A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #5165  by Brookit
 Fri Feb 25, 2011 11:57 am
I coded this tool-set last year and only now have I decided to share it, with small modifications. The pack includes binaries, source code and a short description of how it works. Apart from anti-anti-debugging, it shows how we can silently hook SSDT functions on Windows 7 x64. Basically it only hides from IsDebuggerPresent and CheckRemoteDebuggerPresent; sometimes that's enough to bypass anti-debugging checks, especially when advanced plugins for OllyDbg are not working because they use drivers.
http://int0h.wordpress.com/2011/02/22/a ... via-wow64/
 #5167  by EP_X0FF
 Fri Feb 25, 2011 12:11 pm
How is Native API hooking in user mode related to an SSDT kernel-mode patch?
Or am I missing something?
 #5267  by EP_X0FF
 Wed Mar 02, 2011 1:07 pm
Interception of the code area at fs:[0xc0] ... this leads to a far jmp into wow64cpu.dll .. yes?
Maybe it is the simplest way, don't know :)

This project shows how you can use the advantages of the Wow64 system in the case of anti-debugging.

First of all, you may know that all Wow64 (32-bit) processes run in user-mode emulation.
It's provided by three DLLs:

Wow64.dll provides the core emulation infrastructure and the thunks for the Ntoskrnl.exe entry-point functions.
Wow64Win.dll provides thunks for the Win32k.sys entry-point functions.
Wow64Cpu.dll is an interface library that abstracts characteristics of the host processor.
Wow64 can also use a special custom wow64 logger, wow64log.dll.

This project uses a custom wow64log.dll implementation to get into the target process context. The fake logger DLL loads your payload DLL in DllMain.
The payload DLL clears the PEB->BeingDebugged flag, hooks NtQueryInformationProcess (to fake ProcessDebugPort information) and starts a native watchdog thread whose main purpose is to constantly zero the PEB->BeingDebugged flag by switching mode from 64-bit to 32-bit, jumping back, and so on.

The hook itself is a trivial jmp (see source).
By "SSDT functions" the author means the trivial user-mode Native API. So this is not a PatchGuard bypass or something extraordinary.
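The "trivial jmp" hook discussed above, as an added example that is my own code and not part of the pack or of either poster's words: it encodes the 14-byte absolute jmp patch, installs it over a constructed stand-in for NtQueryInformationProcess(ProcessDebugPort), and checks that the hooked call now reports 0. Assumptions: x86-64; Linux mprotect/sysconf stand in for VirtualProtect on Windows; RWX mprotect on .text is permitted; the names original_query_debug_port, hooked_query_debug_port, g_fake_debug_port, encode_abs_jmp and install_jmp_hook are hypothetical.

```c
/* Added example (not from the pack): an inline absolute-jmp hook on x86-64.
 * Assumptions: x86-64 Linux, page size from sysconf, RWX mprotect allowed on
 * .text. On Windows the same 14-byte patch is written over
 * ntdll!NtQueryInformationProcess after VirtualProtect. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__)
#error "this example encodes an x86-64 absolute jmp"
#endif

/* Constructed stand-in for NtQueryInformationProcess(ProcessDebugPort):
 * a volatile global plays the role of the kernel's answer (non-zero = debugged). */
static volatile long g_fake_debug_port = 0x1234;

__attribute__((noinline)) long original_query_debug_port(void)
{
    /* 16 NOPs guarantee the body is larger than the 14-byte patch,
     * so the patch never spills into the next function. */
    __asm__ volatile(".fill 16, 1, 0x90");
    return g_fake_debug_port;
}

/* Detour: what the payload's hook does for ProcessDebugPort: report "no debugger". */
long hooked_query_debug_port(void)
{
    return 0;
}

/* Encode  jmp qword ptr [rip+0] ; dq detour  (FF 25 00 00 00 00 + 8-byte address).
 * Position independent and reaches any 64-bit address. Returns the patch length. */
size_t encode_abs_jmp(uint8_t out[14], uintptr_t detour)
{
    static const uint8_t opcode[6] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
    uint64_t addr = (uint64_t)detour;
    memcpy(out, opcode, sizeof opcode);
    memcpy(out + 6, &addr, sizeof addr);   /* little-endian on x86-64 */
    return 14;
}

/* Make the page(s) holding `target` writable, write the jmp, restore RX. */
int install_jmp_hook(uintptr_t target, uintptr_t detour)
{
    uint8_t patch[14];
    size_t len = encode_abs_jmp(patch, detour);
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = target & ~(page - 1);
    uintptr_t end = (target + len + page - 1) & ~(page - 1);

    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy((void *)target, patch, len);    /* x86 keeps the I-cache coherent for self-modifying code */
    return mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
}

/* Returns 1 when the stand-in reported a debug port before patching and 0 after,
 * -1 if the page could not be made writable. */
int demo_hook_zeroes_debug_port(void)
{
    long (*volatile query)(void) = original_query_debug_port; /* defeat constant folding */
    long before = query();
    if (install_jmp_hook((uintptr_t)original_query_debug_port,
                         (uintptr_t)hooked_query_debug_port) != 0)
        return -1;
    long after = query();
    return (before != 0 && after == 0) ? 1 : 0;
}

int main(void)
{
    printf("hook %s\n", demo_hook_zeroes_debug_port() == 1
           ? "installed: ProcessDebugPort now reads 0" : "failed");
    return 0;
}
```

No trampoline is built here, so the overwritten first instructions of the original are lost; a real payload that must forward every other ProcessInformationClass to the genuine NtQueryInformationProcess has to save and relocate those bytes, and a hook placed with only 5-byte rel32 jmps would additionally need the detour within +/-2 GiB of ntdll.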