This information is nothing new, but I think it's very interesting none-the-less. Given the prevalence of hooks (detours, hotpatches, IAT hooks) in todays scene, it is becoming more important to understand how to circumvent these rudimentary attempts at slowing us down.

Hooks have been spoken about ad nauseum here at zonehacks so I won't explain what they are or how to use them... this is all assumed knowledge (and if you're still uncertain, just browse over Specific's articles). Besides this article is not about hooks per se, but rather how to call function without executing the modified (hooked) line(s) of code.

And so, I present some usermood tricks for invoking/calling WriteProcessMemory when WPM is hooked;

kernel32.WriteProcessMemory Trampoline

USAGE:
 push lpNumberOfBytesWritten ;out
 push nSize ;in
 push lpBuffer ;in
 push lpBaseAddress ;in
 push hProcess ;in
 CALL @WriteProcessMemoryTrampoline

@WriteProcessMemoryTrampoline: mov eax, WriteProcessMemory ; IAT mov eax, [eax+2] ; .idata mov eax, [eax] ; kernel32.WriteProcessMemory add eax, 5 ; kernel32.WriteProcessMemory+5 mov edi, edi ; emulate first instruction push ebp ; emulate second instruction mov ebp, esp ; emulate third instruction jmp eax ; JMP to kernel32.WriteProcessMemory+5

ntdll.ZwWriteVirtualMemory Trampoline ( LoadLibrary/GetProcAddress)

USAGE:
 push lpNumberOfBytesWritten ;out
 push nSize ;in
 push lpBuffer ;in
 push lpBaseAddress ;in
 push hProcess ;in
 CALL @ZwWriteVirtualMemoryTrampoline

@ZwWriteVirtualMemoryTrampoline: jmp @F pszModule db "ntdll.dll", 0 pszFunc db "ZwWriteVirtualMemory", 0 @@: push offset pszModule call LoadLibrary push offset pszFunc push eax call GetProcAddress mov ebx, eax add ebx, 05h ; ntdll.ZwWriteVirtualMemory+5 mov eax, 115h ; emulate first instruction jmp ebx ; JMP to ntdll.ZwWriteVirtualMemory+5

ZwWriteProcessMemory via Syscall

USAGE:
 push lpNumberOfBytesWritten ;out
 push nSize ;in
 push lpBuffer ;in
 push lpBaseAddress ;in
 push hProcess ;in
 CALL @ZwWPMSysCall

@ZwWPMSysCall: push ebp mov ebp, esp push [ebp+18h] push [ebp+14h] push [ebp+10h] push [ebp+0ch] push [ebp+8h] mov eax, 115h mov edx, 7FFE0300h call dword ptr [edx] leave retn 18h

ZwWriteProcessMemory via KiFastSystemCall

USAGE:
 push lpNumberOfBytesWritten ;out
 push nSize ;in
 push lpBuffer ;in
 push lpBaseAddress ;in
 push hProcess ;in
 CALL @WPM_KiFastSystemCall

@WPM_KiFastSystemCall: push ebp mov ebp, esp jmp @F pszModule db "ntdll.dll", 0 pszFunction db "KiFastSystemCall", 0 @@: push offset pszModule call LoadLibrary push offset pszFunction push eax call GetProcAddress mov ebx, eax push [ebp+18h] push [ebp+14h] push [ebp+10h] push [ebp+0ch] push [ebp+8h] mov eax, 115h call ebx leave retn 14h

ZwWriteVirtualMemory via SYSENTER / Int 2E

USAGE:
 push lpNumberOfBytesWritten ;out
 push nSize ;in
 push lpBuffer ;in
 push lpBaseAddress ;in
 push hProcess ;in
 CALL @WPM_sysenter

@WPM_sysenter: push ebp mov ebp, esp push [ebp+18h] push [ebp+14h] push [ebp+10h] push [ebp+0ch] push [ebp+8h] call @stub leave retn 014h @stub: mov eax, 0115h mov edx, esp int 02Eh ret