Bangeter 01-basic_malware_techniques_4.2.pdf

use:

• malfind
• ldrmodules
• apihooks

The underlying ides of hooking is: to insert code into the execution path of a legitimate program and to divert the execution to some malicous code.

* Hookin and code injection are often reoated: The malicous code to which the hooks point, is often injected into the victim process.

Inline hooking :

1. Overwrite a part of the original code in the instruction stream with a jump to your code.
2. Jump to your detour code, after the detour code is executed, execute the code that was over written with the initial jump instruction (prevent program crash) then jump back to the original position in the instruction stream of the original code.

Detection heuristic:

1. Locate functions in DLLs
2. Analyze function code to check whether there are non-legitimate execution trnsfers (JMP, CALL, etc.) to outside function.

*(Not always easy to tell letitimate from non-legitmate execution transferst, executions transferst can be obfuscated and thus difficult to detect)

The IAT is, loosely speaking a table of pointers that links function calls

• IAT entries for each DLL, and each function in DLL
• IAT is filled by the loader

Idea of IAT hookin: Modify slected function pointers, so that they point to your malicous coed.

Detection heuristic:

1. Iterate through IAT / EAT entries in DLLs of process being analyzed
2. If an entry points outside of the DLL currently being inspected, the hook detected.

• There are legitimate applications of hooking, the heuristics sometimes produce false positives.
• When hooks are places "in the middle" of a function, they will be missed by the heuristics, resultin in false negatives.