Tuts 4 You

Automatic injection into newly created processes


Lostin

Hello,

I have tested a piece of malware today, and after that I was surprised that each exe I load with OllyDbg has its entry point hooked with

    PUSH <address>
    RET

The code at that address also contains

    mov [entrypoint], originalbytes

etc.

So how is this done? Is there any explanation about this? Even if I set OllyDbg to stop at the system EP, the hook is still there at the entry point. Is this a usermode or kernelmode hook?


evlncrn8

TLS callback maybe?

Aguila

Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method.


deepzero

It may also have registered a DLL that is injected into every process.


Lostin

> TLS callback maybe?

I already set Olly to stop at TLS callbacks, but it is not this.

> Hooking process creation APIs in ring3 or ring0 like NtResumeThread is also a common method.

Will a ring 3 hook make the modification hidden in the new process, like modifying the process entry point of each newly started process? How can I stop at the modification of the entry point? What do you think of reading the entry point of a process created with the suspended flag, maybe to see if it is modified yet or not? Because I see it modifies the entry point without you seeing anything, to PUSH address, where address is some allocated memory, and there is some injected code that runs a new thread of its own, then restores the original bytes and goes back to the EP again.

> It may also have registered a DLL that is injected into every process.

I checked the executable module list but didn't find any DLLs other than the normal system DLLs.

 

Aguila

 

> Will a ring 3 hook make the modification hidden in the new process, like modifying the process entry point of each newly started process? How can I stop at the modification of the entry point? What do you think of reading the entry point of a process created with the suspended flag, maybe to see if it is modified yet or not? Because I see it modifies the entry point without you seeing anything, to PUSH address, where address is some allocated memory, and there is some injected code that runs a new thread of its own, then restores the original bytes and goes back to the EP again.

Some malware like SpyEye is hooking every process in ring 3. SpyEye hooks NtResumeThread to do this. To stop this, simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/

Just scan the processes for hooks and you will detect it.

Lostin

> Some malware like SpyEye is hooking every process in ring 3. SpyEye hooks NtResumeThread to do this. To stop this, simply unhook explorer.exe and ollydbg.exe with e.g. http://www.gmer.net/
>
> Just scan the processes for hooks and you will detect it.

Very nice info mate. I found it hooks explorer.exe indeed, with "KiFastSystemCall" :)

Then on each start of a new process this API gets called. Any idea what this API does? Because there is no MSDN explanation. Also, how do I get the EP address of the newly started process? Startup info structure or something alike?
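The two practical questions in this thread, how to find the entry point of a freshly created (suspended) process and how to check a process for the PUSH/RET and JMP style hooks that Aguila suggests scanning for, can be worked through offline. The following is an added example written for this page; it is not code from the thread, from GMER, or from the sample discussed. It parses PE headers to turn AddressOfEntryPoint into a virtual address, then compares the bytes mapped at an address against the clean bytes and decodes the common 32-bit redirect stubs to recover the hook target. Every input is constructed: the PE header, the image base 0x00400000, the addresses 0x00E30000, 0x00E30100 and 0x7C90DB20, and the NtResumeThread stub bytes (modelled on the XP-era `mov eax, <syscall>; mov edx, 7FFE0300h; call [edx]; ret 8` form; the syscall number in it is a placeholder and differs between Windows versions).

```python
import struct


# 1. Where is the entry point?  Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS ->
#    IMAGE_OPTIONAL_HEADER and turn AddressOfEntryPoint into a virtual address.
#    The same parser works on header bytes read from a suspended process at its
#    image base, because the headers are mapped into the process unchanged.
def entry_point_va(image):
    """Return (image_base, entry_point_va) from raw PE header bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                            # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                          # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return image_base, image_base + entry_rva


# 2. Does the code at an address start with a redirect?  These are the usual
#    32-bit inline-hook stubs; each branch returns where execution is diverted.
def decode_hook(code, va):
    """Classify the first bytes at `va`; return (kind, target) or None."""
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:            # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 5 and code[0] == 0xE9:                                # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":   # mov eax,imm32 ; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                        # jmp dword ptr [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", code, 2)[0]        # pointer slot; deref for the target
    return None


def compare(clean, live, va):
    """Compare the on-disk bytes with what is mapped in the process at `va`."""
    if clean == live:
        return "clean", None
    hook = decode_hook(live, va)
    return hook if hook else ("modified, unknown stub", None)


# Constructed sample data (hand-built for this example, not taken from any binary).
def build_pe32_headers(image_base=0x00400000, entry_rva=0x1000):
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, 32-bit exe
    opt = struct.pack("<HBBIIIIIII", 0x10B, 9, 0, 0x200, 0x200, 0,
                      entry_rva, 0x1000, 0x2000, image_base)
    opt += b"\0" * (0xE0 - len(opt))
    return dos + b"PE\0\0" + file_hdr + opt


CLEAN_EP = bytes.fromhex("558BEC6AFF68")                  # push ebp ; mov ebp,esp ; push -1 ; push ...
HOOK_TARGET = 0x00E30000                                  # constructed: the injected buffer's address
HOOKED_EP = b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xC3"   # push HOOK_TARGET ; ret

NTRESUMETHREAD_VA = 0x7C90DB20                            # constructed address of ntdll!NtResumeThread
CLEAN_STUB = bytes.fromhex("B8CE000000BA0003FE7FFF12C20800")  # placeholder syscall number 0xCE


def jmp_rel32(from_va, to_va):
    """Build the 5-byte jmp a hooker would write at from_va."""
    return b"\xE9" + struct.pack("<i", to_va - (from_va + 5))


HOOKED_STUB = jmp_rel32(NTRESUMETHREAD_VA, 0x00E30100) + CLEAN_STUB[5:]


def demo():
    base, ep = entry_point_va(build_pe32_headers())
    return ep, compare(CLEAN_EP, HOOKED_EP, ep), compare(CLEAN_STUB, HOOKED_STUB, NTRESUMETHREAD_VA)


if __name__ == "__main__":
    ep, ep_result, api_result = demo()
    print("entry point 0x%08X: %s -> 0x%08X" % (ep, ep_result[0], ep_result[1]))
    print("NtResumeThread:   %s -> 0x%08X" % (api_result[0], api_result[1]))
```

On a live target the same functions take real bytes: create the process with CREATE_SUSPENDED, read ImageBaseAddress from its PEB (NtQueryInformationProcess with ProcessBasicInformation, then ReadProcessMemory), read the headers at that base to get the entry point, and compare the bytes at the entry point before and after NtResumeThread returns. For the ntdll side the clean reference is the same export read from ntdll.dll on disk. This also explains why the KiFastSystemCall hook Lostin found catches process creation: on 32-bit XP with SYSENTER support every Nt* stub in ntdll calls through that one routine, so a hook there sees every system call, not only NtResumeThread.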

Lostin

Thanks all. This is resolved now. I found it hooks more and more: Nt/ZwCreateSection for example, ZwCreateProcessEx, and many more :)

