Lostin Posted January 7, 2014 (edited)

Hello, I have tested a piece of malware today, and after that I was surprised that each exe I load with OllyDbg has its entry point hooked with PUSH <address> / RET; the address also contains mov [entrypoint], originalbytes etc. So how is this done? Is there any explanation about this? Even if I set OllyDbg to stop at the system EP, the hook is still there at the entry point. Is this a usermode or kernelmode hook?

Edited January 7, 2014 by Lostin
Aguila Posted January 8, 2014

Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method.
deepzero Posted January 8, 2014

It may also have registered a DLL that is injected in every process.
Lostin Posted January 8, 2014 Author (edited)

TLS callback maybe? I already set Olly to stop at TLS callbacks, but not this.

> Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method.

Will a ring 3 hook make the modification hidden on the new process, like modifying the process entry point of each newly started process? How can I stop at the modification of the entry point? What do you think of reading the entry point of a process created with the suspended flag, maybe to see if it's modified yet or not? Because I see it modifies the entry point without you seeing anything, to PUSH address where address is some allocated mem, and there is some injected code that runs a new thread of its own and restores the original bytes, then gets back to the EP again.

> It may also have registered a DLL that is injected in every process.

I checked the executable module list but didn't find any DLLs other than the normal system DLLs.

Edited January 8, 2014 by Lostin
Aguila Posted January 8, 2014

> Will a ring 3 hook make the modification hidden on the new process, like modifying the process entry point of each newly started process? How can I stop at the modification of the entry point? What do you think of reading the entry point of a process created with the suspended flag, maybe to see if it's modified yet or not? Because I see it modifies the entry point without you seeing anything, to PUSH address where address is some allocated mem, and there is some injected code that runs a new thread of its own and restores the original bytes, then gets back to the EP again.

Some malware like SpyEye is hooking every process in ring3. SpyEye hooks NtResumeThread to do this. To stop this, simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/ Just scan processes for hooks and you will detect it.
Lostin Posted January 9, 2014 Author

> Some malware like SpyEye is hooking every process in ring3. SpyEye hooks NtResumeThread to do this. To stop this, simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/ Just scan processes for hooks and you will detect it.

Very nice info mate. I found it hooks explorer.exe indeed with "KiFastSystemCall", then on each start of a new process this API gets called. Any idea what this API does? Because there is no MSDN explanation. Also, how do I get the EP address of the newly started process? The startup info structure or something alike?
cypher Posted January 10, 2014

KiFastSystemCall is part of Windows entering the kernel from userland. Read about it here: http://codeempire.blogspot.de/2013/10/kernel-driver-sysenter-hook.html
Lostin Posted January 10, 2014 Author

Thanks all. This is resolved now. I found it hooks more and more: Nt/ZwCreateSection for example, and ZwCreateProcessEx and many more.
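The suspended-process check Lostin proposes above (read the entry point of a process started with the suspended flag and compare it with the bytes on disk), written out as an added example that is not code from this thread: the analysis part in Python, with constructed byte strings standing in for what ReadProcessMemory and the file image would return, and a hypothetical module list standing in for what a hook scanner collects. Reading the bytes out of the suspended process on Windows is left to the caller.

```python
import struct

# Constructed sample: EP bytes as read from the suspended process (the
# PUSH <address> / RET stub described in the thread) versus the original
# bytes from the file image. 0x00A10000 is a made-up address that lies in
# anonymous allocated memory, i.e. inside no loaded module.
EP_VA = 0x00401000
MEM_EP_BYTES = bytes.fromhex("68 00 00 A1 00 C3")   # push 0x00A10000 ; ret
DISK_EP_BYTES = bytes.fromhex("55 8B EC 83 EC 10")  # push ebp ; mov ebp,esp ; sub esp,10h
# Hypothetical module list (base, size, name), as a hook scanner would collect it.
MODULES = [(0x00400000, 0x10000, "target.exe"), (0x77000000, 0x100000, "ntdll.dll")]


def decode_ep_stub(ep_bytes, ep_va):
    """Decode the two common first-instruction redirections at an entry point.

    Returns ("push_ret", target) for 68 imm32 C3, ("jmp", target) for E9 rel32,
    or None when the first bytes are neither.
    """
    if len(ep_bytes) >= 6 and ep_bytes[0] == 0x68 and ep_bytes[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", ep_bytes, 1)[0]
    if len(ep_bytes) >= 5 and ep_bytes[0] == 0xE9:
        rel = struct.unpack_from("<i", ep_bytes, 1)[0]
        return "jmp", (ep_va + 5 + rel) & 0xFFFFFFFF
    return None


def owning_module(va, modules):
    """Name of the module containing va, or None if it is in unbacked memory."""
    for base, size, name in modules:
        if base <= va < base + size:
            return name
    return None


def check_entry_point(ep_va, mem_bytes, disk_bytes, modules):
    """Compare in-memory EP bytes with the on-disk bytes and classify the result.

    A modified EP whose redirection target is outside every loaded module is
    the pattern from the thread: a stub jumping into injected code.
    """
    result = {"modified": mem_bytes != disk_bytes, "stub": None,
              "target": None, "target_module": None}
    if not result["modified"]:
        return result
    stub = decode_ep_stub(mem_bytes, ep_va)
    if stub:
        result["stub"], result["target"] = stub
        result["target_module"] = owning_module(result["target"], modules)
    return result
```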