Usermode tricks for calling WriteProcessMemory
This information is nothing new, but I think it's very interesting nonetheless. Given the prevalence of hooks (detours, hotpatches, IAT hooks) in today's scene, it is becoming more important to understand how to circumvent these rudimentary attempts at slowing us down.
Hooks have been spoken about ad nauseam here at zonehacks so I won't explain what they are or how to use them... this is all assumed knowledge (and if you're still uncertain, just browse over Specific's articles). Besides, this article is not about hooks per se, but rather how to call a function without executing the modified (hooked) line(s) of code.
And so, I present some usermode tricks for invoking/calling WriteProcessMemory when WriteProcessMemory is hooked:
kernel32.WriteProcessMemory Trampoline
USAGE:
; Caller side. Arguments are pushed right-to-left in stdcall order
; (five dwords = 14h bytes on the stack), then a near CALL enters the
; trampoline, which leaves the callee's own RET to pop them.
push lpNumberOfBytesWritten ;out - receives the number of bytes actually written
push nSize ;in - number of bytes to write
push lpBuffer ;in - source buffer in this process
push lpBaseAddress ;in - destination address in the target process
push hProcess ;in - handle to the target process
CALL @WriteProcessMemoryTrampoline
;-----------------------------------------------------------------------
; @WriteProcessMemoryTrampoline
; Resolves the real kernel32.WriteProcessMemory through the import
; table, replays the three instructions that occupy its first 5 bytes,
; and jumps to entry+5. Any hook written into those first 5 bytes is
; therefore never executed; the rest of the function body (and whatever
; it calls further down) still runs normally.
; In:    five stdcall arguments already on the stack (see USAGE)
; Out:   whatever WriteProcessMemory returns; its RET pops the arguments
; Clobb: eax; the replayed prologue pushes ebp and sets ebp = esp
; NOTE(review): the +5 and the three replayed instructions assume the
; hotpatch-style prologue shown below - prologue length is build-specific,
; so confirm it against the actual kernel32 in use.
;-----------------------------------------------------------------------
@WriteProcessMemoryTrampoline:
mov eax, WriteProcessMemory ; IAT - address of the import thunk for WriteProcessMemory
mov eax, [eax+2] ; .idata - presumably the thunk is "jmp dword ptr [iat_slot]"; +2 skips the opcode bytes and reads the slot address
mov eax, [eax] ; kernel32.WriteProcessMemory - dereference the IAT slot to get the real entry point
add eax, 5 ; kernel32.WriteProcessMemory+5 - land just past the 5 bytes replayed below
mov edi, edi ; emulate first instruction (2-byte no-op used as hotpatch padding)
push ebp ; emulate second instruction (1 byte)
mov ebp, esp ; emulate third instruction (2 bytes) - frame now looks exactly as the function body expects
jmp eax ; JMP to kernel32.WriteProcessMemory+5; tail jump, so the callee's RET returns straight to our caller
ntdll.ZwWriteVirtualMemory Trampoline (via LoadLibrary/GetProcAddress)
USAGE:
; Caller side. Same five stdcall arguments as for WriteProcessMemory
; (14h bytes), followed by a near CALL into the trampoline; the ntdll
; stub's own RET pops them.
push lpNumberOfBytesWritten ;out - receives the number of bytes actually written
push nSize ;in - number of bytes to write
push lpBuffer ;in - source buffer in this process
push lpBaseAddress ;in - destination address in the target process
push hProcess ;in - handle to the target process
CALL @ZwWriteVirtualMemoryTrampoline
;-----------------------------------------------------------------------
; @ZwWriteVirtualMemoryTrampoline
; Looks up ntdll.ZwWriteVirtualMemory at run time (LoadLibrary +
; GetProcAddress), replays the stub's first instruction (the 5-byte
; "mov eax, index") and jumps to stub+5, so a hook placed on the stub's
; first bytes is never executed.
; In:    five stdcall arguments already on the stack (see USAGE)
; Out:   whatever the ntdll stub returns; its RET pops the arguments
; Clobb: eax, ebx (plus whatever LoadLibrary/GetProcAddress clobber)
; NOTE(review): 115h is the system service index of one particular
; Windows build - it changes between versions; confirm for the target.
; NOTE(review): the strings are placed inline in the code section and
; skipped with a jmp; that works but mixes data into executable bytes.
;-----------------------------------------------------------------------
@ZwWriteVirtualMemoryTrampoline:
jmp @F ; hop over the inline string data
pszModule db "ntdll.dll", 0
pszFunc db "ZwWriteVirtualMemory", 0
@@:
push offset pszModule
call LoadLibrary ; eax = module handle (base) of ntdll.dll
push offset pszFunc
push eax
call GetProcAddress ; eax = address of ntdll.ZwWriteVirtualMemory
mov ebx, eax ; NOTE(review): ebx is callee-saved in the 32-bit conventions and is not preserved here
add ebx, 05h ; ntdll.ZwWriteVirtualMemory+5 - skip the stub's first (5-byte) instruction
mov eax, 115h ; emulate first instruction - load the system service index the stub would have loaded
jmp ebx ; JMP to ntdll.ZwWriteVirtualMemory+5; tail jump, the stub's RET returns to our caller
ZwWriteProcessMemory via Syscall
USAGE:
; Caller side. Five stdcall arguments (14h bytes) then a near CALL;
; the stub below returns with a RETN that pops them.
push lpNumberOfBytesWritten ;out - receives the number of bytes actually written
push nSize ;in - number of bytes to write
push lpBuffer ;in - source buffer in this process
push lpBaseAddress ;in - destination address in the target process
push hProcess ;in - handle to the target process
CALL @ZwWPMSysCall
;-----------------------------------------------------------------------
; @ZwWPMSysCall
; Re-pushes the caller's five arguments and issues system service 115h
; through the code pointer stored at 7FFE0300h, without going through
; ntdll's exported ZwWriteVirtualMemory stub at all - so a hook on that
; stub (or on kernel32.WriteProcessMemory) is never executed.
; In:    [ebp+8]..[ebp+18h] = hProcess .. lpNumberOfBytesWritten
; Out:   eax = presumably the NTSTATUS from the kernel
; Clobb: eax, edx; ebp is saved/restored by the push/leave pair
; NOTE(review): 115h is a build-specific service index, and 7FFE0300h
; looks like the system-call entry pointer in the shared user data page
; of 32-bit Windows - both are version-dependent; confirm for the target.
;-----------------------------------------------------------------------
@ZwWPMSysCall:
push ebp
mov ebp, esp ; frame: [ebp+4] = return address, [ebp+8]..[ebp+18h] = the five caller arguments
push [ebp+18h] ; lpNumberOfBytesWritten - re-push in the same order as the USAGE block
push [ebp+14h] ; nSize
push [ebp+10h] ; lpBuffer
push [ebp+0ch] ; lpBaseAddress
push [ebp+8h] ; hProcess
mov eax, 115h ; system service index
mov edx, 7FFE0300h ; address of the pointer to the system-call entry routine
call dword ptr [edx] ; enter the kernel; the re-pushed copy sits above the return address
leave ; discard the re-pushed copy and restore ebp
retn 18h ; return and pop 18h bytes of caller arguments - NOTE(review): USAGE pushes 14h and the later stubs use retn 14h; confirm which is intended
ZwWriteProcessMemory via KiFastSystemCall
USAGE:
; Caller side. Five stdcall arguments (14h bytes) then a near CALL;
; the stub below pops them with retn 14h.
push lpNumberOfBytesWritten ;out - receives the number of bytes actually written
push nSize ;in - number of bytes to write
push lpBuffer ;in - source buffer in this process
push lpBaseAddress ;in - destination address in the target process
push hProcess ;in - handle to the target process
CALL @WPM_KiFastSystemCall
;-----------------------------------------------------------------------
; @WPM_KiFastSystemCall
; Resolves ntdll.KiFastSystemCall at run time, re-pushes the caller's
; five arguments, loads service index 115h and calls the shared
; system-call entry directly. ntdll's per-function ZwWriteVirtualMemory
; stub is bypassed, so a hook on it is never executed (a hook on
; KiFastSystemCall itself would still be).
; In:    [ebp+8]..[ebp+18h] = hProcess .. lpNumberOfBytesWritten
; Out:   eax = presumably the NTSTATUS from the kernel
; Clobb: eax, ebx (plus whatever LoadLibrary/GetProcAddress clobber)
; NOTE(review): 115h is a build-specific service index; confirm it.
;-----------------------------------------------------------------------
@WPM_KiFastSystemCall:
push ebp
mov ebp, esp ; frame: [ebp+4] = return address, [ebp+8]..[ebp+18h] = the five caller arguments
jmp @F ; hop over the inline string data
pszModule db "ntdll.dll", 0
pszFunction db "KiFastSystemCall", 0
@@:
push offset pszModule
call LoadLibrary ; eax = module handle (base) of ntdll.dll
push offset pszFunction
push eax
call GetProcAddress ; eax = address of ntdll.KiFastSystemCall
mov ebx, eax ; NOTE(review): ebx is callee-saved in the 32-bit conventions and is not preserved here
push [ebp+18h] ; lpNumberOfBytesWritten - re-push in the same order as the USAGE block
push [ebp+14h] ; nSize
push [ebp+10h] ; lpBuffer
push [ebp+0ch] ; lpBaseAddress
push [ebp+8h] ; hProcess
mov eax, 115h ; system service index
call ebx ; enter the kernel via KiFastSystemCall; the re-pushed copy sits above the return address
leave ; discard the re-pushed copy and restore ebp
retn 14h ; return and pop the caller's five dwords
ZwWriteVirtualMemory via SYSENTER / Int 2E
USAGE:
; Caller side. Five stdcall arguments (14h bytes) then a near CALL;
; the stub below pops them with retn 014h.
push lpNumberOfBytesWritten ;out - receives the number of bytes actually written
push nSize ;in - number of bytes to write
push lpBuffer ;in - source buffer in this process
push lpBaseAddress ;in - destination address in the target process
push hProcess ;in - handle to the target process
CALL @WPM_sysenter
;-----------------------------------------------------------------------
; @WPM_sysenter
; Re-pushes the caller's five arguments and calls a local @stub that
; traps into the kernel with int 2Eh. No ntdll or kernel32 code is
; involved on the way in, so user-mode hooks on either are never
; executed.
; In:    [ebp+8]..[ebp+18h] = hProcess .. lpNumberOfBytesWritten
; Out:   eax = presumably the NTSTATUS from the kernel
; Clobb: eax, edx; ebp is saved/restored by the push/leave pair
; NOTE(review): despite the heading, this path uses only int 2Eh - there
; is no SYSENTER instruction in this listing.
;-----------------------------------------------------------------------
@WPM_sysenter:
push ebp
mov ebp, esp ; frame: [ebp+4] = return address, [ebp+8]..[ebp+18h] = the five caller arguments
push [ebp+18h] ; lpNumberOfBytesWritten - re-push in the same order as the USAGE block
push [ebp+14h] ; nSize
push [ebp+10h] ; lpBuffer
push [ebp+0ch] ; lpBaseAddress
push [ebp+8h] ; hProcess
call @stub ; pushes a return address, then @stub issues the trap
leave ; discard the re-pushed copy and restore ebp
retn 014h ; return and pop the caller's five dwords
;-----------------------------------------------------------------------
; @stub
; Minimal system-call gate: service index in eax, edx = current stack
; pointer, then the legacy int 2Eh software interrupt.
; Clobb: eax, edx
; NOTE(review): 0115h is a build-specific service index, and the kernel
; presumably reads the argument block relative to edx - what edx must
; point at (relative to the return addresses now on the stack) is not
; established by this listing; confirm against the real ntdll gate.
;-----------------------------------------------------------------------
@stub:
mov eax, 0115h ; system service index
mov edx, esp ; edx = stack pointer at the time of the trap
int 02Eh ; legacy software-interrupt system-call entry
ret
Author: Ksbunker