
SSDT Hooking + AV


bruno
December 4th, 2007, 16:36
Hi guys/gals,

Let's say there is an AV product that does SSDT hooks for typical things to prevent tampering (i.e. ZwDeleteKey, ZwDeleteValueKey, ZwTerminateProcess).

If ZwCreateKey is not checked and you can add registry keys, and ZwReplaceKey and ZwRestoreKey are not checked, couldn't you replace a key/value pair with bogus information and in a sense "delete" a key?

I tried finding any information on this, but as you all know, documentation on these APIs is hard to come by. I found some documentation on common ones such as CreateKey, but nothing in regards to the specifics I was looking for. Google results only seem to turn up malware examples and things that are hooked by it.

Thanks for the help

Kayaker
December 5th, 2007, 01:04
Sounds reasonable. Only one way to tell, isn't there?

If you google for the Nt equivalents, you can find the prototypes at
http://undocumented.ntinternals.net

Plus, they are all defined in ntoskrnl, so IDA + symbols exposes the entire function for NtReplaceKey, etc.

The Zw forms are in ntdll. 7FFE0300h is a pointer to the address of KiFastSystemCall or SYSENTER.

Code:

.text:7C90E34E public _ZwReplaceKey@12
.text:7C90E34E _ZwReplaceKey@12 proc near
.text:7C90E34E mov eax, 0C1h ; NtReplaceKey
.text:7C90E353 mov edx, 7FFE0300h
.text:7C90E358 call dword ptr [edx]
.text:7C90E35A retn 0Ch
.text:7C90E35A _ZwReplaceKey@12 endp
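
Decoding those stub bytes programmatically, as an added example (my code, not from the thread): it recovers the service index and argument count from a 32-bit XP-era ntdll Zw stub of the exact shape in the listing above, and returns None when the bytes no longer match that pattern (a different OS build, or a stub whose first bytes were overwritten in place), which is the check an analyst wants before trusting the index. The sample byte strings are constructed from the listing; nothing is read from a live ntdll.

```python
"""Decode 32-bit ntdll Zw* system-call stubs of the shape shown above.

The XP-era stub pattern is:
    B8 imm32      mov eax, <service index>
    BA imm32      mov edx, 7FFE0300h   ; SharedUserData system-call pointer
    FF 12         call dword ptr [edx]
    C2 imm16      retn <bytes of stack arguments>
Recovering the index and argument count from the bytes lets an analyst
map a Zw export onto the SSDT slot that an AV hook would guard.
"""
import struct
from typing import NamedTuple, Optional

SYSTEM_CALL_STUB_PTR = 0x7FFE0300  # the address the stub calls through (from the listing)


class ZwStub(NamedTuple):
    service_index: int   # value loaded into eax, i.e. the SSDT slot
    argument_bytes: int  # operand of retn
    argument_count: int  # argument_bytes / 4 on 32-bit


def decode_zw_stub(code: bytes) -> Optional[ZwStub]:
    """Return the decoded stub, or None when the bytes do not match the
    expected pattern (other OS build, or the stub was patched in place)."""
    if len(code) < 15:
        return None
    if code[0] != 0xB8 or code[5] != 0xBA or code[10:12] != b"\xff\x12" or code[12] != 0xC2:
        return None
    service_index = struct.unpack_from("<I", code, 1)[0]
    stub_ptr = struct.unpack_from("<I", code, 6)[0]
    if stub_ptr != SYSTEM_CALL_STUB_PTR:
        return None
    argument_bytes = struct.unpack_from("<H", code, 13)[0]
    if argument_bytes % 4:
        return None
    return ZwStub(service_index, argument_bytes, argument_bytes // 4)


# Constructed sample: the bytes behind the _ZwReplaceKey@12 listing above
# (mov eax, 0C1h / mov edx, 7FFE0300h / call [edx] / retn 0Ch).
ZW_REPLACE_KEY_STUB = bytes.fromhex("B8C1000000BA0003FE7FFF12C20C00")

# Constructed sample of the same stub with its first five bytes replaced
# by a relative jmp (E9 rel32), so the pattern check must reject it.
PATCHED_STUB = b"\xE9\x00\x10\x00\x00" + ZW_REPLACE_KEY_STUB[5:]

if __name__ == "__main__":
    print(decode_zw_stub(ZW_REPLACE_KEY_STUB))  # ZwStub(service_index=193, argument_bytes=12, argument_count=3)
    print(decode_zw_stub(PATCHED_STUB))         # None
```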

bruno
December 5th, 2007, 10:15
Thanks for the help!

evilcry
December 6th, 2007, 12:31
Also take a look at www.rootkit.com.

Regards,
Evilcry