- API hooking is the act of detouring the flow of code via hotpatching. Hotpatching is defined as the modification of code during the runtime of an executable. The purpose of inline hooking is to capture the moment the program calls a function; from there the call can be observed and/or manipulated.
- Example of an API hook
- This technique is used by user-mode rootkits to monitor/intercept system calls and manipulate the values returned by APIs in order to gain control of the machine.
- The purpose of this project is to detect user-mode API hooks by scanning for opcode patterns, following the jump address, and checking whether it lands in a legitimate module or in a module belonging to an AV product or malware, then locating that module in all processes to get a full view of the affected processes.
- An example of hooked flow
- First, the program scans for any signs of hooking. If a hook is detected, it reads the jump address, follows it, and retrieves the base address of the module containing the jump target. It then enumerates the modules of every process on the system and locates that module in all of them.
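The opcode-scan and follow-the-jump steps described above, as an added example that is not the project's own code: it recognises common x86-64 inline-detour prologues, computes the transfer target, and resolves it against a module map. The module map and the hooked stub bytes are constructed inline (standing in for a real per-process module enumeration and a real ntdll read), so it runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting the first bytes of an x86-64 function:
   hooked=1 if a detour pattern was recognised, target = where control goes. */
typedef struct { int hooked; const char *pattern; uint64_t target; } hook_info;
/* Scan the prologue at `func` (mapped at `addr`) for common inline-detour opcodes:
   E9 rel32, FF 25 disp32 (jmp [rip+disp32]), 68 imm32 C3 (push/ret),
   48 B8 imm64 FF E0 (mov rax, imm64; jmp rax). Anything else is reported clean. */
hook_info scan_prologue(const uint8_t *func, size_t len, uint64_t addr) {
    hook_info r = {0, "clean", 0};
    if (len >= 5 && func[0] == 0xE9) {
        int32_t rel; memcpy(&rel, func + 1, 4);
        r.hooked = 1; r.pattern = "jmp rel32"; r.target = addr + 5 + (int64_t)rel;
    } else if (len >= 6 && func[0] == 0xFF && func[1] == 0x25) {
        int32_t disp; memcpy(&disp, func + 2, 4);
        /* Real target is the pointer stored at [rip+disp32]; we report that slot. */
        r.hooked = 1; r.pattern = "jmp [rip+disp32]"; r.target = addr + 6 + (int64_t)disp;
    } else if (len >= 6 && func[0] == 0x68 && func[5] == 0xC3) {
        int32_t imm; memcpy(&imm, func + 1, 4);   /* push imm32 sign-extends on x64 */
        r.hooked = 1; r.pattern = "push imm32; ret"; r.target = (int64_t)imm;
    } else if (len >= 12 && func[0] == 0x48 && func[1] == 0xB8 &&
               func[10] == 0xFF && func[11] == 0xE0) {
        memcpy(&r.target, func + 2, 8);
        r.hooked = 1; r.pattern = "mov rax, imm64; jmp rax";
    }
    return r;
}

/* Constructed module map standing in for a real per-process module enumeration. */
typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;

/* Module whose mapped range contains `addr`, or NULL for unbacked (e.g. shellcode) memory. */
const module_t *find_module(const module_t *mods, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) return &mods[i];
    return NULL;
}

int main(void) {
    /* Constructed sample: a stub at 0x7FF800001000 detoured by E9 into hookdll.dll. */
    const uint8_t detour[] = {0xE9, 0xFB, 0xF0, 0xFF, 0x0F};
    const module_t mods[] = {{"ntdll.dll", 0x7FF800000000ULL, 0x200000},
                             {"hookdll.dll", 0x7FF810000000ULL, 0x10000}};
    hook_info h = scan_prologue(detour, sizeof detour, 0x7FF800001000ULL);
    const module_t *m = h.hooked ? find_module(mods, 2, h.target) : NULL;
    printf("%s -> 0x%llx in %s\n", h.pattern, (unsigned long long)h.target, m ? m->name : "<unbacked memory>");
    return 0;
}
```

A target that resolves to no module at all (unbacked memory) is the more suspicious outcome than one landing in a known AV DLL, so real tooling should flag both but rank them differently.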
- An example of clean flow
- Although this detection can be bypassed easily using IAT hooking or any kernel-mode rootkit.