      ViGEm Forums

      Shady shenanigans collection

      Research and Development

      nefarius
      Kernel hooking/exploitation

      HOW TO HOOK WIN32 API WITH KERNEL PATCHING

      This post is about SSDT patching to perform API hooking within the kernel instead of the classic user mode hooking using remote threads and things like that.

      SSDT hooking is, as far as I know, the lowest-level technique to replace/hook/intercept/whatever an API, and for this reason it has been used for years both by malware writers and AV vendors.

      Hooking the kernel directly

      Sometimes, we run into a situation when we badly need to hook some kernel function, but are unable to do it via conventional PE-based hooking. This article explains how kernel functions can be directly hooked. As a sample project, we are going to present a removable USB storage device as a basic disk to the system, so that we can create and manage multiple partitions on it (for this or that reason, Windows does not either allow or recognize multiple partitions on removable storage devices, so we are going to cheat the system). On this particular occasion, we will hook only one function, but the approach described in this article can be extended to handle multiple functions (for example, one of my projects required direct hooking of quite a few functions from the NDIS library). You should clearly realize that this article is about direct hooking and not about dealing with USB storage, so please don't tell me that the sample problem may have been solved differently.

      SecWiki/windows-kernel-exploits

      List of Windows kernel exploits.

      taviso/ctftool

      This is ctftool, an interactive command line tool to experiment with CTF, a little-known protocol used on Windows to implement Text Services. This might be useful for studying Windows internals, debugging complex issues with Text Input Processors and analyzing Windows security.

      mrexodia/TitanHide

      TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

      x64dbg/ScyllaHide

      ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. It hooks various functions to hide debugging. This tool is intended to stay in user mode (ring 3). If you need kernel mode (ring 0) Anti-Anti-Debug, please see TitanHide.

      Mattiwatti/EfiGuard

      EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot manager, boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).

      hfiref0x/UPGDSED

      Universal PatchGuard and Driver Signature Enforcement Disable

      9176324/Shark

      Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).

      adrianyy/kernelhook

      Inline hooking in the Windows kernel. This is a simple tool to show how to properly create inline hooks in the kernel. It requires disabling PatchGuard, which is relatively simple via patching the kernel image (ntoskrnl.exe).

      Process & Memory

      DarthTon/Blackbone

      Windows memory hacking library

      Dramacydal/WhiteMagic

      API to work with Win32 process memory and hardware breakpoints

      acidburn974/Blackmagic

      Memory reading and writing for C# / VB / .NET applications.

      DLL-injection (user-land)

      vmcall/loadlibrayy

      x64 PE injector with kernel handle elevation and thread hijacking capabilities

      Dewera/Lunar

      A lightweight native DLL mapping library that supports mapping directly from memory

      ThirteenAG/Ultimate-ASI-Loader

      ASI Loader is the tool that loads custom libraries with the file extension .asi into any game process.

      fancycode/MemoryModule

      MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.

      GFX

      crosire/d3d8to9

      This is a pseudo-driver module that intends to improve compatibility and stability in games using Direct3D 8 for rendering by converting all API calls and low-level shaders to equivalent Direct3D 9 ones. By that it also opens those games to the new possibilities from proven tools and wrappers written for Direct3D 9.

      megai2/d912pxy

      d912pxy is a way to make games that use DirectX 9 use DirectX 12 instead, without changing any game code.

      Misc.

      zaproxy/zaproxy

      The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
