ApiMapSet Hooking (short guide)

ApiMapSet is already explained at these links: http://xchg.info/wiki/index.php?title=ApiMapSet and http://www.vxsecurity.sg/2012/02/14/apimapset-deroko-of-arteam/, but there I didn’t mention that it can also be used to hook certain APIs. In this example I’ve picked the easiest of them (only 4 exports) and used it to hook another process with this novel technique. The DLL I’ll fake is called “API-MS-Win-Core-Debug-L1-1-0.dll”, which exports:

What we need in order to hook is a DLL that exports these APIs, placed under “c:\windows\system32\”. In my case I’ll call it “fakedll.dll”.

The procedure is very simple:

1. copy fakedll.dll to the system32 folder
2. find the “ApiMapSet” entry which describes where “API-MS-Win-Core-Debug-L1-1-0.dll” points (in my case it’s “kernelbase.dll”)
3. find an unused part of the “ApiMapSet” section. I search on a 16-byte boundary for 16 zero bytes, which can safely be assumed to be unused space
4. put the name of your fakedll.dll there, and update the “PREAL_ENTRY” so that “NameOffset” and “Length” match the name of this new DLL
5. create a new process with the “CREATE_SUSPENDED” flag, and overwrite the mapped “ApiMapSet” with the one you have modified
6. resume the process, and if everything went fine you should see something like this in “DbgView”:

Let’s trace it:

Isn’t this kewl?

Now imagine that somebody places such a DLL in the system32 folder and modifies “apisetschema.dll”: isn’t this a good way of hooking the whole system with DLL injection? Who says that your DLL has to hook APIs? Think about it, but I suppose that MS will change this quite often, so it just becomes a nice POC, or a good reversing tool for DLL hijacking.
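To spot exactly this kind of tampering from the defender’s side, here is an added example (not from the original post or its source archive) that parses a Windows 7 style (version 2) ApiSetMap image and compares each contract’s host DLL against a known-good baseline taken from a clean apisetschema.dll. The structure layout, the stripped “API-”/“.dll” name forms and the helper names are my assumptions from public reversing notes, and the map is constructed in memory rather than read out of a process.

```python
import struct

# Windows 7 (version 2) ApiSetMap layout, assumed from public reversing notes,
# not taken from the original post. All offsets are from the map base.
NS_HDR = struct.Struct("<II")       # API_SET_NAMESPACE_ARRAY: Version, Count
NS_ENTRY = struct.Struct("<III")    # NameOffset, NameLength, DataOffset
VAL_HDR = struct.Struct("<I")       # API_SET_VALUE_ARRAY: Count
VAL_ENTRY = struct.Struct("<IIII")  # NameOffset, NameLength, ValueOffset, ValueLength

def parse_apiset_v2(blob):
    """Return {contract: [host_dll, ...]} from a v2 ApiSetMap image."""
    version, count = NS_HDR.unpack_from(blob, 0)
    if version != 2:
        raise ValueError("unsupported ApiSetMap version %d" % version)
    mapping = {}
    for i in range(count):
        name_off, name_len, data_off = NS_ENTRY.unpack_from(blob, NS_HDR.size + i * NS_ENTRY.size)
        contract = blob[name_off:name_off + name_len].decode("utf-16-le")
        (vcount,) = VAL_HDR.unpack_from(blob, data_off)
        hosts = []
        for j in range(vcount):
            _, _, val_off, val_len = VAL_ENTRY.unpack_from(blob, data_off + VAL_HDR.size + j * VAL_ENTRY.size)
            hosts.append(blob[val_off:val_off + val_len].decode("utf-16-le"))
        mapping[contract] = hosts
    return mapping

def find_tampered(mapping, baseline):
    """Contracts whose hosts differ from a known-good baseline taken from a clean
    apisetschema.dll; a redirected host is exactly what the fakedll.dll trick produces."""
    return {c: h for c, h in mapping.items() if c in baseline and h != baseline[c]}

def build_v2(entries):
    """Serialise {contract: [hosts]} in the same v2 layout; used to construct sample data."""
    table, values, pool = NS_HDR.pack(2, len(entries)), b"", b""
    val_base = NS_HDR.size + len(entries) * NS_ENTRY.size
    pool_base = val_base + sum(VAL_HDR.size + len(h) * VAL_ENTRY.size for h in entries.values())
    for contract, hosts in entries.items():
        name = contract.encode("utf-16-le")
        table += NS_ENTRY.pack(pool_base + len(pool), len(name), val_base + len(values))
        pool += name
        values += VAL_HDR.pack(len(hosts))
        for host in hosts:
            hname = host.encode("utf-16-le")
            values += VAL_ENTRY.pack(0, 0, pool_base + len(pool), len(hname))
            pool += hname
    return table + values + pool

# Constructed sample (names stored without the "API-" prefix / ".dll" suffix, an assumption).
BASELINE = {"MS-Win-Core-Debug-L1-1-0": ["kernelbase.dll"]}
TAMPERED = build_v2({"MS-Win-Core-Debug-L1-1-0": ["fakedll.dll"]})
```

Running `find_tampered(parse_apiset_v2(TAMPERED), BASELINE)` reports the debug contract redirected to fakedll.dll, while the same check against a map built from the baseline returns nothing.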

I have to note that this technique should work on Windows 7 and Windows 8, as both should be using “ApiMapSet”. The sample source code has been tested only on Windows 7 SP1 with the latest updates as of 02-11-2011. It might happen that the code will not work on other Windows 7 installs if the above-mentioned api-ms DLL has changed. I haven’t checked.

deroko of ARTeam

“Source code”: http://deroko.phearless.org/apimapsethook.zip