    Windows API Hooking

    Posted By: lucky_aut

    Last updated 2/2024
    Duration: 2h13m | .MP4 1280x720, 30 fps(r) | AAC, 44100 Hz, 2ch | 1.2 GB
    Genre: eLearning | Language: English

    Learn Windows API hooking the maldev way


    What you'll learn
    What is API hooking
    Different types of hooking
    Inline hooking
    IAT hooking
    DLL unhooking

    Requirements
    No prior experience needed, but a basic knowledge of the Windows API is an added advantage.

    Description
    We often hear the words in movies "he has hooks on you"; this means he is controlling you.
    By the same analogy, hooking here means controlling the flow of a function in order to examine the parameters that are being passed to it.
    AV/EDR products hook some important functions in various DLLs.
    NtAllocateVirtualMemory, ZwWriteVirtualMemory, NtCreateRemoteThread, etc. are commonly hooked.
    5 BYTE INLINE HOOKING
    In inline hooking, we replace the first 5 bytes of the legitimate function with a jump to our function.
    When the legitimate function is called, control flow is redirected to our address along with the original arguments.
    We then restore those 5 bytes in the legitimate function and inspect the arguments for any malicious usage.
    We can then proceed to block or allow the call.
    IAT HOOKING
    The FirstThunk address in the import descriptor table points to the address of the legitimate function.
    We can overwrite this address with the address of our own function.
    Our function receives the arguments and then calls the legitimate function.
    HIDING PROCESSES FROM A USER-MODE PROCESS
    Tools like Task Manager use NtQuerySystemInformation with SYSTEM_PROCESS_INFORMATION to retrieve information about all processes.
    The returned process entries form a linked list.
    We can hide a chosen process by pointing the previous entry's next link at the entry that follows it.
    DLL UNHOOKING
    We can unhook a hooked DLL by copying a clean version of the DLL's .text section into our process.
    AV/EDR does not hook DLLs on disk because doing so would slow the system down heavily.
    A clean copy can be acquired from disk or from a suspended process.
    Who this course is for:
    Penetration testers
    Malware Developers
    Red Teamers
