Hooking via InstrumentationCallback
I want to write about a very interesting epilogue hooking method presented by Alex Ionescu at
An epilogue detour allows for post-processing. They are useful for filtering output parameters once an original routine has performed its duties.
I know it's not a new technique, but I found it very interesting; also, all the POC code I found crashes.
I tried to create a POC which does not crash (at least for me) and ends normally (by the way, it's an EXE, not a DLL).
The KPROCESS structure contains a field called InstrumentationCallback. On Windows Vista and later you can specify a callback address in this field, and the callback will be called each time any function returns from kernel mode to user mode.
One way to specify the callback address is by using a driver, but as it turns out there is a much easier way: the NtSetInformationProcess API from user mode, without any special privileges. We just need to pass the correct structures and that's all.
There is a pitfall: we have to use assembly inside our code for the callback function, because we need to deal with the registers directly (on entry the kernel has placed the original return address in R10 and the return value in RAX, and both must reach the original code untouched).
That's all :) Works on Windows 10 v1709 x64.
You can get the POC code from GitHub.
My twitter: @_qaz_qaz