A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #21906  by TheExecuter
 Thu Jan 09, 2014 1:37 pm
I was watching Betabot hooks in XP SP3.
1. Just before sysenter, a 2-byte patch for a short jump.
2. Short jump to push 0xhhhhhhhh / ret.
To prevent this hook from being removed, the programmer has VirtualProtect'd the ntdll .text section (containing this stub) with R instead of RWE as usual.

Question: to remove this hook we first need to VirtualProtect that .text section to RWE, then replace the short jump with mov edx,esp.
BUT VirtualProtect will finally jump back to KiFastSystemCall, which is hooked; it will be denied access by a good ring-3 rootkit.

So far I have parsed the hook procedure in Betabot version 1.6.
At hooked offset + 0x26, patching 0x74 with 0xEB keeps me away from the hook routine and returns peacefully. This way all hooks are useless.
But this is an OS- and version-specific approach.
I need a generic method so I don't have to do this manually every time with new versions (if he keeps doing it again in some other manner), such as reading his procedures to find a bypass for each and every method.
Is there a way? Instead of doing some sweet kernel shit, I want to be able to remove this hook in ring 3 using ring-3 APIs.
Maybe I am missing a point.
 #21907  by EP_X0FF
 Thu Jan 09, 2014 2:15 pm
Do a direct syscall.
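What "do a direct syscall" looks like for the situation TheExecuter describes (32-bit XP, hook sitting on the sysenter in ntdll!KiFastSystemCall, Nt* export stubs untouched), as an added example that is not part of either post: read the service number out of the intact `mov eax, imm32` at the start of the Nt* stub instead of hardcoding it per OS version, and issue sysenter from your own copy of KiFastSystemCall so the hooked stub is never executed. The byte layouts of the XP stubs are reproduced from memory of XP SP3 ntdll, the sample arrays are constructed (not dumped), the 0x89 value for NtProtectVirtualMemory is assumed and only used as sample data because the code reads the real number at runtime, and the function names are mine. The Windows/x86/MSVC part is guarded so the analysis helpers compile anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* XP-era ntdll!Nt* stub layout (constructed sample, not a dump):
     B8 imm32        mov eax, <service number>
     BA 00 03 FE 7F  mov edx, 7FFE0300h   ; SharedUserData->SystemCall
     FF 12           call [edx]           ; -> KiFastSystemCall (the hooked stub)
     C2 14 00        ret 14h              ; 5 args * 4 bytes
   0x89 is the assumed NtProtectVirtualMemory number on XP SP3; the code
   below never trusts this constant, it re-reads the byte at runtime. */
static const uint8_t sample_nt_stub[] = {
    0xB8, 0x89, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x14, 0x00
};

/* Clean KiFastSystemCall / KiFastSystemCallRet as shipped in XP SP3 ntdll:
     8B D4   mov edx, esp
     0F 34   sysenter
     C3      ret            ; KiFastSystemCallRet, reached via SharedUserData+0x304 */
static const uint8_t clean_kifsc[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

/* Same bytes after the 2-byte short-jump patch described in the post
   (jump displacement is made up). */
static const uint8_t hooked_kifsc[] = { 0xEB, 0x10, 0x0F, 0x34, 0xC3 };

/* Pull the service number out of an Nt* stub. Returns -1 when the stub does
   not start with "mov eax, imm32", i.e. the export itself was patched and
   the number cannot be trusted. Works for any version whose stubs keep that
   first instruction, which is what makes it less version-specific than a
   hardcoded table. */
int ssn_from_stub(const uint8_t *stub, size_t len) {
    uint32_t ssn;
    if (len < 5 || stub[0] != 0xB8) return -1;
    memcpy(&ssn, stub + 1, 4);
    if (ssn > 0xFFFF) return -1;   /* XP has a few hundred services; anything bigger is garbage */
    return (int)ssn;
}

/* Check the target of SharedUserData->SystemCall: 1 = not the expected
   "mov edx,esp / sysenter", so something sits on the syscall path. */
int kifastsystemcall_hooked(const uint8_t *code, size_t len) {
    if (len < 4) return 1;
    return !(code[0] == 0x8B && code[1] == 0xD4 && code[2] == 0x0F && code[3] == 0x34);
}

#if defined(_WIN32) && defined(_M_IX86) && defined(_MSC_VER)
#include <windows.h>
typedef LONG NTSTATUS;

static DWORD g_ssn_protect;   /* filled by resolve_ssn() */

/* Our own KiFastSystemCall. The kernel saves SharedUserData->SystemCallReturn
   (KiFastSystemCallRet, a lone ret in ntdll that the sysenter hook does not
   touch) as the return EIP and restores ESP from EDX, so after sysexit that
   ret pops the address pushed by the call below and we land on ret 14h.
   Arguments are read by the kernel at [edx+8], past the two return
   addresses, exactly as in the real Nt* -> KiFastSystemCall path. */
__declspec(naked) NTSTATUS __stdcall DirectNtProtectVirtualMemory(
    HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T NumberOfBytes,
    ULONG NewProtect, PULONG OldProtect)
{
    __asm {
        mov eax, g_ssn_protect
        call do_sysenter
        ret 14h
    do_sysenter:
        mov edx, esp
        sysenter
    }
}

/* Read the number from the live export; GetProcAddress itself does not
   need a syscall, so it is safe to call through the hooked ntdll. */
int resolve_ssn(void) {
    const uint8_t *p = (const uint8_t *)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtProtectVirtualMemory");
    int ssn = p ? ssn_from_stub(p, 5) : -1;
    if (ssn < 0) return 0;
    g_ssn_protect = (DWORD)ssn;
    return 1;
}
#endif
```

With `DirectNtProtectVirtualMemory` you can flip the ntdll .text page back to RWX and restore `8B D4` over the short jump without ever executing the hooked stub, which is the whole point of the reply. The caveat is that this stays 32-bit-XP shaped: sysenter, the SharedUserData return address and the five-argument `ret 14h` are specific to that path, and WOW64 or x64 builds need their own stub; only the `mov eax, imm32` extraction carries over to later versions, and even it must be checked (the -1 case) because a rootkit that patches the Nt* exports themselves would break it.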