So, as per usual in Mimic's "offence" on Warden, they achieved quite the spectacle. The resulting hilarity was the hooking of VirtualQueryEx. Sure, nothing wrong with that, right? Wrong. They're also hooking VirtualQuery for good measure; let's take a look at VirtualQuery...
76126201 > 8BFF mov edi,edi
76126203 55 push ebp
76126204 8BEC mov ebp,esp
76126206 FF75 10 push dword ptr ss:[ebp+10]
76126209 FF75 0C push dword ptr ss:[ebp+C]
7612620C FF75 08 push dword ptr ss:[ebp+8]
7612620F 6A FF push -1
76126211 E8 BAFFFFFF call kernel32.VirtualQueryEx
76126216 5D pop ebp
76126217 C2 0C00 retn 0C
So in summary, they're hooking redundant APIs, including window-finding APIs (which, might I add, is pointless).
Attached are Hookshark images showing how easily detectable Mimic is. (Yes, you can see my WardenLogger; woopty doo!)
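The listing above shows why the second hook is redundant: VirtualQuery just pushes -1 (the current-process pseudo-handle) and calls VirtualQueryEx, so anything placed on VirtualQueryEx already sees both. What makes such hooks "easily detectable" is that the stub's first bytes no longer match the `mov edi,edi / push ebp / mov ebp,esp` prologue. The following is an added example, not code from the thread or from Mimic, that classifies a stub's leading bytes the way a hook scanner would; it works on a byte buffer so it runs offline, and the detour target 0x10001000 is a constructed value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prologue every stub in the listing starts with: mov edi,edi / push ebp / mov ebp,esp */
static const uint8_t CLEAN_PROLOGUE[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

typedef enum { HOOK_NONE, HOOK_JMP_REL32, HOOK_HOTPATCH_SHORT_JMP, HOOK_UNKNOWN_PROLOGUE } hook_kind;

/* Classify the first bytes of a 32-bit API stub loaded at func_va.
   A real checker would read the buffer from the live module; here it is constructed.
   For an E9 detour, *target receives the absolute destination of the jump. */
hook_kind classify_prologue(const uint8_t *code, size_t len, uint32_t func_va, uint32_t *target)
{
    if (len < sizeof CLEAN_PROLOGUE)
        return HOOK_UNKNOWN_PROLOGUE;
    if (code[0] == 0xE9) {                          /* E9 rel32: classic inline detour */
        uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        if (target)
            *target = func_va + 5 + rel;            /* rel is relative to the next instruction */
        return HOOK_JMP_REL32;
    }
    if (code[0] == 0xEB && code[1] == 0xF9)         /* EB F9: jmp short back into the 5-byte hotpatch pad */
        return HOOK_HOTPATCH_SHORT_JMP;
    if (memcmp(code, CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE) == 0)
        return HOOK_NONE;
    return HOOK_UNKNOWN_PROLOGUE;
}

/* Constructed sample: overwrite a stub's first 5 bytes with an E9 jump to `target`. */
void make_detoured_sample(uint8_t *buf, uint32_t func_va, uint32_t target)
{
    uint32_t rel = target - (func_va + 5);
    buf[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        buf[1 + i] = (uint8_t)(rel >> (8 * i));     /* little-endian displacement */
}

int main(void)
{
    /* Bytes of kernel32.VirtualQuery exactly as in the listing above (VA 0x76126201). */
    const uint8_t clean[] = { 0x8B,0xFF,0x55,0x8B,0xEC,0xFF,0x75,0x10,0xFF,0x75,0x0C };
    uint8_t hooked[sizeof clean];
    uint32_t target = 0;
    memcpy(hooked, clean, sizeof clean);
    make_detoured_sample(hooked, 0x76126201u, 0x10001000u);   /* made-up detour target */
    printf("clean : kind %d\n", classify_prologue(clean, sizeof clean, 0x76126201u, NULL));
    printf("hooked: kind %d -> %08X\n", classify_prologue(hooked, sizeof hooked, 0x76126201u, &target), target);
    return 0;
}
```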
Here is my handle and here is my spout.
When I get all steamed up, hear me shout.
Tip me over and maybe we should have just hooked the syscall to NtUserBuildHwndList instead of all that other shit, too.
You have the advantage of agility. It must be used to its full extent.
Besides, in usermode, manual syscall > any api hooks you have. :P
I'm not calling for mad crazy shit all the time at any cost, but I think the "right" spot for me, at least, is measured risk over safety.
http://www.cypherjb.com/blog/2009/05/21/presenting-wardenmimic/#comments
sku