvements

madCodeHook 3.1.2 comes with the following changes:

· added support for XE3
· added support for Metro (AppContainer integrity) apps
· fixed: crash in CreateProcessEx (32bit)
· fixed: uninjection crash in w2k3 error reporting service

 2012-08-03 

madExcept 4.0.3 comes with the following changes:

· improved leak reporting performance and reliability
· added patch to fix BCB XE/XE2 RTL bug
· many bugfixes and small improvements

madCodeHook 3.1.0 comes with the following changes:

· added support for Delphi XE2 x64
· a couple small bugfixes

 2012-06-14 

The new madCollection 2.7.1.0 contains the following madExcept 4 changes:

· added FireMonkey support (Windows only)
· significantly improved leak reporting performance and memory consumption
· significantly improved "instantly crash on buffer over/underrun" feature
· a bunch of important bug fixes

 2012-05-23 

I'm happy to announce the brand new madExcept 4.0 with the following key improvements:

· full support for XE2 x64 compiler
· full unicode support
· FogBugz, BugZilla and Mantis reporting  (screenshot)
· SSL and TLS SMTP client mailing  (screenshot)
· SSL HTTP uploading
· memory and resource leak reporting  (screenshot)
· debug memory manager
· new madExceptViewer tool
· support for nested exceptions
· Windows Logo compliance

A more detailed description about the various improvements is available here.

Upgrade links are available on the shop page.