Go Back   EXETOOLS FORUM > General > Source Code


Thread Tools Display Modes
Old 05-12-2016, 03:15
sh3dow sh3dow is offline
Join Date: Oct 2014
Posts: 81
Rept. Given: 91
Rept. Rcvd 76 Times in 21 Posts
Thanks Given: 165
Thanks Rcvd at 90 Times in 32 Posts
sh3dow Reputation: 76
Hades:Windows kernel driver lets reverse engineers monitor user and kernel mode code

Hades is a Windows kernel driver that lets reverse engineers monitor and affect the execution of both user and kernel mode code. It works through binary instrumentation, but it's much more lightweight that frameworks like Pin.

Debugging protected code can be hell.
Reverse engineers frequently need to analyze protected code, whether they're evaluating the latest protection system or trying to figure out what a new piece of malware does. We wrote Hades to make that job a little easier.
Hades is a tool for dynamic application analysis. It has function hooking capabilities similar to Microsoft Detours and WinAPIOverride (WAO), and it can also function as a debugger. We developed it to help us analyze some malware binaries that were able to detect Detours and WAO. Both of these tools work by injecting a DLL into a target binary; the DLL places hooks in specific sets of functions and logs information when those functions are called. The malware we were examining could detect that unauthorized DLLs were being loaded into the current process space. To avoid detection, we created an instrumentation tool based on instruction rerouting (to avoid most debugger detection techniques) that runs from the kernel rather than using DLL injection (which avoids DLL detection)

How if works
Hades is based on the concept of instruction rerouting. First, a target executable is identified for instrumentation. The Hades driver registers a callback function using PsSetLoadImageNotifyRoutine to detect when the target executable is loaded. When the target is loaded, but before it begins executing, Hades sets up a system call hook that will allow control to pass from the target to the Hades driver. First, a system call is hooked (any will do). Then a trampoline to a shared area of memory is created. Finally, an instruction rerouting hook (a JMP to the trampoline code) is installed in the process at a user-specified virtual address and target execution is resumed.
Once the instruction pointer hits our rerouting hook control is passed to the trampoline, which invokes an interrupt that will send execution to our hooked system call, where the Hades driver takes control. The driver will save the context (registers, stack, etc.) and display it, change any registers specified by the user, execute the original function bytes, and return control to the process at a point just after the rerouted instruction (virtual address + [JMP size]).
Transitioning from user space to kernel space is achieved by trampolining through the system call dispatcher, which has memory accessible to both kernel and user code. The trampoline is installed in the SharedUserData memory area, which Windows uses as an efficient way to provide processes with certain frequently requested information. Hades uses this area as a scratch space and to host its code for transitioning to the kernel from user space. The trampoline code is installed at offset 0x800 within the SharedUserData area (at address 0x7FFE000 from user space) to place it past Windows function pointers (which are the intended use of this area).
The trampoline is made up of two parts: a hook-specific set of instructions that save the processor state and identify the hooked function, and a generic handler that calls Hades hooked system call. Breaking up the trampoline in this way allows us to have multiple function rerouting routines installed in the targeted binary.

http://www.hexeffect.com/hades.html ---> website
https://github.com/jnraber/Hades -----> source code
Hades was presented at Black Hat 2011 and WCRE 2011
Reply With Quote
The Following 5 Users Say Thank You to sh3dow For This Useful Post:
alephz (05-13-2016), nimaarek (09-09-2017), TechLord (05-12-2016), tonyweb (05-14-2016)

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On

Similar Threads
Thread Thread Starter Forum Replies Last Post
How to pass the large data in kernel mode to user mode? benina General Discussion 3 03-06-2010 04:50
Modifying Kernel Mode Driver for Hyper Threading aldente General Discussion 8 08-13-2004 10:11
Kernel Mode Driver for NT SPeY General Discussion 12 04-22-2004 15:34

All times are GMT +8. The time now is 01:42.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX