Topic: [Help] Global hooks under windows

Yo!
I got some working code that basically hooks CreateProcessW in each process where my DLL is injected (and the DLL is self-injectable, so it's progressive). So it's like super persistence, but injecting and hooking in almost all processes can be unstable and hard not to notice. So, do you guys have other ways of doing global hooks when, for example, you want to monitor registry access?

10x

Re: [Help] Global hooks under windows

I don't know if I properly understood what you want.

This is just a thought and I have not tried it myself, but if you could confirm that Regedit calls User32.DLL, you could simply put your DLL path in AppInit_DLLs in the Registry and hook the functions to hide a registry key / value from the user's view.
But AppInit_DLLs only gets injected into those processes that load User32.DLL.
If you just want to be notified when a registry key is changed, you could use RegNotifyChangeKeyValue().

I'm sure you must have used CreateRemoteThread() for every process. Maybe you could use SetWindowsHookEx() for global hooking?

There are only 10 types of people in this world. Ones who understand binary and the others who don't.
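Since the reply above mentions AppInit_DLLs as a way to get a DLL loaded into every process that loads User32.DLL, the defender-side counterpart is to audit that value. The following PowerShell is an added example, not code from this thread or from any poster; it reads the AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs values from both the native and the Wow6432Node key and flags any configured DLL path so an administrator can review it. The `-ExpectedDlls` parameter and its default empty list are assumptions of this example, not part of any Windows setting.

```powershell
# Audit the AppInit_DLLs mechanism on the local machine (added example, not from the thread).
# Any non-empty AppInit_DLLs value means a DLL is loaded into every process that loads User32.DLL,
# so each entry should be reviewed against what the administrator expects.
function Get-AppInitDllAudit {
    param(
        # Hypothetical allow-list for this example: DLL paths the administrator knows about.
        [string[]]$ExpectedDlls = @()
    )

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        # AppInit_DLLs is a space- or comma-separated list of DLL paths.
        $raw = [string]$props.AppInit_DLLs
        $dlls = @()
        if ($raw.Trim().Length -gt 0) {
            $dlls = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }
        }

        $unexpected = $dlls | Where-Object { $ExpectedDlls -notcontains $_ }

        [pscustomobject]@{
            Key                      = $key
            LoadAppInit_DLLs         = $props.LoadAppInit_DLLs          # 1 = mechanism enabled
            RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs # 1 = only signed DLLs load
            ConfiguredDlls           = $dlls
            UnexpectedDlls           = $unexpected
            # Suspicious when the mechanism is enabled and at least one DLL is not on the allow-list.
            Suspicious               = ($props.LoadAppInit_DLLs -eq 1 -and $unexpected.Count -gt 0)
        }
    }
}

# Usage: run as an administrator and review any row with Suspicious = True.
Get-AppInitDllAudit | Format-List
```

The audit reports rather than removes: a legitimate product may register an AppInit DLL, so each listed path should be checked for a valid signature and a known publisher before anything is changed, and the same values are worth collecting centrally as a baseline so that a newly appearing entry stands out.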

Re: [Help] Global hooks under windows

There are tons of ways to globally hook processes and newly created processes. Which mode does your process prefer to run in? Kernel mode or user mode?

From kernel mode, one could use a process notification callback routine to monitor which processes are created/terminated, so he could inject code into those. Several topics related to this have been discussed for years. You can google for "process notification callback" and "APC usermode injection". Or you can use a 3rd-party app to simplify the development, such as madCodeHook.

From user mode, you can use DLL injection (via many ways). Again, just google for that term.

Re: [Help] Global hooks under windows

It's a ring3 solution. I know about NotifyRoutine and ring0. And I can't agree that there are many solutions for user mode. To be more precise, I'm emulating PsSetLoadImageNotifyRoutine via that hook of CreateProcessW, so I inject my code/DLL into each process that is spawned.

Now what I need is some other solution that is most likely more stable than mine.

Thanks

PS: AppInit_DLLs is more stable, I agree, but let's say I don't inject a DLL all the time (sometimes I do DCI - direct code injection).

Last edited by nonhuman (2011-12-14 17:39:13)

Re: [Help] Global hooks under windows

Inline hooking without a DLL is more stealthy than DLL injection: rootkit unhookers won't be able to tell where the hooks are coming from, while they will easily see where the hooks are coming from when you inject a DLL and can easily delete the DLL. Making the ring3 hooks undetected by kernel-mode rk unhookers will be hard, though.

forum have become too shitty lately, if you need me find me at coru or dk, 10-4 over and out.

Re: [Help] Global hooks under windows

Yep, he's looking for a solution to just inject the code inside another process to intercept/hook the creation of another process.

Speaking about hiding from rk unhookers, hiding the hooks from kernel mode from ring3 is 100% impossible, due to the fact that there's no way to either forge memory or forge false file content for a ring3 application. The only way to prevent a kernel-mode-based antirootkit from a usermode-based app is to prohibit it from loading its drivers (via hooking, monitoring creating file/writing file and some other hardcore methods, but it would take too long to mention them here).

crim, do you have ICQ?

Last edited by d_p (2011-12-17 04:34:37)

Re: [Help] Global hooks under windows

d_p wrote:

Yep, he's looking for a solution to just inject the code inside another process to intercept/hook the creation of another process.

Speaking about hiding from rk unhookers, hiding the hooks from kernel mode from ring3 is 100% impossible, due to the fact that there's no way to either forge memory or forge false file content for a ring3 application. The only way to prevent a kernel-mode-based antirootkit from a usermode-based app is to prohibit it from loading its drivers (via hooking, monitoring creating file/writing file and some other hardcore methods, but it would take too long to mention them here).

crim, do you have ICQ?

93 - 88 - 73 - 00, but I rarely have time to get online, though.

forum have become too shitty lately, if you need me find me at coru or dk, 10-4 over and out.