1. Home
  2. Research and Development
  3. Shady shenanigans collection

Shady shenanigans collection

  • nefarius

    Kernel hooking/exploitation

    HOW TO HOOK WIN32 API WITH KERNEL PATCHING

    This post is about SSDT patching to perform API hooking within the kernel instead of the classic user mode hooking using remote threads and things like that.

    SSDT hooking is as far as I know the lowest level technique to replace/hook/intercept/whatever API and for this reason has been used for years both by malwares writers and AV vendors.

    Hooking the kernel directly

    Sometimes, we run into a situation when we badly need to hook some kernel function, but are unable to do it via conventional PE-based hooking. This article explains how kernel functions can be directly hooked. As a sample project, we are going to present a removable USB storage device as a basic disk to the system, so that we can create and manage multiple partitions on it (for this or that reason, Windows does not either allow or recognize multiple partitions on removable storage devices, so we are going to cheat the system). On this particular occasion, we will hook only one function, but the approach described in this article can be extended to handle multiple functions (for example, one of my projects required direct hooking of quite a few functions from the NDIS library). You should clearly realize that this article is about direct hooking and not about dealing with USB storage, so please don't tell me that the sample problem may have been solved differently.

    SecWiki/windows-kernel-exploits

    List ow Windows kernel exploits.

    taviso/ctftool

    This is ctftool, an interactive command line tool to experiment with CTF, a little-known protocol used on Windows to implement Text Services. This might be useful for studying Windows internals, debugging complex issues with Text Input Processors and analyzing Windows security.

    mrexodia/TitanHide

    TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

    x64dbg/ScyllaHide

    ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. It hooks various functions to hide debugging. This tool is intended to stay in user mode (ring 3). If you need kernel mode (ring 0) Anti-Anti-Debug, please see TitanHide.

    Mattiwatti/EfiGuard

    EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot manager, boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).

    hfiref0x/UPGDSED

    Universal PatchGuard and Driver Signature Enforcement Disable

    9176324/Shark

    Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).

    adrianyy/kernelhook

    Inline hooking in Windows kernel. This is simple tool to show how to properly create inline hooks in kernel. It requires disabling PatchGuard which is relatively simple via patching kernel image (ntoskrnl.exe).

    Process & Memory

    DarthTon/Blackbone

    Windows memory hacking library

    Dramacydal/WhiteMagic

    API to work with Win32 process memory and hardware breakpoints

    acidburn974/Blackmagic

    Memory reading and Writing for C# / VB / .Net Applications.

    DLL-injection (user-land)

    vmcall/loadlibrayy

    x64 PE injector with kernel handle elevation and thread hijacking capabilities

    Dewera/Lunar

    A lightweight native DLL mapping library that supports mapping directly from memory

    ThirteenAG/Ultimate-ASI-Loader

    ASI Loader is the tool that loads custom libraries with the file extension .asi into any game process.

    fancycode/MemoryModule

    MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.

    GFX

    crosire/d3d8to9

    This is a pseudo-driver module that intends to improve compatibility and stability in games using Direct3D 8 for rendering by converting all API calls and lowlevel shaders to equivalent Direct3D 9 ones. By that it also opens those games to the new possibilities from proven tools and wrappers written for Direct3D 9.

    megai2/d912pxy

    d912pxy is a way to make games that use DirectX 9 use DirectX 12 instead, without changing any game code.

    Misc.

    zaproxy/zaproxy

    The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

    0
Log in to reply