1. What are userland hooks?
#EDREvasion #UserlandHooks
Userland hooks are a technique used to intercept and modify the execution of a function in user mode. This can be used for a variety of purposes, such as monitoring and debugging applications, or injecting malicious code into a running process.
Malicious attackers use this technique to inject malicious code and legitimate software use hooking for debugging and monitoring.
Malicious implementation
RdpThief is a dll that can be injected in the mstsc.exe (RPD client) process to identify the target host, username and password. It achieves that by hooking 3 functions:
To hook these functions the detours package developed by Microsoft is used. It uses a technique called Inline Hooking. Inline Hooking involves inserting code into the application's code at the entry point of the function that you want to hook. This code will then call your hook function in order to extract the host, username and password before continuing with the execution of the original function.
The user logging to the remote system will have no way of knowing that this action took place unless it's picked up by an AV solution installed on the endpoint.
The extracted information are then written to disk.
EDR Implementation
EDR solutions use the same techniques to determine if a function is used for a malicious purpose. The same pattern is following:
Inject an EDRVendor.dll in the newly created process
Install inline hooks on frequently abused functions.
Determine if the function is abused for malicious purpose, and if not continue execution of the original function
Let's see how an unhooked function from ntdll looks like in memory.
0:015> u ntdll!NtAdjustPrivilegesToken
ntdll!NtAdjustPrivilegesToken:
00007ffa`a898f560 4c8bd1 mov r10,rcx
00007ffa`a898f563 b841000000 mov eax,41h
00007ffa`a898f568 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ffa`a898f570 7503 jne ntdll!NtAdjustPrivilegesToken+0x15 (00007ffa`a898f575)
00007ffa`a898f572 0f05 syscall
00007ffa`a898f574 c3 ret
00007ffa`a898f575 cd2e int 2Eh
00007ffa`a898f577 c3 ret
Without going into too much detail this is how an unhooked function looks like in a debugger.
Let's see how the exact same function looks like on a host with an EDR installed.
0:007> u ntdll!NtAdjustPrivilegesToken
ntdll!NtAdjustPrivilegesToken:
00007ff9`b062f460 e9932957bd jmp 00007ff9`6dba1df8
00007ff9`b062f465 cc int 3
00007ff9`b062f466 cc int 3
00007ff9`b062f467 cc int 3
00007ff9`b062f468 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ff9`b062f470 7503 jne ntdll!NtAdjustPrivilegesToken+0x15 (00007ff9`b062f475)
00007ff9`b062f472 0f05 syscall
00007ff9`b062f474 c3 ret
We can see that on the hooked function on line 3 there is a jmp instruction to an address. This essentially is how a hook looks like. The destination address will do some processing on behalf of the EDR to identify if there is any malicious intend.
In the upcoming blogs we will explore how we can bypass these hooks.
Last updated
Was this helpful?