anomaly in betabot

Discussion on reverse-engineering and debugging.
TheExecuter
Posts: 25
Joined: Sat Aug 10, 2013 5:02 pm

anomaly in betabot

Post by TheExecuter » Thu Jan 09, 2014 1:37 pm

I was watching Betabot's hooks on XP SP3.
1. Just before sysenter there is a 2-byte patch for a short jump.
2. The short jump lands on push 0xhhhhhhhh / ret.
[image]
To prevent this hook from being removed, the programmer has VirtualProtect'd the ntdll .text section (which contains this stub) with R instead of RWE as usual.

Question: to remove this hook we first need to VirtualProtect that .text section to RWE and then replace the short jump with mov edx, esp.
BUT VirtualProtect will finally jmp back to KiFastSystemCall, which is hooked. It will be denied access by a good ring3 rootkit.

So far I have parsed the hook procedure in Betabot version 1.6.
[image]
At hooked offset + 0x26, patching 0x74 with 0xEB keeps me away from the hook routine and returns peacefully. This way all the hooks are useless.
But this is an OS- and version-specific approach.
I need a generic method so that I don't have to do this manually every time with new versions (if he keeps doing this again in some other manner), like reading his procedures to find a bypass for each and every method.
Is there a way? Instead of doing some sweet kernel shit, I want to be able to remove this hook in ring3 using ring3 APIs.
Maybe I am missing a point.
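The hook shape described in the post (the first two bytes of ntdll!KiFastSystemCall, normally mov edx, esp, overwritten with a short jmp that lands on a push imm32 / ret stub) is easy to recognise from a byte copy of the function, which is what an integrity check in an analysis tool or an EDR sensor would do. The following is an added example, not code from the thread or from Betabot: it works on a buffer of bytes rather than live process memory, so it builds anywhere, and the sample buffers, the handler address 0x12345678 and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread): recognise the inline hook described in
 * the post, i.e. the 2-byte "mov edx, esp" at the start of KiFastSystemCall
 * replaced by a short jmp whose target is "push imm32 ; ret".             */

/* Unhooked start of ntdll!KiFastSystemCall on Windows XP SP3 (x86):
 *   8B D4   mov edx, esp
 *   0F 34   sysenter
 *   C3      ret                                                            */
static const uint8_t CLEAN_KIFASTSYSTEMCALL[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

typedef struct {
    int modified;          /* prologue differs from the known-good bytes     */
    int hooked;            /* short jmp -> push imm32 ; ret pattern found    */
    size_t stub_offset;    /* where the push/ret stub sits in the buffer     */
    uint32_t hook_target;  /* address the stub pushes (the hook handler)     */
} hook_report;

/* Returns 1 when the jmp -> push/ret hook is recognised, 0 otherwise.
 * `code` is a copy of the bytes starting at KiFastSystemCall, `len` its size. */
int detect_short_jmp_push_ret(const uint8_t *code, size_t len, hook_report *out)
{
    memset(out, 0, sizeof *out);
    if (len < sizeof CLEAN_KIFASTSYSTEMCALL)
        return 0;
    if (memcmp(code, CLEAN_KIFASTSYSTEMCALL, sizeof CLEAN_KIFASTSYSTEMCALL) == 0)
        return 0;                        /* pristine prologue, nothing to do */
    out->modified = 1;

    if (code[0] != 0xEB)                 /* not a short jmp: some other patch */
        return 0;

    /* EB rel8: the target is relative to the end of the 2-byte instruction */
    long target = 2 + (long)(int8_t)code[1];
    if (target < 0 || (size_t)target + 6 > len)
        return 0;                        /* jumps outside the bytes we hold  */

    const uint8_t *stub = code + target;
    if (stub[0] != 0x68 || stub[5] != 0xC3)   /* push imm32 ; ret            */
        return 0;

    out->hooked = 1;
    out->stub_offset = (size_t)target;
    out->hook_target = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                       ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    return 1;
}

/* Convenience wrappers: handler address (0 if no hook) and "prologue changed". */
uint32_t hook_handler_of(const uint8_t *code, size_t len)
{
    hook_report r;
    return detect_short_jmp_push_ret(code, len, &r) ? r.hook_target : 0;
}

int prologue_modified(const uint8_t *code, size_t len)
{
    hook_report r;
    detect_short_jmp_push_ret(code, len, &r);
    return r.modified;
}

/* Constructed sample: EB 0E jumps 14 bytes past itself (to offset 16), where a
 * "push 0x12345678 ; ret" stub sits. The handler address is made up.       */
const uint8_t SAMPLE_HOOKED[] = {
    0xEB, 0x0E,                                   /* jmp +0x0E               */
    0x0F, 0x34, 0xC3, 0x90, 0x90, 0x90, 0x90,     /* leftover sysenter / ret */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,     /* padding up to offset 16 */
    0x68, 0x78, 0x56, 0x34, 0x12,                 /* push 0x12345678         */
    0xC3                                          /* ret                     */
};
const size_t SAMPLE_HOOKED_LEN = sizeof SAMPLE_HOOKED;

/* Constructed sample of the untouched function. */
const uint8_t SAMPLE_CLEAN[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3, 0x90, 0x90, 0x90 };
const size_t SAMPLE_CLEAN_LEN = sizeof SAMPLE_CLEAN;

int main(void)
{
    hook_report r;
    if (detect_short_jmp_push_ret(SAMPLE_HOOKED, SAMPLE_HOOKED_LEN, &r))
        printf("hooked: stub at +0x%zx, handler 0x%08x\n", r.stub_offset, r.hook_target);
    else
        printf("no jmp/push/ret hook found (modified=%d)\n", r.modified);
    printf("clean sample modified=%d\n", prologue_modified(SAMPLE_CLEAN, SAMPLE_CLEAN_LEN));
    return 0;
}
```

The `modified` flag is the part worth keeping in a real check: comparing the in-memory prologue against the bytes from the on-disk ntdll catches any patch, not just this one pattern, so a new Betabot version that hooks differently still trips it even if the jmp/push/ret decoder no longer matches.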

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: anomaly in betabot

Post by EP_X0FF » Thu Jan 09, 2014 2:15 pm

Do direct syscall.
Ring0 - the source of inspiration

TheExecuter
Posts: 25
Joined: Sat Aug 10, 2013 5:02 pm

Re: anomaly in betabot

Post by TheExecuter » Thu Jan 09, 2014 2:22 pm

EP_X0FF wrote: Do direct syscall.

Oops, I didn't think of it. Thanks a lot!
