API Hooking - wrong approach


Indiepath
05-15-2006, 12:55 AM
I know this is not strictly to do with games but it is related.

I've been experimenting with a Sandbox system, it works great by hooking the windows API and intercepting NtWriteFile requests for the Sandboxed app.

Now I would like to implement this as a function of igLoader, but I'm also aware that API hooking is widely used by spyware-type apps. So do you think this would bring a tonne of crap, and should I just forget this idea altogether?

Thanks

Tim.

illume
05-15-2006, 05:46 PM
Will your code affect other programs?

Ie, are you modifying system libraries? If you are modifying them, I wouldn't because it'd be hard to make sure your changes work, and then keep working each time the system libraries need to be updated.

Indiepath
05-16-2006, 09:16 AM
Will your code affect other programs?

Ie, are you modifying system libraries? If you are modifying them, I wouldn't because it'd be hard to make sure your changes work, and then keep working each time the system libraries need to be updated.
What happens is that a small library is injected into the process I wish to monitor; it will not affect the operation of any other applications running or installed. The system libs are not changed; the functions are simply intercepted. The only process I will be monitoring is the one launched by igLoader. I will be denying access to the WriteFile, DeleteFile, CreateFile, CreateProcess and registry writing functions.

Greg Squire
05-16-2006, 01:02 PM
I think what you are trying to do is admirable. You are creating a sandbox for the game or other program that is launched, thus protecting the user's system if igLoader was used to launch a trojan or other spyware app. I think that's a good idea because if igLoader was used to launch something malicious (even though you had nothing to do with it) it would taint your reputation. Worse, it could taint others using igLoader as well, and could eventually lead to "igLoader" (and anything using it) being branded as spyware. So I think that's something that is definitely needed.

On the flip side, I'm not sure if anti-spyware programs can detect if a program is using API-hooking? If so, then they might detect igLoader as spyware (when in fact, it's trying to do just the exact opposite). If that's the case then you might be in a "catch-22". However I still think it would be safer to try and do the right thing by creating a safe sandbox for the launched app to run in. That would be in everyone's best interest in my mind.

Indiepath
05-16-2006, 02:27 PM
The feedback I'm getting from several sources suggests I should go down the sandbox route. I'm quite sure as long as I document the reason for implementing the sandbox technology I should avoid any future issues.

For those who have already licensed igLoader and need filesys write functionality we will have a white listing process. A white listed app will have full system access.

Larry Hastings
05-22-2006, 03:47 AM
You better intercept GetProcAddr or else people can just sidestep you.
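The two technical points in this thread, Indiepath's description of an injected library that intercepts the write-capable APIs without touching the system libraries, and Larry's warning that a program can sidestep such a hook by resolving the function itself unless GetProcAddress is intercepted too, can be seen together in a small model. The C below is an added illustration, not igLoader's code and not Win32 code: the kernel32 export table, the target's import table (IAT) and GetProcAddress are replaced by plain C tables and function pointers so it builds anywhere, and the API names and the white-list switch are taken from the thread; the `sandbox_*` and `app_call_*` function names are assumptions for the example.

```c
/* Model of a user-mode sandbox built on import-table hooking (added example, not
 * igLoader's code). The injected library patches the target's IAT slots for the
 * write-capable APIs, and also hooks GetProcAddress so that a run-time lookup of
 * a guarded name returns the hook rather than the real export. The tables below
 * stand in for the PE export/import structures; no system library is modified. */
#include <stdio.h>
#include <string.h>

typedef int (*api_fn)(const char *arg);       /* every modelled API: 1 = done, 0 = failed */

/* Stand-ins for the real kernel32 exports (the real ones would touch the disk). */
static int real_CreateFile(const char *p)    { printf("  real CreateFile(%s)\n", p); return 1; }
static int real_WriteFile(const char *p)     { printf("  real WriteFile(%s)\n", p); return 1; }
static int real_DeleteFile(const char *p)    { printf("  real DeleteFile(%s)\n", p); return 1; }
static int real_CreateProcess(const char *p) { printf("  real CreateProcess(%s)\n", p); return 1; }

static const struct { const char *name; api_fn fn; } exports[] = {
    {"CreateFile", real_CreateFile},   {"WriteFile", real_WriteFile},
    {"DeleteFile", real_DeleteFile},   {"CreateProcess", real_CreateProcess},
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* What GetProcAddress does when nobody has hooked it: walk the export table. */
static api_fn real_GetProcAddress(const char *name) {
    for (size_t i = 0; i < COUNT(exports); i++)
        if (strcmp(exports[i].name, name) == 0) return exports[i].fn;
    return NULL;
}

/* Sandbox policy: deny every write-capable call unless the app is white-listed
 * (the thread's white-listing process; a white-listed app gets full access). */
static int app_whitelisted = 0;
void sandbox_set_whitelisted(int on) { app_whitelisted = on; }

static int guarded(const char *api, const char *arg, api_fn real) {
    if (app_whitelisted) return real(arg);
    printf("  sandbox: denied %s(%s)\n", api, arg);
    return 0;                                  /* the app just sees a failed call */
}
static int hook_CreateFile(const char *p)    { return guarded("CreateFile", p, real_CreateFile); }
static int hook_WriteFile(const char *p)     { return guarded("WriteFile", p, real_WriteFile); }
static int hook_DeleteFile(const char *p)    { return guarded("DeleteFile", p, real_DeleteFile); }
static int hook_CreateProcess(const char *p) { return guarded("CreateProcess", p, real_CreateProcess); }

static const struct { const char *name; api_fn hook; } hooks[] = {
    {"CreateFile", hook_CreateFile},   {"WriteFile", hook_WriteFile},
    {"DeleteFile", hook_DeleteFile},   {"CreateProcess", hook_CreateProcess},
};

/* Hooked GetProcAddress: a dynamic lookup of a guarded name yields the hook, so
 * the target cannot sidestep the import-table patch by resolving the symbol itself. */
static api_fn hook_GetProcAddress(const char *name) {
    for (size_t i = 0; i < COUNT(hooks); i++)
        if (strcmp(hooks[i].name, name) == 0) return hooks[i].hook;
    return real_GetProcAddress(name);
}

/* The sandboxed app's import table: one slot per imported symbol. The loader
 * fills it with real addresses; the injected library overwrites the slots. */
static struct { const char *name; api_fn fn; } iat[] = {
    {"CreateFile", NULL}, {"WriteFile", NULL}, {"DeleteFile", NULL}, {"CreateProcess", NULL},
};
static api_fn (*iat_GetProcAddress)(const char *) = real_GetProcAddress;

/* Rebuild the import table as the loader would, then apply the hooks. With
 * hook_resolver == 0 only the file/process slots are patched (the gap Larry points at). */
void sandbox_install(int hook_resolver) {
    for (size_t i = 0; i < COUNT(iat); i++) {
        iat[i].fn = real_GetProcAddress(iat[i].name);
        for (size_t h = 0; h < COUNT(hooks); h++)
            if (strcmp(hooks[h].name, iat[i].name) == 0) iat[i].fn = hooks[h].hook;
    }
    iat_GetProcAddress = hook_resolver ? hook_GetProcAddress : real_GetProcAddress;
}

/* The two ways a program reaches an API: through its import table, or by
 * resolving the name at run time. Returns the API's result, or -1 if unknown. */
int app_call_via_iat(const char *api, const char *arg) {
    for (size_t i = 0; i < COUNT(iat); i++)
        if (strcmp(iat[i].name, api) == 0) return iat[i].fn(arg);
    return -1;
}
int app_call_via_lookup(const char *api, const char *arg) {
    api_fn fn = iat_GetProcAddress(api);
    return fn ? fn(arg) : -1;
}

int main(void) {
    sandbox_install(0);                         /* file APIs hooked, resolver not */
    printf("import-table call:\n");   app_call_via_iat("WriteFile", "save.dat");
    printf("run-time lookup:\n");     app_call_via_lookup("WriteFile", "save.dat");
    sandbox_install(1);                         /* now GetProcAddress is hooked too */
    printf("run-time lookup, resolver hooked:\n");
    app_call_via_lookup("WriteFile", "save.dat");
    return 0;
}
```

Run as-is, the first lookup shows the real WriteFile being reached while the import-table call is denied; once the resolver is hooked as well, both paths are denied. The same shape applies to the real thing: every way the target can obtain a function address (import table, GetProcAddress, and any other resolver it can reach) has to be covered, or the policy only holds for the well-behaved case.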