[Translate] understand/detect inline Hooks/winapi Hooks (RING3)

Original link: https://userpc.net/2017/12/03/understanding-detecting-inline-hooks-winapi-hooks-ring3/

ever wonder how malicious software can get credentials from a Web browser? the most popular method is the Man-in-the-browser (MITB) attack, which is known as the inline hooking (sometimes called detours). The Inline hooks is particularly generic and is common in malicious software. With inline Hooks, malware can control the flow of any process, it manipulates processes, and malware authors can do whatever they do. Let's see how they do it.

How does the Get your code into the target process?

The first step in the Inline hooks is to have your code run in the target process. This process is called injection .

there are several common injection methods, such as createremotethread/rtlcreateuserthread/queueuserapc/setwindowshookex/setthreadcontext/reflex injection/ Atom injection and so on. in Our example, we used VirtualAllocEx to allocate a storage area in Firefox 0x0D000000 . it CreateRemoteThread will then be used to 0x0D000000 Hook and initialize the executable area within Firefox. (The actual injection process is a complex topic for yourself, not within the scope of this article.) Below is what we injected the code block to look like.

The Inline hooks is composed of four parts: Hook,shellcode (here with the NOP padding), trample and return.

What is a Windows API?

This is a set of functions and data structures that a Windows program can use to let Windows do something, such as opening a file, displaying a message, and so on.

Almost all operations of a Windows program call various APS?? I function.

Overall, all Windows makes available API functions called "in Windows API".

The hook

Hook sometimes called trampoline . , similar to a traffic warden transfer of traffic to another location. In our example, we will hook up the send() ws2_32 function. Here are the ws2_32!send first few instructions . to successfully hook up, we want to override some of the instructions that exist for the Send () function. Below the green box instructions we will cover it out .

Note that five bytes will be overwritten. This is the exact number of bytes we need to hook up: one is to jmp jump into our code instructions 0x0D000000 . (There are other ways to place hooks such as push address, ret command combination.) After the hook , the function looks like this: send()

The malicious Code

Now that the execution process has been redirected to the code we injected, the register must be saved to ensure that we do not crash when we return to the Send () function. in the 32-bit process, we can use the Pushad instruction to save all registers . When Shellcode is executed, the value of all registers is restored using the Popad instruction, returning to send() At the time of initial execution. Now that we are in control send() function, we have to come up with something interesting. One thing we can do is send a POST request and send data back to us, parsing to see if the login credentials are included.

The execution of trampled bytes and the return

after we've done something useful in shellcode, we have to make sure our program returns to its exact state before the hook. First, we use the popad instructions to restore all registers. Do you remember the five bytes we covered with the hook? These instructions still need to be run, so they are copied to the end of our shellcode at the hook, allowing them to run seamlessly after recovering the registers. Finally, we safely tune back to send () + 0x05(the length of our hook instruction).

Putting it all together

Let's take a look at the whole process again. The following arrows are the normal execution flow after restoring the send () hooks inside Firefox :

After injecting our detour, the execution of the process is shown in

：

Reasons for hooking API calls

you can come up with any purpose to hook each API. Here are a few:

• urlmon!URLDownloadToFile-Used to intercept downloaded files. Hook the global function to prevent new malware from being downloaded.
• ws2_32!send-Used to capture unencrypted traffic post credentials.
• GetHostByName-Hooks the function in order to ignore the specified command and control the traffic on the site.
• ws2_32!recv-Used to capture data for incoming packets of unencrypted traffic.
• Advapi32!CryptEncrypt-Used to capture previously encrypted data, because send()之后的数据 it will not be plain text .
• Advapi32!CryptDecrypt-Used to decrypt data from recv ().
• User32!GetMessage-Used to intercept the mouse click on the message from the virtual keyboard to click on the picture.
• Kernel32!ExitProcess-Prevents the process from ending itself (bypassing game anticheats)

Detection

here is a simple solution to the pseudo code, if the attacker is a harduser is not very effective. This code below will check the ExitProcess at the beginning of the pre-0xe9 for comparison (opcode jmp)

Farproc Address = GetProcAddress (GetModuleHandle ("Kernel32.dll"),"  ExitProcess"); if 0xe9 ) {printf ("Api hooked\n"); // Do your thing}

[Translate] understand/detect inline Hooks/winapi Hooks (RING3)