Botnets - The killer web applications

Figure 10.5 Extract of CreateFileA from kernel32.dll, without and with hook
(light gray box: the bytes overwritten by the JMP; dark gray box: unmodified
bytes; (1), (2), (3): control flow once the hook is installed)

Kernel32.dll - CreateFileA (*without* Hook):
  77E8C1F7  PUSH ebp                 \
  77E8C1F8  MOV ebp, esp              | light gray: overwritten at hook installation
  77E8C1FA  PUSH SS:[ebp+8]          /
  77E8C1FD  CALL +$0000d265          \
  77E8C202  TEST eax, eax             | dark gray: not modified
  77E8C1FD  JNZ +$05                  |
  ...                                 |
  77E8C226  RET                      /

Kernel32.dll - CreateFileA (*with* Hook):
  77E8C1F7  JMP [CreateFileA-Hook]   --(1)--> hook function
  77E8C1FD  CALL +$0000d265          <--(3)-- SavedStub jumps back here
  77E8C202  TEST eax, eax
  77E8C1FD  JNZ +$05
  ...
  77E8C226  RET

Application - CreateFileA-SavedStub (the saved light gray bytes; executed (2) when the hook calls the original API):
  21700000  PUSH ebp
  21700001  MOV ebp, esp
  21700003  PUSH SS:[ebp+8]
  21700006  JMP $77E8C1FD            --(3)--> first unmodified instruction of CreateFileA
427_Botnet_10.qxd 1/9/07 3:06 PM Page 357


reside in the virtual memory of the calling process. Accordingly, cwmonitor.dll is able to locate these functions in memory, either by using the API function GetProcAddress or by manually parsing the export address table (EAT) of the Windows DLL module that contains them. To catch all calls to a particular function, a JMP instruction is written over the first instructions at its code location. This JMP reroutes execution to a customized hook function.

As an example, Figure 10.5 shows an extract of the CreateFileA function from kernel32.dll, which opens an existing file or creates a new one. The upper part of the figure shows the original, unmodified version of the function. The first three instructions are displayed in a light gray box, the following ones in a dark gray box. The instructions in the light gray box are the ones that are overwritten by the JMP when the hook is installed. In the lower part of the figure the first light gray box is missing entirely, because it has been overwritten; the bytes in the dark gray box are not modified at all. At hook installation, before the leading bytes of the function are overwritten, they have to be saved to another memory location, because they are needed later to execute the original API function. The lowest box of the figure shows these bytes copied to a location called SavedStub. (This plain copy is only correct because the displaced instructions are position-independent; a relative CALL or JMP among them would have to be re-encoded for its new address.) From then on, each time CreateFileA is called, the JMP is executed first and control is transferred (1) to the hook function (the middle box of the lower part of the figure). If the hook function wants to call the original API, it executes the SavedStub (2), which runs the saved instructions and then transfers control (3) back into the original function, where the unmodified instructions from the dark gray box are executed. This form of API hooking is the most effective and convenient one that can be done from user mode. But because it is detectable by the malware application, coming releases of CWSandbox will use some form of kernel mode hooking. It is also possible for an application to bypass the Windows API functions entirely and issue the relevant system calls directly. That technique is hard and laborious to implement, so it is usually not done in malware.
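The following is an added example, not code from the book or from CWSandbox, that models the byte-level mechanics of Figure 10.5 on a constructed copy of the function bytes. It hand-assembles the 32-bit prologue shown in the figure (push ebp; mov ebp,esp; push dword [ebp+8]; call; test), installs the 6-byte JMP [hook-pointer] over it, builds the SavedStub with a JMP back to the first untouched instruction, and then runs the check the text says malware can perform: comparing the in-memory prologue with the on-disk copy. Assumptions: the SavedStub address 21700000 is taken from the figure; the hook pointer cell at 0x10001000 is hypothetical; the instruction-length table covers only the opcodes in this prologue (a real hook engine needs a full length-disassembler); nothing here executes the patched bytes.

```c
/* Constructed, 32-bit x86 byte-level model of the inline hook in Figure 10.5.
   Added example; nothing here executes code, it only builds and inspects bytes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define API_VA        0x77E8C1F7u   /* kernel32!CreateFileA, as in the figure */
#define STUB_VA       0x21700000u   /* SavedStub location, as in the figure */
#define HOOK_CELL_VA  0x10001000u   /* assumed: cell holding the hook function pointer */
#define API_LEN       13u

/* Constructed on-disk image of the function start, hand-assembled:
   55 push ebp | 8B EC mov ebp,esp | FF 75 08 push dword [ebp+8] |
   E8 65 D2 00 00 call +0xd265 | 85 C0 test eax,eax */
static const uint8_t disk_image[API_LEN] = {
    0x55, 0x8B,0xEC, 0xFF,0x75,0x08, 0xE8,0x65,0xD2,0x00,0x00, 0x85,0xC0 };

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Minimal instruction-length table: only the opcodes of this prologue.
   A real hook engine needs a full length-disassembler here. */
static size_t insn_len(const uint8_t *p) {
    switch (p[0]) {
    case 0x55: return 1;                           /* push ebp */
    case 0x8B: return (p[1] >= 0xC0) ? 2 : 0;      /* mov r32, r32 */
    case 0xFF: return (p[1] == 0x75) ? 3 : 0;      /* push dword [ebp+disp8] */
    case 0xE8: return 5;                           /* call rel32 */
    case 0x85: return (p[1] >= 0xC0) ? 2 : 0;      /* test r32, r32 */
    default:   return 0;                           /* unknown: refuse to hook */
    }
}

/* Whole instructions that must be displaced to make room for a patch of
   patch_len bytes (the 5-byte JMP rel32 and the 6-byte JMP [cell] both
   displace the same 1+2+3 = 6 bytes here). Returns 0 if undecodable. */
size_t bytes_to_displace(const uint8_t *code, size_t patch_len) {
    size_t n = 0;
    while (n < patch_len) {
        size_t l = insn_len(code + n);
        if (l == 0) return 0;
        n += l;
    }
    return n;
}

/* Install the hook: copy the displaced prologue into `stub` and append a
   JMP rel32 back to the first untouched instruction (the SavedStub of the
   figure), then overwrite the function start with JMP dword ptr [hook_cell_va]
   (FF 25 imm32). Returns the number of displaced bytes, 0 on failure. */
size_t install_hook(uint8_t *code, uint32_t code_va, uint32_t hook_cell_va,
                    uint8_t *stub, uint32_t stub_va) {
    size_t n = bytes_to_displace(code, 6);
    if (n == 0 || n > 16) return 0;
    memcpy(stub, code, n);                          /* SavedStub: original bytes */
    stub[n] = 0xE9;                                 /* JMP rel32 -> code_va + n */
    put_le32(stub + n + 1, (uint32_t)((code_va + n) - (stub_va + n + 5)));
    memset(code, 0x90, n);                          /* NOP-pad any slack */
    code[0] = 0xFF; code[1] = 0x25;                 /* JMP dword ptr [cell] */
    put_le32(code + 2, hook_cell_va);
    return n;
}

/* Where the stub's trailing JMP lands: the first unmodified instruction of
   the original API (step 3 in the figure). */
uint32_t stub_resume_va(const uint8_t *stub, size_t n, uint32_t stub_va) {
    if (stub[n] != 0xE9) return 0;
    return (uint32_t)(stub_va + n + 5 + get_le32(stub + n + 1));
}

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_IND32, HOOK_OTHER_PATCH };

/* Detection from user mode: compare the live prologue with the on-disk copy
   and, on a mismatch, decode the jump to report where control is diverted
   (target = jump destination for E9, pointer-cell address for FF 25). */
enum hook_kind detect_inline_hook(const uint8_t *live, const uint8_t *disk,
                                  size_t n, uint32_t va, uint32_t *target) {
    *target = 0;
    if (memcmp(live, disk, n) == 0) return HOOK_NONE;
    if (live[0] == 0xE9) { *target = va + 5 + get_le32(live + 1); return HOOK_JMP_REL32; }
    if (live[0] == 0xFF && live[1] == 0x25) { *target = get_le32(live + 2); return HOOK_JMP_IND32; }
    return HOOK_OTHER_PATCH;
}

int main(void) {
    uint8_t live[API_LEN], stub[32];
    uint32_t target = 0;
    memcpy(live, disk_image, API_LEN);              /* "in-memory" copy to patch */
    size_t n = install_hook(live, API_VA, HOOK_CELL_VA, stub, STUB_VA);
    printf("displaced %zu bytes; SavedStub resumes at %08X\n", n, stub_resume_va(stub, n, STUB_VA));
    enum hook_kind k = detect_inline_hook(live, disk_image, API_LEN, API_VA, &target);
    printf("detector: kind=%d, diverted via %08X\n", (int)k, target);
    return 0;
}
```

The detector is the reason the text calls this technique detectable: a process that maps a pristine copy of kernel32.dll from disk and compares the first bytes of each export with the live image sees the FF 25 patch immediately, and the pointer cell it names leads straight to the monitoring DLL.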
