cd ../$RANDOM

Hooking via InstrumentationCallback


I want to write about a very interesting epilogue hooking method presented by Alex Ionescu at REcon 2015.

An epilogue detour allows for post-processing: it is useful for filtering output parameters once the original routine has performed its duties.

I know it’s not a new technique, but I found it very interesting; also, all the PoC code I found crashes.

I tried to create a PoC which does not crash (at least for me) and exits normally (by the way, it’s an EXE, not a DLL).

The KPROCESS structure contains a field called InstrumentationCallback at offset 0x2c8.

On Windows Vista and later, you can specify a callback address using the InstrumentationCallback field, and the callback will be called each time a function returns from kernel mode to user mode.

One way to specify the callback address is by using a driver, but as it turns out there is a much easier way: the NtSetInformationProcess API can be called from user mode without any special privileges. We just need to pass the correct structures, and that’s all.

There is a pitfall: we have to write the callback function in assembly, because we need to deal with registers directly.

That’s all :) Works on Windows 10 v1709 x64

You can get the PoC code from GitHub.
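Because the callback is installed with a single NtSetInformationProcess call, that call is a useful thing to watch for in API-call telemetry. The following is an added example, not part of the original post or its PoC: it assumes a hypothetical sensor that emits one JSON event per call, a constructed module map per process, and the information class value 40 (ProcessInstrumentationCallback).

```python
import json

# PROCESSINFOCLASS value for ProcessInstrumentationCallback (0x28).
PROCESS_INSTRUMENTATION_CALLBACK = 40

# Constructed telemetry from a hypothetical API-call sensor (one JSON event per line).
SAMPLE_TRACE = """
{"pid": 4120, "target_pid": 4120, "api": "NtSetInformationProcess", "info_class": 40, "callback": "0x7ff6a1b21040"}
{"pid": 4120, "target_pid": 4120, "api": "NtSetInformationProcess", "info_class": 34}
{"pid": 5332, "target_pid": 5332, "api": "NtSetInformationProcess", "info_class": 40, "callback": "0x1f4c0000"}
{"pid": 5332, "target_pid": 5332, "api": "NtSetInformationProcess", "info_class": 40, "callback": "0x0"}
{"pid": 6008, "target_pid": 7716, "api": "NtSetInformationProcess", "info_class": 40, "callback": "0x7ffb10003000"}
"""

# Constructed module map: target pid -> [(image name, base address, size)].
MODULES = {
    4120: [("poc.exe", 0x7FF6A1B20000, 0x8000)],
    5332: [("app.exe", 0x7FF7C0000000, 0x20000)],
    7716: [("notepad.exe", 0x7FF6F0000000, 0x38000),
           ("helper.dll", 0x7FFB10000000, 0x10000)],
}

def backing_module(pid, addr):
    """Return the image whose address range contains addr, or None."""
    for name, base, size in MODULES.get(pid, []):
        if base <= addr < base + size:
            return name
    return None

def analyze(trace):
    """Tag every event that sets or clears an instrumentation callback."""
    findings = []
    for line in trace.strip().splitlines():
        ev = json.loads(line)
        if (ev.get("api") != "NtSetInformationProcess"
                or ev.get("info_class") != PROCESS_INSTRUMENTATION_CALLBACK):
            continue
        addr = int(ev["callback"], 16)
        if addr == 0:
            tags = ["callback-cleared"]  # null pointer: treated here as removal
        else:
            module = backing_module(ev["target_pid"], addr)
            # Heuristic (assumption): a callback outside every loaded image is suspicious.
            tags = [f"backed-by:{module}" if module else "unbacked-callback"]
        if ev["pid"] != ev["target_pid"]:
            tags.append("cross-process")
        findings.append((ev["pid"], ev["target_pid"], hex(addr), tags))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRACE):
        print(finding)
```
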


My twitter: @_qaz_qaz