Category:Digital-Forensics/Computer-Forensics/Hook-Injection

From aldeid

Description

Hook injection is a technique in which malware abuses Windows hooks (installed with SetWindowsHookEx) to intercept the messages the OS delivers to applications and, for hooks that reach other processes, to have Windows itself map a malicious DLL into every process that receives those messages. The attacker thereby gains both code execution inside the hooked application and visibility into its events (keyboard input, window creation, and so on).

┌───────────────────────┐
│         User          │
└───────────────────────┘
           │
           │ Events
           v
┌───────────────────────┐
│          OS           │
└───────────────────────┘
           │
           │ Messages
           v
┌───────────────────────┐
│    Malicious DLL      │
├───────────────────────┤
│       Threads         │
├───────────────────────┤
│ Process / Application │
└───────────────────────┘

Local and remote hooks

Hooks can be:

  • local hook: intercepts messages for a thread of the process that installed the hook
  • remote hook: intercepts messages for a thread of another process (remote process)
    • high-level remote hook: requires that the hook procedure is an exported function of a DLL; Windows maps that DLL into the target process, which is how the DLL gets injected
    • low-level remote hook (WH_KEYBOARD_LL, WH_MOUSE_LL): the hook procedure is in the process that installed the hook; no DLL is loaded into the target, the event is delivered to the installing thread instead

Thread targeting

Malware will generally target a specific thread rather than every thread on the desktop, both to limit noise and to avoid attention. The dwThreadId parameter of SetWindowsHookEx is a thread identifier, not a process ID: 0 hooks all threads of the current desktop (which requires the hook procedure to live in a DLL passed as hmod), while a specific thread ID (typically obtained with GetWindowThreadProcessId for a window of the victim process) restricts the hook to that thread. In the extract below the malware passes its own thread ID, the return value of GetCurrentThreadId, together with hmod = 0, so this particular hook is a local one whose procedure (fn) lives in the malware's own image:

.text:0040E1B7                 push    esi
.text:0040E1B8                 push    edi
.text:0040E1B9                 push    offset sub_40FFAF
.text:0040E1BE                 mov     ecx, offset unk_495C08
.text:0040E1C3                 call    sub_41043D
.text:0040E1C8                 mov     edi, [esp+8+arg_0]
.text:0040E1CC                 mov     esi, eax
.text:0040E1CE                 cmp     [esi+14h], edi
.text:0040E1D1                 jz      short loc_40E1FE
.text:0040E1D3                 cmp     dword ptr [esi+28h], 0
.text:0040E1D7                 jnz     short loc_40E1FB
.text:0040E1D9                 call    ds:GetCurrentThreadId
.text:0040E1DF                 push    eax             ; dwThreadId
.text:0040E1E0                 push    0               ; hmod
.text:0040E1E2                 push    offset fn       ; lpfn
.text:0040E1E7                 push    5               ; idHook (5=WH_CBT)
.text:0040E1E9                 call    ds:SetWindowsHookExA
.text:0040E1EF                 test    eax, eax
.text:0040E1F1                 mov     [esi+28h], eax
.text:0040E1F4                 jnz     short loc_40E1FB
.text:0040E1F6                 call    sub_40AFA4

Notice that idHook is 5, i.e. WH_CBT. This is a hook type, not a message: a computer-based-training hook procedure is called before the system creates, activates, destroys, minimizes or moves a window. Because legitimate software seldom installs CBT hooks, an analyst who only looks for keyboard (WH_KEYBOARD) or message (WH_GETMESSAGE) hooks may overlook it, which makes the choice even more stealthy.
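The script below is an added example and is not code from the aldeid page or from the sample being analysed: it recovers the four SetWindowsHookEx arguments from an IDA-style listing like the extract above by walking the stdcall push sequence backwards from the call, resolves the idHook constant, and classifies the hook as local, remote, global or low-level using the rules from the two sections above. The listing embedded in it is a constructed sample built from the lines of the extract; the function names (parse_imm, parse_line, classify_hook, recover_hook_calls) and the symbolic eax tracking are the script's own assumptions.

```python
"""Recover SetWindowsHookEx arguments from an IDA-style x86 listing and
classify the resulting hook.  Added example, not the page's own code.
Assumes the stdcall convention seen in the extract: arguments are pushed
right to left, so the push just before the call is idHook."""
import re

# idHook values as defined in WinUser.h
WH_CONSTANTS = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
LOW_LEVEL_HOOKS = {13, 14}  # run in the installing process, no DLL injected

# Constructed sample: the hook-installing lines of the extract on this page.
SAMPLE_LISTING = """\
.text:0040E1D9                 call    ds:GetCurrentThreadId
.text:0040E1DF                 push    eax             ; dwThreadId
.text:0040E1E0                 push    0               ; hmod
.text:0040E1E2                 push    offset fn       ; lpfn
.text:0040E1E7                 push    5               ; idHook (5=WH_CBT)
.text:0040E1E9                 call    ds:SetWindowsHookExA
"""


def parse_imm(text):
    """Parse an IDA immediate ('5', '0Dh', '0FFFFFFFFh') as a signed 32-bit
    int; return None for registers, symbols and anything else."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h|(\d+)", text.strip())
    if not m:
        return None
    if m.group(2) is not None:
        return int(m.group(2))
    value = int(m.group(1), 16)
    return value - (1 << 32) if value >= 1 << 31 else value


def parse_line(line):
    """Split one listing line into (address, mnemonic, operands, comment)."""
    code, _, comment = line.partition(";")
    parts = code.split(None, 2)
    if len(parts) < 2:
        return None
    operands = parts[2].strip() if len(parts) > 2 else ""
    return parts[0], parts[1], operands, comment.strip()


def classify_hook(id_hook, hmod, dw_thread_id):
    """Apply the SetWindowsHookEx contract to the recovered argument text:
    low-level hooks need dwThreadId == 0 and stay in the installer;
    dwThreadId == 0 otherwise means every desktop thread and lpfn must be
    exported from the DLL in hmod (global); hmod == NULL is only legal for a
    thread of the installing process (local); a thread id plus a DLL is a
    high-level remote hook into that thread's process."""
    hmod_null = parse_imm(hmod) == 0
    thread_zero = parse_imm(dw_thread_id) == 0
    if id_hook in LOW_LEVEL_HOOKS:
        return "low-level" if thread_zero else "invalid"
    if thread_zero:
        return "invalid" if hmod_null else "global"
    return "local" if hmod_null else "remote"


def recover_hook_calls(listing):
    """Linear sweep: collect pushes since the last call and, at each
    SetWindowsHookEx call, read them back in argument order."""
    found = []
    pushes = []   # operand text of pushes since the last call, oldest first
    eax = None    # symbolic value left in eax by the most recent call
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        address, mnemonic, operands, _ = parsed
        if mnemonic == "push":
            # substitute the producing API for eax so the argument is readable
            pushes.append(eax if operands == "eax" and eax else operands)
        elif mnemonic == "call":
            callee = operands.split(":")[-1]   # 'ds:SetWindowsHookExA' -> name
            if callee.startswith("SetWindowsHookEx") and len(pushes) >= 4:
                id_hook, lpfn, hmod, thread = reversed(pushes[-4:])
                code = parse_imm(id_hook)
                found.append({
                    "address": address,
                    "idHook": WH_CONSTANTS.get(code, f"unknown({id_hook})"),
                    "lpfn": lpfn.replace("offset ", ""),
                    "hmod": hmod,
                    "dwThreadId": thread,
                    "scope": classify_hook(code, hmod, thread),
                })
            eax = callee + "()"   # every call clobbers eax with its result
            pushes = []
    return found


if __name__ == "__main__":
    for hook in recover_hook_calls(SAMPLE_LISTING):
        print(hook)
```

Run stand-alone, the script reports one call for the extract: WH_CBT, lpfn fn, hmod 0, dwThreadId GetCurrentThreadId(), scope local. The eax tracking is deliberately minimal (only the result of the most recent call is remembered, and intervening mov instructions are ignored), which is enough for the push-then-call pattern shown here; a real sweep over a whole binary would need a proper data-flow pass.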
