Posted January 7, 2014 Hello, I have tested a piece of malware today and after that I was surprised that each exe I load with OllyDbg has its entry point hooked with PUSH <address> / RET; the address contains also mov [entrypoint], originalbytes etc. So how is this done? Is there any explanation about this? Even if I set OllyDbg to stop at the system EP the hook is still there at the entry point. Is this a usermode or kernelmode hook? Edited January 7, 2014 by Lostin
January 8, 2014 Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method.
January 8, 2014 Author TLS callback maybe? I already set Olly to stop at TLS callbacks but not this.
"Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method."
Will a ring 3 hook make the modification hidden on the new process? Like modifying the process entry point of each newly started process. How can I stop at the modification process of the entry point? What do you think of reading the entry point of a process created with the suspended flag? Maybe see if it's modified yet or not. Because I see it modifies the entry point without you seeing anything, to PUSH address where address is some allocated mem and there are some injected codes that run a new thread of its own and restore the original bytes, then get back to the EP again. It may also have registered a dll that is injected in every process. I checked the executable module list but didn't find any dlls other than the normal system dlls. Edited January 8, 2014 by Lostin
January 8, 2014
"Will a ring 3 hook make the modification hidden on the new process? Like modifying the process entry point of each newly started process. How can I stop at the modification process of the entry point? What do you think of reading the entry point of a process created with the suspended flag? Maybe see if it's modified yet or not. Because I see it modifies the entry point without you seeing anything, to PUSH address where address is some allocated mem and there are some injected codes that run a new thread of its own and restore the original bytes, then get back to the EP again."
Some malware like SpyEye is hooking every process with ring3. SpyEye hooks NtResumeThread to do this. To stop this simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/ Just scan processes for hooks and you will detect it.
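Added example (not code from this thread or from any of the posters): a check for the PUSH <address> / RET entry-point patch the original poster describes, built from two things the thread asks about, namely where the entry point of a new process is and whether its bytes still match the file. It parses AddressOfEntryPoint from the PE header, compares the first 16 bytes at the entry point in the live image against the clean on-disk image, and recognises the 6-byte push imm32; ret trampoline. Both images are constructed in memory here (a minimal fake PE, not a real binary); on Windows you would fill the "disk" buffer from the file and the "mem" buffer via ReadProcessMemory() on the child. The stub address 0x00410000 is a made-up value.

```c
/* Added example, not code from the thread. Detects a "push <addr>; ret" patch at
 * a PE image's entry point by comparing the live image with the clean on-disk
 * copy. Both buffers are in image layout (RVA == buffer offset) and same length. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* OptionalHeader.AddressOfEntryPoint (an RVA) from an image-layout buffer; 0 if malformed. */
uint32_t pe_entry_rva(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* need "PE\0\0" (4) + COFF header (20) + OptionalHeader up to AddressOfEntryPoint (20) */
    if (e_lfanew >= len || len - e_lfanew < 44) return 0;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    /* AddressOfEntryPoint is at offset 16 of the OptionalHeader in both PE32 and PE32+ */
    return rd32(nt + 4 + 20 + 16);
}

/* 68 xx xx xx xx C3 = push imm32; ret: the trampoline seen at the hooked entry point. */
int is_push_ret_hook(const uint8_t *code, size_t n, uint32_t *target)
{
    if (n < 6 || code[0] != 0x68 || code[5] != 0xC3) return 0;
    if (target) *target = rd32(code + 1);
    return 1;
}

enum { EP_CLEAN = 0, EP_MODIFIED = 1, EP_PUSH_RET_HOOK = 2, EP_BAD_IMAGE = -1 };

/* Compare the first 16 bytes at the entry point of the live image (mem) with the clean copy (disk). */
int check_entry_point(const uint8_t *disk, const uint8_t *mem, size_t len, uint32_t *target)
{
    uint32_t ep = pe_entry_rva(mem, len);
    if (ep == 0 || ep != pe_entry_rva(disk, len) || ep >= len || len - ep < 16)
        return EP_BAD_IMAGE;
    if (memcmp(disk + ep, mem + ep, 16) == 0) return EP_CLEAN;
    return is_push_ret_hook(mem + ep, len - ep, target) ? EP_PUSH_RET_HOOK : EP_MODIFIED;
}

/* ---- constructed sample image (not a real binary) ------------------------------ */
#define IMG_LEN 0x200
#define EP_RVA  0x100

void build_sample_image(uint8_t *buf)
{
    /* original entry code: push ebp; mov ebp,esp; push 0; call rel32 (constructed) */
    static const uint8_t orig_ep[] = { 0x55, 0x8B, 0xEC, 0x6A, 0x00, 0xE8, 0, 0, 0, 0 };
    memset(buf, 0, IMG_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                 /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = 0x4c; buf[0x45] = 0x01;     /* Machine = i386 */
    buf[0x58] = 0x0b; buf[0x59] = 0x01;     /* OptionalHeader.Magic = PE32 */
    wr32(buf + 0x68, EP_RVA);               /* OptionalHeader.AddressOfEntryPoint */
    memcpy(buf + EP_RVA, orig_ep, sizeof orig_ep);
}

/* What the injector does to the child: overwrite the entry point with push target; ret. */
void apply_push_ret_hook(uint8_t *img, uint32_t target)
{
    img[EP_RVA] = 0x68; wr32(img + EP_RVA + 1, target); img[EP_RVA + 5] = 0xC3;
}

/* Scenario helpers: verdict for an untouched child and for a hooked child. */
int demo_clean(void)
{
    uint8_t disk[IMG_LEN], mem[IMG_LEN];
    build_sample_image(disk); memcpy(mem, disk, IMG_LEN);
    return check_entry_point(disk, mem, IMG_LEN, NULL);
}
int demo_hooked(uint32_t *target)
{
    uint8_t disk[IMG_LEN], mem[IMG_LEN];
    build_sample_image(disk); memcpy(mem, disk, IMG_LEN);
    apply_push_ret_hook(mem, 0x00410000u);  /* hypothetical address of the injected stub */
    return check_entry_point(disk, mem, IMG_LEN, target);
}
uint32_t demo_hook_target(void) { uint32_t t = 0; demo_hooked(&t); return t; }

int main(void)
{
    uint32_t target = 0;
    int v = demo_hooked(&target);
    printf("clean child: verdict %d\n", demo_clean());
    printf("hooked child: verdict %d, push/ret target 0x%08x\n", v, target);
    return 0;
}
```

Two practical points when applying this to a real child. First, the thread's answer places the patch in a hook on NtResumeThread in the parent, so a process created with CREATE_SUSPENDED will still show clean entry-point bytes until ResumeThread is called; read the bytes once from the suspended process and once immediately after resuming, or dump them from a debugger attached before the resume. Second, the entry-point address is ImageBase (from the child's PEB) plus AddressOfEntryPoint; on 32-bit Windows the initial thread's context of a suspended process has Eax set to the entry point and Ebx to the PEB, which is the usual shortcut. The 16-byte window keeps false positives from relocation fixups low, but a clean image relocated to a different base can still differ from disk in those bytes, so a mismatch that is not the push/ret pattern (verdict EP_MODIFIED) needs manual inspection rather than an automatic alarm.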
January 9, 2014 Author
"Some malware like SpyEye is hooking every process with ring3. SpyEye hooks NtResumeThread to do this. To stop this simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/ Just scan processes for hooks and you will detect it."
Very nice info mate. I found it hooks explorer.exe indeed with "KiFastSystemCall"; then on each start of a new process this API gets called. Any idea what this API does? Because there is no MSDN explanation. Also how to get the EP address of the newly started process? Startup info structure or something alike?
January 10, 2014 KiFastSystemCall is part of Windows entering the kernel from userland. Read about it here http://codeempire.blogspot.de/2013/10/kernel-driver-sysenter-hook.html
January 10, 2014 Author Thanks all. This is resolved now. I found it hooks more and more: Nt/ZwCreateSection for example, and ZwCreateProcessEx, and many more.