IA32 Advanced Function Hooking

1

• IA32 Advanced Function Hooking
• Phrack 58, by mayhem
• Dan Austin

2
Advanced Function Hooking

• Introduction
• Function Hooking Basics
• LKH Details
• Conclusion

3
Introduction

• What is a function hook?
• Security aspects
• Background

4
What is a Function Hook?

• Intercepts the normal flow of execution from a
  system function
• Many legitamate uses
• Debugging
• Patching
• Logging/Profiling
• Abuse

5
Security Concerns

• Trusted system functions can be intercepted and
  replaced/modified
• Many rootkits use function call hooking
• Hide processes
• Hide files
• Propagation

6
Background

• Originally made public in 1999 by Silvio Cesare
• Modified first 5 bytes of function
• Used to keep certain processes from being
  accounted (rootkit)

7
Function Hooking Basics

• Assembler Intensive
• What really is function hooking?
• Things to remember

8
Assembly Usage in Hooking

• Depends on function memory addresses
• Depends on stack setup and maintenance
• C assembly standard exploitation
• EAX will hold return value
• ESP is stack pointer
• EBP is stack offset
• Others too...

9
What really is function hooking?

• Modification of original function entry address
  to our function in a runtime environment
• Preprocessing the stack
• Modification of parameters callbacks
• Resetting the entry point of the original function

10
Things to Remember...

• Frame pointer usage/non-usage
• Code must be position independent
• Must be able to call original function
• EAX must hold the correct (or seemingly correct)
  return value
• Parameter accession post function return

11
LKH Details

• Installation of function hook
• Stack setup
• Return addresses
• Hooking code

12
Installation of Function Hook

• Overwrite the first seven bytes of the victim
  function with an indirect jump to our function
• Save the original function bytes and original
  function address

13
Stack Setup

• Set stack information to allow parameter
  accession from callback functions
• Set space for callback functions (initialize with
  NOP's)
• Each callback is five bytes call func_addr
• Reset the stack (add 0x04, ESP)
• NOTE the original function's stack frame is
  still overwritten

14
Return Addresses

• EAX is written to contain our hooking code
• Instruction pointer is saved
• Old return value is saved in EAX
• New return address is modified to return just
  after the saved instruction pointer
• Control returns to original function for cleanup

15
Hooking Code The Hook

• mov evil_func_addr, EAX
• jmp EAX
• Total size 7 bytes

16
Hooking Code Reset to original

• pusha
• movl 0x00, esi patched in runtime
• movl 0x00, edi patched in runtime
• push ds
• pop es
• cld
• xor ecx ecx
• movb 0x07, cl
• rep movsl

17
Hooking Code hook_t Structure

• typedef s_hook
• int addr
• int offset
• char saved_bytes7
• char voodoo_bytes7
• char hookHOOK_SIZE
• char cache1CACHE1_SIZE
• char cache2CACHE2_SIZE
• hook_t

18
Contacts/Links

• Newest version of LKH http//www.devhell.com/may
  hem/projects/lkh
• Phrack Inc
  http//www.phrack.org
• Rootkit
  http//www.rootkit.com
• Article http//www.phrack.org/phrack/58/p58-0x06
• Mayhem's contact info mayhem_at_hert.org

19

• Questions?