A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #8516  by lorddoskias
 Sat Sep 10, 2011 11:40 pm
Hello,

I'm looking for a tutorial on inline function patching. I understand the main idea rewrite bytes ate the beginning of the function with some sort of JMP which would jump to an arbitrary address which contains some rootkit code and then executes the function which have been overwritten and jumps back to the original original function right after the memory overwrite. What I can't understand is actually is how to use the opcodes. So you have different types of jumps which take different amount of memory depending on whether they are far/near but is there a paper which documents the width of those instruction in regard to inline function patching - I'm guessing this is more related to shellcode, but still...


One more question - most system services start with mov edi, edi which is a 2-byte nop which can be used to place a near jmp which can jump 5 bytes before function start which gives you plenty of space to do a far jmp. This is easily detectable - having a jmp at the beginning of a function is a tell-tale sign but then why most malware actually overwrite the first 5-10 bytes of a function, having to care about what has been overwritten and whether they have split an instruction into 2 and run the risk of being detected when they can still run the risk of being detected but then dramatically reducing the chances of crashing the system?
 #8517  by EP_X0FF
 Sun Sep 11, 2011 12:12 am
lorddoskias wrote:One more question - most system services start with mov edi, edi which is a 2-byte nop which can be used to place a near jmp which can jump 5 bytes before function start which gives you plenty of space to do a far jmp. This is easily detectable - having a jmp at the beginning of a function is a tell-tale sign but then why most malware actually overwrite the first 5-10 bytes of a function, having to care about what has been overwritten and whether they have split an instruction into 2 and run the risk of being detected when they can still run the risk of being detected but then dramatically reducing the chances of crashing the system?
This is already used in malware, maybe since 2007 starting from rootkit Srisbi AFAIR.
SpyEye 1.3x uses this (short jmp forward on long jump, sort of hooking obfuscation). All hooking are easily detectable including this short to long jumps.
Initially this 2 byte nop was designed for hot-patching support.
 #8520  by lorddoskias
 Sun Sep 11, 2011 2:12 am
EP_X0FF wrote:
lorddoskias wrote:One more question - most system services start with mov edi, edi which is a 2-byte nop which can be used to place a near jmp which can jump 5 bytes before function start which gives you plenty of space to do a far jmp. This is easily detectable - having a jmp at the beginning of a function is a tell-tale sign but then why most malware actually overwrite the first 5-10 bytes of a function, having to care about what has been overwritten and whether they have split an instruction into 2 and run the risk of being detected when they can still run the risk of being detected but then dramatically reducing the chances of crashing the system?
This is already used in malware, maybe since 2007 starting from rootkit Srisbi AFAIR.
SpyEye 1.3x uses this (short jmp forward on long jump, sort of hooking obfuscation). All hooking are easily detectable including this short to long jumps.
Initially this 2 byte nop was designed for hot-patching support.

My point was that most rootkit make a short forward jump to a long jump but this inolves overwriting arbitrary memory content so you have to take care what you do. Whereas you can jump backwards because there is a 5 byte nop-sled before/after every function and you can comfortably place your code there.