Userland hooks are a technique used to intercept and modify the execution of a function in user mode. This can be used for a variety of purposes, such as monitoring and debugging applications, or injecting malicious code into a running process.

Malicious attackers use this technique to inject malicious code and legitimate software use hooking for debugging and monitoring.

Malicious implementation

RdpThief is a dll that can be injected in the mstsc.exe (RPD client) process to identify the target host, username and password. It achieves that by hooking 3 functions:

• CredIsMarshaledCredentialW

• CryptProtectMemory

• SspiPrepareForCredRead

To hook these functions the detours package developed by Microsoft is used. It uses a technique called Inline Hooking. Inline Hooking involves inserting code into the application's code at the entry point of the function that you want to hook. This code will then call your hook function in order to extract the host, username and password before continuing with the execution of the original function.

The user logging to the remote system will have no way of knowing that this action took place unless it's picked up by an AV solution installed on the endpoint.

The extracted information are then written to disk.

EDR Implementation

EDR solutions use the same techniques to determine if a function is used for a malicious purpose. The same pattern is following:

• Inject an EDRVendor.dll in the newly created process

• Install inline hooks on frequently abused functions.

• Determine if the function is abused for malicious purpose, and if not continue execution of the original function

Let's see how an unhooked function from ntdll looks like in memory.

0:015> u ntdll!NtAdjustPrivilegesToken
ntdll!NtAdjustPrivilegesToken:
00007ffa`a898f560 4c8bd1          mov     r10,rcx
00007ffa`a898f563 b841000000      mov     eax,41h
00007ffa`a898f568 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ffa`a898f570 7503            jne     ntdll!NtAdjustPrivilegesToken+0x15 (00007ffa`a898f575)
00007ffa`a898f572 0f05            syscall
00007ffa`a898f574 c3              ret
00007ffa`a898f575 cd2e            int     2Eh
00007ffa`a898f577 c3              ret

Without going into too much detail this is how an unhooked function looks like in a debugger.

Let's see how the exact same function looks like on a host with an EDR installed.

0:007> u ntdll!NtAdjustPrivilegesToken
ntdll!NtAdjustPrivilegesToken:
00007ff9`b062f460 e9932957bd      jmp     00007ff9`6dba1df8
00007ff9`b062f465 cc              int     3
00007ff9`b062f466 cc              int     3
00007ff9`b062f467 cc              int     3
00007ff9`b062f468 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ff9`b062f470 7503            jne     ntdll!NtAdjustPrivilegesToken+0x15 (00007ff9`b062f475)
00007ff9`b062f472 0f05            syscall
00007ff9`b062f474 c3              ret

We can see that on the hooked function on line 3 there is a jmp instruction to an address. This essentially is how a hook looks like. The destination address will do some processing on behalf of the EDR to identify if there is any malicious intend.

In the upcoming blogs we will explore how we can bypass these hooks.