Didier Stevens

Thursday 19 November 2009

Update: bpmtk with hook-createprocess.dll

Filed under: bpmtk,Hacking,My Software,PDF,Update — Didier Stevens @ 19:32

There are no real changes in this new version of bpmtk; only a new DLL (hook-createprocess.dll) was added. You can use this DLL to protect your Windows machine from getting infected by the current malicious documents found in-the-wild.

You can download bpmtk version here.

Hook-createprocess.dll is a DLL that patches the process into which it is loaded to prevent it from creating new processes. It does this by patching the Import Address Table of kernel32.dll for ntdll.dll to hook API functions NtCreateProcessEx, NtCreateProcess and NtCreateUserProcess.
Calls to these functions are intercepted and not passed on to the original functions. Instead, a code is returned indicating that the operation was blocked. The result is that functions in kernel32 used to create new processes (like WinExec) fail, and hence the patched process can’t create new processes.
This is all it takes to block most shellcode found in malicious documents like PDF malware. Shellcode like this does the following:

Of course, since this protective measure is taken by patching the process, shellcode could undo this patching and bypass our protection. Or it could use the ntdll API and not be hindered by our patch. But actual malware found in-the-wild doesn’t do this (not talking about targeted attacks) and is thus prevented from executing the trojan it just downloaded or extracted from the PDF document.

If you want better protection, you’ll have to use something that works at the level of the kernel, like sandboxing software.

However, this patch comes with some drawbacks, because it also blocks benign new processes. For example, the update function of Adobe Acrobat requires the creation of a new process. To re-enable the creation of processes, you have to unload hook-createprocess.dll (unloading removes the hooks). bpmtk has a function to unload DLLs from a process (reject).

There are a couple of tricks to load this DLL with the program you want to protect. I’ll describe a generic method in an upcoming post, but now I want to explain it for a specific program.
Programs have a list of DLLs they need for their execution. We will use a PE-file editor to add our hook-createprocess.dll to this list. hook-createprocess.dll exports a dummy function (_Dummy) just so you can add it to the imports table of an executable. We will use LordPE to add hook-createprocess.dll with _Dummy to Adobe Reader:

Right-click the Import table:

And don’t forget to save…
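To check that the import-table edit was actually saved, the import directory of the patched executable can be read back. The Python code below is an added example, not part of bpmtk or the original post; `imports_of` and `build_sample_pe` are hypothetical names, and the sample PE is constructed in code (headers and one import section only) so the check runs without a real Adobe Reader binary.

```python
import struct

def imports_of(pe: bytes) -> dict:
    """Map each imported DLL (lower-cased) to the functions it imports by name."""
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, optsize = struct.unpack_from("<H12xH", pe, lfanew + 6)
    opt, plus = lfanew + 24, struct.unpack_from("<H", pe, lfanew + 24)[0] == 0x20B  # PE32+?
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if plus else 96) + 8)[0]
    sects = [struct.unpack_from("<4I", pe, opt + optsize + 40 * i + 8) for i in range(nsect)]
    def off(rva):  # RVA -> file offset via the section table
        for vsize, vaddr, rawsize, rawptr in sects:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(rva):  # NUL-terminated ASCII string at an RVA
        o = off(rva)
        return pe[o:pe.index(b"\0", o)].decode("ascii", "replace")
    result, d = {}, off(imp_rva) if imp_rva else None
    while d is not None:  # one 20-byte descriptor per imported DLL
        oft, _, _, name, ft = struct.unpack_from("<5I", pe, d)
        if not name:  # all-zero descriptor ends the array
            break
        t, size = off(oft or ft), 8 if plus else 4
        funcs = result.setdefault(cstr(name).lower(), [])
        while (v := int.from_bytes(pe[t:t + size], "little")):
            if not v >> (size * 8 - 1):  # top bit clear: by name, skip 2-byte hint
                funcs.append(cstr((v & 0x7FFFFFFF) + 2))
            t += size
        d += 20
    return result

def build_sample_pe(imports: dict) -> bytes:  # constructed sample input: minimal PE32
    base, desc, blob, start = 0x1000, b"", b"", 20 * (len(imports) + 1)
    for dll, funcs in imports.items():
        rvas = []
        for f in funcs:  # hint/name entries
            rvas.append(base + start + len(blob))
            blob += b"\0\0" + f.encode() + b"\0"
        name_rva = base + start + len(blob)
        blob += dll.encode() + b"\0"
        desc += struct.pack("<5I", (t := base + start + len(blob)), 0, 0, name_rva, t)
        blob += struct.pack(f"<{len(rvas) + 1}I", *rvas, 0)
    sect, hdr = desc + bytes(20) + blob, bytearray(0x200)
    struct.pack_into("<2s58xI4sHH12xHHH", hdr, 0, b"MZ", 0x40, b"PE\0\0", 0x14C, 1, 0xE0, 0x102, 0x10B)
    struct.pack_into("<II", hdr, 0x58 + 104, base, len(desc) + 20)  # import data directory
    struct.pack_into("<8s4I", hdr, 0x138, b".idata", len(sect), base, len(sect), 0x200)
    return bytes(hdr) + sect
```

On a real file, pass the bytes of the saved executable to `imports_of` and confirm that `hook-createprocess.dll` is present and maps to `['_Dummy']`; if the key is missing, the edit was not written to disk.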


  1. […] the file already, but now it is available to everyone via the "basic process manipulation toolkit". A drawback of the file is that Adobe Reader and Acrobat can no longer update themselves. […]

    Pingback by Plaats hier software gerelateerd nieuws! - Page 14 — Monday 23 November 2009 @ 17:41

  2. […] you can’t use this key to load hook-createprocess.dll, because it will load it in every process, and your Windows machine will stop […]

    Pingback by LoadDLLViaAppInit « Didier Stevens — Wednesday 23 December 2009 @ 12:20

  3. […] You can load LowerMyRights inside all processes by adding it to the AppInit_DLL registry key, but be careful, this might cripple your system as it is loaded inside every process (even at boot time), so please test first. Or else you use LoadDLLViaAppInit, or add it to the import table like explained here. […]

    Pingback by LowerMyRights « Didier Stevens — Monday 11 October 2010 @ 8:41

  4. I know, quite old post, but I have a little question.

    Adding hook-createprocess.dll to the import table loads the dll in the virtual address space of the corresponding executable, but how does the main module execute the function in the dll to patch functions of KERNEL32.dll?

    Comment by s0meb0dy — Monday 11 October 2010 @ 22:03

  5. @s0meb0dy Entrypoint DllMain is called when the DLL is loaded, and DllMain calls the function to patch the IAT.

    Comment by Didier Stevens — Tuesday 12 October 2010 @ 6:17

  6. Thank you!

    You always have very interesting posts

    Comment by s0meb0dy — Thursday 14 October 2010 @ 16:13

  7. […] load this DLL inside a process, you can add it to the import table of the target process (EnforcePermanentDEP.dll exports function Dummy), use LoadDLLViaAppInit or use your own preferred […]

    Pingback by EnforcePermanentDEP « Didier Stevens — Monday 8 November 2010 @ 0:46
