[Original] Antirootkit: CodeWalker
Posted: 2008-12-12 15:02

#51
@weolar:

No, the hook is detected, but you have to choose "Show/Hide Low Risk Codes" to see the hook.

I tested with WinDbg patching this way:

Original:
kd> u MmGetSystemRoutineAddress - 10
nt!MmGetSystemRoutineAddress+0x9a:
805bd893 0f858f000000    jne     nt!MmGetSystemRoutineAddress+0x9c (805bd928)
805bd899 e9a6000000      jmp     nt!MmGetSystemRoutineAddress+0xb8 (805bd944)
805bd89e 90              nop
805bd89f 90              nop
805bd8a0 90              nop
805bd8a1 90              nop
805bd8a2 90              nop
nt!MmGetSystemRoutineAddress:
805bd8a3 8bff            mov     edi,edi


Then patch it like your test, even when the hook address is inside ntoskrnl ;)

kd> ew 805bd8a3 f9e2
kd> eb 805bd89e eb
kd> eb 805bd89f 05


Hooked:
kd> u 805bd89e
nt!MmGetSystemRoutineAddress+0xa5:
805bd89e eb05            jmp     nt!MmGetSystemRoutineAddress+0x2 (805bd8a5)
805bd8a0 90              nop
805bd8a1 90              nop
805bd8a2 90              nop
nt!MmGetSystemRoutineAddress:
805bd8a3 e2f9            loop    nt!MmGetSystemRoutineAddress+0xa5 (805bd89e)
805bd8a5 55              push    ebp
805bd8a6 8bec            mov     ebp,esp
805bd8a8 83ec20          sub     esp,20h


And scan for deep hooks, choose "Show/Hide Low Risk Codes", and you can see the result, with the jmp target 805bd89e, which is inside ntoskrnl, i.e. the same module as the scanned module.



Anyway, I think there are still many ways to bypass my scan engine, but I'll try to harden it as much as possible.

Regards,
t4L
2008-12-13 12:15
#52
@thuggie :

I haven't read your description deeply. Let me try another way.
2008-12-13 12:41
#53
It is so interesting that Chineses and foreigners are discussing rootkit tech together.
2008-12-13 15:44
#54
"Chinese" has no plural form.
2008-12-14 10:10
#55
Hi, can CodeWalker only detect inline hooks existing in the NTOSKRNL module? How about other kernel modules?
2008-12-14 10:40
#56
The foreigner could understand that sentence of yours; he told you it "is translated to English".
Too cool.
2008-12-14 10:41
#57
BTW, CodeWalker is always killed by the 'Avira Antivir Premium' software.

In order to test CodeWalker, I have to add cmcark_gui.exe and cmcantirootkit.sys to the Exception List of 'Avira Antivir Premium'.

Does AntiRootkit software use rootkit techniques?
2008-12-14 10:56
#58
CodeWalker's inline hook detection function is too weak. It cannot detect the following inline hook type.

NTOSKRNL.NtCreateFile(...)
{
    PUSH IMM32   ; address of the rootkit function
    RET          ; "returns" into it, so there is no jmp opcode at the entry
    ....
}

It is strange that Rootkit Unhooker CANNOT detect the hook either, but Wsyscheck CAN detect it correctly.

It seems that Wsyscheck is the coolest :)
2008-12-14 11:27
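The same-module jmp/loop chain that t4L patched in with WinDbg in post #51 and the push imm32 / ret hook described in post #58 are both plain control transfers sitting at a function's first bytes; what separates "low risk" from a real hook is only where the transfer lands relative to the scanned module. The following is an added example written by the editor, not CodeWalker's code and not anything posted in this thread: a small 32-bit x86 entry-point walker that decodes the common transfer forms (jmp rel32, jmp rel8, loop rel8, push/ret, jmp [abs]), follows the chain, and rates it by whether every target stays inside the module. The sample bytes are constructed from the WinDbg listing above; the ntoskrnl address range and the 0xF8001000 rootkit address are placeholders, not values from the page.

```c
/* Added example (editor's illustration, not CodeWalker's code): a minimal
 * 32-bit x86 entry-point walker. It follows the control transfers found at a
 * function's first bytes and classifies each by whether the target stays
 * inside the scanned module ("low risk", the case CodeWalker hides behind
 * "Show/Hide Low Risk Codes") or leaves it. Sample bytes are constructed from
 * the WinDbg listing in post #51; the ntoskrnl address range is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t base; const uint8_t *code; size_t len; } region_t;
typedef struct { uint32_t start, end; } module_t;        /* [start, end) */

enum hop_kind { HOP_JMP_REL32 = 1, HOP_JMP_REL8, HOP_LOOP_REL8, HOP_PUSH_RET, HOP_JMP_IND };
typedef struct { enum hop_kind kind; uint32_t from, to; int in_module; } hop_t;

#define PAD_VA   0x805bd89eu   /* 5 bytes of padding before the function */
#define ENTRY_VA 0x805bd8a3u   /* nt!MmGetSystemRoutineAddress */
static const module_t ntoskrnl = { 0x804d7000u, 0x806e2000u };   /* assumed range */

static const uint8_t *at(const region_t *r, uint32_t va, size_t need) {
    if (va < r->base || va - r->base + need > r->len) return NULL;
    return r->code + (va - r->base);
}
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one unconditional control transfer at va; returns 1 if present. */
static int decode_hop(const region_t *r, uint32_t va, hop_t *h) {
    const uint8_t *p;
    memset(h, 0, sizeof *h);
    h->from = va;
    if ((p = at(r, va, 5)) && p[0] == 0xE9)                 /* jmp rel32 */
        { h->kind = HOP_JMP_REL32; h->to = va + 5 + rd32(p + 1); return 1; }
    if ((p = at(r, va, 2)) && p[0] == 0xEB)                 /* jmp rel8 */
        { h->kind = HOP_JMP_REL8;  h->to = va + 2 + (int8_t)p[1]; return 1; }
    if ((p = at(r, va, 2)) && p[0] == 0xE2)                 /* loop rel8 (taken while ecx != 0) */
        { h->kind = HOP_LOOP_REL8; h->to = va + 2 + (int8_t)p[1]; return 1; }
    if ((p = at(r, va, 6)) && p[0] == 0x68 && p[5] == 0xC3) /* push imm32; ret */
        { h->kind = HOP_PUSH_RET;  h->to = rd32(p + 1); return 1; }
    if ((p = at(r, va, 6)) && p[0] == 0xFF && p[1] == 0x25) /* jmp dword ptr [abs]: slot address, not resolved */
        { h->kind = HOP_JMP_IND;   h->to = rd32(p + 2); return 1; }
    return 0;
}

/* Follow transfers from entry, at most max_hops, stopping once the chain leaves the module. */
static int walk_entry(const region_t *r, const module_t *m, uint32_t entry, hop_t *out, int max_hops) {
    int n = 0;
    uint32_t va = entry;
    while (n < max_hops && decode_hop(r, va, &out[n])) {
        out[n].in_module = out[n].to >= m->start && out[n].to < m->end;
        va = out[n].to;
        if (!out[n++].in_module) break;
    }
    return n;
}

/* 0 = no transfer at entry, 1 = low risk (stays in module), 2 = high risk (leaves it). */
static int chain_risk(const hop_t *hops, int n) {
    int risk = n ? 1 : 0;
    for (int i = 0; i < n; i++) if (!hops[i].in_module) risk = 2;
    return risk;
}

/* Scan a sample laid out as: 5 padding bytes at PAD_VA, then the function at ENTRY_VA. */
static int scan_sample(const uint8_t *code, size_t len, hop_t *hops, int max_hops) {
    region_t r = { PAD_VA, code, len };
    return walk_entry(&r, &ntoskrnl, ENTRY_VA, hops, max_hops);
}
static int sample_risk(const uint8_t *code, size_t len) {
    hop_t hops[8];
    int n = scan_sample(code, len, hops, 8);
    return chain_risk(hops, n);
}
static uint32_t hop_target(const uint8_t *code, size_t len, int idx) {
    hop_t hops[8];
    int n = scan_sample(code, len, hops, 8);
    return idx < n ? hops[idx].to : 0;
}

/* Constructed samples: padding (5 bytes) + mov edi,edi / push ebp / mov ebp,esp / sub esp,20h */
static const uint8_t clean[]    = { 0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x20 };
/* post #51's patch: entry = loop -7 into the padding, padding = jmp +5 back over it */
static const uint8_t same_mod[] = { 0xEB,0x05,0x90,0x90,0x90, 0xE2,0xF9, 0x55, 0x8B,0xEC, 0x83,0xEC,0x20 };
/* post #58's hook: push <rootkit addr>; ret  (0xF8001000 is a placeholder outside ntoskrnl) */
static const uint8_t push_ret[] = { 0x90,0x90,0x90,0x90,0x90, 0x68,0x00,0x10,0x00,0xF8, 0xC3, 0xEC,0x20 };

int main(void) {
    const uint8_t *samples[] = { clean, same_mod, push_ret };
    const char *names[] = { "clean", "same-module chain", "push/ret" };
    for (int s = 0; s < 3; s++) {
        hop_t hops[8];
        int n = scan_sample(samples[s], 13, hops, 8);
        printf("%-18s risk=%d\n", names[s], chain_risk(hops, n));
        for (int i = 0; i < n; i++)
            printf("  %08x -> %08x (%s)\n", hops[i].from, hops[i].to, hops[i].in_module ? "in module" : "OUTSIDE");
    }
    return 0;
}
```

The walker deliberately reports the same-module chain as risk 1 rather than dropping it: a jmp into the hotpatch padding of the same image is exactly what a legitimate hotpatch looks like, which is why a scanner files it under "low risk", and also why a rootkit can hide its first hop there and rely on the filter. A real engine would continue past the padding into whatever the chain reaches and would resolve the slot of a jmp [abs] before rating it.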
#59
No, the hook is detected, but you have to choose "Show/Hide Low Risk Codes" to see the hook.
You made the same mistake as me before, haha~~
2008-12-14 11:37
#60
@亚洲之鹰:

Hi, it's Avira's false positive detection; I guarantee that it's safe for you to run this program ;)

Hi, can CodeWalker only detect inline hooks existing in the NTOSKRNL module? How about other kernel modules?


No, CodeWalker detects hooks in all modules, as you can see in the deep scan box.

And for the push/ret hook, like weolar mentioned, you have to use "Show/Hide Low Risk Codes" to see the hook.
2008-12-14 12:24
#61
I tested lots of tricks to bypass it and never succeeded.
Perfectly well done.
But in any case I cannot give it up.
2008-12-14 13:40
#62
;) I tried hard to cover as many hooks as I can. For the hooks sudami mentioned, I think that he didn't use "Show/Hide Low Risk Codes" either.

Have a good day everybody.

Thank you :P
2008-12-14 14:06
#63
Well done. I'm going to make an ARK too. More or less, just so-so.
2008-12-14 15:02
#64
ARK is just an endless thing.
2008-12-14 15:19
#65
In my system, I just use a simple restore driver (it only restores ntoskrnl.exe) and XXX ntoskrnl.exe to cmd.exe.
Then all the hook checks are wrong,

and my code hook is not shown at all.

(The same in Chinese, translated: In my system I use a restore driver that only restores ntoskrnl.exe, then swap ntoskrnl.exe for cmd.exe. After that, all hook checks show wrong results, and my hook is not shown at all.)
2008-12-14 15:25
#66
Uhm, it's weird. In my design, I also put a condition for a mismatch between the loaded image and the on-disk image. You can test with a rootkit, MD5: bb69b94d3698f6530e1bd71b675e28ce (a variant of Rustock.NDV, picture shown below).

The test for the mismatched image: the rootkit stops the beep.sys service, replaces the original \systemroot\system32\drivers\beep.sys with a fake Beep.sys driver and restarts the Beep service. After finishing all its tasks, it restores the original Beep.sys and deletes the fake one.

The test result:

[screenshot]

In the box, you can see that I also check for this case.

cvcvxk, could you please describe step-by-step how you tested? If it didn't detect the mismatch between images then I might have a bug somewhere. I need to reproduce the bug and fix it ;) Thanks in advance.
2008-12-14 18:28
#67
cvcvxk just redirects ntoskrnl.exe to cmd.exe when you open it, so hooks in ntoskrnl.exe will not be found.
2008-12-14 18:51
#68
Ah, thanks achillis, but I've understood it already. If he redirects ntoskrnl.exe to cmd.exe, it must be a "Mismatch image" too. Is there anything special here?
2008-12-14 18:56
#69
I just gave an example, like redirecting ntoskrnl.exe to cmd.exe.
In fact, I just dump the memory of the ntoskrnl.exe (which I hooked) to xxx.exe
and redirect ntoskrnl.exe to xxx.exe.

Then the image in memory and the one on disk are the same.
2008-12-14 19:56
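Posts #65 to #69 describe a bypass of the "mismatched image" check that t4L mentions in post #66: the scanner rebuilds what the module should look like from its file on disk and diffs that against memory, and cvcvxk feeds the scanner a dump of the already-hooked memory whenever it opens ntoskrnl.exe. The following is an added example written by the editor, not CodeWalker's code and not anything posted in this thread, showing the core of such a check (a relocation-aware comparison of a .text section) and the three cases: a relocated but clean image, an inline-hooked image, and the redirected-file bypass. PE header parsing is left out; the section bytes, the two relocation slots, the image base, the load addresses and the 0xF8001000 rootkit address are all constructed placeholders.

```c
/* Added example (editor's illustration, not CodeWalker's code): how an ARK's
 * "mismatched image" check compares a loaded module's .text against the bytes
 * it reads back from the file, and why the redirect-the-file-read trick in
 * posts #65-#69 defeats it. PE parsing is omitted: the section bytes, the
 * relocation slots and the image base are constructed inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEXT_LEN 16

typedef struct {
    uint8_t  disk[TEXT_LEN];   /* .text as stored in the file (unrelocated) */
    uint32_t reloc_off[4];     /* offsets of 32-bit absolute address slots (IMAGE_REL_BASED_HIGHLOW) */
    int      nreloc;
    uint32_t preferred_base;   /* ImageBase from the optional header */
} file_image_t;

typedef struct { uint32_t off; uint8_t expected, actual; } mismatch_t;

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* What .text must look like once loaded at load_base: the loader adds the
 * base delta to every relocation slot and touches nothing else. */
static void relocate_text(const file_image_t *f, uint32_t load_base, uint8_t *out) {
    uint32_t delta = load_base - f->preferred_base;
    memcpy(out, f->disk, TEXT_LEN);
    for (int i = 0; i < f->nreloc; i++)
        wr32(out + f->reloc_off[i], rd32(out + f->reloc_off[i]) + delta);
}

/* The check: rebuild the expected image from the file bytes and diff it
 * against memory. Returns the number of differing bytes; records up to max. */
static int compare_text(const file_image_t *f, uint32_t load_base, const uint8_t *mem,
                        mismatch_t *out, int max) {
    uint8_t expect[TEXT_LEN];
    int n = 0;
    relocate_text(f, load_base, expect);
    for (uint32_t i = 0; i < TEXT_LEN; i++) {
        if (expect[i] == mem[i]) continue;
        if (n < max) { out[n].off = i; out[n].expected = expect[i]; out[n].actual = mem[i]; }
        n++;
    }
    return n;
}

/* Constructed module: mov edi,edi / push ebp / mov ebp,esp / mov eax,[804d7000h] / call [804d7010h],
 * with the two absolute operands (offsets 6 and 12) needing relocation. */
static const file_image_t genuine = {
    { 0x8B,0xFF, 0x55, 0x8B,0xEC, 0xA1,0x00,0x70,0x4D,0x80, 0xFF,0x15,0x10,0x70,0x4D,0x80 },
    { 6, 12 }, 2, 0x804d7000u };

/* 5-byte jmp at the entry to a placeholder rootkit address outside the module. */
static void hook_entry(uint8_t *mem, uint32_t load_base) {
    uint32_t target = 0xF8001000u;
    mem[0] = 0xE9;
    wr32(mem + 1, target - (load_base + 5));
}

/* Case 1: image relocated to a new base, untouched -> must report 0. */
static int demo_clean(void) {
    uint8_t mem[TEXT_LEN]; mismatch_t mm[TEXT_LEN];
    relocate_text(&genuine, 0x80a00000u, mem);
    return compare_text(&genuine, 0x80a00000u, mem, mm, TEXT_LEN);
}
/* Case 2: same image with an inline hook -> the 5 overwritten bytes show up. */
static int demo_hooked(void) {
    uint8_t mem[TEXT_LEN]; mismatch_t mm[TEXT_LEN];
    relocate_text(&genuine, 0x80a00000u, mem);
    hook_entry(mem, 0x80a00000u);
    return compare_text(&genuine, 0x80a00000u, mem, mm, TEXT_LEN);
}
/* Case 3: the bypass from post #69. The kernel sits at its preferred base
 * (delta 0, the normal case for ntoskrnl on XP), the attacker dumps the hooked
 * memory to xxx.exe, and a filter driver hands the scanner that file whenever
 * it opens ntoskrnl.exe. "Disk" now equals memory, hook included -> 0. */
static int demo_redirected(void) {
    uint8_t mem[TEXT_LEN]; mismatch_t mm[TEXT_LEN];
    file_image_t served = genuine;                 /* what the scanner's read returns */
    relocate_text(&genuine, genuine.preferred_base, mem);
    hook_entry(mem, genuine.preferred_base);
    memcpy(served.disk, mem, TEXT_LEN);            /* the dump replaces the real file bytes */
    return compare_text(&served, genuine.preferred_base, mem, mm, TEXT_LEN);
}

int main(void) {
    uint8_t mem[TEXT_LEN]; mismatch_t mm[TEXT_LEN];
    relocate_text(&genuine, 0x80a00000u, mem);
    hook_entry(mem, 0x80a00000u);
    int n = compare_text(&genuine, 0x80a00000u, mem, mm, TEXT_LEN);
    printf("mismatches: clean=%d hooked=%d redirected=%d\n", demo_clean(), demo_hooked(), demo_redirected());
    for (int i = 0; i < n; i++)
        printf("  +%02x: expected %02x, found %02x\n", mm[i].off, mm[i].expected, mm[i].actual);
    return 0;
}
```

The point of case 3 is that the comparison itself is sound; what fails is its reference. The check is only as trustworthy as the path by which the scanner obtains the file bytes, and a normal file open goes through every filter driver on the stack, including the attacker's. If the image were loaded away from its preferred base the attacker would additionally have to un-relocate the dump before serving it, which is a small extra step rather than an obstacle.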
#70
Old v, no need to argue so seriously with the foreigner..
Every tool has weak points..

The strongest one is the one you never release.

BTW: your English is so good, I can't understand any of it.
2008-12-14 20:00
#71
evil ideas…
2008-12-14 20:48
#72
Yeah, might as well wash up, go home and sleep~
2008-12-14 21:02
#73
Strongly agree. Build it for your own use, how nice~~~
2008-12-15 08:38
#74
Still, he did some good work for others, and also proposed solutions.
2008-12-15 08:58
#75
It's from Vietnam; not bad. At least it didn't blue-screen my Server 2008.
2008-12-15 10:27