Shady shenanigans collection

Kernel hooking/exploitation

HOW TO HOOK WIN32 API WITH KERNEL PATCHING

This post is about SSDT patching to perform API hooking within the kernel instead of the classic user mode hooking using remote threads and things like that.

SSDT hooking is as far as I know the lowest level technique to replace/hook/intercept/whatever API and for this reason has been used for years both by malwares writers and AV vendors.

Hooking the kernel directly

Sometimes, we run into a situation when we badly need to hook some kernel function, but are unable to do it via conventional PE-based hooking. This article explains how kernel functions can be directly hooked. As a sample project, we are going to present a removable USB storage device as a basic disk to the system, so that we can create and manage multiple partitions on it (for this or that reason, Windows does not either allow or recognize multiple partitions on removable storage devices, so we are going to cheat the system). On this particular occasion, we will hook only one function, but the approach described in this article can be extended to handle multiple functions (for example, one of my projects required direct hooking of quite a few functions from the NDIS library). You should clearly realize that this article is about direct hooking and not about dealing with USB storage, so please don't tell me that the sample problem may have been solved differently.

SecWiki/windows-kernel-exploits

List ow Windows kernel exploits.

taviso/ctftool

This is ctftool, an interactive command line tool to experiment with CTF, a little-known protocol used on Windows to implement Text Services. This might be useful for studying Windows internals, debugging complex issues with Text Input Processors and analyzing Windows security.

mrexodia/TitanHide

TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

x64dbg/ScyllaHide

ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. It hooks various functions to hide debugging. This tool is intended to stay in user mode (ring 3). If you need kernel mode (ring 0) Anti-Anti-Debug, please see TitanHide.

Mattiwatti/EfiGuard

EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot manager, boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).

hfiref0x/UPGDSED

Universal PatchGuard and Driver Signature Enforcement Disable

9176324/Shark

Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).

Process & Memory

DarthTon/Blackbone

Windows memory hacking library

Dramacydal/WhiteMagic

API to work with Win32 process memory and hardware breakpoints

acidburn974/Blackmagic

Memory reading and Writing for C# / VB / .Net Applications.

DLL-injection (user-land)

vmcall/loadlibrayy

x64 PE injector with kernel handle elevation and thread hijacking capabilities

Misc.

zaproxy/zaproxy

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

Once again: BthPS3 has nothing to do with the input and output of the controller, it handles the connection to Windows, nothing more, nothing less. Those issues are Shibari business and possibly there's some overlooked hack or trick that MIJ accounts for but I don't know of that and don't have the capacity to go after that so I can't really recommend any solution at this point in time.

TL;DR: It is what it is

Cheers

@mmbossoni all devices I wanna support are already supported. If the reports differ that's not the business of BthPS3 but of Shibari or a function driver and I don't have the capacity to further dig into that with my current resources. So I guess no, I won't follow that route as long as I'm solo on this.

Has nothing to do with the functionality, try a complete reinstall. Shibari creates a log with information on what's happening, look at that and/or share it here, otherwise it's poke in the dark.

Cheers

Hey hey!

Odd, you can try to look in Task Scheduler, look for an entry named ViGEmBusUpdater and manually delete that. Then try running the setup again.

Cheers

Ahoy! It's fixed for good now

Cheers

Yeeeeeeaaaaah this subdomain is on the "old" webserver having config issues unfortunately, I'll fix as soon as I get to it, thanks.

@felagund cool! Glad to see my genius contributes to getting rid of SCP

Hey hey, cool find! This is the project mentioned, right? I didn't know that

Yeah, makes sense, since I don't plan on adding anything "official" for Motion support myself anytime soon I see there's benefit in defaulting to disabling that functionality.

Do bear in mind that I have to submit to Microsoft again for such changes so no promises on when an update becomes available.

Also I guess a little configuration tool for the basic service settings would be useful.

Cheers

Shibari is the culprit then

Thanks for reporting, no ETA of any attempt to look into this though.