Submit Search
Upload
Inline Hooking in Windows
•
2 likes
•
1,566 views
High-Tech Bridge SA (HTBridge)
Follow
This document is the second of a series of five articles relating to the art of hooking.
Read less
Read more
Technology
Report
Share
Report
Share
1 of 26
Download now
Download to read offline
Recommended
Jumps in Assembly Language.
Jumps in Assembly Language.
NA000000
Pc ie tl_layer (3)
Pc ie tl_layer (3)
Rakeshkumar Sachdev
Unit 3 basic processing unit
Unit 3 basic processing unit
chidabdu
8086 modes
8086 modes
PDFSHARE
Oracles
Oracles
Gene Leybzon
pipelining
pipelining
Sadaf Rasheed
Addressing modes of 8086
Addressing modes of 8086
saurav kumar
Interfacing rs232
Interfacing rs232
PRADEEP
Recommended
Jumps in Assembly Language.
Jumps in Assembly Language.
NA000000
Pc ie tl_layer (3)
Pc ie tl_layer (3)
Rakeshkumar Sachdev
Unit 3 basic processing unit
Unit 3 basic processing unit
chidabdu
8086 modes
8086 modes
PDFSHARE
Oracles
Oracles
Gene Leybzon
pipelining
pipelining
Sadaf Rasheed
Addressing modes of 8086
Addressing modes of 8086
saurav kumar
Interfacing rs232
Interfacing rs232
PRADEEP
Unit 3 – assembly language programming
Unit 3 – assembly language programming
Kartik Sharma
Computer architecture pipelining
Computer architecture pipelining
Mazin Alwaaly
8086-instruction-set-ppt
8086-instruction-set-ppt
jemimajerome
Pci express modi
Pci express modi
proma_goswami
All about Bitcoins!
All about Bitcoins!
Prajakta Nimje
Assembly language programming(unit 4)
Assembly language programming(unit 4)
Ashim Saha
Ch4 1 v1
Ch4 1 v1
bhagavanprasad
BOOLEAN ALGEBRA & LOGIC GATE
BOOLEAN ALGEBRA & LOGIC GATE
Ideal Eyes Business College
Blockchain Smart Contract v5
Blockchain Smart Contract v5
MD SAQUIB KHAN
Logical Instructions used in 8086 microprocessor
Logical Instructions used in 8086 microprocessor
Rabin BK
Instruction pipeline: Computer Architecture
Instruction pipeline: Computer Architecture
InteX Research Lab
Cache memory
Cache memory
Shailesh Tanwar
8086 Interrupts & With DOS and BIOS by vijay
8086 Interrupts & With DOS and BIOS by vijay
Vijay Kumar
Interfacing technique with 8085- ADC[0808]
Interfacing technique with 8085- ADC[0808]
Guhan k
Difference b/w 8085 & 8086
Difference b/w 8085 & 8086
j4jiet
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Bilal Amjad
Pipeline hazard
Pipeline hazard
AJAL A J
Binary to grey code conversion
Binary to grey code conversion
Sunny
Logical instructions (and, or, xor, not, test)
Logical instructions (and, or, xor, not, test)
Irfan Anjum
Data Communication & Computer Networks:Digital Signal Encoding
Data Communication & Computer Networks:Digital Signal Encoding
Dr Rajiv Srivastava
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacks
High-Tech Bridge SA (HTBridge)
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0
High-Tech Bridge SA (HTBridge)
More Related Content
What's hot
Unit 3 – assembly language programming
Unit 3 – assembly language programming
Kartik Sharma
Computer architecture pipelining
Computer architecture pipelining
Mazin Alwaaly
8086-instruction-set-ppt
8086-instruction-set-ppt
jemimajerome
Pci express modi
Pci express modi
proma_goswami
All about Bitcoins!
All about Bitcoins!
Prajakta Nimje
Assembly language programming(unit 4)
Assembly language programming(unit 4)
Ashim Saha
Ch4 1 v1
Ch4 1 v1
bhagavanprasad
BOOLEAN ALGEBRA & LOGIC GATE
BOOLEAN ALGEBRA & LOGIC GATE
Ideal Eyes Business College
Blockchain Smart Contract v5
Blockchain Smart Contract v5
MD SAQUIB KHAN
Logical Instructions used in 8086 microprocessor
Logical Instructions used in 8086 microprocessor
Rabin BK
Instruction pipeline: Computer Architecture
Instruction pipeline: Computer Architecture
InteX Research Lab
Cache memory
Cache memory
Shailesh Tanwar
8086 Interrupts & With DOS and BIOS by vijay
8086 Interrupts & With DOS and BIOS by vijay
Vijay Kumar
Interfacing technique with 8085- ADC[0808]
Interfacing technique with 8085- ADC[0808]
Guhan k
Difference b/w 8085 & 8086
Difference b/w 8085 & 8086
j4jiet
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Bilal Amjad
Pipeline hazard
Pipeline hazard
AJAL A J
Binary to grey code conversion
Binary to grey code conversion
Sunny
Logical instructions (and, or, xor, not, test)
Logical instructions (and, or, xor, not, test)
Irfan Anjum
Data Communication & Computer Networks:Digital Signal Encoding
Data Communication & Computer Networks:Digital Signal Encoding
Dr Rajiv Srivastava
What's hot
(20)
Unit 3 – assembly language programming
Unit 3 – assembly language programming
Computer architecture pipelining
Computer architecture pipelining
8086-instruction-set-ppt
8086-instruction-set-ppt
Pci express modi
Pci express modi
All about Bitcoins!
All about Bitcoins!
Assembly language programming(unit 4)
Assembly language programming(unit 4)
Ch4 1 v1
Ch4 1 v1
BOOLEAN ALGEBRA & LOGIC GATE
BOOLEAN ALGEBRA & LOGIC GATE
Blockchain Smart Contract v5
Blockchain Smart Contract v5
Logical Instructions used in 8086 microprocessor
Logical Instructions used in 8086 microprocessor
Instruction pipeline: Computer Architecture
Instruction pipeline: Computer Architecture
Cache memory
Cache memory
8086 Interrupts & With DOS and BIOS by vijay
8086 Interrupts & With DOS and BIOS by vijay
Interfacing technique with 8085- ADC[0808]
Interfacing technique with 8085- ADC[0808]
Difference b/w 8085 & 8086
Difference b/w 8085 & 8086
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Pipeline hazard
Pipeline hazard
Binary to grey code conversion
Binary to grey code conversion
Logical instructions (and, or, xor, not, test)
Logical instructions (and, or, xor, not, test)
Data Communication & Computer Networks:Digital Signal Encoding
Data Communication & Computer Networks:Digital Signal Encoding
Viewers also liked
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacks
High-Tech Bridge SA (HTBridge)
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0
High-Tech Bridge SA (HTBridge)
Userland Hooking in Windows
Userland Hooking in Windows
High-Tech Bridge SA (HTBridge)
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
High-Tech Bridge SA (HTBridge)
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
High-Tech Bridge SA (HTBridge)
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley Framework
High-Tech Bridge SA (HTBridge)
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in Windows
High-Tech Bridge SA (HTBridge)
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attack
High-Tech Bridge SA (HTBridge)
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
High-Tech Bridge SA (HTBridge)
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
Process injection - Malware style
Process injection - Malware style
Sander Demeester
DIDÁCTICA Y MAPA CONCEPTUAL
DIDÁCTICA Y MAPA CONCEPTUAL
Magdalena Guirau
PROJECTE DE TREBALL FET PELS XIQUETS
PROJECTE DE TREBALL FET PELS XIQUETS
laucs1975
Weird photos pics on floidbox.com
Weird photos pics on floidbox.com
Florin Levarda
startup-ecosystem-survey-slovakia-2016
startup-ecosystem-survey-slovakia-2016
George Delaney FCA
Rr100 b
Rr100 b
Toshiyuki Shimono
Integration for manufacturing The eScop Approach
Integration for manufacturing The eScop Approach
FAST-Lab. Factory Automation Systems and Technologies Laboratory, Tampere University of Technology
ツイートするだけクライアント
ツイートするだけクライアント
森理 麟
Informe general
Informe general
kode99
Baum2
Baum2
dmolina87
Viewers also liked
(20)
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacks
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0
Userland Hooking in Windows
Userland Hooking in Windows
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley Framework
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in Windows
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attack
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
Process injection - Malware style
Process injection - Malware style
DIDÁCTICA Y MAPA CONCEPTUAL
DIDÁCTICA Y MAPA CONCEPTUAL
PROJECTE DE TREBALL FET PELS XIQUETS
PROJECTE DE TREBALL FET PELS XIQUETS
Weird photos pics on floidbox.com
Weird photos pics on floidbox.com
startup-ecosystem-survey-slovakia-2016
startup-ecosystem-survey-slovakia-2016
Rr100 b
Rr100 b
Integration for manufacturing The eScop Approach
Integration for manufacturing The eScop Approach
ツイートするだけクライアント
ツイートするだけクライアント
Informe general
Informe general
Baum2
Baum2
Similar to Inline Hooking in Windows
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
High-Tech Bridge SA (HTBridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
High-Tech Bridge SA (HTBridge)
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
High-Tech Bridge SA (HTBridge)
The Role of Standards in IoT Security
The Role of Standards in IoT Security
Hannes Tschofenig
20101109 (tech ed) how frameworks kill projects
20101109 (tech ed) how frameworks kill projects
Sander Hoogendoorn
Fixing security by fixing software development
Fixing security by fixing software development
Nick Galbreath
The State of Wicket
The State of Wicket
Martijn Dashorst
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Nick Galbreath
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OS
Cisco Russia
GeeCON Microservices 2015 scaling micro services at gilt
GeeCON Microservices 2015 scaling micro services at gilt
Adrian Trenaman
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
Jonathan Engelsma
voip_en
voip_en
Pierpaolo Palazzoli
Developer-Friendly CI / CD for Kubernetes
Developer-Friendly CI / CD for Kubernetes
DevOps Indonesia
Docker cloud hybridation & orchestration
Docker cloud hybridation & orchestration
Adrien Blind
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017
ElifTech
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
Henning Jacobs
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Jan Löffler
Radical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the Cloud
Zalando Technology
Introduction to the Container Networking and Security
Introduction to the Container Networking and Security
Cloud 66
Similar to Inline Hooking in Windows
(20)
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
The Role of Standards in IoT Security
The Role of Standards in IoT Security
20101109 (tech ed) how frameworks kill projects
20101109 (tech ed) how frameworks kill projects
Fixing security by fixing software development
Fixing security by fixing software development
The State of Wicket
The State of Wicket
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OS
GeeCON Microservices 2015 scaling micro services at gilt
GeeCON Microservices 2015 scaling micro services at gilt
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
voip_en
voip_en
Developer-Friendly CI / CD for Kubernetes
Developer-Friendly CI / CD for Kubernetes
Docker cloud hybridation & orchestration
Docker cloud hybridation & orchestration
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Radical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the Cloud
Introduction to the Container Networking and Security
Introduction to the Container Networking and Security
Recently uploaded
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Pixlogix Infotech
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Slack Application Development 101 Slides
Slack Application Development 101 Slides
praypatel2
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Katpro Technologies
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Neo4j
Recently uploaded
(20)
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Slack Application Development 101 Slides
Slack Application Development 101 Slides
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Inline Hooking in Windows
1.
Your texte here
…. Inline Hooking in Windows 6 September 2011 Brian MARIANI Senior Security Consultant ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
2.
SOME IMPORTANT POINTS
Your texte here …. This document is the second of a series of five articles relating to the art of hooking. As a test environment we will use an english Windows Seven SP1 operating system distribution. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
3.
WHAT IS AN
INLINE HOOK Your texte here …. When an inline hook is implemented it will overwrite the first bytes codes of a windows api in order to redirect code flow. This kind of technique can be used in ring 3 or ring 0 modes. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
4.
CHARACTERISTICS
Your texte here …. Inline hooking is more robust than import address table (IAT) hooks. They do not have problems related to dll binding at runtime. They can trap any function call, not just system calls. No device driver is required. They are widely used in many renowned professional applications and well-known rootkits. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
5.
SOME GOOD UTILITIES
Your the Defcon 17 Nick Harbour has presented a good tool At texte here …. named apithief. The tool launches a process in a suspended state. It then injects a DLL and hook Win32 API functions. The tool can then monitor the api behavior. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
6.
SOME BAD UTILITIES
Your texte here …. widespread malware take advantage of Well-known and this kind of technique to hook key api windows components in order to spy and steal sensitive information from the user. One of these famous malwares is Zeus, also known as Zbot, PRG, Wsnpoem or Gorhax. ws2_32! WSASend API hooked ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
7.
Implementing an inline
hook Your texte hereour dll into the process we want to hijack. We inject …. (Please see Userland Hooking in Windows) The first bytes of the target api are saved, these are the bytes that will be overwritten. We place a jump, call or push-ret instruction. The jump redirects the code flow to our function. The hook can later call the original api using the saved bytes of the hooked function. The original function will return control to our function and then data can be easily tampered. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
8.
WHAT ARE WE
GOING TO OVERWRITE Your texte here …. It is very important to determine what and where we are going to overwrite the bytes codes. Knowing exactly how much space we have at our disposal is really important, otherwise we can destroy the logic of the api, or write beyond his borders. An unconditional jump will require 5 bytes. We need to disassemble the beginning of the target api. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
9.
WHERE ARE WE
GOING TO OVERWRITE Your texte herea windows api function is usually the same. The start of …. After XP-SP2 Microsoft decided to change the windows api preamble: MOV EDI,EDI PUSH EBP MOV EBP,ESP This allow for hot-patching, inserting a new code without the need to reboot the box. We can use these five bytes to insert our own set of instructions. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
10.
WHERE ARE WE
GOING TO OVERWRITE Your texte here …. why we select the start of the function is Another reason because the more deeper into the function the hook is located, the more we must be careful with the code. If you hook deeper into the function, you can create unwanted issues. Things become more complex. Keep it simple and stupid. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
11.
AN UNSUCCESSFUL HOOK
Your we try to …. If texte here hook every function in the same way we can modify the logic of the function. In the picture below we have inserted an unconditional jump that destroy the logic of the function. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
12.
A SUCCESSFUL HOOK
Your this particular example the prolog of httpsendrequest In texte here …. API has been hooked with a jump to our function. We have used the first 5 bytes of the target function to place our jmp instruction. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
13.
INLINE HOOKING PRACTICAL
EXAMPLE (1) Yourthis practical example our target is a simple chat system In texte here …. using nc.exe, but every program using WS2_32.DLL!Send Api could be used. We want to hijack the sent messages from one of two users. To accomplish this task we inject our DLL into nc.exe process and we hook the aforementioned api. Then we jump into our function and we change the stack parameters, then we adjust our stack to avoid incovenients and finally we jump again to WS2_32.DLL!Send api. This hook example can be used to create more complex scenarios. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
14.
INLINE HOOKING PRACTICAL
EXAMPLE (2) Your textehooking the WS2_32.dll!send API we attach with Before here …. our debugger to the nc.exe process which is already listening on port 9999. We can see the unhook prolog. WS2_32!Send ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
15.
INLINE HOOKING PRACTICAL
EXAMPLE (3) Your texte here …. for inbound connections (upper image) and the client Server is listening connects (lower image). All is working normally and users are discussing without any issues. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
16.
INLINE HOOKING PRACTICAL
EXAMPLE (4) Yourthis time we inject our DLL into the nc.exe process. At texte here …. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
17.
INLINE HOOKING PRACTICAL
EXAMPLE (5) Your texte here …. Let’s check using the our debugger how’s things have changed. The API preamble has been modified. It has been replaced with a jump to our evil function. WS2_32!Send ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
18.
INLINE HOOKING PRACTICAL
EXAMPLE (6) Your texte here our function at address 0x6FAC11D0. Let’s check …. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
19.
INLINE HOOKING PRACTICAL
EXAMPLE (7) Your texte here …. the chat has changed too :] The behavior of ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
20.
DETECTING INLINE HOOKING
(1) Your texte here …. Detecting inline hooks is pretty simple. Rootkits detectors like gmer, or BlackLight from Fsecure do a good job. Let’s do an injection test into Internet Explorer 8.0 in Windows 7 and hook wininet!HttpSendRequestW Api. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
21.
DETECTING INLINE HOOKING
(2) Your texte here …. place :] The hook is in ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
22.
DETECTING INLINE HOOKING
(3) Your texte has …. But it here been successfully detected by gmer anti- rootkit. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
23.
CONCLUSION
Inline hooks can be very useful when trying to reverse Your texte here …. malware. Paradoxically nowadays malcode use this technique to change the behavior of the operating system in order to steal personal information. By understanding and identifying hooks, thought, you will be able to detect most public rootkits and malwares. We hope this document help you understand and master inline hooks. Demo video: Inline Hooking in Windows ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
24.
TO BE CONTINUED
Your texte here …. In future documents we will introduce Kernel Hooking. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
25.
REFERENCES
Your texte here …. Subverting the Windows Kernel (Greg Hoglund & James Butler) Professional Rootkits (Ric Vieler) Programming application for Microsoft Windows fourth edition (Jeffrey Ritchter) http://msdn.microsoft.com/en-us/magazine/cc301805.aspx Programming Windows Security (Keith Brown) http://support.microsoft.com/kb/197571 http://www.youtube.com/watch?v=2RJyR9igsdI http://community.websense.com/blogs/securitylabs/archive/tags/ Zeus/default.aspx http://www.ibm.com/developerworks/linux/library/l-ia/index.html http://www.gmer.net/ ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
26.
Thank-you for reading
Your texte here …. Thank you for reading Your questions are always welcome! Brian.mariani@htbridge.ch ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
Download now