New 64-Bit Windows Rootkit Already ‘In The Wild’ is an article that was published recently, and this case reminds me of what Microsoft announced regarding Windows Vista. Security specialists stated at the time that no rootkit would be able to run on this operating system because of its security enhancements, but after a while we found all kinds of malware running on it (see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).
Now we will explain how it is possible to create rootkits. Hooking is a technique used to intercept function calls, messages or events passed between communicating software components by adding a special function to the top of the hook chain. Installing a hook can serve legitimate purposes such as remote administration and system monitoring, and non-legitimate ones such as spyware, rootkits, keyloggers and other malicious programs that aim to supervise user activity on the operating system.
In the past malware was easily detected because it took executable form, but now things are getting more serious. Anti-malware products detect viruses by signature-matching scans of the memory footprint and of disk storage. Now the question is: how can we hook the new operating systems, and where should we place the hook for best results?
The best way to install your hook is by creating a proxy function. In other words, you define which function you want to intercept and then obtain its address using GetProcAddress, as follows: GetProcAddress(GetModuleHandle("ntdll.dll"), "CsrNewThread");
An educated person knows that functions are intercepted through the various DLL libraries (ntdll.dll, kernel32.dll or kernelbase.dll in Windows 7, advapi32.dll, ...).
So what we are going to do is create a DLL proxy function and load it into the target machine; when the application calls the original function, our function gets executed along with the original one. This way it is just a piece of cake.
You start with your function, which then calls the original function, as follows:
[php]
// Proxy function with the same signature as the intercepted function
int NewFunction(void *param1, int param2, bool param3)
{
    // extra logic goes here, then the call is forwarded to the original
    return OriginalFunction(param1, param2, param3);
}
[/php]
But it is important to note that DLL proxying is easily detected by memory-scanning software. There are, however, hooking implementations that are undetectable by these methods, called STEALTH hooking, which we will explain in the next post.
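As an added example (not part of the original post) of the memory-scanning detection mentioned above: the script compares a function's on-disk prologue with what is mapped in memory and names the trampoline shape it finds. The byte strings and the export table are constructed samples, not bytes of any real ntdll build.

```python
import struct
from typing import Optional

# Scanners compare the first bytes of an exported function; 16 bytes cover
# the common trampoline shapes used by inline hooks on x86 and x64.
PROLOGUE_LEN = 16

def classify_patch(mem: bytes) -> str:
    """Name the trampoline found at the start of a patched function (>= 16 bytes)."""
    if mem[0] == 0xE9:                                        # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return f"jmp rel32 ({rel:+#x})"
    if mem[:2] == b"\xFF\x25":                                # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", mem, 2)[0]
        return f"jmp [rip{disp:+#x}]"
    if mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":  # mov rax, imm64 ; jmp rax
        target = struct.unpack_from("<Q", mem, 2)[0]
        return f"mov rax, {target:#x}; jmp rax"
    if mem[0] == 0x68 and mem[5] == 0xC3:                     # push imm32 ; ret
        target = struct.unpack_from("<I", mem, 1)[0]
        return f"push {target:#x}; ret"
    return "unknown patch"

def check_function(name: str, disk_bytes: bytes, mem_bytes: bytes) -> Optional[dict]:
    """Return a finding if the in-memory prologue differs from the on-disk one."""
    disk, mem = disk_bytes[:PROLOGUE_LEN], mem_bytes[:PROLOGUE_LEN]
    if disk == mem:
        return None
    offset = next((i for i, (a, b) in enumerate(zip(disk, mem)) if a != b),
                  min(len(disk), len(mem)))
    return {"function": name, "offset": offset, "kind": classify_patch(mem)}

# Constructed sample: an x64 syscall-stub-like prologue as it would appear on disk
# (mov r10, rcx ; mov eax, <num> ; syscall ; ret ; int3 padding). Not a real dump.
CLEAN = bytes.fromhex("4C8BD1 B8 33000000 0F05 C3 CCCCCCCC CCCC".replace(" ", ""))
# The same function after an inline hook overwrote its first 5 bytes with jmp rel32.
HOOKED = bytes.fromhex("E9 1B000000 000000 0F05 C3 CCCCCCCC CCCC".replace(" ", ""))

def scan_sample() -> list:
    """Run the check over a constructed export table of (name, disk bytes, memory bytes)."""
    exports = [("NtCreateThreadEx", CLEAN, CLEAN), ("NtOpenProcess", CLEAN, HOOKED)]
    return [f for f in (check_function(n, d, m) for n, d, m in exports) if f]

if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding['function']}: patched at +{finding['offset']} -> {finding['kind']}")
```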