Mr.Bojangles wrote:it seems to hide good, I'll try some other methods one day when I have time. This would be good in a new release.I think so too.
Thanks for checking!
Thanks for checking!
A forum for reverse engineering, OS internals and malware analysis
Thanks for checking!
i think i can detect your dll by a simple backtrace
Buster_BSA wrote:http://hotfile.com/dl/119691661/3865921 ... I.RAR.html@Buster_BSA
Note: Injected filename must be "LOG_API.DLL".
i coded small detector but cannot test because you deleted this log_api.dll and current bsa install seems not hide itself.
detector user generic approach (i believe) for all kind of splicing activity you perform and cannot be bypassed without coding driver imho.
maybe i'm wrong but i cannot test, your attach is removed.
@kmd
Handle trace?
Handle trace?
Ring0 - the source of inspiration
@EP_X0FF
yeah OpenProcess backtrace
yeah OpenProcess backtrace
how does code splicing and openprocess stack or data tracing help detect it?
more likely methods are pointer references, self debugging(through virtual thread), and looking for structs or code in own maps..without a driver
code splicing and trying to find data pushed to openprocess or something just creates more work..
more likely methods are pointer references, self debugging(through virtual thread), and looking for structs or code in own maps..without a driver
code splicing and trying to find data pushed to openprocess or something just creates more work..
Mr.Bojangles wrote:how does code splicing and openprocess stack or data tracing help detect it?call OpenProcess (program address range) ---> LOG_API.dll!FakeOpenProcess (injected dll address range) ----> trueOpenProcess (kernel32.dll address range)
2kb of (non optimized) code.
no matter of other hooks i can simple use int 0x2e.
looking for structs or code in own maps..this is too specific and unlikely will be implemented in any malware
kmd wrote:call OpenProcess (program address range) ---> LOG_API.dll!FakeOpenProcess (injected dll address range) ----> trueOpenProcess (kernel32.dll address range)Does it identify LOG_API.DLL uniquely or is a generic method to detect OpenProcess API has been hooked?
The generic way to detect some api hooking - not all, but some of patches. Of course for better sure we need to analyze code and build code execution graph but this is too difficult for such trivial task as to detect dll that uses patches.
So can i get this log_api.dll version for test? Maybe it is not working :D
p.s.
yeah patches must die :)
So can i get this log_api.dll version for test? Maybe it is not working :D
p.s.
yeah patches must die :)
You can get it from: http://hotfile.com/dl/119929569/86e5b8a ... I.RAR.html