Tuts 4 You

Automatic injection into newly created processes


Lostin


Posted (edited)

Hello,

I have tested a piece of malware today and after that I was surprised that each exe I load with OllyDbg has its entry point hooked with:

PUSH <address>
RET

The address also contains mov [entrypoint], originalbytes etc.

So how is this done? Is there any explanation about this? Even if I set OllyDbg to stop at the system EP the hook is still there at the entry point. Is this a usermode or kernelmode hook?


Edited by Lostin
Posted

TLS callback maybe?

Posted

Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method.


Posted

It may also have registered a DLL that is injected in every process.


Posted (edited)

TLS callback maybe?

I already set Olly to stop at TLS callbacks but not this.

Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method.

Will a ring 3 hook make the modification hidden on the new process? Like modifying the process entry point of each newly started process. How can I stop at the modification of the entry point? What do you think of reading the entry point of a process created with the suspended flag? Maybe see if it's modified yet or not. Because I see it modifies the entry point without you seeing anything, to PUSH address where address is some allocated mem, and there is some injected code that runs a new thread of its own and restores the original bytes then gets back to the EP again.

It may also have registered a DLL that is injected in every process.

I checked the executable module list but didn't find any DLLs other than the normal system DLLs.

Edited by Lostin
Posted

Will a ring 3 hook make the modification hidden on the new process? Like modifying the process entry point of each newly started process. How can I stop at the modification of the entry point? What do you think of reading the entry point of a process created with the suspended flag? Maybe see if it's modified yet or not. Because I see it modifies the entry point without you seeing anything, to PUSH address where address is some allocated mem, and there is some injected code that runs a new thread of its own and restores the original bytes then gets back to the EP again.

Some malware like SpyEye is hooking every process with ring3. SpyEye hooks NtResumeThread to do this. To stop this simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/

Just scan processes for hooks and you will detect it.

  • Like 2
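A ring3 hook of this kind leaves a visible trace in the new process: the entry point the first post describes (PUSH <address> / RET, with a restore stub that writes the original bytes back) no longer matches the bytes of the executable on disk. The check below is an added example written for this thread; it is not code from any poster, from gmer or from OllyDbg. It compares an entry-point prologue as read from disk with the prologue seen in the live process, classifies the common redirection stubs, and searches a dumped stub region for the copy of the original bytes that the restore code carries. All byte strings, the entry-point address 0x401000 and the stub target 0x003A0000 are constructed for the demonstration; against a real process you would feed it bytes obtained with ReadProcessMemory or a debugger dump.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample: 12 bytes of a typical 32-bit entry-point prologue as read
# from the file on disk (push ebp; mov ebp,esp; sub esp,0x1c; push ebx; push esi;
# push edi; mov edi,[ebp+8]). Not taken from any real binary.
ENTRY_VA = 0x00401000
ORIGINAL_EP = bytes.fromhex("558bec83ec1c5356578b7d08")

# Constructed "live" image of the same entry point after a PUSH imm32 / RET hook:
# the first six bytes are replaced, the rest of the prologue is untouched.
HOOK_TARGET = 0x003A0000
HOOKED_EP = b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xC3" + ORIGINAL_EP[6:]

# Constructed variant using a five-byte relative JMP instead (displacement 0x100).
HOOKED_EP_JMP = b"\xE9" + struct.pack("<i", 0x100) + ORIGINAL_EP[5:]

# Constructed fragment of a restore stub: mov dword ptr [ENTRY_VA], <4 orig bytes>
# followed by mov word ptr [ENTRY_VA+4], <2 orig bytes>. Real stubs split the
# saved bytes across immediates like this, so they are not one contiguous copy.
RESTORE_STUB = (
    b"\xC7\x05" + struct.pack("<I", ENTRY_VA) + ORIGINAL_EP[:4]
    + b"\x66\xC7\x05" + struct.pack("<I", ENTRY_VA + 4) + ORIGINAL_EP[4:6]
)


@dataclass
class HookReport:
    hooked: bool
    kind: Optional[str] = None      # push_ret, jmp_rel32, jmp_indirect, unknown_patch
    target: Optional[int] = None    # where control is redirected, if decodable
    patched_len: int = 0            # number of leading bytes that were overwritten


def classify_stub(code: bytes, va: int) -> HookReport:
    """Decode the instruction at `va` if it is one of the usual redirection stubs."""
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        # push imm32 ; ret -> jumps to the immediate
        return HookReport(True, "push_ret", struct.unpack_from("<I", code, 1)[0], 6)
    if len(code) >= 5 and code[0] == 0xE9:
        # jmp rel32 -> target is relative to the end of the 5-byte instruction
        disp = struct.unpack_from("<i", code, 1)[0]
        return HookReport(True, "jmp_rel32", (va + 5 + disp) & 0xFFFFFFFF, 5)
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        # jmp dword ptr [abs32] -> report the pointer slot, the callee must deref it
        return HookReport(True, "jmp_indirect", struct.unpack_from("<I", code, 2)[0], 6)
    return HookReport(False)


def _patched_length(on_disk: bytes, in_memory: bytes) -> int:
    """Index of the last differing byte plus one (0 when identical)."""
    last = -1
    for i in range(min(len(on_disk), len(in_memory))):
        if on_disk[i] != in_memory[i]:
            last = i
    return last + 1


def compare_entry(on_disk: bytes, in_memory: bytes, va: int) -> HookReport:
    """Flag an entry point whose live bytes differ from the file on disk."""
    if on_disk == in_memory:
        return HookReport(False)
    diff_len = _patched_length(on_disk, in_memory)
    report = classify_stub(in_memory, va)
    if report.hooked:
        report.patched_len = max(report.patched_len, diff_len)
        return report
    # Bytes changed but no recognised stub: still worth a look, just unclassified.
    return HookReport(True, "unknown_patch", None, diff_len)


def find_restore_copy(region: bytes, original: bytes, chunk: int = 4) -> int:
    """Offset of the first `chunk` original bytes inside a dumped stub region, or -1.

    Restore code stores the saved bytes as instruction immediates, so only a
    dword-sized run is searched for rather than the whole prologue.
    """
    return region.find(original[:chunk])


if __name__ == "__main__":
    print(compare_entry(ORIGINAL_EP, HOOKED_EP, ENTRY_VA))
    print(compare_entry(ORIGINAL_EP, HOOKED_EP_JMP, ENTRY_VA))
    print("restore copy at offset", find_restore_copy(RESTORE_STUB, ORIGINAL_EP))
```

Running it reports the PUSH/RET stub with its target 0x003A0000 and six overwritten bytes, the JMP variant with its computed destination, and offset 6 for the saved bytes inside the restore fragment. Knowing that offset matters when the on-disk image is unavailable: the restore stub itself is a reliable place to recover the original prologue from.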
Posted

Some malware like SpyEye is hooking every process with ring3. SpyEye hooks NtResumeThread to do this. To stop this simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/

Just scan processes for hooks and you will detect it.

Very nice info mate. I found it hooks explorer.exe indeed with "KiFastSystemCall" :)

Then on each start of a new process this API gets called. Any idea what this API does? Because there is no MSDN explanation. Also how to get the EP address of the newly started process? Startup info structure or something alike?

Posted

Thanks all. This is resolved now. I found it hooks more and more: Nt/ZwCreateSection for example, and ZwCreateProcessEx and many more :)

