Jump to content
begood

Patching Kernel32 for Fun and Profit

Recommended Posts

Kernel32.dll is a dynamic link library present in all 32-bit and 64-bit versions of Microsoft Windows. It exposes to applications most of the Win32 base APIs, such as memory management, input/output operations, (process and thread) creation, and synchronization functions. In this video Spiffomatic64 shows us how to patch Kernel32 by using OllyDbg. He demonstrates the power of patching with a simple example where he swaps filenames in a function call with the DLL.

The patching mechanism works by putting an unconditional jump instruction in the beginning of the function to be patched and then points the jump to a location in the .text segment where the attacker's code resides. Once the attacker's code is executed, control is transfered back to the original function code. Of course, the attacker's code needs to ensure that all the state (registers, flags etc) are saved before his code executes and then restored back to their original state before returning control to the original function code. He also needs to execute the code he replaced with the unconditional jump instruction before passing control back. This will ensure that the system does not crash or behave unexpectedly when control is given back. Spiffomatic64 demos this entire process in depth and detail. This video is very important in understanding rootkits, as most of them use similar techniques to take control and camouflage their presence in an infected system.

There is a fair bit if assembly language involved in this video. If you are unfamiliar with Assembly Language programming, then begin with the 12 part Assembly Language Primer for Hackers which we created a while back. It is important to note that our tutorial used the AT&T syntax while this video uses the Intel syntax for Assembly language.

Thanks go out to Spiffomatic64 for submitting this video to SecurityTube. You can visit his site here. This is recommended watch for people interested in rootkits and other malware.

Patching Kernel32 for Fun and Profit Tutorial

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...