Hi,
It's been a while since I posted anything, anyway now that I am here I am going to be giving a detour for: X86SwitchTo64BitMode.
X86SwthTo64BitMode is the deepest call before everything switches into 64 bit mode and other inaccessible DLL files. Additionally X86SwitchTo64BitMode can be detoured fairly easily unlike KiFastSystemCall, a usual JMP would do the job especially because we don't care if we overwrite instructions because we are not jumping back to the original instruction.
The Code is more or less pretty straightforward for any Windows savvy users.
Link: X86SwitchTo64BitMode.cpp
As said before, this code can be easily incorporated into a Global detour, additionally you may find this suitable to incorporate into your projects with credits to - Code Empire.
Regards,
Saturday 30 November 2013
Wednesday 13 November 2013
Security: Process Injection & detouring
Hi,
I will be posting on how to inject into foreign processes then place a detour on specific API's, our example being MessageBoxA however this technique can be adapted to any API detour with slight change. Some useful API calls to detour would be:
- NtOpenProcess
- NtTerminateProcess
- NtQueryDirectoryFile
- NtQuerySystemInformation
more exotic API's include:
- TurboDispatchJumpAddressStart
- KiFastSystemCall
- X86SwitchTo64BitMode
- Wow64SystemServiceEx
- CpuSimulate
As you may guess, there is again both malicious and positive purposes. It is always beneficial to understand these things, especially in case these task raise up.
The injection is modified slightly from the Mozilla Firefox post which was posted last month. I could have placed a detour directly on the API address using few easy workarounds however I simply created a entire thread which places the detour, just to show it as a Proof-Of-Concept code to newbie security analysts & security developers.
The code follows:
I will be posting on how to inject into foreign processes then place a detour on specific API's, our example being MessageBoxA however this technique can be adapted to any API detour with slight change. Some useful API calls to detour would be:
- NtOpenProcess
- NtTerminateProcess
- NtQueryDirectoryFile
- NtQuerySystemInformation
more exotic API's include:
- TurboDispatchJumpAddressStart
- KiFastSystemCall
- X86SwitchTo64BitMode
- Wow64SystemServiceEx
- CpuSimulate
As you may guess, there is again both malicious and positive purposes. It is always beneficial to understand these things, especially in case these task raise up.
The injection is modified slightly from the Mozilla Firefox post which was posted last month. I could have placed a detour directly on the API address using few easy workarounds however I simply created a entire thread which places the detour, just to show it as a Proof-Of-Concept code to newbie security analysts & security developers.
The code follows:
- Open the process with flag set to PROCESS_ALL_ACCESS however this can be reduced to bare minimum
- Create and fill a _CODE structure ready to be added as a parameter to our injected thread
- Then allocate all the space needed for the processes which include - Thread, Parameter
- Create the remote thread
The explanation above shows the procedure to inject code into foreign process but the thread performs something more or less the most important part of the program:
- Use the _CODE structure then store the appropriate members in specific typedefs to be called
- Calls MessageBoxA with parameters being set to those given from the _CODE structure
- Finally patches MessageBoxA to redirect the control to a callback
- Additionally the thread also patches the callback to ensure the callback returns the control back to original
Now I will elaborate on the job of the callback:
- The callback reinstates the lost bytes of the original instructions
- Jumps back to original MessageBoxA
- Returns
You would get a good idea on how it works, however for those who still have no clue here is the download:
Until Next Time,
Subscribe to:
Posts (Atom)