View Full Version : Hiding Kernel32/NtDll hooks

May 24th, 2012, 13:44
Is it possible to hide Kernel32/NtDll hooks in user mode (from user mode detection)? To hide or to generate an access violation on read? I'm talking about the JMP or code-cave-like hooks in a loaded module. I don't know the term.

VirtualProtectEx with PAGE_EXECUTE in combination with FlushInstructionCache (from a remote process) doesn't seem to work, for reasons unknown to me. Guess I don't understand the PAGE_EXECUTE flag or there's some caching/optimization problem in my test target. Should it work?

May 24th, 2012, 16:39
It's likely your process does NOT have the privilege to run VPex over the remote process. Query your process and see if you have the right privilege (from memory, it's the vm_operation, but I'd need to check) enabled (you might have it, but disabled).
...at least, for what I've understood of your question.
About the FlushBlah, you can skip it as long as it's on a local system... you're not running on an iAPX486 any more.

May 24th, 2012, 16:48
I didn't do a double check, but I'm pretty sure I have all privileges. VirtualProtectEx and everything else succeeds. The process handle is obtained with PROCESS_ALL_ACCESS flags. PAGE_NOACCESS works ok. PAGE_EXECUTE screws things up too: when I set it on all the pages where the dll image resides, the target can't access the dll data.

One thing I didn't have was page-aligned lpAddress and dwSize, but that shouldn't be a problem according to the documentation.

What my test target does:
// Compare the first DWORD of NtOpenProcess with the value captured at startup
if (initialDwAtNtOpenProcess != *(DWORD*)GetProcAddress(GetModuleHandle("NtDll"), "NtOpenProcess")) { /* hook detected */ }
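
The check the test target performs, written out as an added C example (not code from the thread): it snapshots the first bytes of an export at startup, compares them later, and also classifies the most common detour opcodes (JMP rel32, JMP [mem], push/ret). It runs over constructed byte buffers standing in for the ntdll stub, so it builds anywhere; on Windows the code pointer would come from GetProcAddress(GetModuleHandle("ntdll"), "NtOpenProcess").

```c
#include <stdint.h>
#include <string.h>

#define PROLOGUE_LEN 16

typedef struct {
    const char *name;
    uint8_t     baseline[PROLOGUE_LEN];   /* bytes captured at startup */
} export_snapshot;

/* Record the first PROLOGUE_LEN bytes of an export as the trusted baseline. */
static void snapshot_export(export_snapshot *s, const char *name, const uint8_t *code)
{
    s->name = name;
    memcpy(s->baseline, code, PROLOGUE_LEN);
}

/* 0 = unchanged, 1 = bytes differ from baseline, 2 = differ and the prologue
 * now starts with a typical detour: E9 rel32, FF 25 [mem], or 68 imm32 / C3. */
static int check_export(const export_snapshot *s, const uint8_t *code)
{
    if (memcmp(s->baseline, code, PROLOGUE_LEN) == 0)
        return 0;
    if (code[0] == 0xE9)                        return 2;   /* jmp rel32      */
    if (code[0] == 0xFF && code[1] == 0x25)     return 2;   /* jmp dword [mem] */
    if (code[0] == 0x68 && code[5] == 0xC3)     return 2;   /* push imm32; ret */
    return 1;
}

/* Constructed sample (not real ntdll bytes): a syscall-stub-like prologue
 * (mov eax, imm32 ; mov edx, imm32 ; call [edx] ; ret 10h ; nop), and the
 * same stub after its first five bytes were overwritten with a JMP rel32. */
static const uint8_t clean_stub[PROLOGUE_LEN] = {
    0xB8, 0x11, 0x11, 0x11, 0x11, 0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12, 0xC2, 0x10, 0x00, 0x90 };
static const uint8_t hooked_stub[PROLOGUE_LEN] = {
    0xE9, 0x22, 0x22, 0x22, 0x22, 0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12, 0xC2, 0x10, 0x00, 0x90 };

/* Verdict for the unmodified stub: expected 0. */
int verdict_clean(void)
{
    export_snapshot s;
    snapshot_export(&s, "NtOpenProcess", clean_stub);
    return check_export(&s, clean_stub);
}

/* Verdict for the patched stub: expected 2 (changed, and starts with JMP rel32). */
int verdict_hooked(void)
{
    export_snapshot s;
    snapshot_export(&s, "NtOpenProcess", clean_stub);
    return check_export(&s, hooked_stub);
}
```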

May 24th, 2012, 17:36
PAGE_EXECUTE can be used when PAE is enabled. Otherwise the attribute is not defined in the PTE (seg. descriptor in GDT/LDT).

The patch can not be hidden.

May 24th, 2012, 19:25
What about hooking SystemCallStub and setting a hardware breakpoint to deal with detection?

May 25th, 2012, 01:56
aaah, NOW I've understood what you want to do!

...but you want to hide the page from usermode while IN usermode, like with the shadow page technique?? I don't think you can, no way.

Probably the best solution would be to place a page_guard + exception handler chain hook. A bit slow since you may end up with MANY hits in the 4kb page you need to guard, and in such a case you must resume execution and deal with code executed in such 4kb page.
HWBPs are not the best solution because they are too few and can be washed, i.e. with an exception handler, so you need to hook the exception chain anyway to prevent it.

May 25th, 2012, 03:50
...but you want to hide the page from usermode while IN usermode, like with the shadow page technique?? I don't think you can, no way.

Yeah, basically, but not a real shadow page. Giving an access violation or even alarming the hook about the detection would be good.

I'll try a single HW BP + exception handler and see how hard that hits the performance. Page guard would make a mess.