What You Will Learn!
- What is API Hooking
- Different types of hooking
- inline hooking
- iat hooking
- dll unhooking
Description
We often hear the words in movies “he has hooks on you”. this means he is controlling you.
In same analogy, hooking here means controlling the function flow to examine the parameters that are being passed to the function.
AV/EDR hooks some important functions in various dlls.
NtVirtualAllocateMemory, ZwWriteVirtualMemory, NtCreateRemoteThread, etc are hooked
5 BYTE INLINE HOOKING
In this inline hooking, we replace first 5 bytes of legit function with a jump offset to our function.
When the legit function is called, the control flow redirects to our address along with the original arguments.
Now we restore those 5 bytes at legit function and then inspect the arguments for any malicious usage.
we can then proceed to block or allow the function
IAT HOOKING
Firstthunk address in import descriptor table points to address of legit functions.
We can overwrite this address to our malicious function.
we receive arguments and then call legit function
HIDING PROCESSES FROM USER MODE PROCESS
Processes like task manager uses NtQuerySystemInformation with SYSTEM_PROCESS_INFORMATION to get all processes information.
All of these processes are in linked list.
We can hide our desired process by modifying the next link of previous process to the next process.
DLL UNHOOKING
We can unhook the hooked dlls by copying clean version of dll’s .text section into our process.
AV/EDR does not hook dlls on disk because it slows down the system heavily.
We can acquire clean copy from disk or from a suspended process
Who Should Attend!
- Penetration testers
- Malware Developers
- Red Teamers