Advertisement
waliedassar

Detect Wow64 User-Mode Hooks

Sep 8th, 2012
885
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 1.47 KB | None | 0 0
  1. //http://waleedassar.blogspot.com - (@waleedassar)
  2. //Code to detect Wow64 user-mode hooks.
  3. #include "stdafx.h"
  4. #include "windows.h"
  5.  
  6.  
  7. int main(int argc, char* argv[])
  8. {
  9.     unsigned short cs_=0;
  10.     unsigned char* WOW32Reserved=0;
  11.     unsigned long PEB64=0;
  12.     __asm
  13.     {
  14.         pushad
  15.         mov eax, dword ptr fs:[0xC0]
  16.         mov WOW32Reserved,eax
  17.         mov eax,dword ptr fs:[0x30]
  18.         add eax,0x1000
  19.         mov PEB64,eax
  20.         mov cs_,cs
  21.         popad
  22.     }
  23.     if(!WOW32Reserved) return 1;  //not 64-bit system
  24.     if(  (*WOW32Reserved==0xEA)&&( *(unsigned short*)(WOW32Reserved+5)!=cs_ )  )
  25.     {
  26.         unsigned long CpupReturnFromSimulatedCode=*(unsigned long*)(WOW32Reserved+1);
  27.         MEMORY_BASIC_INFORMATION MBI={0};
  28.         VirtualQuery((void*)CpupReturnFromSimulatedCode,&MBI,sizeof(MBI));
  29.         if(MBI.Type==MEM_IMAGE)
  30.         {
  31.             unsigned long ldrData=*(unsigned long*)(PEB64+0x18);
  32.             unsigned long pInLoadOrder=(ldrData+0x10);
  33.             unsigned long runner=*(unsigned long*)pInLoadOrder;
  34.             while(runner!=pInLoadOrder)
  35.             {
  36.                 unsigned long IB=*(unsigned long*)(runner+0x30);
  37.                 unsigned long szImage=*(unsigned long*)(runner+0x40);
  38.                 wchar_t* BaseName=*(wchar_t**)(runner+0x60);
  39.                 if(lstrcmpiW(BaseName,L"wow64cpu.dll")==0)
  40.                 {
  41.                     if( (CpupReturnFromSimulatedCode>=IB)&&(CpupReturnFromSimulatedCode<(IB+szImage)) ) return 1;  //the wow64 process is not hooked
  42.                     else break;
  43.                 }
  44.                 runner=*(unsigned long*)runner;
  45.             }
  46.         }
  47.     }
  48.     MessageBox(0,"Hooked Wow64 process","waliedassar",0);
  49.     return 0;  //hooked
  50. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement