avaxgfx Posted February 14 Report Share Posted February 14 [img]https://i.postimg.cc/BvdGyysJ/2021-11-30-17-37.png[/img] Published 2/2024 Created by Naga Sai Nikhil MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz, 2 Ch Genre: eLearning | Language: English | Duration: 8 Lectures ( 2h 13m ) | Size: 1.7 GB [i]Learn windows api hooking the maldev way[/i] [b][i]What you'll learn:[/i][/b] What is API Hooking Different types of hooking inline hooking iat hooking dll unhooking [b][i]Requirements:[/i][/b] No prior experience needed but basics of windows api is an added advantage [b][i]Description:[/i][/b] We often hear the words in movies "he has hooks on you". this means he is controlling you.In same analogy, hooking here means controlling the function flow to examine the parameters that are being passed to the function.AV/EDR hooks some important functions in various dlls.NtVirtualAllocateMemory, ZwWriteVirtualMemory, NtCreateRemoteThread, etc are hooked5 BYTE INLINE HOOKINGIn this inline hooking, we replace first 5 bytes of legit function with a jump offset to our function.When the legit function is called, the control flow redirects to our address along with the original arguments.Now we restore those 5 bytes at legit function and then inspect the arguments for any malicious usage.we can then proceed to block or allow the functionIAT HOOKINGFirstthunk address in import descriptor table points to address of legit functions.We can overwrite this address to our malicious function.we receive arguments and then call legit functionHIDING PROCESSES FROM USER MODE PROCESSProcesses like task manager uses NtQuerySystemInformation with SYSTEM_PROCESS_INFORMATION to get all processes information.All of these processes are in linked list.We can hide our desired process by modifying the next link of previous process to the next process.DLL UNHOOKINGWe can unhook the hooked dlls by copying clean version of dll's .text section into our process.AV/EDR does not hook dlls on disk because it slows down the system heavily.We can acquire clean copy from disk or from a suspended process [b][i]Who this course is for:[/i][/b] Penetration testers Malware Developers Red Teamers Homepage https://ddownload.com/yg0zm98bdloj/Windows_API_Hooking.part1.rar https://ddownload.com/m9qrkvsjghfg/Windows_API_Hooking.part2.rar [code] https://rapidgator.net/file/a850cc3f250d3658ae78102177544ded/Windows_API_Hooking.part1.rar.html https://rapidgator.net/file/1c3a63c779d5b91ec0d36046d45d7301/Windows_API_Hooking.part2.rar.html [/code] [code] https://uploadgig.com/file/download/Bf69f25b938d015c/Windows_API_Hooking.part1.rar https://uploadgig.com/file/download/69610f23fc7A3f6D/Windows_API_Hooking.part2.rar[/code] Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now