OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Sunday, December 14 2008 18:52.37 CST

Printer Friendly ...

Bypassing windows hook engines which if the LoaderLock is held not executes the

Author: Dreg

# Views: 6361

This project bypass windows hook engines which if the LoaderLock is held not executes the hook handler.

This project include the bypass of the easy-hook FILEMON.

This POC try creates with CreateFileW two files:
- no_bypass_hook.txt: which is logged by the FILEMON of the easy-hook
- bypass_hook.txt: which bypass the FILEMON of the easy-hook
-
- The bypass method is held the LoaderLock:
-. RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
-. CreateFile( ByPassFile.txt );
-. RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
- This works, because TDB of easy-hook uses the Auxiliary Windows Library
before call the hook handler, if AuxUlibIsDLLSynchronizationHeld
return TRUE, easy-hook not execute hook handler
- Helding the LoaderLock AuxUlibIsDLLSynchronizationHeld returns always TRUE

The code to bypass the easy-hook FILEMON hook handler is very simple:



RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );

CreateFileW

(

	FILE_BYPASS_HOOK,

	0,

	0,

	NULL,

	OPEN_EXISTING,

	FILE_ATTRIBUTE_NORMAL,

	NULL

);

RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );

Then the FILE_BYPASS_HOOK never showed in easy-hook FILEMON Log.

Test the code is very simple, only runs bypass_easyhook.exe which creates two files each two seconds:



0-

 CreateFileW(bypass_hook.txt) <- This CALL BYPASS easy-hook



 CreateFileW(no_bypass_hook.txt) <- This CALL NOT BYPASS easy-hook

...

Next, run the FILEMON with the PID of bypass_easyhook.exe.

(Run the filemon from the path of FILEMON):

C:\bypass_easyhook\Release>FileMon.exe 2628
...

Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0

FileMon has been installed in target 2628.

[2628:2772]: "no_bypass_hook.txt"
[2628:2772]: "no_bypass_hook.txt"

Only logged no_bypass_hook.txt, and the FILEMON never logged the CreateFileW of bypass_hook.txt :-).

Bypass windows hook engines which if the LoaderLock is held not executes the hook handler, is very simple with this trick.

But you want code a serious malware or program, held the LoaderLock only in safe situations. It is very important to avoid deadlocks.

The project: http://www.fr33project.org/projects/bypass_easyhook.rar

There are 29,883 total registered users.

Recently Created Topics
Incorrect bitness wh...	May/20
PaiMei stalker modul...	May/19
Attach to program us...	May/13
IDA PRO how to make ...	May/12
FACT: OpenRCE is dead.	May/08
Int 3 anti debug?	May/05
help needed - Beginn...	May/03
Attaching IDA Pro to...	Apr/27
File type	Apr/21
Debugging iphone app...	Apr/15

Recent Forum Posts
Ollydbg 2.0 - Plugin...	openrce...
IDA PRO how to make ...	codeinject
FACT: OpenRCE is dead.	codeinject
IDA Resource Viewer ...	r2x64
FACT: OpenRCE is dead.	djnemo
FACT: OpenRCE is dead.	codeinject
FACT: OpenRCE is dead.	pedram
help needed - Beginn...	araujo
Attaching IDA Pro to...	codeinject
Int 3 anti debug?	codeinject

Recent Blog Entries
	sweetyss	May/18
Adam Wainwright continues t...
	lowpriority	Apr/13
OllyMigrate Plugin for Olly...
	everdox	Mar/08
2 anti-trace mechanisms spe...
	everdox	Mar/07
Advanced debugging techniques
	everdox	Mar/06
Branch tracing and LBR acce...
More ...

Recent Blog Comments
	clarisonic on:	Apr/03
New version of Ollydbg!
	clarisonic on:	Apr/03
New version of Ollydbg!
	trackerx90 on:	Mar/04
SuppressDebugMsg As Anti-De...
	coachfactory on:	Feb/25
Portable Executable Format ...
	coachfactory on:	Feb/25
A new Anti-Olly trick.
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit