2021-02-16: Injection through Hooks
Touch up (correction to the previous lecture): Process Replacement involves copying each PE section of the malware into a new process.
Hook Injection describes a way to load malware using Windows hooks.
Normal Traffic Flow: (diagram of the normal Windows message path; not reproduced in these notes)
With hook injection, add “Malicious DLLs” as a destination to step 4 of that flow: the malware registers itself as one more recipient of the messages.
Local hooks observe or manipulate messages destined for the hooking process itself; they are useful for debugging and software development. Remote hooks observe or manipulate messages sent to other processes, and these are what malware uses.
High level remote hooks use a function exported from a DLL. The OS maps that DLL, and so the hook function, into the address space of the process that owns the hooked thread.
Low level remote hooks require that the hook procedure be contained inside the process to be hooked. Installing this kind of hook completes quickly.
Hook based keyloggers register high level (WH_KEYBOARD) or low level (WH_KEYBOARD_LL) remote hooks.
Keyloggers will use:
HHOOK SetWindowsHookExA(
int idHook, // the type of hook procedure, e.g. WH_KEYBOARD or WH_KEYBOARD_LL
HOOKPROC lpfn, // pointer to the hook callback; in a high level hook this can be in a DLL, otherwise it must be in the originating process
HINSTANCE hmod, // handle of the DLL that contains lpfn; NULL when the callback lives in the calling process
DWORD dwThreadId // thread to hook; 0 hooks every thread on the calling thread's desktop, which is what a remote hook uses
);
When the hook is set, messages will be delivered to our callback. The callback should call CallNextHookEx to pass the message along the hook chain so execution continues and input does not lock up.
The Detours library is a powerful tool for modifying processes, though it isn’t used as often today.
Asynchronous Procedure Call
Creating a thread comes with some overhead. When a thread isn’t busy and is in an alertable state, the OS can ask it to call a specific function: this is an asynchronous procedure call (APC). Instead of creating a new thread, we ask an existing thread to call some function.
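The script below is an added example from the analyst's side, not code from the lecture notes or the textbook. It scans API-call trace lines for the two patterns described above (a SetWindowsHookEx call that registers a WH_KEYBOARD (2) or WH_KEYBOARD_LL (13) hook with dwThreadId=0, possibly with hmod naming a DLL outside the system directories, and a QueueUserAPC aimed at a thread owned by a different process). The trace format, the process/thread ids, the DLL path and the THREAD_OWNER table are all constructed assumptions shaped like a sandbox API log; the script also goes slightly beyond the notes by tracking OpenThread so an APC's target thread can be resolved from its handle.

```python
"""Flag hook-injection and cross-process APC patterns in an API-call trace.

Added example, not part of the lecture notes. The trace format and the
THREAD_OWNER table are constructed to resemble a sandbox API log.
"""
import re
from dataclasses import dataclass

# Hook types from <winuser.h> that hook based keyloggers register
WH_KEYBOARD = 2
WH_KEYBOARD_LL = 13
KEYBOARD_HOOKS = {WH_KEYBOARD: "WH_KEYBOARD", WH_KEYBOARD_LL: "WH_KEYBOARD_LL"}

# A hook DLL that the OS maps into other processes normally lives under a
# system directory; anything else deserves a closer look (assumed policy).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample trace, one call per line: "<pid>:<tid> <api>(<args>) = <ret>"
SAMPLE_TRACE = """\
4120:4124 SetWindowsHookExA(idHook=13, lpfn=0x00401230, hmod=0x0, dwThreadId=0) = 0x00050021
4120:4124 SetWindowsHookExA(idHook=2, lpfn=0x10001000, hmod=C:\\Users\\Public\\upd.dll, dwThreadId=0) = 0x00050023
2988:2990 SetWindowsHookExA(idHook=2, lpfn=0x7FF6A0011000, hmod=0x0, dwThreadId=2990) = 0x00050025
4120:4124 OpenThread(dwDesiredAccess=0x1F03FF, bInheritHandle=0, dwThreadId=3304) = 0x1A4
4120:4124 QueueUserAPC(pfnAPC=0x7FFB12345678, hThread=0x1A4, dwData=0) = 1
2988:2990 QueueUserAPC(pfnAPC=0x7FF6A0012000, hThread=0x2B0, dwData=0) = 1
"""

# Which process each thread id belongs to (constructed; a sandbox reports this)
THREAD_OWNER = {4124: 4120, 2990: 2988, 3304: 3300}

CALL_RE = re.compile(r"^(\d+):(\d+) (\w+)\((.*)\) = (\S+)$")


@dataclass(frozen=True)
class Finding:
    pid: int
    api: str
    reason: str


def parse_call(line):
    """Split one trace line into (pid, tid, api, {arg: value}, retval), or None."""
    m = CALL_RE.match(line)
    if not m:
        return None
    pid, tid, api, raw_args, ret = m.groups()
    args = dict(a.split("=", 1) for a in raw_args.split(", ") if "=" in a)
    return int(pid), int(tid), api, args, ret


def analyze(trace, thread_owner=THREAD_OWNER):
    """Return findings for global keyboard hooks, hook procedures in untrusted
    DLLs, and APCs queued to a thread that belongs to another process."""
    findings = []
    handles = {}  # (pid, handle string) -> thread id, learned from OpenThread
    for line in trace.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        pid, _tid, api, args, ret = parsed
        if api.startswith("SetWindowsHookEx"):
            id_hook = int(args.get("idHook", "-1"))
            if id_hook not in KEYBOARD_HOOKS:
                continue
            name = KEYBOARD_HOOKS[id_hook]
            # dwThreadId == 0 hooks every thread on the desktop: a remote hook
            if int(args.get("dwThreadId", "1")) == 0:
                findings.append(Finding(pid, api, f"global {name} hook (dwThreadId=0)"))
            hmod = args.get("hmod", "0x0")
            if hmod != "0x0" and not hmod.lower().startswith(TRUSTED_DLL_DIRS):
                findings.append(Finding(pid, api, f"{name} procedure in untrusted DLL {hmod}"))
        elif api == "OpenThread":
            # Remember which thread id the returned handle refers to
            handles[(pid, ret)] = int(args["dwThreadId"])
        elif api == "QueueUserAPC":
            target = handles.get((pid, args.get("hThread")))
            if target is not None and thread_owner.get(target) != pid:
                findings.append(Finding(pid, api,
                    f"APC queued to thread {target} of pid {thread_owner.get(target)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.api}: {f.reason}")
```

Run it directly to print the findings for the constructed trace; `analyze()` returns Finding records so the same logic can be reused over a real trace once `parse_call` is adapted to that sandbox's line format.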
Lab2 is due in one week, and contains 4 exercises from the textbook.