Bypass User-Mode Hooks
User-mode hooks are unreliable and there are plenty of ways to bypass them. For example, ntdll from the %temp% directory and bypasses all hooks in the original ntdll, but it loads a DLL, so it's noisy. What about using ntdll-level functions? That's better than using KernelBase and other higher-level DLLs, but still easy to hook.
Today I want to talk about another method, which I think is the hardest one to hook from user mode: reimplementing
To become more stealthy we need to go deeper and use undocumented functions, which makes our methods Windows-version dependent.
NOTE: Windows Version 1709 x64
We can use IDA or any other disassembler to rewrite the functions.
NOTE: for more stability, you can extract the index number from ntdll at runtime:
Download the source code from here.