Deep API Hooking in Windows 7 64-bit
Sunday, August 31, 2014 | Author: Deep Flash
In some security sandboxes, the injected DLL applies deep API hooks in user mode. Deep API hooking refers to hooks placed at a lower level, closer to the user-mode to kernel-mode transition, instead of on the documented wrapper APIs.

For instance, the Sleep() and SleepEx() APIs are imported from kernel32.dll.

These APIs in turn call ZwDelayExecution, which is imported from ntdll.dll.

If we apply a hook at ZwDelayExecution, we do not necessarily need to hook the wrapper APIs like Sleep() and SleepEx(): every path through the wrappers ends up in the native API.

Also, in some cases viruses bypass trivial wrapper API hooks by calling the native API imported from ntdll.dll directly, which a hook on the native API still catches.

Let us have a look at a native API like ZwDelayExecution on Win XP SP3:

0x7fff000 = address of KUSER_SHARED_DATA structure
At offset 0x300 in the KUSER_SHARED_DATA structure, we have the pointer to SystemCallStub.

Now, the first instruction in the above native API is 0x5 bytes long. Since an inline API hook requires 0x5 bytes, we can place the hook there without splitting an instruction.

Let us look at ZwDelayExecution on Win 7 64-bit:

As we can see, the first instruction is 0x3 bytes and the second instruction is 0x5 bytes, so a 0x5-byte hook written at the start of the function would overwrite the first instruction and part of the second. As a result, placing an inline hook on the native APIs in user mode on Win 7 64-bit is not trivial.

This also means that most security sandboxes apply their API hooks at wrapper APIs like Sleep() or SleepEx() imported from kernelbase.dll, which makes those hooks easier to detect and bypass on Windows 7 64-bit.
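As an added example, not code from the original post, the following C program reproduces the instruction-size reasoning above from the hooking engine's side: a minimal length decoder for the encodings that occur in the two stubs, and a function that computes how many whole instructions must be copied to a trampoline before a jump of a given size (5 bytes for E9 rel32, 14 bytes for an x64 absolute jmp through memory) can be written at the function start. The stub bytes are constructed from the disassembly the post describes; the syscall numbers inside them are illustrative and not taken from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed copies of the two prologues discussed in the post.
 * The syscall numbers (0x3B, 0x31) are illustrative placeholders. */
const uint8_t xp_x86_stub[] = {
    0xB8, 0x3B, 0x00, 0x00, 0x00,  /* mov eax, 3Bh          (5 bytes) */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,  /* mov edx, 7FFE0300h    (5 bytes) KUSER_SHARED_DATA+0x300 */
    0xFF, 0x12,                    /* call dword ptr [edx]  (2 bytes) */
    0xC2, 0x08, 0x00               /* ret 8                 (3 bytes) */
};
const uint8_t win7_x64_stub[] = {
    0x4C, 0x8B, 0xD1,              /* mov r10, rcx          (3 bytes) */
    0xB8, 0x31, 0x00, 0x00, 0x00,  /* mov eax, 31h          (5 bytes) */
    0x0F, 0x05,                    /* syscall               (2 bytes) */
    0xC3                           /* ret                   (1 byte)  */
};

/* A decoded instruction: its length and whether it transfers control. */
typedef struct { size_t len; int transfers_control; } insn_t;

/* Minimal length decoder for the handful of encodings found in ntdll syscall
 * stubs (x86 XP and x64 Win7). Anything else yields len == 0 ("unknown"),
 * which the caller treats as "cannot hook safely". The REX check is only
 * valid for x64 code; x86 stubs never start with a 0x40..0x4F byte. */
insn_t decode_stub_insn(const uint8_t *p, size_t avail)
{
    insn_t r = { 0, 0 };
    size_t i = 0;
    if (avail == 0) return r;
    if (p[i] >= 0x40 && p[i] <= 0x4F) {            /* REX prefix */
        if (++i >= avail) return r;
    }
    uint8_t op = p[i++];
    if (op == 0x90 || op == 0xC3) {                /* nop / ret */
        r.len = i; r.transfers_control = (op == 0xC3); return r;
    }
    if (op == 0xC2 && i + 2 <= avail) {            /* ret imm16 */
        r.len = i + 2; r.transfers_control = 1; return r;
    }
    if (op == 0x0F && i < avail && p[i] == 0x05) { /* syscall */
        r.len = i + 1; r.transfers_control = 1; return r;
    }
    if (op == 0x8B && i < avail && (p[i] & 0xC0) == 0xC0) { /* mov reg, reg (mod == 3) */
        r.len = i + 1; return r;
    }
    if (op >= 0xB8 && op <= 0xBF && i + 4 <= avail) {       /* mov r32, imm32 */
        r.len = i + 4; return r;
    }
    if (op == 0xFF && i < avail) {                 /* call r/m (FF /2) or jmp r/m (FF /4) */
        uint8_t modrm = p[i], mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        if (reg != 2 && reg != 4) return r;
        if (mod == 0 && rm != 4 && rm != 5) { r.len = i + 1; r.transfers_control = 1; }
        else if (mod == 0 && rm == 5 && i + 5 <= avail) { r.len = i + 5; r.transfers_control = 1; }
        return r;
    }
    return r;
}

/* Number of bytes a hooking engine must relocate to its trampoline so that a
 * `needed`-byte jump overwrites only whole instructions. Returns 0 when that
 * is not possible with this decoder: an unknown encoding, or a control
 * transfer (ret/syscall/call/jmp) that would have to be moved and rewritten. */
size_t hook_steal_len(const uint8_t *code, size_t len, size_t needed)
{
    size_t off = 0;
    while (off < needed) {
        insn_t in = decode_stub_insn(code + off, len - off);
        if (in.len == 0 || in.transfers_control) return 0;
        off += in.len;
    }
    return off;
}

int main(void)
{
    printf("XP x86 stub, 5-byte hook: relocate %zu bytes\n",
           hook_steal_len(xp_x86_stub, sizeof xp_x86_stub, 5));
    printf("Win7 x64 stub, 5-byte hook: relocate %zu bytes\n",
           hook_steal_len(win7_x64_stub, sizeof win7_x64_stub, 5));
    printf("Win7 x64 stub, 14-byte hook: relocate %zu bytes (0 = not possible)\n",
           hook_steal_len(win7_x64_stub, sizeof win7_x64_stub, 14));
    return 0;
}
```

On the XP stub the first instruction alone covers the 5 bytes, so nothing beyond it is disturbed; on the Win7 x64 stub the engine has to relocate both the 3-byte `mov r10, rcx` and the 5-byte `mov eax, imm32` (8 bytes) and emit them in the trampoline before jumping back, and a 14-byte absolute jump cannot be placed at all without also moving the `syscall`, which is the situation the post calls non-trivial.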

c0d3inj3cT
API Redirection on Windows 7
Sunday, August 31, 2014 | Author: Deep Flash
On Windows 7 (32-bit and 64-bit), a new module called kernelbase.dll was added. What is its purpose?

If we check the APIs exported by kernel32.dll, we can see an API redirection performed by the operating system.

Calls to APIs imported from kernel32.dll are redirected to kernelbase.dll

Let us have a look at it in a debugger (windbg).

Open a new process (notepad.exe) and attach windbg to it:

Below is the default list of loaded modules for notepad.exe:

We can see an extra module, kernelbase.dll, loaded along with notepad.exe.

Let us check the prologue of a function imported from kernel32.dll; for instance, Sleep():

We can see that the first instruction in the prologue of Sleep() is a jmp, followed by a sequence of nop instructions:

jmp     qword ptr [kernel32!_imp_Sleep (00000000`7745d7a0)]

This redirects control flow to kernelbase.dll as shown below:

This in turn redirects control flow to SleepEx in kernelbase.dll.

Why do we need to know this?

Most security sandboxes used to analyze viruses inject DLLs into the process being analyzed. The injected DLL performs API hooking in order to log the activities of the virus. It is common for sandboxes to place inline hooks on APIs imported from kernel32.dll. However, as we saw above, on Windows 7 (32-bit and 64-bit) it is better to place the API hook directly at kernelbase.dll, since the kernel32.dll export is only a jmp thunk into it.
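Added example, not part of the original post: a C program that follows `jmp [mem]` thunks like the one shown above, so a hooking engine can hook the real implementation instead of the kernel32.dll forwarder. The memory layout is constructed: the `_imp_Sleep` slot address 0x7745d7a0 is taken from the post, while the kernel32 and kernelbase code addresses and the bytes at them are assumptions. The resolver also handles the 32-bit form of the same thunk, where the FF 25 operand is an absolute address rather than RIP-relative and the slot holds a 4-byte pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A mapped byte range and the module it belongs to. Every region below is a
 * constructed stand-in for real module memory. */
typedef struct {
    const char *module;
    uint64_t base;
    const uint8_t *bytes;
    size_t size;
} region_t;

/* x64 layout. Only the IAT slot address 0x7745d7a0 comes from the post. */
static const uint8_t k32_sleep_x64[] = {
    0xFF, 0x25, 0x9A, 0xC7, 0x00, 0x00,  /* jmp qword ptr [rip+0xC79A] -> 0x7745d7a0 */
    0x90, 0x90, 0x90, 0x90, 0x90         /* nop padding, as in the post */
};
static const uint8_t imp_sleep_x64[] = { /* _imp_Sleep: 8-byte pointer into kernelbase (assumed value) */
    0x90, 0x1F, 0x2C, 0xFD, 0xFE, 0x07, 0x00, 0x00   /* 0x000007FEFD2C1F90 */
};
static const uint8_t kb_sleep_x64[] = { 0x48, 0x83, 0xEC, 0x28 }; /* sub rsp, 28h (assumed body) */

static const region_t x64_regions[] = {
    { "kernel32.dll",   0x0000000077451000ULL, k32_sleep_x64, sizeof k32_sleep_x64 },
    { "kernel32.dll",   0x000000007745D7A0ULL, imp_sleep_x64, sizeof imp_sleep_x64 },
    { "kernelbase.dll", 0x000007FEFD2C1F90ULL, kb_sleep_x64,  sizeof kb_sleep_x64  },
};

/* x86 layout (all addresses assumed): absolute operand, 4-byte slot. */
static const uint8_t k32_sleep_x86[] = { 0xFF, 0x25, 0xA0, 0xD7, 0xE0, 0x75 }; /* jmp dword ptr [75E0D7A0h] */
static const uint8_t imp_sleep_x86[] = { 0x20, 0x1A, 0xF7, 0x75 };             /* -> 0x75F71A20 */
static const uint8_t kb_sleep_x86[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };        /* mov edi,edi; push ebp; mov ebp,esp */

static const region_t x86_regions[] = {
    { "kernel32.dll",   0x75E01000ULL, k32_sleep_x86, sizeof k32_sleep_x86 },
    { "kernel32.dll",   0x75E0D7A0ULL, imp_sleep_x86, sizeof imp_sleep_x86 },
    { "kernelbase.dll", 0x75F71A20ULL, kb_sleep_x86,  sizeof kb_sleep_x86  },
};

const region_t *layout_x64(size_t *count) { *count = 3; return x64_regions; }
const region_t *layout_x86(size_t *count) { *count = 3; return x86_regions; }

static const region_t *find_region(const region_t *regs, size_t n, uint64_t addr, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= regs[i].base && addr + len <= regs[i].base + regs[i].size)
            return &regs[i];
    return NULL;
}

/* Read `len` bytes (1..8) as a little-endian integer; 0 if unmapped. */
static int read_le(const region_t *regs, size_t n, uint64_t addr, size_t len, uint64_t *out)
{
    const region_t *r = find_region(regs, n, addr, len);
    if (!r) return 0;
    uint64_t v = 0;
    for (size_t i = 0; i < len; i++)
        v |= (uint64_t)r->bytes[addr - r->base + i] << (8 * i);
    *out = v;
    return 1;
}

/* Follow FF 25 (jmp [mem]) thunks until a non-thunk instruction is reached.
 * ptr_size is 8 for x64 (RIP-relative operand) or 4 for x86 (absolute).
 * Returns the final address and names its module, or 0 on an unmapped read. */
uint64_t resolve_thunks(const region_t *regs, size_t n, uint64_t addr,
                        int ptr_size, const char **module_out)
{
    for (int hop = 0; hop < 8; hop++) {
        uint64_t op, operand, slot, target;
        if (!read_le(regs, n, addr, 2, &op)) return 0;
        if (op != 0x25FF) break;                 /* bytes FF 25 read little-endian */
        if (!read_le(regs, n, addr + 2, 4, &operand)) return 0;
        slot = (ptr_size == 8) ? addr + 6 + (int64_t)(int32_t)(uint32_t)operand : operand;
        if (!read_le(regs, n, slot, (size_t)ptr_size, &target)) return 0;
        addr = target;
    }
    const region_t *r = find_region(regs, n, addr, 1);
    if (!r) return 0;
    if (module_out) *module_out = r->module;
    return addr;
}

int main(void)
{
    size_t n; const char *mod = "?";
    const region_t *r = layout_x64(&n);
    uint64_t t = resolve_thunks(r, n, r[0].base, 8, &mod);
    printf("x64: kernel32!Sleep -> %s+0x%llx\n", mod, (unsigned long long)(t - r[2].base));
    return 0;
}
```

A sandbox that resolves `Sleep` through this step and places its inline hook at the returned kernelbase.dll address sees both the kernel32 path and direct callers of the kernelbase export; hooking the six-byte thunk in kernel32.dll would miss the latter and would also have to cope with the thunk being nothing but a single jmp.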

c0d3inj3cT