Bypass User-Mode Hooks

User-mode hooks are unreliable and there are many ways to bypass them. For example, makin loads ntdll from the %temp% directory and so bypasses every hook placed in the original ntdll, but it loads a DLL, which is noisy. What about calling ntdll-level functions directly? That is better than using KernelBase and other higher-level DLLs, but those functions are still easy to hook.

Today I want to talk about another method, which I think is the hardest one to hook from user mode: reimplementing ntdll functions.

To become stealthier we need to go deeper and use undocumented functions, which makes our method dependent on the Windows version.

NOTE: Windows Version 1709 x64

We can use IDA or any other disassembler to read the original functions and rewrite them.

NtCreateFile:

[image: reimplemented NtCreateFile]

NtClose:

[image: reimplemented NtClose]

Main:

NOTE: for more stability, you can extract the index number from ntdll at runtime:

[image: ntdll]
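A detection-side counterpart, as an added example (not code from the post or from its download): every legitimate user-mode transition into the kernel on Windows goes through the stubs in ntdll.dll, so a syscall whose user-mode return address lies outside ntdll's mapped image is a strong indicator that a reimplemented stub like the one above was used. The module map, addresses and syscall numbers are constructed sample data, and the event format is an assumption (a kernel-side monitor or ETW consumer would supply the real trace).

```python
"""Flag syscalls whose user-mode origin is not ntdll.dll.

Added example, not from the original post. All addresses, sizes and
syscall numbers are constructed sample values, not real Windows data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    number: int       # syscall index used (version dependent, see NOTE above)
    return_addr: int  # user-mode address the kernel returns to


def module_for(addr, modules):
    """Name of the mapped image containing addr, or None for private memory."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_suspicious(events, modules):
    """Return (event, reason) for every syscall not issued from ntdll.dll."""
    findings = []
    for ev in events:
        origin = module_for(ev.return_addr, modules)
        if origin is None:
            findings.append((ev, "syscall from unbacked memory"))
        elif origin.lower() != "ntdll.dll":
            findings.append((ev, f"syscall from {origin}, not ntdll.dll"))
    return findings


# Constructed process memory map and trace (hypothetical values).
SAMPLE_MODULES = [
    Module("demo.exe", 0x7FF6_0000_0000, 0x10000),
    Module("ntdll.dll", 0x7FFA_1000_0000, 0x1F0000),
]
SAMPLE_EVENTS = [
    SyscallEvent(1234, 0x55, 0x7FFA_1000_D014),  # inside ntdll: benign
    SyscallEvent(1234, 0x55, 0x7FF6_0000_1A20),  # inside demo.exe: alert
    SyscallEvent(1234, 0x0F, 0x0000_0250_0000),  # private memory: alert
]

if __name__ == "__main__":
    for ev, why in find_suspicious(SAMPLE_EVENTS, SAMPLE_MODULES):
        print(f"pid={ev.pid} syscall=0x{ev.number:x} ret=0x{ev.return_addr:x}: {why}")
```

The same check can be tightened by also comparing the syscall number against the table expected for the running build, since a reimplemented stub that hard-codes an index from another version will use a number ntdll itself never issues.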

Download the source code from here.

DEMO:

[image: bypasshookdemo]

Twitter: @_qaz_qaz