Modern ways for Implementing Hook

New 64-Bit Windows Rootkit Already ‘In The Wild’ is an article that was published recently, and the case reminds me of what Microsoft announced regarding Windows Vista. Security specialists stated at the time that no rootkit would be able to run on that operating system because of its security enhancements, but after a while we found all kinds of malware running on it (see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).

Now we will explain how it is possible to create rootkits. Hooking is a technique used to intercept function calls, messages or events passed between communicating software components by inserting a special function at the top of the hook chain. Installing a hook can serve legitimate purposes such as remote administration and system monitoring, and illegitimate ones such as spyware, rootkits, keyloggers and other malicious programs whose aim is to monitor user activity on the operating system.

In the past, malware was easily detected because it took executable form, but now things are getting more serious. Anti-malware products detect viruses by matching signatures against memory footprints and disk storage. So the questions are: how can we hook a modern operating system, and where should we place our hook for the best results?

The best way to install your hook is by creating a proxy function. In other words, you first decide which function you want to intercept, then obtain its address with GetProcAddress, as follows: GetProcAddress(GetModuleHandle(“ntdll.dll”), “CsrNewThread”);
Anyone familiar with Windows knows that the functions worth intercepting live in a handful of DLLs such as ntdll.dll, kernel32.dll (or kernelbase.dll on Windows 7), advapi32.dll and so on.

So what we are going to do is create a proxy DLL, load it into the target machine and, when the application calls the original function, have our function execute first and then forward the call to the original one. This is a piece of cake.

You start with your own function, which ends by calling the original function, as follows:
[php]/* Proxy with exactly the same signature as the intercepted function. */
int NewFunction(void *param1, int param2, bool param3)
{
    /* Our own code runs here, then the call is forwarded to the original. */
    return OriginalFunction(param1, param2, param3);
}[/php]
But it is important to note that DLL proxying is easily detected by memory-scanning software, because the address the application calls through no longer points at the original export. There are, however, hooking techniques that such scans do not detect, known as stealth hooking, which we will explain in the next post.
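To make the proxy idea concrete in runnable form, here is an added example (not code from the original post). It is a portable simulation rather than Windows code: the struct array `g_imports` stands in for the process import address table, and the address stored in each slot plays the role of the value GetProcAddress(GetModuleHandle(...), name) returns on Windows. `OriginalFunction`, `install_hook`, `remove_hook`, `slot_is_hooked`, `call_import` and the sample input are all constructed for this example. It shows the three steps the post describes (save the original address, overwrite it with the proxy, forward from the proxy to the saved original) plus the check a memory scanner performs to catch exactly this kind of hook.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature of the function we intercept, matching the proxy in the post. */
typedef int (*target_fn)(void *param1, int param2, bool param3);

/* Stand-in for the real export (constructed): when param3 is set it returns
 * the length of the string in param1 plus param2, otherwise just param2. */
static int OriginalFunction(void *param1, int param2, bool param3)
{
    return param3 ? (int)strlen((const char *)param1) + param2 : param2;
}

/* Simulated import table (constructed). In a real process this is the IAT;
 * each slot holds the address GetProcAddress would return for that export,
 * and compiled code always calls through the slot rather than directly. */
struct import_slot {
    const char *name;
    target_fn   fn;
};
static struct import_slot g_imports[] = {
    { "OriginalFunction", OriginalFunction },
};
#define IMPORT_COUNT (sizeof g_imports / sizeof g_imports[0])

/* Proxy state: the saved original pointer we forward to, plus a call counter. */
static target_fn g_original;
static int       g_calls_seen;

/* The proxy: do our own work (here, just count the call), then forward to the
 * original so the caller sees the same result it would have seen unhooked. */
static int NewFunction(void *param1, int param2, bool param3)
{
    g_calls_seen++;
    return g_original(param1, param2, param3);
}

static struct import_slot *find_slot(const char *name)
{
    for (size_t i = 0; i < IMPORT_COUNT; i++)
        if (strcmp(g_imports[i].name, name) == 0)
            return &g_imports[i];
    return NULL;
}

/* Install the hook: save whatever address is in the slot, then overwrite the
 * slot with the proxy. Refuses to hook twice, which would make the proxy
 * forward to itself and recurse forever. */
bool install_hook(const char *name)
{
    struct import_slot *slot = find_slot(name);
    if (slot == NULL || slot->fn == NewFunction)
        return false;
    g_original = slot->fn;
    slot->fn   = NewFunction;
    return true;
}

/* Remove the hook by writing the saved original address back into the slot. */
bool remove_hook(const char *name)
{
    struct import_slot *slot = find_slot(name);
    if (slot == NULL || slot->fn != NewFunction)
        return false;
    slot->fn   = g_original;
    g_original = NULL;
    return true;
}

/* What a memory scanner does to catch this: compare the live slot with the
 * address the export is known to have. A mismatch means the table was patched. */
bool slot_is_hooked(const char *name, target_fn expected)
{
    struct import_slot *slot = find_slot(name);
    return slot != NULL && slot->fn != expected;
}

/* The "application" side: always call through the table, never directly. */
int call_import(const char *name, void *param1, int param2, bool param3)
{
    struct import_slot *slot = find_slot(name);
    return slot != NULL ? slot->fn(param1, param2, param3) : -1;
}

int hook_calls_seen(void) { return g_calls_seen; }

/* Constructed sample input for the calls below. */
char g_sample_input[] = "hello";

int main(void)
{
    printf("before hook: %d\n", call_import("OriginalFunction", g_sample_input, 10, true));
    install_hook("OriginalFunction");
    printf("after hook:  %d (proxy ran %d time)\n",
           call_import("OriginalFunction", g_sample_input, 10, true), hook_calls_seen());
    printf("scanner says hooked: %s\n",
           slot_is_hooked("OriginalFunction", OriginalFunction) ? "yes" : "no");
    remove_hook("OriginalFunction");
    return 0;
}
```

The result the application receives is identical before and after the hook, which is what makes proxying invisible to the caller; the only trace is the patched slot, and that is precisely what `slot_is_hooked` (and a real memory scanner comparing the IAT with the module's export table) picks up.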

Make sure you subscribe to my RSS feed!

trackback

[…] This post was mentioned on Twitter by Mourad Ben Lakhoua and Mourad ben lakhoua, Mourad ben lakhoua. Mourad ben lakhoua said: Modern ways for Implementing Hook https://www.sectechno.com/2010/09/07/modern-ways-for-implementing-hook/ http://fb.me/GnMmeq3a […]