SIG^2 Secure Code Study Project Tool Release

ApiHookCheck Version 1.01 (API Hook Check)

by Tan Chew Keong
15 April 2004

Download

Introduction

API hooking is a useful technique for monitoring the API calls made by Win32 programs. It makes it possible to understand a program's functionality from the APIs it calls and their input parameters. However, API hooking is also used by rootkits and other malicious code to modify the behaviour of certain APIs in order to hide files, network ports, processes or services. This tool helps to detect the presence of system-wide API hooks that are implemented by modifying import/export tables or by inserting a JMP instruction at the start of the real API.

 

API Hooking Techniques

The idea behind API hooking is to allow an API call to be redirected to a replacement function. This replacement function will usually perform some manipulation of the input parameters before transferring control back to the called API. The replacement function could also manipulate the API's return results before passing them back to the caller. This simple idea has been used by rootkits and trojans to hide files, processes and network ports. For example, by hooking FindFirstFileA and FindNextFileA, it is possible to manipulate the list of filenames returned, thus allowing certain files to be hidden from the directory listing.

This tool can detect the presence of system-wide API hooks that are implemented based on the following techniques.

  1. Import/Export Table Modification
  2. Overwriting the start of the hooked API with a JMP instruction

Import/Export Table Modification

This technique hooks APIs by directly modifying the Import/Export Tables of the targeted process and all of its modules (DLLs). Each process and module (DLL) has its own Import Address Table (IAT) that contains the entry-point addresses of the APIs it uses. These addresses are used whenever the process calls the respective APIs. Therefore, by replacing the entry-point address of an API in the IAT with that of a replacement function, any call to the API can be redirected to the replacement function.

However, modifying the IAT alone is insufficient since the targeted process might use the GetProcAddress API to obtain the real entry point address of an API. This problem could be solved by hooking the GetProcAddress API so that the address of the replacement function is returned instead. Alternatively, it is possible to directly modify the Export Address Table of the DLL that exports that particular API. Every DLL has an Export Address Table (EAT) that contains the entry-point addresses of the APIs that are implemented within the DLL. Hence, by replacing the entry-point of an API within the EAT with the relative address of the replacement function, we can cause GetProcAddress to return the address of the replacement function instead.

Overwriting the start of the hooked API with a JMP instruction

Another technique for implementing API hooking is to overwrite the start of the hooked API with a JMP instruction that transfers execution to the replacement function. This technique requires fewer modifications within the memory space of the hooked process than the previous technique.

 

ApiHookCheck Algorithm

The IAT of ApiHookCheck.exe contains the entry-point addresses of the APIs it imports from kernel32.dll, advapi32.dll, psapi.dll, iphlpapi.dll, snmpapi.dll and netapi32.dll. These entry-point addresses are checked to ensure that each points within the memory space of the DLL that exports it. Any discrepancy (i.e. an API whose entry-point address points outside the memory space of the DLL it belongs to) is reported.

The EAT entries of these DLLs are also checked to ensure that all API entry-points lie within the address space of their respective DLLs. To detect API hooking based on the second method, the tool checks for a JMP instruction at the start of each API that would transfer execution out of the memory space of the DLL.
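The two checks described above, written as an added example (not ApiHookCheck's own source) over constructed module and code-byte data so it compiles on any platform. The module base/size, entry-point addresses and first-instruction bytes are assumed values; a real scanner would read them from the loaded PE images and the IAT/EAT.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A loaded module: load address and SizeOfImage from its PE header.
 * The values used below are constructed for the demo, not real addresses. */
typedef struct { const char *name; uintptr_t base; size_t size; } module_t;

enum { API_CLEAN = 0, API_ENTRY_OUTSIDE_MODULE = 1, API_INLINE_JMP = 2 };

/* Check 1 (IAT/EAT modification): the entry-point address recorded for an
 * API must lie inside the image of the DLL that exports it. */
int addr_in_module(const module_t *m, uintptr_t addr) {
    return addr >= m->base && addr < m->base + m->size;
}

/* Check 2 (inline hook): if the first instruction at the entry point is a
 * near relative JMP (opcode E9, 32-bit displacement), resolve its target.
 * Only a JMP that leaves the module is flagged; a DLL may legitimately
 * jump to its own code (e.g. a hot-patch stub). */
int jmp_leaves_module(const module_t *m, uintptr_t entry, const uint8_t code[5]) {
    if (code[0] != 0xE9) return 0;
    int32_t disp;
    memcpy(&disp, code + 1, sizeof disp);                      /* x86 is little-endian */
    uintptr_t target = entry + 5 + (uintptr_t)(intptr_t)disp;  /* relative to next insn */
    return !addr_in_module(m, target);
}

/* Combined verdict for one API entry, in the order ApiHookCheck describes. */
int check_api(const module_t *m, uintptr_t entry, const uint8_t code[5]) {
    if (!addr_in_module(m, entry)) return API_ENTRY_OUTSIDE_MODULE;
    if (jmp_leaves_module(m, entry, code)) return API_INLINE_JMP;
    return API_CLEAN;
}

int main(void) {
    module_t k32 = { "kernel32.dll", 0x7C800000u, 0x100000u };  /* constructed base/size */
    uint8_t prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };     /* mov edi,edi; push ebp; mov ebp,esp */
    uint8_t jmp_out[5]  = { 0xE9, 0xFB, 0x0F, 0x7F, 0x93 };     /* JMP to 0x10001000, outside kernel32 */
    printf("clean entry:            %d\n", check_api(&k32, 0x7C810000u, prologue));
    printf("IAT points elsewhere:   %d\n", check_api(&k32, 0x10001000u, prologue));
    printf("inline JMP out of DLL:  %d\n", check_api(&k32, 0x7C810000u, jmp_out));
    return 0;
}
```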

 

Usage

ApiHookCheck.exe > result.html

The output of this tool is an HTML report, which should be redirected to a file so that it can be viewed in a browser. A sample report is shown in the link below.

Sample Report

Contacts

For further enquiries, or to submit malicious code for our analysis, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 11/3/2004
webmaster@security.org.sg