Next time include a smidge more detail. And anytime.
To explain the size: it is more than likely 5, because that is the size of a hook. For example, here's a small, somewhat abstracted example of how I think 'it' looks.
VirtualProtect the start of the function; you got that, so
maybe this can help if you're injecting a DLL and then hooking, or you are hooking yourself. :D
Code:
; HkParams is assumed to hold: hkTAddress (target function), Opcode (0E9h, jmp rel32)
; and hkAddress (the hook routine); ByteArray is a 5-byte save buffer for the original bytes.
pushad
lea eax,HkParams                      ; eax = &HkParams
lea edi,ByteArray                     ; edi = save buffer
mov esi,[eax]HkParams.hkTAddress      ; esi = target function start (already VirtualProtect'ed)
mov ecx,0x5                           ; 5 bytes = size of a jmp rel32
push esi
rep movsb                             ; save the original 5 bytes into ByteArray
pop esi                               ; esi back to the target start
push eax
mov al,byte ptr [eax]HkParams.Opcode  ; al = 0E9h
mov byte ptr [esi],al                 ; write the jmp opcode over the first byte
pop eax
mov ebx,[eax]HkParams.hkAddress       ; ebx = hook routine address
add esi,5                             ; esi = target + 5 (end of the jmp instruction)
sub ebx,esi                           ; ebx = hook - (target + 5) = rel32 displacement
sub esi,4                             ; esi = target + 1 (the displacement field)
mov dword ptr [esi],ebx               ; write the rel32
popad
This is a small snippet from the hkHooking namespace I coded, which still needs work. The other methods besides APC injection are easily implemented. I'm currently toying with seeing if I can add a section to a file's in-memory image sections at runtime, or pre-runtime; I need to mimic the base concept of rebuilding everything for an "attached section", but this shouldn't be too hard a task for the Ldr routines. This topic is widely talked about, and now documented partly by Piotr Bania.
Known 'hooking' methods and some concept methods:
The old '5-byte overwrite'.
2-byte hooking: EB F9 written over mov edi,edi.
The old 5-byte overwrite with a spin.
Hooking of either the int3's or the nop's. If you can't locate them up, you can search down: jmp up 7, or down the length of the function.
Single-byte hook of the kernel call routine's service identifier. Use a kernel driver similar to Stoned's 'service adding' feature; at least I would do that. Haven't analysed any of his code yet.
Shared section code used as the hook routine, and the 'client' part of the subsystem implements the hooks, pre-runtime. Haven't tested the client by injecting it yet, though, but I have successfully hooked myself in some of the various tests to accomplish this.
IAT hooking: hooking the Import Address Table. Basically hooks the Import Address Table to 'filter or hook' the function upon call from the 'host' process, and can be used to gain information from a remote process. IAT hooking can be easily bypassed by GetProcAddress or a similar routine, as well as by signature scanning for the function.
EAT (or address lookup hooking): used for GetProcAddress or other types of lookup that retrieve the address from the EAT. Sig scanning for the function bypasses the EAT hook.
Ghostwriting, on rootkit.com.
Mapped memory double checking with a gathered 'mapped' signature can detect runtime hooking and most of these types of hooks, though not IAT or EAT, unless you modify the original module; then it becomes the tactic where they verify your system version, download the DLL and do another mapped check, and then you've got issues with gathering the file from the socket securely.
Modified stack hooking (I'm working on it) with 'code' that searches for and uses the found code to build itself. This can be done by providing a usable 'stack swapping and context poisoning' methodology; searching for places to use these mentioned methods will be the fun part, as well as chaining them together. :D
BanMe
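As an added example (my own code, not BanMe's hkHooking namespace or anything from the post), here is the same arithmetic as the asm snippet above worked in C over a byte buffer that stands in for a 32-bit code page: the 5-byte overwrite with the rel32 computed as hook - (target + 5), the 2-byte EB F9 hot-patch hook over mov edi,edi with the long jmp placed in the padding before the function, a decoder that follows the resulting jmp chain to verify where it lands, and the "mapped memory double check" that compares the live prologue against clean bytes. The image base, the target and hook addresses and the sample prologue bytes are all constructed; VirtualProtect and live patching are deliberately left out so the code runs on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the post. Constructed sample page (assumed addresses):
 *   0x00401000  CC CC CC CC CC     5 bytes of padding before the function
 *   0x00401005  8B FF              mov edi,edi  <- target function entry
 *   0x00401007  55 8B EC 83 EC 10  push ebp / mov ebp,esp / sub esp,10h
 */
#define IMAGE_BASE 0x00401000u
#define TARGET_VA  0x00401005u
#define HOOK_VA    0x10001000u   /* assumed address of the hook routine */

static uint8_t image[32] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    0x90, 0x90, 0x90, 0xC3,
};

/* Is the n-byte range at va inside the simulated page? */
static int in_image(uint32_t va, uint32_t n) {
    return va >= IMAGE_BASE && va + n <= IMAGE_BASE + sizeof image;
}

static uint8_t *at(uint32_t va) { return image + (va - IMAGE_BASE); }

/* rel32 for an E9 jmp at `from`: destination minus the end of the 5-byte instruction
 * (the  add esi,5 / sub ebx,esi  pair in the asm snippet). */
static int32_t rel32(uint32_t from, uint32_t to) {
    return (int32_t)(to - (from + 5));
}

/* Write E9 rel32 at va, little-endian, without saving anything. */
static void write_jmp5(uint32_t va, uint32_t to) {
    uint8_t *p = at(va);
    uint32_t d = (uint32_t)rel32(va, to);
    p[0] = 0xE9;
    for (int i = 0; i < 4; i++) p[1 + i] = (uint8_t)(d >> (8 * i));
}

/* The old 5-byte overwrite: keep the original bytes (for a trampoline or for
 * unhooking) and replace them with jmp hook. */
static int hook_jmp5(uint32_t target, uint32_t hook, uint8_t saved[5]) {
    if (!in_image(target, 5)) return -1;
    memcpy(saved, at(target), 5);
    write_jmp5(target, hook);
    return 0;
}

static int unhook(uint32_t target, const uint8_t saved[5]) {
    if (!in_image(target, 5)) return -1;
    memcpy(at(target), saved, 5);
    return 0;
}

/* The 2-byte hook: needs mov edi,edi (8B FF) at the entry and 5 bytes of INT3/NOP
 * padding before it. The long jmp goes into the padding; the entry becomes
 * EB F9 = jmp -7, which lands at (target + 2) - 7 = target - 5. */
static int hook_hotpatch(uint32_t target, uint32_t hook) {
    const uint8_t *p;
    if (!in_image(target - 5, 7)) return -1;
    p = at(target);
    if (p[0] != 0x8B || p[1] != 0xFF) return -2;        /* no mov edi,edi */
    for (int i = 1; i <= 5; i++)
        if (p[-i] != 0xCC && p[-i] != 0x90) return -3;  /* no padding to use */
    write_jmp5(target - 5, hook);
    at(target)[0] = 0xEB;
    at(target)[1] = 0xF9;
    return 0;
}

/* Decode a jmp at va (E9 rel32 or EB rel8); 0 if va is not a jmp inside the page. */
static uint32_t jmp_dest(uint32_t va) {
    const uint8_t *p;
    if (!in_image(va, 2)) return 0;
    p = at(va);
    if (p[0] == 0xEB) return va + 2 + (uint32_t)(int32_t)(int8_t)p[1];
    if (p[0] == 0xE9 && in_image(va, 5)) {
        uint32_t d = p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        return va + 5 + d;
    }
    return 0;
}

/* Follow a chain of jmps (hot-patch = short jmp into long jmp), at most `max` hops. */
static uint32_t resolve(uint32_t va, int max) {
    while (max-- > 0) {
        uint32_t d = jmp_dest(va);
        if (d == 0) break;
        va = d;
    }
    return va;
}

/* "Mapped memory double checking": compare the live prologue against a clean copy
 * of the same bytes (from the file on disk, or taken before hooking). */
static int prologue_modified(uint32_t target, const uint8_t *clean, size_t n) {
    return in_image(target, (uint32_t)n) && memcmp(at(target), clean, n) != 0;
}

int main(void) {
    uint8_t saved[5];
    hook_jmp5(TARGET_VA, HOOK_VA, saved);
    printf("5-byte hook: rel32=%08x, entry jumps to %08x, prologue modified=%d\n",
           (unsigned)rel32(TARGET_VA, HOOK_VA), (unsigned)jmp_dest(TARGET_VA),
           prologue_modified(TARGET_VA, saved, 5));
    unhook(TARGET_VA, saved);
    hook_hotpatch(TARGET_VA, HOOK_VA);
    printf("hot-patch hook: entry jumps to %08x, chain ends at %08x\n",
           (unsigned)jmp_dest(TARGET_VA), (unsigned)resolve(TARGET_VA, 4));
    return 0;
}
```

Two things worth noting from running it: the hot-patch hook refuses to install once the entry has already been overwritten with E9 (the mov edi,edi signature is gone), which is exactly why the post suggests searching up or down for int3/nop padding instead of assuming it; and the double check catches both hook styles because it compares raw bytes, which is also why it cannot see IAT or EAT hooks, whose bytes live in the data directories rather than in the function body.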