A legitimate program calls the TerminateProcess function, as seen at ❶. Normally, the code will use the IAT to access the target function in Kernel32.dll, but if an IAT hook is installed, as indicated at ❷, the malicious rootkit code will be called instead. The rootkit code returns to the legitimate program to allow the TerminateProcess function to execute after manipulating some parameters. In this example, the IAT hook prevents the legitimate program from terminating a process.
Example 11-8. Installing an inline hook

    100014ED push 7
    100014EF push offset Ptr_ZwDeviceIoControlFile
    100014F4 push offset 10004010 ;patchBytes
    100014F9 push edi
    100014FA push esi
    100014FB call Install_inline_hook
Now ZwDeviceIoControlFile will call the rootkit function first. The rootkit's hooking function removes all traffic destined for port 443 and then calls the real ZwDeviceIoControlFile, so everything continues to operate as it did before the hook was installed.
Since many defense programs expect inline hooks to be installed at the beginning of functions, some malware authors have attempted to insert the jmp or the code modification further into the API code to make it harder to find.
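As an added example, not code from the book or from the rootkit it describes, the following C program shows the two checks a defender runs against the hooks discussed above: an IAT audit that flags any import slot whose pointer lies outside the module it claims to import from (the TerminateProcess redirection at ❷), and an inline-hook audit that compares a function's in-memory bytes against a clean copy of the same bytes instead of only looking for a jmp at offset 0, which is what catches a jmp pushed further into the API code. Every address and byte sequence here (the kernel32 range, a rootkit image assumed to be based at 0x10000000 to match the 0x1000xxxx addresses in Example 11-8, and the prologue bytes) is constructed sample data; the hypothetical helper names are the example's own.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address range occupied by a loaded module (constructed values). */
typedef struct {
    const char *name;
    uintptr_t base;
    size_t size;
} module_range;

/* One IAT slot: the import name and the function pointer stored in the table. */
typedef struct {
    const char *import_name;
    uintptr_t target;
} iat_entry;

/* 1 if the slot points outside the module it imports from (an IAT hook), else 0. */
int iat_entry_is_hooked(const iat_entry *e, const module_range *m) {
    return !(e->target >= m->base && e->target < m->base + m->size);
}

/* Report every hooked slot and return how many were found. */
int count_iat_hooks(const iat_entry *table, size_t n, const module_range *m) {
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        if (iat_entry_is_hooked(&table[i], m)) {
            printf("IAT hook: %s -> 0x%" PRIxPTR " lies outside %s\n",
                   table[i].import_name, table[i].target, m->name);
            hooked++;
        }
    }
    return hooked;
}

/* Offset of the first byte where the in-memory function differs from the clean
   copy, or -1 if they match. A diff finds a patch at any depth, not just at
   the function entry. */
int first_patched_offset(const uint8_t *in_memory, const uint8_t *on_disk, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (in_memory[i] != on_disk[i])
            return (int)i;
    return -1;
}

/* Recognise the two common jmp encodings at a given offset: E9 rel32 and FF 25 [abs]. */
int is_jmp_at(const uint8_t *code, size_t len, size_t off) {
    if (off + 5 <= len && code[off] == 0xE9) return 1;
    if (off + 6 <= len && code[off] == 0xFF && code[off + 1] == 0x25) return 1;
    return 0;
}

/* ---- constructed sample data ---- */
static const module_range kernel32 = { "kernel32.dll", 0x7C800000u, 0xF6000u };

static const iat_entry sample_iat[2] = {
    { "CreateFileW",      0x7C801A28u },  /* inside kernel32: clean */
    { "TerminateProcess", 0x10001234u },  /* inside the 0x10000000 rootkit image: hooked */
};

#define PROLOGUE_LEN 16
/* mov edi,edi / push ebp / mov ebp,esp / sub esp,10h / push ebx,esi,edi / ... */
static const uint8_t clean_prologue[PROLOGUE_LEN] = {
    0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0x53, 0x56, 0x57, 0x8B,0x7D,0x08, 0x33,0xC0 };
/* jmp rel32 written over the first five bytes: the case defensive tools expect. */
static const uint8_t hooked_at_start[PROLOGUE_LEN] = {
    0xE9,0x11,0x22,0x33,0x44, 0x83,0xEC,0x10, 0x53, 0x56, 0x57, 0x8B,0x7D,0x08, 0x33,0xC0 };
/* Prologue left intact, jmp rel32 placed at offset 5: the deeper variant the text describes. */
static const uint8_t hooked_deep[PROLOGUE_LEN] = {
    0x8B,0xFF, 0x55, 0x8B,0xEC, 0xE9,0x11,0x22,0x33,0x44, 0x57, 0x8B,0x7D,0x08, 0x33,0xC0 };

int main(void) {
    printf("hooked IAT slots: %d\n", count_iat_hooks(sample_iat, 2, &kernel32));
    printf("entry-only jmp check, deep hook: %d (missed)\n", is_jmp_at(hooked_deep, PROLOGUE_LEN, 0));
    printf("diff vs clean, hook at start: offset %d\n",
           first_patched_offset(hooked_at_start, clean_prologue, PROLOGUE_LEN));
    printf("diff vs clean, deep hook: offset %d\n",
           first_patched_offset(hooked_deep, clean_prologue, PROLOGUE_LEN));
    return 0;
}
```

On a live system the clean copy comes from mapping the module's file from disk and applying relocations before the comparison; otherwise relocated absolute addresses show up as false differences. The comparison window should extend well past the first few bytes, since the text notes the patch may sit further into the function, and an entry-only jmp check (is_jmp_at at offset 0) returns 0 for exactly that case.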