Exetools > General > General Discussion
  #1  
Old 08-18-2004, 04:41
jov
 
I think that for real hooking you will need to write a ring0 driver. This ring3 hooking with DLL injection is not a reliable enough technique.
  #2  
Old 08-18-2004, 12:06
thewhiz
 
Phrack to the rescue perhaps?

hxxp://www.phrack.org/show.php?p=62&a=6

Dig through that, it will give you some rather interesting ideas
at the very least.
  #3  
Old 08-19-2004, 13:16
drocon
 
Quote:
Originally Posted by jov
I think that for real hooking you will need to write a ring0 driver. This ring3 hooking with DLL injection is not a reliable enough technique.
It's reliable enough, and KMDs are NT-only (and if you combine some sort of VXD/KMD stuff in one app, it will look ugly :/ ). IAT hooking is sufficient for the average job, but you need to watch out for some annoying pitfalls, like patching LoadLibrary()/GetProcAddress(), but even then an app could dynamically obtain an API address by enumerating EATs, so that's where EAT hooking comes in.

As for reliability, it's simply best to allocate a buffer of, say, 20 bytes of nops and a jmp, use an LDE, scan the first few instructions until the length you have scanned exceeds 6 (push dword / retn; it must be direct, not relative, so it can be hooked again), copy those instructions into your empty buffer, patch the entry point, repair the empty jmp in the buffer, and that shall act as a stub your hooking procedure calls to return to the original function. I, personally, think this is the most reliable way out there.

As for DLL injection: open a process, retrieve its threads, use OpenThread() to convert dwThreadID to hThread, SuspendThread(), GetThreadContext(), alter eip, SetThreadContext(), and inject a CreateThread() call, then resume the thread.

OpenThread() is "officially" only available on NT, but there are plenty of undocumented ways to achieve the same.

OK, just my 2 cents.
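The hooks drocon describes (IAT/EAT redirection and the push/ret or jmp entry-point trampoline) each leave a footprint that can be checked for from the defender's side. The Python below is an added example written for this page; it is not code from the thread or from any poster. The module base, the hook target address and the prologue bytes are constructed sample data; in real use the inputs would be a memory snapshot of the process and the matching module file from disk.

```python
"""Detection-side companion to the hooking discussion above (added example).

Two checks over a process snapshot:
1. check_prologue(): do an exported function's first bytes in memory still
   match the bytes from the module on disk, and if not, is the patch one of
   the trampoline shapes the post describes (push imm32/ret, jmp rel32,
   mov eax,imm32/jmp eax) and where does it lead?
2. check_iat_entry(): does a resolved IAT slot point inside the module that
   exports the symbol? Entries pointing elsewhere are the footprint of an
   IAT hook.
All addresses and byte strings below are constructed sample data."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ModuleRange:
    """Load address and size of one mapped module (constructed values below)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class HookReport:
    symbol: str
    hooked: bool
    kind: Optional[str] = None       # trampoline shape or "IAT redirect", if recognised
    target: Optional[int] = None     # where control is diverted to
    outside_module: bool = False     # target lies outside the exporting module


def decode_trampoline(entry: bytes, addr: int) -> tuple[Optional[str], Optional[int]]:
    """Recognise the entry-point patches described in the thread. `addr` is the
    virtual address of the function entry; jmp rel32 is resolved relative to
    the end of the 5-byte instruction."""
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:            # push imm32 ; ret
        return "push imm32/ret", struct.unpack_from("<I", entry, 1)[0]
    if len(entry) >= 5 and entry[0] == 0xE9:                                # jmp rel32
        rel = struct.unpack_from("<i", entry, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(entry) >= 7 and entry[0] == 0xB8 and entry[5:7] == b"\xFF\xE0":  # mov eax,imm32 ; jmp eax
        return "mov eax,imm32/jmp eax", struct.unpack_from("<I", entry, 1)[0]
    return None, None


def check_prologue(symbol: str, addr: int, disk_bytes: bytes, mem_bytes: bytes,
                   module: ModuleRange) -> HookReport:
    """Compare a function's first bytes as mapped in memory with the same bytes
    from the module file on disk (relocations aside, they must match). Any
    mismatch is reported, and classified when it is a known trampoline shape."""
    n = min(len(disk_bytes), len(mem_bytes))
    if disk_bytes[:n] == mem_bytes[:n]:
        return HookReport(symbol, hooked=False)
    kind, target = decode_trampoline(mem_bytes, addr)
    outside = target is not None and not module.contains(target)
    return HookReport(symbol, True, kind, target, outside)


def check_iat_entry(symbol: str, resolved: int, exporter: ModuleRange) -> HookReport:
    """An IAT slot must resolve into the module that exports the symbol;
    anything else is the footprint of an IAT hook."""
    if exporter.contains(resolved):
        return HookReport(symbol, hooked=False)
    return HookReport(symbol, True, "IAT redirect", resolved, True)


# --- constructed sample data (not taken from any real process) ---
KERNEL32 = ModuleRange("kernel32.dll", base=0x7C800000, size=0x000F6000)
HOOK_FUNC = 0x00300000                        # hypothetical hook routine in an injected DLL
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")  # mov edi,edi ; push ebp ; mov ebp,esp


def patched_push_ret() -> bytes:
    """Entry overwritten with the 6-byte absolute push/ret from the post."""
    return b"\x68" + struct.pack("<I", HOOK_FUNC) + b"\xC3"


def patched_jmp_rel32(entry_addr: int) -> bytes:
    """Entry overwritten with a 5-byte relative jmp to HOOK_FUNC."""
    return b"\xE9" + struct.pack("<i", HOOK_FUNC - (entry_addr + 5))


def run_samples() -> list[HookReport]:
    return [
        check_prologue("CreateFileA", 0x7C801A28, CLEAN_PROLOGUE, CLEAN_PROLOGUE, KERNEL32),
        check_prologue("LoadLibraryA", 0x7C801D7B, CLEAN_PROLOGUE, patched_push_ret(), KERNEL32),
        check_prologue("GetProcAddress", 0x7C80AE30, CLEAN_PROLOGUE,
                       patched_jmp_rel32(0x7C80AE30), KERNEL32),
        check_iat_entry("CreateFileA", 0x7C801A28, KERNEL32),        # resolved inside kernel32
        check_iat_entry("CreateFileA", HOOK_FUNC + 0x40, KERNEL32),  # redirected elsewhere
    ]


if __name__ == "__main__":
    for r in run_samples():
        status = "HOOKED" if r.hooked else "clean "
        detail = f" via {r.kind} -> {r.target:#010x}" if r.hooked and r.target is not None else ""
        print(f"{status} {r.symbol}{detail}{' (outside module)' if r.outside_module else ''}")
```

The byte comparison catches the patch regardless of shape; the decoder only adds the "where does it go" detail, and a target outside the exporting module is what separates an injected hook from code the module itself owns. Two sources of false positives to keep in mind when running the IAT check on a real process: forwarded exports (a kernel32 export that forwards to ntdll resolves into ntdll by design) and any legitimate hooking layer already installed on the host, so compare against a known-good baseline rather than treating every hit as hostile.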
  #4  
Old 08-20-2004, 10:09
homersux
 
It looks like taos is running a pre-NT Windows OS. I don't see why the described method would work on NT4.0+.
  #5  
Old 08-20-2004, 14:33
taos
Quote:
Originally Posted by homersux
It looks like taos is running a pre-NT Windows OS. I don't see why the described method would work on NT4.0+.

Quote from Validtec:
"APIHookxp.dll: Win32 API Hook DLL for WINNT/2000/XP
APIHook9x.dll: Win32 API Hook DLL for WIN9X/WINME"

It's valid for different OSes. You only need to distribute the right DLL, or both.
  #6  
Old 08-26-2004, 18:31
xixiaolou
 
For hiding a file on the hard disk, maybe you should learn some stealth techniques from Phrack.

For hiding a PE file while it is running, you can code it to change its own PEB, hook some APIs, and even inject itself into another process.
All times are GMT +8.