Joined
Mar 23, 2018
Messages
22
#21
Excellent post, I am really impressed. Regarding detection of API hooks, what about inline hooks made by some process ?

For example I have:

Hooked Object                        | Hooked Address and Location | Type   | Current Value     | Original Value
-------------------------------------|-----------------------------|--------|-------------------|------------------
len(5) ntdll.dll->DbgUiRemoteBreakin | 0x000000007781A640->_       | inline | E9 EB D1 F8 FF    | 6A 08 68 C8 FE
len(6) ntdll.dll->LdrLoadDll         | 0x00000000777BE860->_       | inline | 68 7C 15 5B 00 C3 | 8B FF 55 8B EC 83

I have been trying to detect such behaviour quite a lot, so far without success. These hooks are made by a malware I'm fighting.

I spun up a quick console project and tried the following code (copied from another project and modified):

C++:
#include <windows.h>
#include <iostream>
#include <iomanip>

// The original macro zeroed any entry whose first byte was 0xE9 (JMP rel32),
// which dropped exactly the JMP-hooked routines from the table before API_SCAN
// ever looked at them. Keep the address so the scan below can flag the E9 itself.
#define CHECK_API_REDIRECT(x) (((x) == 0) ? 0 : (x))

DWORD API_Address_Count = 0;
DWORD_PTR API_Address_Table[64] = { 0 };   // DWORD_PTR: a plain DWORD truncates pointers in a 64-bit build

// Returns true when no table entry starts with a hook-like opcode, false as soon as one does.
bool API_SCAN()
{
    for (DWORD n = 0; n < API_Address_Count; n++)
    {
        if (API_Address_Table[n] == 0)
        {
            continue;
        }

        BYTE opcode = *(BYTE*)(API_Address_Table[n]);

        // Print the opcode as a hex number; streaming a BYTE directly prints it as a character
        std::wcout << std::hex << std::setw(2) << std::setfill(L'0') << (unsigned)opcode << std::endl;

        switch (opcode)
        {
        case 0x68:  // push imm32 (push/ret trampoline, as seen on LdrLoadDll above)
        case 0xC2:  // ret imm16
        case 0xC3:  // ret
        case 0xE8:  // call rel32
        case 0xE9:  // jmp rel32 (as seen on DbgUiRemoteBreakin above)
        case 0xFF:  // jmp/call through memory operand
            return false;
        }
    }

    return true;
}

bool API_INIT()
{
    API_Address_Table[API_Address_Count++] = CHECK_API_REDIRECT((DWORD_PTR)GetProcAddress(GetModuleHandleW(L"Ntdll.dll"), "DbgUiRemoteBreakin"));

    API_Address_Table[API_Address_Count++] = CHECK_API_REDIRECT((DWORD_PTR)GetProcAddress(GetModuleHandleW(L"Ntdll.dll"), "LdrLoadDll"));

    return API_SCAN();
}
However, the result is not as expected. Any advice? An example would be awesome :)
 

Deleted member 65228

Guest
#22
Since OP seems "invisible", I'll jump in.

1. Map NTDLL into memory (On x64 use the SysWOW64 version for WOW64 process)
2. Check function prologue of target routine by parsing EAT of mapped duplicate
3. Compare with the version in the main NTDLL.DLL being used
4. Repair the one in your own virtual address space if it has been patched through copying memory (make sure to handle addresses if any are referenced in the memory you're copying, specifically regarding Ldr* and Rtl*)

Watch out for KiFastSystemCall hooks on earlier versions of Windows and, if you're focusing on an x86 process, for WOW64 hooks on an x64 environment, as well as hooks on routines you're using for the operation (like NtCreateFile/NtOpenFile, NtQueryInformationFile, NtReadFile, NtAllocateVirtualMemory, etc.).
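A worked example of steps 2 and 3, added here and not code from either poster: it compares the prologue bytes read from the loaded ntdll with the same bytes from the freshly mapped copy, and decodes the two hook shapes in the table in post #21 (E9 jmp rel32, and 68 imm32 followed by C3, i.e. push/ret). Mapping ntdll and walking its export table to obtain the two buffers are assumed to be done already; the sample addresses and bytes are constructed inputs taken from that table, and the function and type names are my own.

```cpp
#include <cstdint>
#include <cstring>
#include <cstddef>

enum class HookKind { None, JmpRel32, PushRet, Unknown };

struct HookReport {
    HookKind kind;
    size_t   firstDiff;   // first offset where live and clean prologues disagree (n if equal)
    uint64_t target;      // decoded destination of the hook, 0 when not decodable
};

// Steps 2 and 3: compare the prologue read from the loaded ntdll ("live") with the
// same bytes of the freshly mapped on-disk copy ("clean", read at the same RVA after
// parsing its export table). 'addr' is the routine's live address, needed to resolve E9.
HookReport inspectPrologue(uint64_t addr, const uint8_t* live, const uint8_t* clean, size_t n)
{
    HookReport r{HookKind::None, n, 0};
    for (size_t i = 0; i < n; ++i)
        if (live[i] != clean[i]) { r.firstDiff = i; break; }
    if (r.firstDiff == n) return r;                 // byte-identical: not patched
    r.kind = HookKind::Unknown;                     // patched, but not a shape we decode
    if (n >= 5 && live[0] == 0xE9) {                // jmp rel32: next instruction + disp
        int32_t disp; std::memcpy(&disp, live + 1, sizeof disp);
        r.kind = HookKind::JmpRel32;
        r.target = addr + 5 + static_cast<int64_t>(disp);
    } else if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) {  // push imm32; ret
        uint32_t imm; std::memcpy(&imm, live + 1, sizeof imm);
        r.kind = HookKind::PushRet;
        r.target = imm;
    }
    return r;
}

// A decoded target outside [base, base+size) means control leaves ntdll entirely.
bool leavesModule(const HookReport& r, uint64_t base, uint64_t size)
{
    return r.target != 0 && (r.target < base || r.target >= base + size);
}

// Constructed inputs: the addresses and bytes exactly as listed in the table in post #21.
HookReport reportDbgUiRemoteBreakin()
{
    const uint8_t live[5]  = {0xE9, 0xEB, 0xD1, 0xF8, 0xFF};   // current value
    const uint8_t clean[5] = {0x6A, 0x08, 0x68, 0xC8, 0xFE};   // original value
    return inspectPrologue(0x7781A640ULL, live, clean, sizeof live);
}
HookReport reportLdrLoadDll()
{
    const uint8_t live[6]  = {0x68, 0x7C, 0x15, 0x5B, 0x00, 0xC3};
    const uint8_t clean[6] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83};
    return inspectPrologue(0x777BE860ULL, live, clean, sizeof live);
}
```

On the posted values this decodes the DbgUiRemoteBreakin jump to 0x777A7830 (still inside ntdll's range) and the LdrLoadDll push/ret to 0x005B157C (far outside it), which is the kind of signal step 4 would then act on.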
 
#23
Thank you; however, I'm lost. Without seeing code... I cannot imagine how to do this. There is not much information, documentation or examples for such stuff.

1. Map NTDLL into memory (On x64 use the SysWOW64 version for WOW64 process)

This I can do, I have a class written that does this exactly, but the rest...