OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Sunday, December 14 2008 18:52.37 CST

Printer Friendly ...

Bypassing windows hook engines which if the LoaderLock is held not executes the

Author: Dreg

# Views: 3079

This project bypass windows hook engines which if the LoaderLock is held not executes the hook handler.

This project include the bypass of the easy-hook FILEMON.

This POC try creates with CreateFileW two files:
- no_bypass_hook.txt: which is logged by the FILEMON of the easy-hook
- bypass_hook.txt: which bypass the FILEMON of the easy-hook
-
- The bypass method is held the LoaderLock:
-. RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
-. CreateFile( ByPassFile.txt );
-. RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
- This works, because TDB of easy-hook uses the Auxiliary Windows Library
before call the hook handler, if AuxUlibIsDLLSynchronizationHeld
return TRUE, easy-hook not execute hook handler
- Helding the LoaderLock AuxUlibIsDLLSynchronizationHeld returns always TRUE

The code to bypass the easy-hook FILEMON hook handler is very simple:



RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );

CreateFileW

(

	FILE_BYPASS_HOOK,

	0,

	0,

	NULL,

	OPEN_EXISTING,

	FILE_ATTRIBUTE_NORMAL,

	NULL

);

RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );

Then the FILE_BYPASS_HOOK never showed in easy-hook FILEMON Log.

Test the code is very simple, only runs bypass_easyhook.exe which creates two files each two seconds:



0-

 CreateFileW(bypass_hook.txt) <- This CALL BYPASS easy-hook



 CreateFileW(no_bypass_hook.txt) <- This CALL NOT BYPASS easy-hook

...

Next, run the FILEMON with the PID of bypass_easyhook.exe.

(Run the filemon from the path of FILEMON):

C:\bypass_easyhook\Release>FileMon.exe 2628
...

Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0

FileMon has been installed in target 2628.

[2628:2772]: "no_bypass_hook.txt"
[2628:2772]: "no_bypass_hook.txt"

Only logged no_bypass_hook.txt, and the FILEMON never logged the CreateFileW of bypass_hook.txt :-).

Bypass windows hook engines which if the LoaderLock is held not executes the hook handler, is very simple with this trick.

But you want code a serious malware or program, held the LoaderLock only in safe situations. It is very important to avoid deadlocks.

The project: http://www.fr33project.org/projects/bypass_easyhook.rar

Active in Last 5 Minutes
	Wannabe

There are 15,865 total registered users.

Recently Created Topics
Career: Technical Pr...	Feb/04
Help needed with: ge...	Feb/04
A question regarding...	Feb/01
Compiler infector an...	Jan/29
Yahoo autoupdater vi...	Jan/27
Solidshield VM Analyse	Jan/27
Tuto about unpacking...	Jan/25
IDA Pro plugins don'...	Jan/20
Bug -- proc_peek_rec...	Jan/17
SYSTEM_INFORMATION_C...	Jan/16

Recent Forum Posts
IDA Pro plugins don'...	Cluster
RECON	hugo
A question regarding...	ronnie2...
A question regarding...	lallous
A question regarding...	detlef
RECON	hugo
Tuto about unpacking...	jumpzero
Yahoo autoupdater vi...	invisghost
Kindle for PC DRM	clarknova
Stack tracing with I...	Hanumaan

Recent Blog Entries
	mjobin	Feb/08
Malware Research Analyst Op...
	lin0xx	Feb/04
User-supplied Array Index E...
	cyphunk	Feb/03
JTAG Enumeration (tool)
	dragula	Jan/29
Reversing compiler infector...
	GynvaelColdwind	Jan/26
The tale of Syndicate Wars ...
More ...

Recent Blog Comments
	cyphunk on:	Feb/03
JTAG Enumeration (tool)
	GynvaelColdwind on:	Feb/03
JTAG Enumeration (tool)
	suirp on:	Feb/02
Administrator account VS. S...
	DelightedZuk on:	Jan/31
GDT / LDT Windows Kernel Ex...
	DelightedZuk on:	Jan/31
Administrator account VS. S...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit