In some security sandboxes, the injected DLL applies deep API hooks in user mode. Deep API hooking refers to hooks applied at a lower level (closer to the user-mode to kernel-mode transition) than the documented wrapper APIs.
For instance, the Sleep() and SleepEx() APIs are imported from kernel32.dll.
These APIs in turn call ZwDelayExecution, which is imported from ntdll.dll.
If we apply a hook at ZwDelayExecution, then we do not necessarily need to apply an API hook at the wrapper APIs like Sleep() and SleepEx().
Also, in some cases, viruses can bypass trivial wrapper API hooks by calling the native API imported from ntdll.dll directly.
Let us have a look at a native API like ZwDelayExecution on Win XP SP3:
0x7fff000 = address of the KUSER_SHARED_DATA structure
At offset 0x300 in the KUSER_SHARED_DATA structure, we have the pointer to SystemCallStub.
Now, the first instruction in the above native API is 0x5 bytes in size. Since we require 0x5 bytes for an inline API hook, we can place our hook there without touching any other instruction.
Let us look at ZwDelayExecution on Win 7 64-bit:
As we can see, the first instruction is 0x3 bytes and the second instruction is 0x5 bytes, so a 0x5-byte inline hook would have to span both of them. As a result, it is not trivial to place an inline hook on the native APIs on Win 7 64-bit in user mode.
This also means that most security sandboxes apply their API hooks at wrapper APIs like Sleep() or SleepEx() imported from kernelbase.dll. This makes it easier to detect and bypass API hooks on Windows 7 64-bit.
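To make the two layouts above concrete, here is an added example (my own code, not from the original post) that does two things a sandbox author or a hook-integrity checker would care about: it works out how many whole instructions a 5-byte inline hook has to displace at the start of the stub (one 5-byte instruction on the XP SP3 x86 stub, the 3-byte plus 5-byte pair on the Win 7 x64 stub), and it checks whether the first bytes of a stub still look like the unhooked ntdll syscall stub or have been replaced by a jmp/call. The byte strings are constructed from the instruction shapes described above, not dumped from any real ntdll; the syscall numbers in them are placeholders, and the decoder only knows the handful of opcodes these stubs use.

```c
/* Added example: inline-hook accounting and hook detection for ntdll syscall stubs.
 * The stub bytes are constructed to match the instruction shapes in the post:
 *   XP SP3 x86 : mov eax,imm32 / mov edx,imm32 / call [edx] / ret 8
 *   Win7 x64   : mov r10,rcx   / mov eax,imm32 / syscall    / ret
 * Syscall numbers (0x3B, 0x31) are placeholders, not taken from a specific build. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define HOOK_LEN 5  /* size of an E9 rel32 jmp, the usual inline hook */

enum arch { ARCH_X86, ARCH_X64 };

/* Constructed sample stubs. */
static const uint8_t xp_clean[] = {
    0xB8, 0x3B, 0x00, 0x00, 0x00,   /* mov eax, 3Bh      (placeholder syscall number) */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h (KUSER_SHARED_DATA + 0x300) */
    0xFF, 0x12,                     /* call dword ptr [edx]  -> SystemCallStub */
    0xC2, 0x08, 0x00 };             /* ret 8 */
static const uint8_t w7_clean[] = {
    0x4C, 0x8B, 0xD1,               /* mov r10, rcx */
    0xB8, 0x31, 0x00, 0x00, 0x00,   /* mov eax, 31h      (placeholder syscall number) */
    0x0F, 0x05,                     /* syscall */
    0xC3 };                         /* ret */
/* Same stubs with the first 5 bytes overwritten by a jmp rel32 (displacement zeroed). */
static const uint8_t xp_hooked[] = {
    0xE9, 0x00, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x08, 0x00 };
static const uint8_t w7_hooked[] = {
    0xE9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };

/* Length of the instruction at p for the small opcode set seen in these stubs
 * (plus the common hook opcodes); 0 if it cannot be decoded. */
static size_t stub_insn_len(const uint8_t *p, size_t avail, enum arch a) {
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0xB8: case 0xBA:                       /* mov r32, imm32 */
    case 0xE8: case 0xE9:                       /* call/jmp rel32 */
        return avail >= 5 ? 5 : 0;
    case 0xFF:
        if (avail >= 2 && p[1] == 0x12) return 2;   /* call [edx] */
        if (avail >= 6 && p[1] == 0x25) return 6;   /* jmp [rip+disp32] / jmp [disp32] */
        return 0;
    case 0xC2: return avail >= 3 ? 3 : 0;       /* ret imm16 */
    case 0xC3: return 1;                        /* ret */
    case 0x0F: return (avail >= 2 && p[1] == 0x05) ? 2 : 0; /* syscall */
    case 0x4C: return (a == ARCH_X64 && avail >= 3) ? 3 : 0; /* REX.WR mov r10, rcx */
    default:   return 0;
    }
}

/* Number of bytes of whole instructions that a HOOK_LEN-byte hook would
 * overwrite, i.e. what a hooking engine must copy to its trampoline.
 * Returns 0 if the bytes cannot be decoded. */
size_t bytes_to_relocate(const uint8_t *stub, size_t n, enum arch a) {
    size_t off = 0;
    while (off < HOOK_LEN) {
        size_t len = stub_insn_len(stub + off, n - off, a);
        if (len == 0) return 0;
        off += len;
    }
    return off;
}

/* 1 = stub starts with a control transfer (inline hook present),
 * 0 = the expected unhooked prologue for this architecture,
 * -1 = neither (unknown layout, worth a closer look). */
int hook_state(const uint8_t *stub, size_t n, enum arch a) {
    if (n < HOOK_LEN) return -1;
    if (stub[0] == 0xE9 || stub[0] == 0xE8 ||
        (stub[0] == 0xFF && stub[1] == 0x25)) return 1;
    if (a == ARCH_X86 && stub[0] == 0xB8) return 0;
    if (a == ARCH_X64 && stub[0] == 0x4C && stub[1] == 0x8B &&
        stub[2] == 0xD1 && stub[3] == 0xB8) return 0;
    return -1;
}

int main(void) {
    printf("XP x86 clean  : state=%d, hook displaces %zu bytes\n",
           hook_state(xp_clean, sizeof xp_clean, ARCH_X86),
           bytes_to_relocate(xp_clean, sizeof xp_clean, ARCH_X86));
    printf("Win7 x64 clean: state=%d, hook displaces %zu bytes\n",
           hook_state(w7_clean, sizeof w7_clean, ARCH_X64),
           bytes_to_relocate(w7_clean, sizeof w7_clean, ARCH_X64));
    printf("XP x86 hooked : state=%d\n", hook_state(xp_hooked, sizeof xp_hooked, ARCH_X86));
    printf("Win7 x64 hooked: state=%d\n", hook_state(w7_hooked, sizeof w7_hooked, ARCH_X64));
    return 0;
}
```

On the XP layout the hook displaces exactly one instruction (5 bytes), while on the Win 7 x64 layout it displaces 8 bytes (both instructions), which is the point the post makes about the second case being harder. The hook_state() check is the defender-side use of the same knowledge: an integrity monitor that knows the expected prologue of each syscall stub can flag a stub whose first opcode is a jmp or call, on any Windows version, without needing a disassembler.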
c0d3inj3cT