was watching betabot hooks in xp sp3.
1. just before sysenter a 2 byte patch for small jump.
2. small jump to push 0xhhhhhhhh\nret
to prevent this hook from removal, programmer has vprotect'd ntdll .text section (containing this stub) with R instead of Rwe as usual.
question: since to remove this hook first we need to vprotect that .text section to RWE then replace small jump with mov edx,esp.
BUT vprotect will finally jmp back to kifastsystemcall which is hooked. it will be denied access by a good ring3 rootkit.
until now, i parsed the hook procedure in betabot 1.6 version
at hooked offset + 0x26 patching 0x74 with 0xeb keeps me away from hook routine and returns peacefully. This way all hooks are useless.
But this is OS and version specific approach.
i need a generic method to not do this manually all the time with new versions (if he keeps on doing this again in some other manner), like reading his procedures to find a bypass for each and every method.
is there a way? instead of doing some sweet kernel shit, i want to be able to remove this hook in ring3 using ring3 api's.
may be i am missing a point.
1. just before sysenter a 2 byte patch for small jump.
2. small jump to push 0xhhhhhhhh\nret
to prevent this hook from removal, programmer has vprotect'd ntdll .text section (containing this stub) with R instead of Rwe as usual.
question: since to remove this hook first we need to vprotect that .text section to RWE then replace small jump with mov edx,esp.
BUT vprotect will finally jmp back to kifastsystemcall which is hooked. it will be denied access by a good ring3 rootkit.
until now, i parsed the hook procedure in betabot 1.6 version
at hooked offset + 0x26 patching 0x74 with 0xeb keeps me away from hook routine and returns peacefully. This way all hooks are useless.
But this is OS and version specific approach.
i need a generic method to not do this manually all the time with new versions (if he keeps on doing this again in some other manner), like reading his procedures to find a bypass for each and every method.
is there a way? instead of doing some sweet kernel shit, i want to be able to remove this hook in ring3 using ring3 api's.
may be i am missing a point.
didn't think of it. Thanks a lot!