The Dark Side of Integration: Risks of Windows OS hooks in Malicious Hands

Background: Each action we perform in the Windows UI layer involves loading DLLs that contain various hooks. Hooks are similar to backend APIs, enabling us to achieve specific results. Through Windows hooks and the Windows API, the Microsoft operating system isolates and secures its ring 0 environment. These mechanisms protect the core of the OS from tampering and prevent unauthorized access.

The core concept behind any type of threat functionality: to achieve their goals, automated threats must use these hooks, because they have no direct access to the kernel or to any layer within the protected ring scope. During execution, each program imports built-in DLLs, which serve as wrappers for collections of these hooks.

Hooks we need to focus on:

  1. GetProcAddress - One of the best-known hooks; automation uses it to locate the memory address where an already created threat or any information of interest may exist.
  2. LoadLibrary - Hook that helps load any custom-created DLL file, which can be served from the automation side.
  3. LdrLoadDll/LdrGetProcAddress - Get the address in the MZ header of the process that called it.
  4. CreateFile - File creation hook
  5. CreateService - Service creation
  6. RegSetValueEx - Set a value in the Registry
  7. IsDebuggerPresent - Check whether a debugger is attached to the process
  8. WriteProcessMemory - Write data to a memory array
  9. ShellExecute - Execute a shell
  10. NtQueryDefaultLocale - Get system local time
  11. NtAllocateUuids - Get user UUID
  12. PrivilegeCheck / NtPrivilegeCheck - Check whether the user token is privileged
  13. GetSystemInfo - Get system information
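As an added example (not the author's code), the following Python triage helper turns the list above into a static watchlist: it scans a binary's import-name strings for these APIs, including their A/W/Ex suffix variants, groups the hits by the capability they indicate, and flags co-occurrences such as dynamic API resolution together with WriteProcessMemory. The capability labels, the COMBOS pairs and the sample import-name bytes are constructed for the example.

```python
import re
from typing import Dict, List, Set
# API names from the list above, grouped by the capability each one indicates.
WATCHLIST: Dict[str, List[str]] = {
    "dynamic_resolution": ["GetProcAddress", "LoadLibrary", "LdrLoadDll", "LdrGetProcAddress"],
    "filesystem": ["CreateFile"],
    "persistence": ["CreateService", "RegSetValueEx"],
    "anti_analysis": ["IsDebuggerPresent"],
    "process_injection": ["WriteProcessMemory"],
    "execution": ["ShellExecute"],
    "fingerprinting": ["NtQueryDefaultLocale", "NtAllocateUuids", "GetSystemInfo"],
    "privilege_check": ["PrivilegeCheck", "NtPrivilegeCheck"],
}
_BASE_TO_CAP = {name: cap for cap, names in WATCHLIST.items() for name in names}

# Optional Ex/A/W suffixes (LoadLibraryA, ShellExecuteExW) are accepted; the boundary
# guards keep CreateFile from firing on CreateFileMappingW and stop GetProcAddress
# from being counted a second time inside LdrGetProcAddress.
_NAME_RE = re.compile(
    rb"(?<![A-Za-z0-9_])(" + b"|".join(n.encode() for n in _BASE_TO_CAP)
    + rb")(?:Ex)?[AW]?(?![A-Za-z0-9_])"
)

# Capability pairs that warrant a closer look when they appear together (constructed).
COMBOS: Dict[str, Set[str]] = {
    "dynamic API resolution + process injection": {"dynamic_resolution", "process_injection"},
    "anti-debugging + persistence": {"anti_analysis", "persistence"},
}

def triage_imports(blob: bytes) -> Dict[str, Set[str]]:
    """Map each capability to the watchlisted import names found in blob."""
    found: Dict[str, Set[str]] = {}
    for m in _NAME_RE.finditer(blob):
        cap = _BASE_TO_CAP[m.group(1).decode()]
        found.setdefault(cap, set()).add(m.group(0).decode())
    return found

def flag_combinations(found: Dict[str, Set[str]]) -> List[str]:
    """Return the label of every COMBOS entry whose capabilities are all present."""
    return [label for label, caps in COMBOS.items() if caps.issubset(found)]

# Constructed stand-in for a PE import name table (2-byte hint, name, NUL); not a real sample.
SAMPLE_IMPORT_NAMES = b"".join(
    b"\x00\x00" + n + b"\x00" for n in [
    b"GetProcAddress", b"LoadLibraryA", b"WriteProcessMemory", b"IsDebuggerPresent",
    b"CreateFileMappingW", b"RegSetValueExW", b"GetSystemInfo", b"ExitProcess"])

if __name__ == "__main__":
    hits = triage_imports(SAMPLE_IMPORT_NAMES)
    print(sorted(hits.items()), flag_combinations(hits))
```

On real files, feed the bytes of the import directory (or the whole image, accepting more noise) and treat the output as a triage hint, since packed or hashing-based loaders resolve these names at runtime and will not show them statically.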

Conclusion: This list is not the complete ecosystem that automated threats can leverage. However, focusing on these primitive elements will provide some indicators for deeper investigation into the threats you are looking for.

Happy Hunt! Jok3r