IA32 Advanced Function Hooking - PowerPoint PPT Presentation

About This Presentation
Title:

IA32 Advanced Function Hooking

Description:

IA32 Advanced Function Hooking. Phrack 58, by mayhem. Dan Austin. Advanced Function Hooking ... Newest version of LKH: http://www.devhell.com/~mayhem/projects/lkh ...


Transcript and Presenter's Notes

1
  • IA32 Advanced Function Hooking
  • Phrack 58, by mayhem
  • Dan Austin

2
Advanced Function Hooking
  • Introduction
  • Function Hooking Basics
  • LKH Details
  • Conclusion

3
Introduction
  • What is a function hook?
  • Security aspects
  • Background

4
What is a Function Hook?
  • Intercepts the normal flow of execution from a
    system function
  • Many legitimate uses:
      • Debugging
      • Patching
      • Logging/Profiling
  • Abuse

5
Security Concerns
  • Trusted system functions can be intercepted and
    replaced/modified
  • Many rootkits use function call hooking to:
      • Hide processes
      • Hide files
      • Propagate

6
Background
  • Originally made public in 1999 by Silvio Cesare
  • Modified the first 5 bytes of the function
  • Used to keep certain processes from being
    accounted for (rootkit)

7
Function Hooking Basics
  • Assembler Intensive
  • What really is function hooking?
  • Things to remember

8
Assembly Usage in Hooking
  • Depends on function memory addresses
  • Depends on stack setup and maintenance
  • Relies on the standard C calling convention:
      • EAX holds the return value
      • ESP is the stack pointer
      • EBP is the frame pointer (base of the current
        stack frame; arguments sit at positive offsets
        from it)
      • Others too...

9
What really is function hooking?
  • Modification of the original function's entry point
    at runtime so that it transfers control to our
    function
  • Preprocessing the stack
  • Modification of parameters via callbacks
  • Resetting the entry point of the original function

10
Things to Remember...
  • Frame pointer usage/non-usage (the victim may have
    been compiled without one)
  • Code must be position independent
  • Must be able to call the original function
  • EAX must hold the correct (or seemingly correct)
    return value
  • Parameter access after the original function returns

11
LKH Details
  • Installation of function hook
  • Stack setup
  • Return addresses
  • Hooking code

12
Installation of Function Hook
  • Overwrite the first seven bytes of the victim
    function with an indirect jump to our function
  • Save the original function bytes and original
    function address

13
Stack Setup
  • Set up stack information so that callback functions
    can access the parameters
  • Reserve space for the callback functions (initialized
    with NOPs)
  • Each callback is five bytes: call func_addr
  • Reset the stack (add $0x04, %esp)
  • NOTE: the original function's stack frame is
    still overwritten

14
Return Addresses
  • EAX is loaded with the address of our hooking code
  • The caller's return address (the saved instruction
    pointer on the stack) is saved
  • The original return value is preserved in EAX
  • The return address on the stack is rewritten so the
    original function returns into our code, just after
    the saved instruction pointer
  • Control then returns to the original function for
    cleanup

15
Hooking Code: The Hook
  • movl $evil_func_addr, %eax    (B8 imm32: 5 bytes)
  • jmp *%eax                      (FF E0: 2 bytes)
  • Total size: 7 bytes

16
Hooking Code: Reset to Original
  • pusha
  • movl $0x00000000, %esi   (patched at runtime: address of
    the saved bytes, the copy source)
  • movl $0x00000000, %edi   (patched at runtime: address of
    the original function, the copy destination)
  • push %ds
  • pop %es                  (movs copies from DS:ESI to ES:EDI)
  • cld
  • xor %ecx, %ecx
  • movb $0x07, %cl
  • rep movsb                (copies the 7 saved bytes back over
    the hook; a byte copy, since ECX counts the 7 bytes)

17
Hooking Code: hook_t Structure
  • typedef struct s_hook {
        int  addr;                 /* address of the hooked function */
        int  offset;
        char saved_bytes[7];       /* original first 7 bytes */
        char voodoo_bytes[7];
        char hook[HOOK_SIZE];
        char cache1[CACHE1_SIZE];
        char cache2[CACHE2_SIZE];
    } hook_t;
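The install and restore flow of slides 12 to 17, as an added example written for this page (it is not LKH's code from the Phrack article): it encodes the 7-byte movl/jmp stub and the 5-byte call used for the callback slots, saves the victim's original bytes into a cut-down hook_t (only the fields the example needs), restores them, and decodes where each stub lands. Everything operates on a constructed byte buffer that stands in for a function body, so nothing is executed and it runs on any host; the names encode_hook, encode_call, install_hook, restore_hook, hook_target and call_target, the sample prologue bytes and the 32-bit addresses are all chosen for the example, and the rep movsb restore is done with memcpy.

```c
/* Added example: IA32 7-byte hook install/restore on a simulated function body.
 * Not the LKH code; hook_t is reduced to the fields used here. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HOOK_SIZE 7   /* movl $imm32, %eax (5 bytes) + jmp *%eax (2 bytes) */
#define CALL_SIZE 5   /* call rel32 (1 opcode byte + 4 displacement bytes) */

typedef struct s_hook {
    uint32_t addr;                   /* IA32 address of the hooked function */
    uint8_t  saved_bytes[HOOK_SIZE]; /* original prologue bytes */
    uint8_t  hook[HOOK_SIZE];        /* the movl/jmp stub written over them */
} hook_t;

/* IA32 immediates and displacements are little-endian. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff);
    p[3] = (uint8_t)((v >> 24) & 0xff);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "movl $target, %eax ; jmp *%eax"  ->  B8 <imm32> FF E0 */
void encode_hook(uint32_t target, uint8_t out[HOOK_SIZE])
{
    out[0] = 0xb8;
    put_le32(out + 1, target);
    out[5] = 0xff;
    out[6] = 0xe0;
}

/* "call target"  ->  E8 <rel32>, where rel32 is relative to the address of
 * the instruction after the call (call_addr + 5). Unsigned wrap-around
 * yields the correct two's-complement displacement for backward calls. */
void encode_call(uint32_t call_addr, uint32_t target, uint8_t out[CALL_SIZE])
{
    out[0] = 0xe8;
    put_le32(out + 1, target - (call_addr + CALL_SIZE));
}

/* Slide 12: save the victim's first 7 bytes, then overwrite them with the stub.
 * 'code' is the buffer standing in for the function body at 'func_addr'. */
int install_hook(hook_t *h, uint8_t *code, size_t code_len,
                 uint32_t func_addr, uint32_t evil_addr)
{
    if (code_len < HOOK_SIZE)
        return -1;                      /* victim too short to patch safely */
    h->addr = func_addr;
    memcpy(h->saved_bytes, code, HOOK_SIZE);
    encode_hook(evil_addr, h->hook);
    memcpy(code, h->hook, HOOK_SIZE);
    return 0;
}

/* Slide 16: what the pusha/rep movsb sequence does, with memcpy instead
 * (esi = saved_bytes, edi = function address, ecx = 7). */
void restore_hook(const hook_t *h, uint8_t *code)
{
    memcpy(code, h->saved_bytes, HOOK_SIZE);
}

/* Where "jmp *%eax" lands once the stub runs; 0 if the bytes are not a stub. */
uint32_t hook_target(const uint8_t *code)
{
    if (code[0] != 0xb8 || code[5] != 0xff || code[6] != 0xe0)
        return 0;
    return get_le32(code + 1);
}

/* Destination of an E8 call located at call_addr; 0 if it is not a call. */
uint32_t call_target(uint32_t call_addr, const uint8_t *code)
{
    if (code[0] != 0xe8)
        return 0;
    return call_addr + CALL_SIZE + get_le32(code + 1);
}

/* Constructed sample body: push %ebp; mov %esp,%ebp; sub $0x10,%esp;
 * mov 0x8(%ebp),%eax; leave; ret */
static const uint8_t sample_func[] = {
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0xc9, 0xc3
};

int main(void)
{
    uint8_t code[sizeof sample_func];
    hook_t h;
    memcpy(code, sample_func, sizeof code);
    install_hook(&h, code, sizeof code, 0xc0123450u, 0xd0000000u);
    printf("stub jumps to 0x%08x\n", hook_target(code));
    restore_hook(&h, code);
    printf("restored: %s\n", memcmp(code, sample_func, sizeof code) ? "no" : "yes");
    return 0;
}
```

The rel32 arithmetic is what slide 13's "call func_addr" hides: the displacement is taken from the end of the call instruction, so a callback slot encoded for one position is wrong if the NOP area it sits in is moved, and the stub's imm32 must be patched again (as the slide 16 movl immediates are) whenever the hook is relocated.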

18
Contacts/Links
  • Newest version of LKH: http://www.devhell.com/~mayhem/projects/lkh
  • Phrack Inc.: http://www.phrack.org
  • Rootkit: http://www.rootkit.com
  • Article: http://www.phrack.org/phrack/58/p58-0x06
  • Mayhem's contact info: mayhem_at_hert.org

19
  • Questions?