roleat

Snippet [Windows 10 x64] Hooking 64 bit ntdll.dll in WOW64 Process


WOW64 system-call path (NtOpenProcess used as the example):


OpenProcess (Kernel32.dll)

calls NtOpenProcess (32bit ntdll.dll)

calls through fs:[0xC0] (TEB32.WOW32Reserved, the far jump into wow64cpu.dll's 64-bit mode switch)

calls CpupReturnFromSimulatedCode (wow64cpu.dll)

calls TurboDispatchJumpAddressEnd (wow64cpu.dll)

calls WOW64SystemServicesEx (wow64.dll)

calls whNtOpenProcess (wow64.dll)

calls NtOpenProcess (64bit ntdll.dll) <------ We place hooks in 64 bit ntdll.dll. Every WOW64 system call — including calls that skip the 32-bit ntdll stubs and enter wow64cpu directly — is funnelled by wow64.dll's whNt* thunks into this native function, which is why a hook here sees more than a patch on the 32-bit ntdll would. Code that executes its own 64-bit `syscall` instruction still bypasses it.

Snippet:


#include "MinHook.h"
#pragma comment(lib, "libMinHook.x64.lib")
  
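// Native (64-bit) CLIENT_ID as ntdll!NtOpenProcess receives it.
//
// Both members are HANDLE-sized. The hook is installed in the 64-bit ntdll,
// and by the time the call reaches it the wow64.dll thunk in the call chain
// above (whNtOpenProcess) has already translated the caller's 32-bit
// arguments to native ones, so the struct behind ClientId carries 8-byte
// fields. The original declared two ULONGs — the 32-bit layout — which
// happened to work only because the hook never dereferences ClientId:
// UniqueProcess would read the right low dword, but UniqueThread sat at
// offset 4 instead of 8 and a filtering hook would have read garbage.
//
// void* is used instead of HANDLE so the definition carries no SDK
// dependency; HANDLE is itself a void* typedef, so the ABI is identical.
typedef struct _CLIENT_ID {
  void* UniqueProcess;  // process id, widened to pointer size
  void* UniqueThread;   // thread id; normally 0 when opening by PID alone
} CLIENT_ID, *PCLIENT_ID;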

// Subset of the SYSTEM_INFORMATION_CLASS values accepted by
// NtQuerySystemInformation. The numeric values are part of the kernel ABI
// and are therefore spelled out explicitly. For a hook that filters what a
// scanner can see, SystemProcessInformation (5) is the class that usually
// matters: it is the one that returns the process list.
//
// NOTE(review): winternl.h declares an enum with this same tag and member
// names; including it alongside this file is expected to clash.
enum _SYSTEM_INFORMATION_CLASS
{
  SystemBasicInformation                = 0,
  SystemPerformanceInformation          = 2,
  SystemTimeOfDayInformation            = 3,
  SystemProcessInformation              = 5,
  SystemProcessorPerformanceInformation = 8,
  SystemInterruptInformation            = 23,
  SystemExceptionInformation            = 33,
  SystemRegistryQuotaInformation        = 37,
  SystemLookasideInformation            = 45
};
typedef enum _SYSTEM_INFORMATION_CLASS SYSTEM_INFORMATION_CLASS;

// MEMORY_INFORMATION_CLASS values for NtQueryVirtualMemory. The original
// relied on implicit sequential numbering; the values are written out here
// because they are an ABI contract with the kernel, not an implementation
// detail, and a future insertion in the middle must not silently renumber
// the rest.
enum _MEMORY_INFORMATION_CLASS
{
  MemoryBasicInformation           = 0,
  MemoryWorkingSetInformation      = 1,
  MemoryMappedFilenameInformation  = 2,
  MemoryRegionInformation          = 3,
  MemoryWorkingSetExInformation    = 4,
  MemorySharedCommitInformation    = 5,
  MemoryImageInformation           = 6,
  MemoryRegionInformationEx        = 7,
  MemoryPrivilegedBasicInformation = 8
};
typedef enum _MEMORY_INFORMATION_CLASS MEMORY_INFORMATION_CLASS;

// Opaque pointer to the native OBJECT_ATTRIBUTES the caller built. The hook
// only forwards it, so its layout is deliberately not declared here.
typedef LPVOID POBJECT_ATTRIBUTES;

// Prototype of the native (64-bit) ntdll!NtOpenProcess that is detoured.
using NtOpenProcessPtr = NTSTATUS(NTAPI*)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);

// Trampoline to the unhooked function; MH_CreateHookApi writes it when the
// hook is created (see Initialize).
NtOpenProcessPtr _NtOpenProcess = NULL;

// Detour for NtOpenProcess. Currently a pure pass-through: it forwards every
// argument unchanged and returns the original's status. Any filtering (for
// example refusing handles to a protected PID by inspecting ClientId) would
// be inserted before the call below.
NTSTATUS NTAPI NtOpenProcess_Hook(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
  const NTSTATUS status = _NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
  return status;
}

// Prototype of the native (64-bit) ntdll!NtQuerySystemInformation.
// ReturnLength is optional and may be NULL.
using NtQuerySystemInformationPtr = NTSTATUS(NTAPI*)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength /* optional */);

// Trampoline to the unhooked function; filled in by MH_CreateHookApi.
NtQuerySystemInformationPtr _NtQuerySystemInformation = NULL;

// Detour for NtQuerySystemInformation. Pure pass-through today: the call is
// forwarded unchanged and its status returned. A body that edits the
// SystemProcessInformation buffer would go between the call and the return,
// and must cope with ReturnLength being NULL.
NTSTATUS NTAPI NtQuerySystemInformation_Hook(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength)
{
  const NTSTATUS status = _NtQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
  return status;
}

// Prototype of the native (64-bit) ntdll!NtQueryVirtualMemory. Note the
// SIZE_T/PSIZE_T length types: this is the x64 ABI, which is what a hook in
// the 64-bit ntdll must match.
using NtQueryVirtualMemoryPtr = NTSTATUS(NTAPI*)(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength);

// Trampoline to the unhooked function; filled in by MH_CreateHookApi.
NtQueryVirtualMemoryPtr _NtQueryVirtualMemory = NULL;

// Detour for NtQueryVirtualMemory. Pure pass-through: forwards all six
// arguments and returns the original's status unchanged.
NTSTATUS NTAPI NtQueryVirtualMemory_Hook(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength)
{
  const NTSTATUS status = _NtQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
  return status;
}

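// Prototype of the native (64-bit) ntdll!NtReadVirtualMemory.
//
// On x64 the byte count and the returned count are SIZE_T / PSIZE_T, not
// ULONG / PULONG as the original declared. The hook lives in the 64-bit
// ntdll, so it must use the 64-bit ABI types — the same ones the sibling
// NtQueryVirtualMemory prototype already uses. With the ULONG version a
// pass-through still worked, but any body that inspected
// NumberOfBytesToRead or wrote *NumberOfBytesRead would have truncated a
// 64-bit value to its low half.
typedef NTSTATUS(NTAPI* NtReadVirtualMemoryPtr)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead /* optional */);

// Trampoline to the unhooked function; filled in by MH_CreateHookApi.
NtReadVirtualMemoryPtr _NtReadVirtualMemory = NULL;

// Detour for NtReadVirtualMemory. Pure pass-through: forwards the call and
// returns its status. NumberOfBytesRead may be NULL; a filtering body must
// check it before writing through it.
NTSTATUS NTAPI NtReadVirtualMemory_Hook(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead)
{
  return _NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesRead);
}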

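// Installs the four ntdll hooks through MinHook.
//
// Returns true only when MinHook initialised and every hook was both created
// and enabled. On any failure MinHook is torn down again and false is
// returned, so a caller can distinguish "no hooks" from "hooks live". The
// original discarded every MH_STATUS, which made a silently missing hook
// indistinguishable from a working one. Existing callers that ignore the
// return value keep compiling.
//
// "ntdll.dll" is resolved by this 64-bit module, so it should name the
// native 64-bit ntdll (the one wow64.dll's whNt* thunks call into), not the
// 32-bit copy the application imports.
//
// NOTE(review): MinHook itself relies on kernel32 (memory-protection changes,
// thread enumeration when enabling hooks). A WOW64 process does not normally
// carry a 64-bit kernel32, so the injector has to make sure this DLL's 64-bit
// imports actually resolved — confirm on the target OS build.
bool Initialize()
{
  if (MH_Initialize() != MH_OK)
    return false;

  // One row per hook: export name in the 64-bit ntdll, the detour, and the
  // slot MinHook fills with the trampoline to the original.
  struct HookSpec
  {
    LPCSTR  name;
    LPVOID  detour;
    LPVOID* original;
  };
  const HookSpec hooks[] = {
    { "NtOpenProcess",            reinterpret_cast<LPVOID>(&NtOpenProcess_Hook),            reinterpret_cast<LPVOID*>(&_NtOpenProcess) },
    { "NtQuerySystemInformation", reinterpret_cast<LPVOID>(&NtQuerySystemInformation_Hook), reinterpret_cast<LPVOID*>(&_NtQuerySystemInformation) },
    { "NtQueryVirtualMemory",     reinterpret_cast<LPVOID>(&NtQueryVirtualMemory_Hook),     reinterpret_cast<LPVOID*>(&_NtQueryVirtualMemory) },
    { "NtReadVirtualMemory",      reinterpret_cast<LPVOID>(&NtReadVirtualMemory_Hook),      reinterpret_cast<LPVOID*>(&_NtReadVirtualMemory) },
  };

  for (const HookSpec& h : hooks)
  {
    if (MH_CreateHookApi(L"ntdll.dll", h.name, h.detour, h.original) != MH_OK)
    {
      // Nothing has been enabled yet; drop the hooks created so far.
      MH_Uninitialize();
      return false;
    }
  }

  // Rather than run with a partial hook set, tear everything down if enabling
  // fails (MH_Uninitialize disables whatever did get enabled).
  if (MH_EnableHook(MH_ALL_HOOKS) != MH_OK)
  {
    MH_Uninitialize();
    return false;
  }

  return true;
}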

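// DLL entry point.
//
// Installs the hooks when the module is mapped and removes them when it is
// unmapped by FreeLibrary (lpvReserved == NULL). On process termination
// (lpvReserved != NULL) nothing is torn down: the address space is going away
// and disabling hooks would only suspend threads for no benefit.
//
// The original never disabled or uninitialised MinHook, so a FreeLibrary of
// this DLL left ntdll's patched entry points jumping into unmapped memory.
//
// NOTE(review): MinHook's enable/disable path suspends other threads. Doing
// that while holding the loader lock inside DllMain is a known deadlock risk;
// for a sensitive target, do the work from a thread the injector creates
// after loading, or from an exported init/uninit function.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  (void)hinstDLL;

  switch (fdwReason)
  {
  case DLL_PROCESS_ATTACH:
    Initialize();
    break;

  case DLL_PROCESS_DETACH:
    if (lpvReserved == NULL)
    {
      // Dynamic unload: unpatch ntdll before our code pages disappear.
      MH_DisableHook(MH_ALL_HOOKS);
      MH_Uninitialize();
    }
    break;

  default:
    break;
  }

  return TRUE;
}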

 

 

Hooking Engine:

https://github.com/Sentinel-One/minhook

 

Inject 64 bit dll into WOW64 process:

https://github.com/yardenshafir/rewolf-wow64ext

 

 

 

 

On 21/09/2018 at 22:44, Darter said:

my boy how have you been !?  add me on discord!!

I have you on fb already no? rajan if its u lol

