Introduction

This article explains how to hide a registry string from regedit by hooking
the RegEnumValueW API. The article relies on a function that hooks APIs,
called HookAPICalls. I am not the author of that function; I got it from a
website whose name I forget, and my thanks go to its author. The function
that replaces RegEnumValueW is given below.
LONG WINAPI MyRegEnumValue(HKEY hKey,
                           DWORD dwIndex,
                           LPWSTR lpValueName,
                           LPDWORD lpcValueName,
                           LPDWORD lpReserved,
                           LPDWORD lpType,
                           LPBYTE lpData,
                           LPDWORD lpcbData)
{
    LONG ret;
    /* the original RegEnumValueW, saved by HookAPICalls when the import entry was replaced */
    RegEnumValueWtype oldfn = (RegEnumValueWtype)RegDLL_Hooks.Functions[0].OrigFn;
    char ss[260];   /* ANSI copy of the value name; a 10-byte buffer truncated real names */

    ret = oldfn(hKey, dwIndex, lpValueName, lpcValueName, lpReserved, lpType, lpData, lpcbData);

    /* only look at the name when the call succeeded and actually returned one */
    if (ret != ERROR_SUCCESS || lpValueName == NULL)
        return ret;

    ss[0] = '\0';
    if (WideCharToMultiByte(CP_ACP, 0, lpValueName, -1, ss, sizeof(ss), NULL, NULL) == 0)
        return ret;   /* conversion failed (e.g. name too long): pass the result through unchanged */

    if (strstr(ss, "hirosh") != NULL)
        return 1;     /* report failure so the caller does not display this value */
    else
        return ret;
}
This function simply checks the value name in lpValueName for the string "hirosh" and,
if it is found, returns 1. That tells the caller the function did not complete
successfully, so regedit will not display any value whose name contains the word "hirosh".
API hooking is a powerful tool. Using it we could also hide files and processes from the
OS. However, I don't know which APIs must be hooked to achieve this. If anybody knows,
please help me.
I tested this program on Windows XP. regedit is OK, but when I run msconfig it displays
an error. I don't know what the problem is, so if anybody knows, please help me. I am not
experienced in API hooking, so I am just experimenting with this.
Please, can you convert this source to an exe and send it to me by mail: rabih_saleh@hotmail.co.uk. Another question: can I hide a registry entry? Please, I need help with this.
I tested your code; it can inject the DLL into a running exe. But when I run regedit.exe, the application regedit.exe crashes! Why? Please give me the reason. I tested it on WinXP SP2 and winsk SP3; it also failed.
I built the code of testdll, but it failed with this message:

Compiling...
apihijack.cpp
c:\hidereg\testdll\apihijack.cpp(158) : error C2440: '=' : cannot convert from 'unsigned long' to 'void *'
        Conversion from integral type to pointer type requires reinterpret_cast, C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(196) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
        This conversion requires a reinterpret_cast, a C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(203) : error C2446: '>' : no conversion from 'unsigned long *' to 'unsigned long'
        This conversion requires a reinterpret_cast, a C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(203) : error C2040: '>' : 'unsigned long' differs in levels of indirection from 'unsigned long *'
c:\hidereg\testdll\apihijack.cpp(204) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
        This conversion requires a reinterpret_cast, a C-style cast or function-style cast
dllmain.cpp
Error executing cl.exe.

TestDLL.dll - 5 error(s), 0 warning(s)

How do I solve it?
Is there any problem using this program on the Windows 2003 platform? I've met a lot of error messages. What is the problem with this program? I want to fix this bug. Help me, please.
Thanks in advance!
csjung
Why can't the hooked function access a callback? It can't read the memory where the jmp instruction is. How do I solve this problem?
Okay, that was nice code, but can you tell me what steps are needed to add a new thing to be hooked without getting any problems? Please reply as soon as possible. Thanks, thumbs up.
I want to hook the IoCreateFile function now. Can I apply this method to hook IoCreateFile? If so, how?
Thanks in advance!
csjung
Hi! I've put the code into my application, but I don't want to use the DLL from the example... But it looks like it doesn't work without the DLL? cyberguru
Dear all,
I am developing an application for Windows 2000 in MFC VC++ version 6.0.
My application runs as an interactive service.
I used your DLL in my program, which is used to hide given key(s) from the registry. The program works fine and hides the given keys from the registry. But when I log off my system and log in again, the following error occurs:
...............................
SAS Window: Winlogon.exe Application error. The instruction at "0x01007f2d" referenced memory at "0x00006c". The memory could not be read. Click OK to close and Cancel to debug.
...............................
On clicking OK the system restarts.
I think I need to free the DLL before logging out. So I tried FreeLibrary in QueryEndSession, but it did not help. Is there any other way to free the DLL?
Or any other way to solve the problem? The program works fine when I restart and log in (probably because at that time the DLL is freed and loaded again, but that is not the case with log off and log in).
Thanks, Rohit
Instead of just returning 1 when the value should not be displayed, you should return the call to the old function with an increased index, and the next time the hook is called with the same key, also increase the index. Of course you have to store somewhere how many items you've skipped across function calls, on a per-key basis. If you also hook the other registry functions, the key would be completely stealthy and inaccessible.
BTW, do you realize which security issue this is? I don't want to go into detail, but maybe someone could write a totally stealthed program (at least for normal applications, not for services or drivers). It's difficult to hook hundreds of API functions and the program would be really, really big, but really dangerous. It would be a great problem if you weren't able to see which programs are running in the background.
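A defender-side check for the behaviour described in the article and for the index-skipping variant suggested above, as an added example that is not part of the original article or thread: a cross-view comparison of the value count a key reports against the names an enumeration returns. It assumes the .NET RegistryKey class backs ValueCount with RegQueryInfoKeyW and GetValueNames with RegEnumValueW (as .NET Framework does), and it only sees a hook that lives in the process running the script, since the article's hook patches a single process's import table.

```powershell
function Test-HiddenRegistryValues {
    [CmdletBinding()]
    param(
        [ValidateSet('HKLM', 'HKCU')] [string]$Hive = 'HKLM',
        [string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $base = if ($Hive -eq 'HKLM') { [Microsoft.Win32.Registry]::LocalMachine }
            else                  { [Microsoft.Win32.Registry]::CurrentUser }
    $key = $base.OpenSubKey($SubKey, $false)
    if ($null -eq $key) { throw "Key $Hive\$SubKey not found" }
    try {
        # ValueCount comes from RegQueryInfoKeyW, which the article's hook leaves alone,
        # so it is the "trusted" view of how many values the key holds.
        $reported = $key.ValueCount

        # GetValueNames walks the key with RegEnumValueW, the API the hook replaces.
        # The article's hook answers 1 for the hidden entry, which surfaces here as an
        # exception; the index-skipping variant produces a shorter list (or an exception
        # when the skipped index runs past the end).  Both are flagged below.
        $enumError = $null
        try   { $names = @($key.GetValueNames()) }
        catch { $names = @(); $enumError = $_.Exception.Message }

        [pscustomobject]@{
            Key             = "$Hive\$SubKey"
            ReportedCount   = $reported
            EnumeratedCount = $names.Count
            EnumerateError  = $enumError
            Suspicious      = ($null -ne $enumError) -or ($reported -ne $names.Count)
        }
    }
    finally { $key.Close() }
}

# Constructed call: compare both views of the Run key as seen by this process
Test-HiddenRegistryValues -Hive HKLM -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Format-List
```

Run it from the process you want to check (for example as a self-test inside the application, or from a test host where the hook DLL is loaded); a clean process shows matching counts and no error.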
Hi Tim Kosse, I tested your suggestion but the problem is still there. I also tried this code, which doesn't hide anything, but when I run msconfig it still displays an error:

LONG MyRegEnumValue(HKEY hKey, DWORD dwIndex, LPWSTR lpValueName, LPDWORD lpcValueName,
                    LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
{
    LONG ret;
    RegEnumValueWtype oldfn = (RegEnumValueWtype)RegDLL_Hooks.Functions[0].OrigFn;
    char ss[10];
    /* forward to the original with the index shifted by one; no name check at all */
    ret = oldfn(hKey, dwIndex + 1, lpValueName, lpcValueName, lpReserved, lpType, lpData, lpcbData);
    return ret;
}
Hey, my msconfig problem is still there. What can I do? If we don't remove that problem this is of no use. Help me if you can. hirosh
You should insert the keyword 'WINAPI' into your own function, like this: LONG WINAPI MyRegEnumValue(...)
Then all of your trouble above will disappear! Good luck to you...
...yeah, like hooking (psapi.dll) EnumProcessModules (to hide the DLL) and EnumProcesses to hide the trojan. Nice idea for a Back Orifice 2000 add-in. An even better idea would be to hook some more APIs (CreateFile, FindFirst, FindNext, CreateProcess (to spawn the DLL as soon as a program starts), ...) so the trojan would be hidden even on disk. Maybe even stick it into NTFS streams (try to create a program with the name "bla.txt:stream1"). With some DLL injection and process rights elevation, you can actually insert a remote thread into services, system processes (winlogon.exe; hmm, what would I do there... what are those 2 *cool* edit boxes?) etc., so quite reasonable stealth could be achieved. Actually the program wouldn't be *that* huge at all and there aren't that many APIs to hook.
Let's see when I can finish that (ADO with bugs, databases with "too many" tables, annoying customers waiting for a new update, working till night, ...). Hehe, guess that program won't see the light *ever*, so don't bother (I hardly believe that some teenager is able to code that).
Don't forget to hook LoadLibrary, else someone could load the API functions directly from the system DLLs. There are really a lot of API functions. You have to hook all registry functions, all file functions, most shell functions (SHBrowse), the process functions and some other functions. To really hide a program, it has to hook hundreds of API functions. And the program really needs a lot of memory, since it has to remember the state of different API calls (most obviously for the enum functions). I think exploiting the hooks for stealth programs is just too complex. The most efficient method for trojans and other spyware is still this: "Click here for free XXX pics", and the actual trojan should contain a small pic viewer.
Signature? I've no need for it!
Yeah, I still can't remove the msconfig problem and I have no idea how to fix it. If we don't remove that msconfig problem this is of no use. So help me if you can. hirosh