Mastering Offensive Hooking and Unhooking

  Saturday, 24 February

  90 mins

ABSTRACT

Hooking is a powerful method employed to monitor, intercept and manipulate the flow of data and control within an application. It involves injecting custom code inside a target process to alter, or enhance its functionality. Hooking plays a pivotal role in anti-game cheats, fortifying security controls, gathering valuable telemetry data, and empowering Endpoint Detection and Response (EDR) systems. This workshop delves deep into advanced hooking techniques, and provides a unique opportunity for participants to master this intricate art. Whether you're a seasoned malware researcher seeking to dissect threats or a red teamer looking to uncover defense blind spots, this workshop will equip you with the skills and knowledge needed to excel in your security endeavors.

DESCRIPTION

Section 1 – The first section of the workshop will focus on basics concepts of Portable executable, PE file formats, introduction to windows APIs and foundation setting for advanced concepts and hands on in later sections.

• PE basics - Students will understand the program execution lifecycle in windows, PE file structure - imports,exports etc
• Windows API - Students will learn about inner working of windows and how various GUI components interact with the kernel via APIs and syscalls. This will include hands on labs that will require participants to use Windows APIs via code (C++) to perform simple operations like process creation, file creation etc.
• NT API & Syscalls – Students will be introduced to NT APIs present in ntdll. These APIs will be later hooked to monitor API calls transitioning from user to kernel mode via syscalls

Section 2 – Focus on this session will be to get started with hooking windows API, via manual methods as well as tools like Frida. Through these exercises, students will be made accustomed to hook windows application and monitor API arguments.

• Introduction to hooking – Students will be introduced to basics of hooking. Both manual as well as automated hooking techniques (using tools like Frida, Detour) will be demonstrated
• Hooking native windows and commercial applications - Students will be given live demonstration of hooking on few windows applications and how to identify correct APIs on which hooks need to be placed
• Simple keylogger

Section 3 – Focus of this section will be to demonstrate legitimate usage of hooking in windows systems by EDRs. Unhooking(removing existing hooks) as a concept will also be introduced as a means to bypass security controls present on a host

• EDRs - Students will receive a primer on Endpoint Detection and Response systems and how they use hooks to gather telemetry and obtain visibility inside individual processes. Decisions to resume or kill the process are formulate based on the telemetry.
• Introduction to unhooking (NTDLL/IAT) – Students will be introduced to IAT (Import Address Table) and NTDLL unhooking techniques as one of the means to evade EDR systems.

Section 4 – The final section will focus on dissecting various unhooking techniques and how evolution of these techniques happened over time as and when EDR's caught up with them

• Hells gate and Halos gate - Students will use the knowledge acquired in the previous section to understand different unhooking strategies employed in diverse scenarios to bypass EDR solutions
• Review / Key Takeaways / Q&A – The workshop will wrap up with a review of the material covered, key takeaways and answer any student questions.

In addition to the presentation material, students will be provided with a virtual machine (VM) that includes a fully functional development environment and all the necessary code samples for replicating the demonstrations showcased during the presentation.