hijack-execution-flow.md

File metadata and controls

109 lines (82 loc) · 8.73 KB
ID F0015
Objective(s) Anti-Behavioral Analysis, Collection, Credential Access, Defense Evasion, Persistence, Privilege Escalation
Related ATT&CK Techniques Hijack Execution Flow (T1574, T1625)
Anti-Analysis Type Evasion
Version 2.2
Created 8 November 2021
Last Modified 28 April 2024

# Hijack Execution Flow

Malware may execute by hijacking the way the operating system runs programs. Malware (e.g., a rootkit) alters API behavior or redirects execution (i.e., hooking) to its own version of an API for a variety of purposes. Hooking lets malware load and execute code within the context of another process, hiding its execution and gaining that process's privileges and access to its memory. The different types of hooking are defined as methods below.

Note that in MBC, Hooking is also associated with the Defense Evasion, Persistence, Privilege Escalation, and Anti-Behavioral Analysis objectives.

For discussion related to the Credential Access and Collection objectives, see Input Capture: Credential API Hooking (T1056.004).

For hooking related to memory dump evasion, see Memory Dump Evasion (B0006).

See ATT&CK: Hijack Execution Flow (T1574, T1625).

## Methods

| Name | ID | Description |
|----|----|----|
| Abuse Windows Function Calls | F0015.006 | Malware abuses native Windows function calls to transfer execution to shellcode that it loads into memory. The address of the shellcode is passed as the function's callback pointer, so the function invokes it as part of its normal operation. Functions that can be abused include EnumResourceTypesA and EnumUILanguagesW. [4] |
| Export Address Table Hooking | F0015.001 | Malware (e.g., a rootkit) hooks the export address table (EAT) of a loaded module, so that later resolution of an exported function (e.g., via GetProcAddress) returns the address of the malware's code. |
| Import Address Table Hooking | F0015.003 | Malware (e.g., a rootkit) modifies a process's import address table (IAT), which stores pointers to imported API functions, so that calls made through the table land in the malware's code.[1] This method is related to Unprotect technique U1217. |
| Inline Patching | F0015.002 | Inline patching (inline hooking) modifies the beginning of a function (e.g., its first bytes) so that execution is redirected to custom code; the custom code typically runs the displaced instructions and then jumps back into the original function.[2] This method is related to Unprotect technique U1205. |
| Procedure Hooking | F0015.007 | Intercepts and executes designated code in response to events such as messages, keystrokes, and mouse inputs (e.g., a hook procedure installed with SetWindowsHookEx). [5] |
| Shadow System Service Dispatch Table Hooking | F0015.004 | The Shadow System Service Dispatch Table (Shadow SSDT) can be hooked in the same way as the SSDT and the IAT. The target of Shadow SSDT hooking is the Windows subsystem driver (win32k.sys), which services the GUI (USER and GDI) system calls.[3] |
| System Service Dispatch Table Hooking | F0015.005 | Malware (e.g., rootkits, malicious drivers) may hook the System Service Dispatch Table (SSDT), also called the System Service Descriptor Table. The SSDT holds the service tables the kernel uses to dispatch system calls. Hooking it lets malware filter the results of those calls to hide files, registry keys, and network connections.[3] |
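
Inline patching (F0015.002) is the one method in this table that can be shown end to end without a Windows kernel. The following is an added example, not MBC's or any referenced vendor's code: on Linux/x86-64 it overwrites the first 12 bytes of a function in its own process with `mov rax, <hook>; jmp rax`, then runs the check a hook scanner (or a comparison of the in-memory image against the module on disk) performs, namely whether a function's prologue begins with a control transfer instead of compiler-emitted code. All function names are hypothetical, and the target is a local function rather than a kernel32/ntdll export so that the program runs stand-alone.

```c
/* Added example (not MBC's or any referenced project's code): an x86-64
 * inline patch on Linux and the check a hook scanner runs to detect it.
 * Windows rootkits do the same to exported functions in kernel32/ntdll;
 * here the target lives in our own process so the demo runs stand-alone.
 * All names are hypothetical. Build: gcc -O2 -o inline_hook inline_hook.c */
#if !defined(__x86_64__)
#error "This example patches x86-64 machine code"
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The function the hook overwrites. 'volatile' keeps the body longer than
 * the 12-byte patch so the jump never spills into the next function. */
__attribute__((noinline)) int original_compute(int x) {
    volatile int acc = x;
    acc = acc * 3;
    acc = acc + 7;
    return acc;                         /* 5 -> 22 */
}

/* Replacement the patch diverts execution to. Same calling convention, so
 * the caller's arguments and return address survive the 'jmp rax'. */
__attribute__((noinline)) int hooked_compute(int x) {
    (void)x;
    return 1337;
}

/* Overwrite the prologue of 'target' with: mov rax, hook ; jmp rax.
 * Returns 0 on success, -1 if the code page could not be made writable
 * (the user-mode analogue of a rootkit clearing CR0.WP before patching). */
int install_inline_hook(void *target, const void *hook) {
    uint8_t patch[12] = { 0x48, 0xB8 };            /* mov rax, imm64 */
    uint64_t addr = (uint64_t)(uintptr_t)hook;
    memcpy(patch + 2, &addr, sizeof addr);
    patch[10] = 0xFF; patch[11] = 0xE0;            /* jmp rax */

    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)target & ~(page - 1);
    uintptr_t end = ((uintptr_t)target + sizeof patch + page - 1) & ~(page - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(target, patch, sizeof patch);
    mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
    return 0;
}

/* The scanner's check: a clean prologue starts with endbr64, push rbp,
 * mov, sub rsp, etc. A hooked one starts with a control transfer:
 *   E9 rel32            jmp
 *   FF 25 disp32        jmp [rip+disp32]
 *   68 imm32 C3         push / ret
 *   48 B8 imm64 FF E0   mov rax, imm64 / jmp rax   (what we install above) */
int is_inline_hooked(const void *fn) {
    const uint8_t *p = fn;
    if (p[0] == 0xE9) return 1;
    if (p[0] == 0xFF && p[1] == 0x25) return 1;
    if (p[0] == 0x68 && p[5] == 0xC3) return 1;
    if (p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) return 1;
    return 0;
}

/* Call through a volatile pointer so the compiler cannot inline or
 * constant-fold the call and thereby bypass the patched prologue. */
int call_compute(int x) {
    int (*volatile fn)(int) = original_compute;
    return fn(x);
}

int main(void) {
    printf("before: compute(5)=%d hooked=%d\n", call_compute(5),
           is_inline_hooked((const void *)original_compute));
    if (install_inline_hook((void *)original_compute, (const void *)hooked_compute) != 0) {
        perror("mprotect");
        return 1;
    }
    printf("after:  compute(5)=%d hooked=%d\n", call_compute(5),
           is_inline_hooked((const void *)original_compute));
    return 0;
}
```

The hook here replaces the function outright; a hook that preserves functionality, as the description above says, first executes the displaced original instructions from a trampoline and then jumps back past the patch, which is why real hook scanners also flag unexpected jumps a few bytes into the prologue, not only at its first byte. The prologue comparison is the same one that tools performing an in-memory versus on-disk diff of a loaded module rely on.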

## Use in Malware

| Name | Date | Method | Description |
|----|----|----|----|
| Kronos | 2014 | -- | Kronos hooks the API of processes to prevent detection. [6] |
| Ursnif | 2016 | -- | The malware hooks various DLL exported functions when the DLL component is loaded into the respective browser application, in order to monitor network traffic. [7] |
| GravityRAT | 2018 | F0015.006 | GravityRAT abuses Microsoft's Dynamic Data Exchange (DDE) protocol. [8] |
| SYNful Knock | 2015 | -- | SYNful Knock hooks Cisco IOS functions to call and initialize the malware. [9] |
| Shamoon | 2012 | F0015.006 | Malware escalates privileges by impersonating a token, using LogonUser and ImpersonateLoggedOnUser and then ImpersonateNamedPipeClient. [10] |
| Stuxnet | 2010 | F0015.003 | Stuxnet hooks ntdll.dll to monitor for requests to load specially crafted file names, which are mapped to a location specified by Stuxnet. [11] |
| Stuxnet | 2010 | F0015.007 | WTR4141.tmp hooks APIs from kernel32.dll and ntdll.dll, replacing the original code of these functions with code that checks for files whose properties match Stuxnet's files. If a request is made to list a file with those properties, the response from these APIs is altered to state that the file does not exist, thereby hiding all such files. [11] |

## Detection

| Tool: capa | Mapping | APIs |
|----|----|----|
| create new application domain in .NET | Hijack Execution Flow (F0015) | -- |
| execute shellcode via Windows callback function | Hijack Execution Flow::Abuse Windows Function Calls (F0015.006) | EnumDateFormats, GrayString, LineDDA, EnumChildWindows, EnumDesktops, EnumDesktopWindows, EnumSystemCodePages, EnumSystemGeoID, EnumSystemLanguageGroups, EnumSystemLocales, EnumThreadWindows, EnumUILanguages, EnumWindows, EnumTimeFormats |
| rebuild import table | Hijack Execution Flow::Import Address Table Hooking (F0015.003) | LoadLibraryA, GetProcAddress |

| Tool: CAPE | Mapping | APIs |
|----|----|----|
| infostealer_keylog | Hijack Execution Flow (F0015) | SetWindowsHookExA, GetAsyncKeyState, SetWindowsHookExW |
| infostealer_keylog | Hijack Execution Flow::Procedure Hooking (F0015.007) | SetWindowsHookExA, GetAsyncKeyState, SetWindowsHookExW |
| antisandbox_mouse_hook | Hijack Execution Flow (F0015) | SetWindowsHookExA, SetWindowsHookExW |
| antisandbox_mouse_hook | Hijack Execution Flow::Procedure Hooking (F0015.007) | SetWindowsHookExA, SetWindowsHookExW |
| dll_load_uncommon_file_types | Hijack Execution Flow (F0015) | LdrLoadDll |
| malicious_dynamic_function_loading | Hijack Execution Flow (F0015) | LdrGetProcedureAddress, LdrLoadDll |

## References

[1] https://www.sans.org/media/score/checklists/rootkits-investigation-procedures.pdf

[2] https://www.oreilly.com/library/view/learning-malware-analysis/9781788392501/a0a506d6-d062-48c1-a0a8-57d6acb77785.xhtml

[3] https://www.mdpi.com/1999-5903/4/4/971/html

[4] http://ropgadget.com/posts/abusing_win_functions.html

[5] https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures

[6] https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/

[7] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279

[8] https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

[9] https://www.mandiant.com/resources/synful-knock-acis

[10] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

[11] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en