
User-mode hooks are unreliable and there are many ways to bypass them. For example, makin loads a second copy of ntdll from the %temp% directory and so bypasses every hook placed in the original ntdll, but it has to load a DLL, which is noisy. What about calling ntdll-level functions directly? That is better than going through KernelBase and other higher-level DLLs, but it is still easy to hook.

Today I want to talk about another method, which I think is the hardest one to hook from user mode: reimplementing ntdll functions.

To become stealthier we need to go deeper and use undocumented functions, which makes our method dependent on the Windows version.

NOTE: Windows Version 1709 x64

We can use IDA or any other disassembler to rewrite the functions.

NtCreateFile :

NtClose :

Main:

NOTE: for more stability, you can extract the syscall index number from ntdll at runtime:
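From the defender's side, both tricks described in this post (a second ntdll mapped from %temp%, and syscall stubs living outside ntdll) leave a footprint in process memory. The following is an added example, not part of this post or its source code, that scans a constructed snapshot of a process's memory regions for exactly those two footprints; the Region layout, the module whitelist and the sample bytes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

SYSCALL = b"\x0f\x05"                      # x64 'syscall' opcode bytes
TRUSTED = {"ntdll.dll", "win32u.dll"}      # only images expected to contain syscall stubs
SYSTEM_DIR = r"c:\windows\system32"        # assumed install location


@dataclass
class Region:
    base: int
    data: bytes              # bytes read from the region (constructed here)
    path: Optional[str]      # backing image path, None for private memory
    executable: bool

    @property
    def module(self) -> Optional[str]:
        return self.path.rsplit("\\", 1)[-1].lower() if self.path else None


def scan(regions):
    """Return (finding, address, image_path) tuples for suspicious regions."""
    findings = []
    for r in regions:
        mod = r.module
        # An ntdll.dll mapped from anywhere but System32 is the "%temp% copy" trick.
        if mod == "ntdll.dll" and not r.path.lower().startswith(SYSTEM_DIR):
            findings.append(("ntdll-outside-system32", r.base, r.path))
            continue
        if not r.executable or mod in TRUSTED:
            continue
        # Any 'syscall' opcode in executable memory that is not ntdll/win32u
        # is a candidate for a reimplemented (hand-written) syscall stub.
        # Heuristic only: 0F 05 can also occur inside other instructions.
        off = r.data.find(SYSCALL)
        while off != -1:
            findings.append(("syscall-outside-ntdll", r.base + off, r.path))
            off = r.data.find(SYSCALL, off + 1)
    return findings


# Constructed sample snapshot: one legitimate ntdll, one clean DLL, one private
# RX region with a syscall, one ntdll copy under %temp%, one non-executable region.
SAMPLE_REGIONS = [
    Region(0x7FF800000000, b"\x90" * 6 + SYSCALL + b"\xc3", r"C:\Windows\System32\ntdll.dll", True),
    Region(0x7FF7A0000000, b"\x48\x83\xec\x28\xe8\x00\x00\x00\x00", r"C:\Windows\System32\kernelbase.dll", True),
    Region(0x1A2B0000, b"\xcc" * 16 + SYSCALL + b"\xc3", None, True),
    Region(0x1C000000, b"\x90" * 8 + SYSCALL, r"C:\Users\u\AppData\Local\Temp\ntdll.dll", True),
    Region(0x02000000, SYSCALL * 3, None, False),
]

if __name__ == "__main__":
    for kind, addr, path in scan(SAMPLE_REGIONS):
        print(f"{kind:24} at 0x{addr:016X} {path or '<private memory>'}")
```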

Download the source code from here.

DEMO:


Twitter: @_qaz_qaz