Sunday, 5 January 2014

Global Remote Detour: KiFastSystemCall

Hi,

I am not planning to explain the code in much detail; instead I am giving the code itself, which is fairly straightforward in terms of the functions used and its simple logic.

Unlike the previous remote detour, I am not creating a running thread in the target process, as that would be too slow and unneeded work.

There are 2 functions needed for the global injection: Provider(void) & Injector(DWORD Pid).
The function Provider(void) is responsible for handing each process's PID to the Injector function; the Injector function will then:

  1. Open the process by PID via a call to OpenProcess
  2. Using the handle, suspend the process, ready for injection
  3. Write the callback into the process's memory space
  4. Build a char array of machine code (JMP ---) and patch the remote callback address into it
  5. Write the char array over the KiFastSystemCall address

With that, KiFastSystemCall is detoured. The uses of such detours are endless:

  • Self-Protection
  • Proactive AV scanning
  • Complete Control over system
  • Helpful Debugging Information
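As an added, defender-side example (not the post's own code), here is the integrity check an AV scanner or debugging tool would run against step 5: take the first bytes read at the KiFastSystemCall address of a process (via ReadProcessMemory on Windows) and decide whether they are still the clean mov edx,esp / sysenter / ret stub or have been replaced by an E9 rel32 jump, and where that jump lands. The byte buffer, stub address and ntdll range below are constructed so the check runs stand-alone on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Clean ntdll!KiFastSystemCall on 32-bit Windows: mov edx,esp / sysenter / ret */
static const uint8_t KIFASTSYSTEMCALL_CLEAN[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

/* 1 if the bytes read at the stub still match the clean prologue. */
int kifastsystemcall_is_clean(const uint8_t *stub, size_t len)
{
    return len >= sizeof KIFASTSYSTEMCALL_CLEAN &&
           memcmp(stub, KIFASTSYSTEMCALL_CLEAN, sizeof KIFASTSYSTEMCALL_CLEAN) == 0;
}

/* If the stub now starts with JMP rel32 (E9 xx xx xx xx), return where it lands;
 * stub_addr is the 32-bit address the bytes were read from. Returns 0 otherwise. */
uint32_t jmp_rel32_target(const uint8_t *stub, size_t len, uint32_t stub_addr)
{
    if (len < 5 || stub[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                   ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    return stub_addr + 5 + rel;   /* next instruction + rel32, wrapping mod 2^32 */
}

/* A destination outside ntdll's own image [base, base+size) is the red flag. */
int target_outside_module(uint32_t target, uint32_t base, uint32_t size)
{
    return target < base || target - base >= size;
}

/* Constructed sample: the stub after a JMP to a callback at 0x00320000 was written
 * over it (step 5 above). Stub address and ntdll range are made up for illustration. */
static const uint8_t SAMPLE_DETOURED[] = { 0xE9, 0xEB, 0x1A, 0xA1, 0x83 };
#define SAMPLE_STUB_ADDR 0x7C90E510u

int main(void)
{
    uint32_t dest = jmp_rel32_target(SAMPLE_DETOURED, sizeof SAMPLE_DETOURED, SAMPLE_STUB_ADDR);
    if (kifastsystemcall_is_clean(SAMPLE_DETOURED, sizeof SAMPLE_DETOURED))
        printf("KiFastSystemCall clean\n");
    else if (dest)
        printf("KiFastSystemCall detoured: jmp -> 0x%08X (%s ntdll)\n", dest,
               target_outside_module(dest, 0x7C900000u, 0x000B0000u) ? "outside" : "inside");
    else
        printf("KiFastSystemCall modified in an unrecognised way\n");
    return 0;
}
```

A real tool would read the bytes from every process and compare them against the on-disk ntdll as well, since a detour can also use a push/ret or FF 25 sequence rather than E9.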
The Code Metrics:

Line Count: 105 lines
Size: 3.05 KB (3,125 bytes)


Stay Tuned,

2 comments:

  1. Terrific work.
    Can't believe such a fine blog is attracting almost no comments!