分享
 
 
 

AntiHookExec Version 1.0 (Anti API Hooking Proof-Of-Concept)

王朝other·作者佚名  2006-04-12
窄屏简体版  字體: |||超大  

by Tan Chew Keong

15 April 2004

Download

Introduction

API hooking is a useful technique that can be used to monitor API calls used by Win32 programs. This allows understanding of the programs' functionalities based on the APIs that are called and their input parameters. However, API hooking is also used by rootkits and other malicious code to modify the behaviour of certain APIs to hide files, network ports, processes or services.

This proof-of-concept code demonstrates how to overcome some of the API hooking techniques to execute a specified EXE that is free from API hooks. This program has been tested to work against HackDefender Version 1.0 rootkit for Windows.

API Hooking Techniques

The idea behind API hooking is to allow an API call to be redirected to a replacement function. This replacement function will usually perform some manipulation of the input parameters before transferring control back to the called API. The replacement function could also manipulate the API's return results before passing them back to the caller. This simple idea has been used by rootkits and trojans to hide files, processes and network ports. For example, by hooking FindFirstFileA and FindNextFileA, it is possible to manipulate the list of filenames returned, thus allowing certain files to be hidden from the directory listing.

This proof-of-concept code demonstrates how a program can rid itself of system-wide API hooks that are implemented based on the following techniques.

Import/Export Table Modification

Overwriting the start of the hooked API with a JMP instruction

Import/Export Table Modification

This technique allows APIs to be hooked by making direct modifications to the Import/Export Tables of the targeted process and all its modules (DLLs). Each process and module(DLL) have their own Import Address Table (IAT) that contains the entry-point addresses of the APIs that are used. These addreseses will be used whenever the process makes a call to the repective APIs. Therefore, by replacing the entry-point address of an API (in the IAT) with that of a replacement function, it is possible to redirect any calls to the API to the replacement function.

However, modifying the IAT alone is insufficient since the targeted process might use the GetProcAddress API to obtain the real entry point address of an API. This problem could be solved by hooking the GetProcAddress API so that the address of the replacement function is returned instead. Alternatively, it is possible to directly modify the Export Address Table of the DLL that exports that particular API. Every DLL has an Export Address Table (EAT) that contains the entry-point addresses of the APIs that are implemented within the DLL. Hence, by replacing the entry-point of an API within the EAT with the relative address of the replacement function, we can cause GetProcAddress to return the address of the replacement function instead.

Overwriting the start of the hooked API with a JMP instruction

Another technique that can be used to implement API hooking involves overwriting the start of the hooked API with a JMP instruction that cause execution to be transferred to the replacement function. This technique requires less modifications within the memory space of the hooked process as compared to the previous technique.

AntiHookExec Algorithm

This proof-of-concept code works as follows:

Manually read ntdll.dll and kernel32.dll into memory using CreateFile, ReadFile APIs. Make sure they are properly aligned to the specified memory alignment. Henceforth, these two manually loaded images shall be called the file images. The memory images of ntdll.dll and kernel32.dll as mapped in by the OS shall be called the memory images.

Iterate through all the APIs exported by ntdll.dll and kernel32.dll using the Export Table of the file images. For each API exported, perform Instruction Length Disassembly to get a rough estimate of the function length (N). Compare the first N bytes of each API using the file images and the memory images. Any discrepancies between them would indicate that the particular API have been hooked using the second technique described above.

Restore each hooked API by copying the relevant bytes from the file images to the memory images.

Iterate through the Import Address Table (IAT) of kernel32.dll. For each imported API address from ntdll.dll, check that it has not been modified. Any modified IAT entries of kernel32.dll will be restored using the disk images.

Obtain the API address of CreateProcessA using the disk image of kernel32.dll. This ensures that any modifications to our IAT won't affect us.

Execute the specified EXE using CreateProcessA.

Usage

AntiHookExec.exe <exe filename>

This program will attempt to rid itself of userspace API hooks and execute <exe filename>

The following steps will be taken.

API Restoration. This program will attempt to detect any changes to the memory image of ntdll.dll by comparing it against the disk image. If there are any changes, the memory image will be patch by referencing the disk image.

Import Table Restoration. This program will attempt to restore the import tables in the memory image of kernel32.dll by comparing it against the disk image.

Obtain the memory address of CreateProcessA using the disk image of kernel32.dll, and use this address to execute <exe filename>

Limitations

The following are some limitations of this proof-of-concept code.

The system-wide API hooking program has not hooked ReadFile API, and cause it to return a falsified disk image of kernel32.dll and ntdll.dll.

The system-wide API hook has not disabled VirtualQuery and VirtualProtect APIs.

This program will not work against kernel-space rootkits.

This program will also not work against API hooks that are installed using SetWindowsHookEx.

Contacts

For further enquries or to submit malicious code for our analysis, email them to the following.

Overall-in-charge: Tan Chew Keong

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有