[ C ] NtOpenProcess hook.
A ‘crude’ method of preventing access to a process is to hook NtOpenProcess and deny every request for a handle. Simple. The screenshot below shows what happens when I tried to terminate notepad, which at the time was ‘protected’ by this hook. A detour hook would be preferable to an SSDT pointer change, since a replaced SSDT entry is easy to spot (it points outside the kernel image), but I’ll cover that some other time.
Operation: Once the executable has been run and you’ve entered your target process name (with the .exe!), you are presented with an arrow (–>) and have three commands: HOOK, UNHOOK, EXIT. They’re fairly self-explanatory. Unhook before you exit, and make sure you’ve spelt the process name correctly.
OK, as with many previous things, this is XP only. Both the syscall index and the EPROCESS offsets would need to be changed for other OSes or service packs. A list of both is available below:
+ New EPROCESS offsets for Windows 7
+ List of current Windows syscalls
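As an added illustration of why the SSDT pointer change is the more detectable option (this is not code from the post or its rootkit), the check below models the 32-bit KeServiceDescriptorTable layout and flags any service entry whose handler lies outside the kernel image; the table contents, kernel base and size are constructed sample values, and the hooked index (3) is arbitrary rather than the real NtOpenProcess index, which the post notes differs per OS and service pack:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit KeServiceDescriptorTable layout used on XP. */
typedef struct {
    uintptr_t *ServiceTableBase;        /* handler address per syscall index */
    uint32_t  *ServiceCounterTableBase; /* unused here */
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;          /* unused here */
} SERVICE_DESCRIPTOR;

/* Report every service index whose handler lies outside the kernel image
 * [kbase, kbase + ksize). An entry overwritten with a driver's hook routine
 * fails this test whichever syscall index it occupies. Returns the count and
 * writes up to max_out offending indices into out. */
size_t find_ssdt_hooks(const SERVICE_DESCRIPTOR *sdt, uintptr_t kbase, size_t ksize,
                       uint32_t *out, size_t max_out)
{
    size_t found = 0;
    for (uint32_t i = 0; i < sdt->NumberOfServices; i++) {
        uintptr_t h = sdt->ServiceTableBase[i];
        if (h < kbase || h >= kbase + ksize) {
            if (found < max_out)
                out[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample (all values made up for the demo): a six-entry table in
 * which index 3 has been redirected to an address inside a loaded driver. */
#define DEMO_KBASE 0x804D7000u
#define DEMO_KSIZE 0x001F0000u
static uintptr_t demo_table[] = {
    0x805B1234u, 0x805C5678u, 0x805D9ABCu,
    0xF8A1B000u, /* hook routine living in a third-party driver */
    0x805E0001u, 0x805F0002u,
};
uint32_t demo_hits[8];

size_t demo_scan(void)
{
    SERVICE_DESCRIPTOR sdt = { demo_table, NULL, 6, NULL };
    return find_ssdt_hooks(&sdt, DEMO_KBASE, DEMO_KSIZE, demo_hits, 8);
}

int main(void)
{
    size_t n = demo_scan();
    for (size_t i = 0; i < n; i++)
        printf("SSDT index %u points outside ntoskrnl: 0x%08lx\n",
               demo_hits[i], (unsigned long)demo_table[demo_hits[i]]);
    return 0;
}
```

On a real XP system the kernel base and size would come from the loaded-module list rather than constants, and an inline detour inside ntoskrnl would pass this particular check, which is the point the post makes.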
This rootkit has featured in the following academic papers:
+ “A Multi Agent-Based Framework for Network Intelligence and Intrusion Prevention” by BSc Amani Salah Eldin Abdalaziz, Prof. Mohamed Shouman, Prof. Hossam M. Faheem and Prof. Ibrahim Elhenawy.
+ “Virtual Machines Security in IaaS Platform” by Amani Ibrahim, James Hamlyn-Harris and John Grundy (Swinburne University of Technology).