junkew Posted June 7, 2015
To hook the kernel use libraries like http://www.nektra.com/ or https://easyhook.codeplex.com/ . For starters this is a nice explanation: http://www.adlice.com/tag/rootkit/ . And as suggested by the other answers, if you think you have malware you should start from a clean (read-only) disk with specialized software.
topten Posted June 7, 2015
> are you unable to access the registry??? because of this malicious app?

Yes, this mal.ap. is controlling registry keys. It allows you to make changes, but when you are trying to change certain registry keys it just breaks it. Evidently the mal.ap. is using a hook to control all the actions of the user.

> To hook the kernel use libraries like http://www.nektra.com/ or https://easyhook.codeplex.com/ . For starters this is a nice explanation: http://www.adlice.com/tag/rootkit/ . And as suggested by the other answers, if you think you have malware you should start from a clean (read-only) disk with specialized software.

Great, thanks, will check it out!
topten Posted June 7, 2015
@JohnOne, "McAfee real will continue to ask you for money because it is not free." - I know that, and I distinguish the difference between the "real McAfee" and its clone!
jchd Posted June 7, 2015
In general, trying to have a severely owned machine clean itself is like expecting a brain surgeon to succeed at performing live brain surgery on himself. The very first step on infection is to render the boot and system volume(s) passive slaves by booting from a distinct, certified-clean device, preferably read-only, preferably based on a distinct OS. Some sophisticated hard-to-kill malware infect from BIOS space.
topten Posted June 7, 2015
Sounds evil. I just wonder: if the application could do all this, can I do anything about it?
topten Posted June 7, 2015
Btw, AutoIt can hook the kernel. I have just found such an example in the neighbouring branch of the forum. Dear Gurus, is it what we are all talking about? Or am I thinking in a wrong direction?

#include <WinAPI.au3>

; Get handle of the loaded module
Local $hModule = _WinAPI_GetModuleHandle("kernel32.dll")
If $hModule Then
    ; Resolve the export's address inside this process
    Local $pFunction = _WinAPI_GetProcAddress($hModule, "CreateFiber")
    ConsoleWrite("The address of the function is " & $pFunction & @CRLF)
    ; Do whatever here
EndIf
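The snippet above only resolves an export's address; it does not hook anything. What a practitioner facing "registry writes silently break" usually wants is the reverse check: has somebody already planted a user-mode inline hook on the APIs that matter? Detour libraries such as Deviare and EasyHook, and malware using the same trick, overwrite the first instructions of the target function with a jump into their own code. The following is an added example, written for this page and not code from the thread or from Nektra: it reads the first bytes of a few API entry points in the current process and flags prologues that start with a jump. The module/export list is an assumed set of interesting targets.

```autoit
#include <WinAPI.au3>

; Added example (not from the original thread): look for inline (detour) hooks
; on user-mode API entry points in the current process. The target list below
; is an assumption; pick the APIs relevant to the symptom you are chasing.
Global Const $g_aTargets[5][2] = [ _
        ["advapi32.dll", "RegSetValueExW"], _
        ["advapi32.dll", "RegDeleteValueW"], _
        ["ntdll.dll", "NtSetValueKey"], _
        ["kernel32.dll", "CreateFileW"], _
        ["user32.dll", "ShowWindow"]]

For $i = 0 To UBound($g_aTargets) - 1
    ConsoleWrite(_InspectPrologue($g_aTargets[$i][0], $g_aTargets[$i][1]) & @CRLF)
Next

; Returns a one-line report: "module!export @ address: <hex bytes> -> <verdict>"
Func _InspectPrologue($sModule, $sExport)
    Local $sName = $sModule & "!" & $sExport
    Local $hModule = _WinAPI_GetModuleHandle($sModule)
    If Not $hModule Then $hModule = _WinAPI_LoadLibrary($sModule) ; map it if not loaded yet
    If Not $hModule Then Return $sName & ": module not found"

    Local $pFunc = _WinAPI_GetProcAddress($hModule, $sExport)
    If Not $pFunc Then Return $sName & ": export not found"

    ; Overlay a 12-byte struct on the entry point; this is our own address
    ; space, so a plain read works (use _WinAPI_ReadProcessMemory for another process)
    Local $tCode = DllStructCreate("byte[12]", $pFunc)
    Local $aB[12], $sHex = ""
    For $j = 0 To 11
        $aB[$j] = DllStructGetData($tCode, 1, $j + 1)
        $sHex &= Hex($aB[$j], 2) & " "
    Next
    Return $sName & " @ 0x" & Hex($pFunc) & ": " & $sHex & "-> " & _Verdict($aB)
EndFunc   ;==>_InspectPrologue

; Classify the first bytes: a jump at offset 0 is what detour libraries leave behind
Func _Verdict(ByRef $aB)
    Select
        Case $aB[0] = 0xE9
            Return "JMP rel32 at entry (classic inline hook)"
        Case $aB[0] = 0xEB
            Return "short JMP at entry (hot-patch style hook in the mov edi,edi slot)"
        Case $aB[0] = 0xFF And $aB[1] = 0x25
            Return "JMP [mem] at entry (absolute-address trampoline)"
        Case $aB[0] = 0x68 And $aB[5] = 0xC3
            Return "PUSH imm32 / RET trampoline"
        Case $aB[0] = 0xB8 And $aB[5] = 0xFF And $aB[6] = 0xE0
            Return "MOV EAX,imm32 / JMP EAX trampoline (x86)"
        Case $aB[0] = 0x48 And $aB[1] = 0xB8 And $aB[10] = 0xFF And $aB[11] = 0xE0
            Return "MOV RAX,imm64 / JMP RAX trampoline (x64)"
        Case Else
            Return "no jump at entry; prologue looks intact"
    EndSelect
EndFunc   ;==>_Verdict
```

Two caveats before trusting the output. First, this inspects only the copy of each DLL mapped into the AutoIt process; malware that injects into specific targets (explorer.exe, regedit.exe) will not show up here, so repeat the read with _WinAPI_ReadProcessMemory against the suspect process. Second, a jump at the entry point is a lead, not proof: a few exports legitimately begin with a jump stub, and a rootkit that hooks ntdll or GetProcAddress itself can feed this check clean bytes, which is exactly why the other replies insist on booting from clean media.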
Jos Posted June 7, 2015 (edited)
> Or I am thinking in a wrong direction?

Stick to what you understand when dealing with a virus. It is really simple:
- Don't panic.
- Get the machine offline asap.
- Ensure you either boot in safe mode or from a thumb drive to make sure the virus can't be active.
- Get a REAL tool to get rid of it and stop mickey-mousing around.
Jos
Edited June 7, 2015 by Jos
dmob Posted June 7, 2015
I use Hiren's BootCD with great success on infected systems; it contains all the necessary tools.
iamtheky Posted June 7, 2015
If you care anything for data integrity on the system, you will write that entire drive to 0s and reload it from your most current offline image, which is most likely the OEM disc. And HijackThis is excellent for dumping data from the usual places of residence, but that is just good reading while the box is reimaging; if you are good and owned, 'Fix Selected' ain't fixing a thing.
junkew Posted June 7, 2015 (edited)
We are getting off-topic ;-)
An example for starters with Deviare COM (I leave it to others to do the actual hooking, but there are plenty of examples for Deviare). For starters I recommend starting the csharpconsole.

;'Late binding AutoIt example
; Download Deviare COM stuff from
; https://github.com/nektra/deviare2

example()

Func example()
    Local $mySpy = ObjCreate("DeviareCOM.NktSpyMgr")
    If Not IsObj($mySpy) Then
        ConsoleWrite("DeviareCOM.NktSpyMgr could not be created (is DeviareCOM registered?)" & @CRLF)
        Return
    EndIf
    $mySpy.Initialize() ; Initialize
    ConsoleWrite("Deviare ID: " & $mySpy.DeviareId & @CRLF)

    ; Run Notepad so there is a known process to look for
    Local $iPID = Run("notepad.exe", "")
    Sleep(2000)

    Local $myEnumProcesses = $mySpy.Processes
    ConsoleWrite("Process count: " & $myEnumProcesses.Count & @CRLF)

    ; Walk the process enumeration until notepad.exe is found
    Local $myProcess = $myEnumProcesses.First()
    While IsObj($myProcess)
        If StringLower($myProcess.Name) = "notepad.exe" Then ExitLoop
        $myProcess = $myEnumProcesses.Next()
    WEnd
    If Not IsObj($myProcess) Then
        ConsoleWrite("notepad.exe not found in the process list" & @CRLF)
        Return
    EndIf
    ConsoleWrite($myProcess.Name & @CRLF) ; To see we have the object and get the name

    Local $myEnumModules = $myProcess.Modules ; Just get all the modules
    ConsoleWrite("Module count: " & $myEnumModules.Count & @CRLF)
EndFunc   ;==>example
Edited June 7, 2015 by junkew
junkew Posted June 7, 2015 (edited)
And just to get further started (does somebody have an IDL to AutoIt converter?). Download the Deviare COM stuff from https://github.com/nektra/deviare2 . It's not working, as the hook is a pointer to a COM object and IDL tag definitions need to be created (see the ObjCreateInterface documentation and AutoItObject).

;'Late binding AutoIt example
; Download Deviare COM stuff from
; https://github.com/nektra/deviare2
;TODO: DeviareCOM.idl
;http://www.nektra.com/products/deviare-api-hook-windows/doc-v2/_deviare_c_o_m_8idl_source.html

; VARIANT_BOOL values, in case AutoIt's True/False are not marshalled as expected
Global Const $MY_VARIANT_TRUE = -1 ; 0xffff
Global Const $MY_VARIANT_FALSE = 0 ; 0x0000

;~ 163 typedef [v1_enum] enum eNktHookFlags {
Global Const $flgAutoHookChildProcess = 0x0001
Global Const $flgRestrictAutoHookToSameExecutable = 0x0002
Global Const $flgAutoHookActive = 0x0004
Global Const $flgAsyncCallbacks = 0x0008
Global Const $flgOnlyPreCall = 0x0010
Global Const $flgOnlyPostCall = 0x0020
Global Const $flgDontCheckAddress = 0x0040
Global Const $flgDontCallIfLoaderLocked = 0x0080
Global Const $flgDontCallCustomHandlersOnLdrLock = 0x0100
Global Const $flgOnly32Bits = 0x0200
Global Const $flgOnly64Bits = 0x0400
Global Const $flgAddressIsOffset = 0x0800
Global Const $flgInvalidateCache = 0x1000
Global Const $flgDontSkipJumps = 0x2000
Global Const $flgDisableStackWalk = 0x4000
;~ 225 } eNktHookFlags;

; Using Deviare hooking 2, see http://www.nektra.com/
; VBScript equivalent: set mysp=wscript.createobject("DeviareCOM.NktSpyMgr","Deviare2_")
HotKeySet("{ESC}", "Terminate")

Global $oMySp = ObjCreate("DeviareCOM.NktSpyMgr") ; Create an NktSpyMgr object
If Not IsObj($oMySp) Then
    MsgBox(0, "Error", "DeviareCOM.NktSpyMgr could not be created.")
    Exit
EndIf
$oMySp.Initialize()
; Start receiving events: DNktSpyMgrEvents members are dispatched to the Deviare2_* functions below
Global $EventObject = ObjEvent($oMySp, "Deviare2_", "DNktSpyMgrEvents")

; Global, because the event handlers write to it as well
Global $file = FileOpen("Deviare.txt", 2)
; Check if file opened for writing OK
If $file = -1 Then
    MsgBox(0, "Error", "Unable to open file.")
    Exit
EndIf
FileWriteLine($file, "The deviare stuff starts")

; Will only work when notepad is started
Global $myProcess = getProcess("notepad.exe")
If IsObj($myProcess) Then
    FileWriteLine($file, "Notepad process found, proving that the Deviare object manager is there")
Else
    FileWriteLine($file, "Notepad should be started upfront")
    Terminate()
EndIf

; And some stuff to capture certain functions
; VBScript: Set Hook = mySp.CreateHook("gdi32.dll!TextOutA", flgRestrictAutoHookToSameExecutable Or flgOnlyPreCall)
; The flags are a bit mask, so combine them with BitOR, not And:
;$Hook = $oMySp.CreateHook("user32.dll!ShowWindow", BitOR($flgRestrictAutoHookToSameExecutable, $flgOnlyPreCall))
; CreateHook's [out, retval] INktHook comes back as the call result under late binding,
; so the hook object is not passed in as a third argument
Global $Hook = $oMySp.CreateHook("kernel32.dll!CreateFileW", $flgAutoHookActive)
If Not IsObj($Hook) Then
    FileWriteLine($file, "CreateHook failed")
    Terminate()
EndIf
$Hook.Attach($myProcess, $MY_VARIANT_TRUE) ; Attach the hook to the notepad process (synchronously)
$Hook.Hook($MY_VARIANT_TRUE) ; Activate it (synchronously)
FileWriteLine($file, "Hook installed on CreateFileW in " & $myProcess.Name)

; Keep running until escape pressed
While 1
    Sleep(100)
WEnd
; End of main script

; Sub Deviare2_OnProcessStarted(ByVal proc As Deviare2.INktProcess)
Func Deviare2_OnProcessStarted($proc)
    FileWriteLine($file, "OnProcessStarted " & $proc.Name)
EndFunc   ;==>Deviare2_OnProcessStarted

; Sub Deviare2_OnCreateProcessCall(ByVal proc As Deviare2.INktProcess, ByVal pid As Long, ByVal mainThreadId As Long, ByVal is64BitProcess As Boolean, ByVal canHookNow As Boolean)
Func Deviare2_OnCreateProcessCall($proc, $pid, $mainThreadId, $is64BitProcess, $canHookNow)
    FileWriteLine($file, "OnCreateProcessCall")
EndFunc   ;==>Deviare2_OnCreateProcessCall

; Sub Deviare2_OnFunctionCalled(ByVal Hook As Deviare2.INktHook, ByVal proc As Deviare2.INktProcess, ByVal callInfo As Deviare2.INktHookCallInfo)
Func Deviare2_OnFunctionCalled($Hook, $proc, $callInfo)
    FileWriteLine($file, "OnFunctionCalled from " & $proc.Name)
EndFunc   ;==>Deviare2_OnFunctionCalled

Func Terminate()
    $EventObject = 0 ; Releasing the event object stops event delivery
    $oMySp = 0 ; Remove oMySp from memory (not really necessary)
    FileClose($file)
    Exit 0
EndFunc   ;==>Terminate

; The main function to iterate/find a process object
Func getProcess($strP)
    Local $p ; As Deviare2.NktProcess
    Local $enumProcs = $oMySp.Processes ; As Deviare2.NktProcessesEnum
    $p = $enumProcs.First()
    While IsObj($p)
        If $p.Name = $strP Then Return $p ; hand the match back (the earlier version assigned it and never returned it)
        $p = $enumProcs.Next()
    WEnd
    Return 0 ; not found
EndFunc   ;==>getProcess
Edited June 7, 2015 by junkew