Kernel mode hooking

c++ / delphi package - dll injection and api hooking
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan

Kernel mode hooking

Post by linden »

Hi, madshi, and everyone,

I ended up coming here after discovering that one of the security-related apps running in my system is loading mchInjDrv, which I found to be VERY suspicious, because it was loaded from a temporary path! (Why are you hiding your driver?)

Well, after downloading and looking at your library, I found this package to be REALLY GREAT! Now I am considering using it myself.

By the way, presently, I am looking for something that can help me to hook kernel mode APIs, i.e. the ZwXXX functions, and EVERYTHING that is exported by ntoskrnl.exe and HAL.dll. I know there is a way to hook the ZwXXX functions by patching the system service table, but this is not what I want. (Because they can be easily detected and unhooked from user mode by accessing \\device\\physicalmemory.) What I want is something that can insert a jump at the entry of the "real" ZwXXX (NtXXX) function, so I will never miss a hook. Unfortunately, I cannot find any resources on how to implement this type of hook in kernel mode.

Do you have any plan to make a kernel mode support version of madCodeHook? Or do you know of any documents or resources that describe the detour-method hooking in kernel mode?
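A defender's-side check for the "jump at entry" hooks discussed in this post, added here as an example that is not from madCodeHook or from anyone in the thread: it classifies the first bytes of exported Nt* stubs and reports entries that have been redirected by a jmp rel32, an indirect jmp or a push/ret sequence. The module base, size, hook target and export bytes are constructed sample data; the 32-bit stub shape (mov eax, service index) is an assumption about the module being scanned.

```python
import struct

MODULE_BASE = 0x7C900000   # constructed: where the scanned module is mapped
MODULE_SIZE = 0x000B0000   # constructed: size of the mapped image

def classify_entry(func_va, prologue, module_base=MODULE_BASE, module_size=MODULE_SIZE):
    """Classify the first bytes of an exported function.

    Returns (verdict, detail). jmp_rel32 / jmp_indirect / push_ret mean the
    entry has been redirected, i.e. an inline hook sits at the function entry."""
    if len(prologue) < 5:
        return ("too_short", None)
    b0, b1 = prologue[0], prologue[1]
    if b0 == 0xE9:                                   # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        target = (func_va + 5 + rel) & 0xFFFFFFFF
        inside = module_base <= target < module_base + module_size
        return ("jmp_rel32", {"target": target, "inside_module": inside})
    if b0 == 0xFF and b1 == 0x25:                    # jmp dword ptr [imm32]
        if len(prologue) < 6:
            return ("too_short", None)
        return ("jmp_indirect", {"pointer": struct.unpack_from("<I", prologue, 2)[0]})
    if b0 == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:  # push imm32; ret
        return ("push_ret", {"target": struct.unpack_from("<I", prologue, 1)[0]})
    if b0 == 0xB8:                                   # mov eax, imm32: untouched Nt* stub (assumed shape)
        return ("clean_syscall_stub", {"service_index": struct.unpack_from("<I", prologue, 1)[0]})
    return ("unknown", None)

def scan_exports(exports, module_base=MODULE_BASE, module_size=MODULE_SIZE):
    """exports: {name: (function VA, first bytes)}. Returns only the redirected entries."""
    hooked = {}
    for name, (va, prologue) in exports.items():
        verdict, detail = classify_entry(va, prologue, module_base, module_size)
        if verdict in ("jmp_rel32", "jmp_indirect", "push_ret"):
            hooked[name] = (verdict, detail)
    return hooked

# Constructed sample exports, not read from a real ntdll.dll:
HOOK_TARGET = 0x10001000   # constructed address outside the scanned image
SAMPLE_EXPORTS = {
    # untouched stub: mov eax, 7Ah ; mov edx, 7FFE0300h ...
    "NtOpenProcess": (MODULE_BASE + 0x1000, bytes([0xB8, 0x7A, 0, 0, 0, 0xBA, 0x00, 0x03, 0xFE, 0x7F])),
    # entry overwritten with jmp rel32 to HOOK_TARGET
    "NtCreateFile": (MODULE_BASE + 0x2000, b"\xE9" + struct.pack("<i", HOOK_TARGET - (MODULE_BASE + 0x2000 + 5)) + b"\x90" * 3),
    # entry overwritten with push HOOK_TARGET ; ret
    "NtQuerySystemInformation": (MODULE_BASE + 0x3000, b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xC3"),
}

if __name__ == "__main__":
    for name, (verdict, detail) in scan_exports(SAMPLE_EXPORTS).items():
        print(f"{name}: {verdict} {detail}")
```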
Runner
Posts: 90
Joined: Tue Dec 14, 2004 1:04 pm

Post by Runner »

You cannot use madCodeHook in kernel mode. But you can still hook all of the Nt... and Zw... APIs. Just hook them in the ntdll.dll library where they are exported to the user world. There you can hook them the same way as hooking any other Win32 API call.

Hope this helps.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Re: Kernel mode hooking

Post by nildo »

linden wrote:
Hi, madshi, and everyone,

I ended up coming here after discovering that one of the security-related apps running in my system is loading mchInjDrv, which I found to be VERY suspicious, because it was loaded from a temporary path! (Why are you hiding your driver?)

I think he uses this driver for detecting new executions under WinNT (& injecting) for system-wide hooks.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: Kernel mode hooking

Post by madshi »

linden wrote:
Why are you hiding your driver?

Simply to make life easy for you programmers. You call InjectLibrary, and that madCodeHook uses a driver for that internally is something you can forget about.

linden wrote:
Do you have any plan to make a kernel mode support version of madCodeHook? Or do you know of any documents or resources that describe the detour-method hooking in kernel mode?

I've no plans for that. If you want to do real kernel mode hooking, perhaps EliCZ's kernel mode hooking library is of use for you?