On Windows 7 (32-bit and 64-bit), a new module called Kernelbase.dll was added. What is the purpose of it?
If we check the APIs exported by kernel32.dll, we can see an API redirection performed by the Operating System.
Calls to APIs imported from kernel32.dll are redirected to kernelbase.dll.
Let us have a look at it in a debugger (windbg).
Open a new process (notepad.exe) and attach windbg to it:
Below is the default list of loaded modules for notepad.exe.
We can see an extra module called kernelbase.dll loaded along with notepad.exe.
Let us check the API prolog of a function imported from kernel32.dll. For instance, Sleep() is a function imported from kernel32.dll.
We can see that the first instruction at the API prolog of Sleep() is a jmp instruction followed by a sequence of nop instructions.
jmp qword ptr [kernel32!_imp_Sleep (00000000`7745d7a0)]
This will redirect the control flow to kernelbase.dll as shown below:
This will in turn redirect the control flow to SleepEx in kernelbase.dll.
Why do we need to know this?
Most security sandboxes used to analyze viruses inject a DLL into the process being analyzed. The injected DLL performs API hooking in order to log the activities performed by the virus. It is common for sandboxes to place inline hooks on APIs imported from kernel32.dll. However, as we can see above, on Windows 7 (32-bit and 64-bit) it is better to place the API hook directly in kernelbase.dll, since that is where the call actually lands.
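The practical consequence for anyone maintaining an API monitor is to follow the forwarding jmp and hook where the call really lands. The following is an added example written for this post, not the author's code: it decodes the "FF 25 disp32" jmp seen in the windbg output above against a constructed memory snapshot. The slot address is kernel32!_imp_Sleep from the page; the stub and kernelbase addresses are placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Memory snapshot as a set of regions; constructed in-process for the example
 * instead of being read out of a live notepad.exe. */
typedef struct { uint64_t va; const uint8_t *bytes; size_t len; } region_t;

static int read_mem(const region_t *r, size_t nr, uint64_t va, void *dst, size_t n) {
    for (size_t i = 0; i < nr; i++)
        if (va >= r[i].va && va + n <= r[i].va + r[i].len) {
            memcpy(dst, r[i].bytes + (va - r[i].va), n);
            return 1;
        }
    return 0;   /* address not covered by the snapshot */
}

/* 'FF 25 disp32' at an export's first instruction is the forwarding jmp from
 * the windbg output: jmp qword ptr [rip+disp32] on x64, jmp dword ptr [abs32]
 * on x86. Returns the import slot the jmp dereferences, or 0 if not that jmp. */
uint64_t stub_slot(const region_t *r, size_t nr, uint64_t va, int x64) {
    uint8_t op[6]; uint32_t disp;
    if (!read_mem(r, nr, va, op, sizeof op) || op[0] != 0xFF || op[1] != 0x25)
        return 0;
    memcpy(&disp, op + 2, sizeof disp);
    return x64 ? va + 6 + (uint64_t)(int64_t)(int32_t)disp : (uint64_t)disp;
}

/* Reads the slot: the address a call really lands on, i.e. where an inline
 * hook has to sit if it is to observe every caller of the export. */
uint64_t stub_target(const region_t *r, size_t nr, uint64_t va, int x64) {
    uint64_t slot = stub_slot(r, nr, va, x64), t64 = 0; uint32_t t32 = 0;
    if (!slot) return 0;
    if (x64) return read_mem(r, nr, slot, &t64, sizeof t64) ? t64 : 0;
    return read_mem(r, nr, slot, &t32, sizeof t32) ? t32 : 0;
}

/* Constructed x64 layout. SLOT_VA is kernel32!_imp_Sleep from the page's windbg
 * output; STUB_VA (kernel32!Sleep) and KB_VA (kernelbase) are placeholders. */
#define STUB_VA 0x0000000077451000ULL
#define SLOT_VA 0x000000007745D7A0ULL
#define KB_VA   0x000007FEFD0A1230ULL
static const uint8_t stub_x64[] = { 0xFF, 0x25, 0x9A, 0xC7, 0x00, 0x00, /* disp32 = SLOT_VA-(STUB_VA+6) */
                                    0x90, 0x90, 0x90, 0x90 };           /* nop padding after the jmp */
static const uint8_t slot_x64[] = { 0x30, 0x12, 0x0A, 0xFD, 0xFE, 0x07, 0x00, 0x00 }; /* KB_VA, LE */

/* Where does a call to kernel32!Sleep really go? Returns KB_VA for the snapshot. */
uint64_t resolve_sleep_x64(void) {
    region_t r[] = { { STUB_VA, stub_x64, sizeof stub_x64 }, { SLOT_VA, slot_x64, sizeof slot_x64 } };
    return stub_target(r, 2, STUB_VA, 1);
}
```

On a real Windows 7 process the same decoder would be fed bytes read from the target with ReadProcessMemory, and a hook placed at the resolved address rather than at the kernel32 export.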
c0d3inj3cT