Driver to Hide Processes and Files. Second Edition: Splicing
Thursday, 30 June 2011 08:02

This article describes a driver that hides processes and files using the method of splicing.

Written by:

Sergey Bratus,
Software Developer of Network Security Team

Contents

Introduction
1. Introduction to Splicing Basis
1.1 Splicing
1.2 Specifics of the Technology
1.3 Splicing Scope and Methods of Detection
2. Project Structure
2.1 Technical Side
2.2 Call Agreement and Stack
2.3 Code Review
Conclusion
Additional Information
Bibliography List

Introduction

This article continues a series of articles on hiding and detecting files and processes in the operating system. I assume you have already read the articles Driver to Hide Processes and Files and Simple SST Unhooker.

The Simple SST Unhooker article presents a method of solving the problem of function address substitution in the SST table. In this article, I will describe programmatic methods of hooking functions that make the methodology described in the Simple SST Unhooker article no longer work.

Introduction to Splicing Basis

The Driver to Hide Processes and Files article explains at length why the interception of system functions is needed. In this article, I want to focus your attention on a comparison of interception technologies, their advantages and disadvantages.

We can divide the interception methods into the following groups:

  • Substitution of the address of the real function (modification of IAT tables, modification of SSDT/IDT tables);
  • Direct change of the function (splicing, interception in the kernel mode with the modification of the function body);
  • Direct substitution of the whole component of the application/system (for example, substitution of the library with a target function).

We can also divide them by the execution mode in the following way:

  • User mode (ring3) methods: modification of IAT tables, splicing. Their peculiarity is that you cannot change anything in the behavior of the OS kernel and its extensions;
  • Kernel mode methods: modification of SSDT/IDT tables, interception in the kernel mode with modification of the function body. With these, you can modify the data structures and the code of any part of the OS and its applications.
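The distinction above matters for detection: a table-substitution hook (IAT, SSDT, IDT) leaves the function body intact and is found by checking the table, while splicing rewrites the first bytes of the function itself, so a table check passes and the function entry has to be inspected instead. The following C code is an added example written for this page, not code from the article or its driver. It classifies the first bytes of a function entry point by the x86 redirect patterns a splicing patch typically installs (relative jmp/call, push/ret, indirect jmp) and resolves the redirect target, and it offers a second check that compares the in-memory prologue against a trusted reference copy. It assumes 32-bit addresses, a little-endian host, and the constructed sample byte arrays defined in the block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What the entry point of a function starts with. */
typedef enum {
    PROLOGUE_CLEAN = 0,      /* no redirect recognised at the entry */
    PROLOGUE_JMP_REL32,      /* E9 rel32            : jmp  rel32 */
    PROLOGUE_CALL_REL32,     /* E8 rel32            : call rel32 */
    PROLOGUE_PUSH_RET,       /* 68 imm32 C3         : push imm32 ; ret */
    PROLOGUE_JMP_INDIRECT    /* FF 25 addr32        : jmp  [addr32] */
} prologue_kind;

typedef struct {
    prologue_kind kind;
    uint32_t target;  /* resolved absolute target (rel32/push forms) or the pointer slot (indirect jmp) */
} prologue_report;

/* Inspect the first bytes of a function body read from func_va.
   func_va is needed because rel32 displacements are relative to the next instruction. */
prologue_report inspect_prologue(const uint8_t *code, size_t len, uint32_t func_va)
{
    prologue_report r = { PROLOGUE_CLEAN, 0 };
    if (len >= 5 && (code[0] == 0xE9 || code[0] == 0xE8)) {
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);          /* little-endian immediate (assumption: x86 host) */
        r.kind = (code[0] == 0xE9) ? PROLOGUE_JMP_REL32 : PROLOGUE_CALL_REL32;
        r.target = func_va + 5u + (uint32_t)rel;     /* 5 = length of the jmp/call instruction */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t imm;
        memcpy(&imm, code + 1, sizeof imm);
        r.kind = PROLOGUE_PUSH_RET;
        r.target = imm;                              /* ret pops the pushed absolute address */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind = PROLOGUE_JMP_INDIRECT;
        memcpy(&r.target, code + 2, sizeof r.target); /* address of the slot holding the real target */
    }
    return r;
}

/* Complementary check that catches patches not covered by the patterns above:
   compare the live prologue with a trusted reference copy of the same bytes
   (for example, the function as it appears in the image file on disk). */
int prologue_matches_reference(const uint8_t *in_memory, const uint8_t *reference, size_t n)
{
    return memcmp(in_memory, reference, n) == 0;
}

/* Constructed samples (not taken from any real binary). The function is assumed
   to live at 0x00401000. */
const uint32_t kSampleFuncVa = 0x00401000u;
/* mov edi,edi ; push ebp ; mov ebp,esp : the usual hot-patchable Windows prologue */
const uint8_t kSampleClean[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* jmp rel32 with displacement 0x0FFB: 0x401000 + 5 + 0xFFB = 0x402000 */
const uint8_t kSampleJmp[5]    = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };
/* push 0x00402000 ; ret */
const uint8_t kSamplePushRet[6] = { 0x68, 0x00, 0x20, 0x40, 0x00, 0xC3 };
/* jmp dword ptr [0x00403000] */
const uint8_t kSampleIndirect[6] = { 0xFF, 0x25, 0x00, 0x30, 0x40, 0x00 };

int main(void)
{
    const uint8_t *samples[] = { kSampleClean, kSampleJmp, kSamplePushRet, kSampleIndirect };
    const size_t   lens[]    = { 5, 5, 6, 6 };
    for (size_t i = 0; i < 4; i++) {
        prologue_report r = inspect_prologue(samples[i], lens[i], kSampleFuncVa);
        printf("sample %zu: kind=%d target=0x%08X reference-match=%d\n", i, (int)r.kind, r.target,
               prologue_matches_reference(samples[i], kSampleClean, 5));
    }
    return 0;
}
```

In a real checker the reference bytes would come from the module's image on disk after relocation, and the scan would run over every export and service entry rather than one constructed buffer; the classification alone only says where control goes, not whether that destination is legitimate, so a hit should be cross-checked against the module that owns the target address.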

The complete article text is available only to registered users. Please log in or register.