Thread: SSDT Hooking + AV

  1. #1
    bruno

    Hi guys/gals,

    Let's say there is an AV product that does SSDT hooks for typical things to prevent tampering (i.e. ZwDeleteKey, ZwDeleteValueKey, ZwTerminateProcess).

    If ZwCreateKey is not checked and you can add registry keys, and ZwReplaceKey and ZwRestoreKey are not checked, couldn't you replace a key/value pair with bogus information and in a sense "delete" a key?

    I tried finding any information on this, but as you all know, documentation on these APIs is hard to come by. I found some documentation on common ones such as CreateKey but nothing in regards to the specifics I was looking for. Google results only seem to turn up malware examples and things that are hooked by it.

    Thanks for the help
    Last edited by bruno; December 4th, 2007 at 19:40.

  2. #2
    Kayaker
    Sounds reasonable. Only one way to tell, isn't there?

    If you google for the Nt equivalents you can find the prototypes at
    http://undocumented.ntinternals.net

    Plus, they are all defined in ntoskrnl, so IDA + symbols exposes the entire function for NtReplaceKey, etc.

    The Zw forms are in ntdll. 7FFE0300h is a pointer to the address of KiFastSystemCall or SYSENTER.

    Code:
    .text:7C90E34E                 public _ZwReplaceKey@12
    .text:7C90E34E _ZwReplaceKey@12 proc near
    .text:7C90E34E                 mov     eax, 0C1h       ; NtReplaceKey
    .text:7C90E353                 mov     edx, 7FFE0300h
    .text:7C90E358                 call    dword ptr [edx]
    .text:7C90E35A                 retn    0Ch
    .text:7C90E35A _ZwReplaceKey@12 endp
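
    As an added example (not Kayaker's code, and not from the thread), a small Python decoder for the stub layout shown above: it recovers the syscall index and argument count from the `mov eax, imm32 / mov edx, 7FFE0300h / call dword ptr [edx] / retn imm16` pattern, and reports a stub whose prologue no longer matches, which is the user-mode check a defender runs to spot inline-patched ntdll stubs. The bytes are constructed from the listing above; a 32-bit, XP-era ntdll layout is assumed.

```python
import struct

# Constructed from the IDA listing above (32-bit ntdll, XP era):
#   B8 C1 00 00 00   mov  eax, 0C1h        ; NtReplaceKey syscall index
#   BA 00 03 FE 7F   mov  edx, 7FFE0300h   ; SharedUserData system call stub pointer
#   FF 12            call dword ptr [edx]
#   C2 0C 00         retn 0Ch              ; 3 stack arguments * 4 bytes
ZW_REPLACE_KEY_STUB = bytes.fromhex("B8C1000000BA0003FE7FFF12C20C00")

# Constructed example of what an inline patch leaves behind: the first five
# bytes of the stub replaced by a rel32 JMP (target value is a placeholder).
HOOKED_STUB = bytes.fromhex("E9DEADBEEF") + ZW_REPLACE_KEY_STUB[5:]

SYSTEM_CALL_STUB_PTR = 0x7FFE0300  # the 7FFE0300h from the listing


def decode_syscall_stub(stub: bytes):
    """Return (syscall_index, arg_count) if `stub` matches the Zw* pattern,
    or None if the bytes have been changed or are not such a stub."""
    if len(stub) < 15:
        return None
    if stub[0] != 0xB8:                                  # mov eax, imm32
        return None
    syscall_index = struct.unpack_from("<I", stub, 1)[0]
    if stub[5] != 0xBA:                                  # mov edx, imm32
        return None
    if struct.unpack_from("<I", stub, 6)[0] != SYSTEM_CALL_STUB_PTR:
        return None
    if stub[10:12] != b"\xFF\x12":                       # call dword ptr [edx]
        return None
    if stub[12] != 0xC2:                                 # retn imm16
        return None
    stack_bytes = struct.unpack_from("<H", stub, 13)[0]
    return syscall_index, stack_bytes // 4


def check_stub(name: str, stub: bytes) -> str:
    """Human-readable verdict for one exported Zw* stub."""
    decoded = decode_syscall_stub(stub)
    if decoded is None:
        return f"{name}: prologue does not match the ntdll stub pattern (patched?)"
    index, nargs = decoded
    return f"{name}: syscall 0x{index:X}, {nargs} arguments"


if __name__ == "__main__":
    print(check_stub("ZwReplaceKey", ZW_REPLACE_KEY_STUB))
    print(check_stub("ZwReplaceKey (patched)", HOOKED_STUB))
```

    On a live system the same decoder would be run over the bytes read at each Zw* export address and compared against the stub pattern, so a stub that no longer starts with `mov eax, imm32` stands out immediately.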

  3. #3
    bruno
    Thx for the help!

  4. #4
    Evilcry
    Take also a look at www.rootkit.com.

    Regards,
    Evilcry

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com
