This repo contains examples of two tools that use KiUserExceptionDispatcher & Wow64PrepareForException for hooking and threadless process injection. You can read more about this here.
This example uses KiUserExceptionDispatcher & Wow64PrepareForException together with hardware breakpoints to step over inline hooks in ntdll.dll. Please note that the EDR's hook offset from the NT function stub entry is hardcoded, and so are the SSNs of the NT functions.
This example uses KiUserExceptionDispatcher & Wow64PrepareForException for threadless process injection. It creates a suspended process, injects a payload and a shellcode stub, and finally resumes the suspended process. To raise an exception in the remote process, it can either set a hardware breakpoint on the remote thread or set PAGE_GUARD on the remote process's entry point.
To use it, simply:
```
.\KiUserExceptionDispatcherInjection.exe < YOUR SHELLCODE > < hwbp | page_guard >
```
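Both examples above rely on hardware breakpoints (the hook-stepping tool always, the injection tool in `hwbp` mode), so the defender-side check is the thread's debug registers. The following is an added example, not code from this repo: it decodes DR7 according to the Intel SDM layout to list the breakpoints armed on a thread, and on Windows reads them from a live thread with `GetThreadContext`. The sample register values are constructed; `scan_thread` and `hwbp_t` are names chosen here.

```c
/* Added example, not part of this repo: decode DR7 to list the hardware
 * breakpoints armed on a thread. A defender checking for the hwbp variant above
 * looks for an execute breakpoint (R/W == 0) on the entry point or in ntdll.
 * DR7 layout per the Intel SDM; sample register values are constructed. */
#include <stdint.h>

typedef struct {
    int slot;         /* which of DR0..DR3 holds the address */
    uint64_t address; /* linear address being watched */
    int global;       /* G bit set (breakpoint survives task switches) */
    int rw;           /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len;          /* 1, 2, 4 or 8 bytes (must be 1 for execute) */
} hwbp_t;

/* Fills out[] with every enabled breakpoint and returns the count. */
int decode_dr7(uint64_t dr7, const uint64_t dr0_3[4], hwbp_t out[4])
{
    static const int len_tab[4] = {1, 2, 8, 4}; /* LEN encodings 00,01,10,11 */
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (i * 2)) & 1;      /* L0..L3: bits 0,2,4,6 */
        int global = (dr7 >> (i * 2 + 1)) & 1;  /* G0..G3: bits 1,3,5,7 */
        if (!local && !global) continue;
        out[n].slot    = i;
        out[n].address = dr0_3[i];
        out[n].global  = global;
        out[n].rw      = (dr7 >> (16 + i * 4)) & 3;          /* R/Wn */
        out[n].len     = len_tab[(dr7 >> (18 + i * 4)) & 3]; /* LENn */
        n++;
    }
    return n;
}

/* Constructed sample: DR0 execute bp (L0 set), DR2 4-byte write bp (G2 set). */
#define SAMPLE_DR7 0x0D000021ULL
static const uint64_t sample_dr[4] = {0x7ff812340000ULL, 0, 0x1f0000ULL, 0};

#ifdef _WIN32
#include <windows.h>
/* Read a live thread's debug registers and decode them (Windows only). */
int scan_thread(HANDLE hThread, hwbp_t out[4])
{
    CONTEXT ctx = {0};
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(hThread, &ctx)) return -1;
    uint64_t dr[4] = {ctx.Dr0, ctx.Dr1, ctx.Dr2, ctx.Dr3};
    return decode_dr7(ctx.Dr7, dr, out);
}
#endif
```

Walking every thread of a suspicious process with `scan_thread` and flagging any execute breakpoint whose address falls inside ntdll or on the image entry point is the detection this technique leaves exposed.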
The following are various resources that I used while writing the blog post and examples. This list is by no means exhaustive; I definitely missed someone or some project :(
- Intel Developer Manuals
- Skywing's kernel mode to user mode callbacks series
- Applied Reverse Engineering: Exceptions and Interrupts
- OSDev - Interrupt Descriptor Table
- Axel "0vercl0k" Souchet's blog - Having a look at the Windows' User/Kernel exceptions dispatcher
- modexp - WOW64 Callback Table
- Joshua Magri - You just got vectored
- mannyfreddy - Fun with Exception Handlers
- Outflank - Early Cascade Injection