SlideShare a Scribd company logo

Inline Hooking in Windows

High-Tech Bridge SA (HTBridge)
High-Tech Bridge SA (HTBridge)

This document is the second of a series of five articles relating to the art of hooking.

Technology
1 of 26
Download to read offline
Your texte here …. Inline Hooking in Windows 6 September 2011 Brian MARIANI Senior Security Consultant ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
SOME IMPORTANT POINTS Your texte here ….  This document is the second of a series of five articles relating to the art of hooking.  As a test environment we will use an english Windows Seven SP1 operating system distribution. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
WHAT IS AN INLINE HOOK Your texte here …. When an inline hook is implemented it will overwrite the first bytes codes of a windows api in order to redirect code flow. This kind of technique can be used in ring 3 or ring 0 modes. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
CHARACTERISTICS Your texte here ….  Inline hooking is more robust than import address table (IAT) hooks.  They do not have problems related to dll binding at runtime.  They can trap any function call, not just system calls.  No device driver is required.  They are widely used in many renowned professional applications and well-known rootkits. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
SOME GOOD UTILITIES  Your the Defcon 17 Nick Harbour has presented a good tool At texte here …. named apithief.  The tool launches a process in a suspended state.  It then injects a DLL and hook Win32 API functions.  The tool can then monitor the api behavior. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
SOME BAD UTILITIES  Your texte here …. widespread malware take advantage of Well-known and this kind of technique to hook key api windows components in order to spy and steal sensitive information from the user.  One of these famous malwares is Zeus, also known as Zbot, PRG, Wsnpoem or Gorhax. ws2_32! WSASend API hooked ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
Implementing an inline hook  Your texte hereour dll into the process we want to hijack. We inject …. (Please see Userland Hooking in Windows)  The first bytes of the target api are saved, these are the bytes that will be overwritten.  We place a jump, call or push-ret instruction.  The jump redirects the code flow to our function.  The hook can later call the original api using the saved bytes of the hooked function.  The original function will return control to our function and then data can be easily tampered. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
WHAT ARE WE GOING TO OVERWRITE  Your texte here …. It is very important to determine what and where we are going to overwrite the bytes codes.  Knowing exactly how much space we have at our disposal is really important, otherwise we can destroy the logic of the api, or write beyond his borders.  An unconditional jump will require 5 bytes.  We need to disassemble the beginning of the target api. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
WHERE ARE WE GOING TO OVERWRITE  Your texte herea windows api function is usually the same. The start of ….  After XP-SP2 Microsoft decided to change the windows api preamble: MOV EDI,EDI PUSH EBP MOV EBP,ESP  This allow for hot-patching, inserting a new code without the need to reboot the box.  We can use these five bytes to insert our own set of instructions. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
WHERE ARE WE GOING TO OVERWRITE  Your texte here …. why we select the start of the function is Another reason because the more deeper into the function the hook is located, the more we must be careful with the code.  If you hook deeper into the function, you can create unwanted issues.  Things become more complex.  Keep it simple and stupid. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
AN UNSUCCESSFUL HOOK  Your we try to …. If texte here hook every function in the same way we can modify the logic of the function.  In the picture below we have inserted an unconditional jump that destroy the logic of the function. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
A SUCCESSFUL HOOK  Your this particular example the prolog of httpsendrequest In texte here …. API has been hooked with a jump to our function.  We have used the first 5 bytes of the target function to place our jmp instruction. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
INLINE HOOKING PRACTICAL EXAMPLE (1)  Yourthis practical example our target is a simple chat system In texte here …. using nc.exe, but every program using WS2_32.DLL!Send Api could be used.  We want to hijack the sent messages from one of two users.  To accomplish this task we inject our DLL into nc.exe process and we hook the aforementioned api.  Then we jump into our function and we change the stack parameters, then we adjust our stack to avoid incovenients and finally we jump again to WS2_32.DLL!Send api.  This hook example can be used to create more complex scenarios. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
INLINE HOOKING PRACTICAL EXAMPLE (2)  Your textehooking the WS2_32.dll!send API we attach with Before here …. our debugger to the nc.exe process which is already listening on port 9999. We can see the unhook prolog. WS2_32!Send ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
INLINE HOOKING PRACTICAL EXAMPLE (3)  Your texte here …. for inbound connections (upper image) and the client Server is listening connects (lower image). All is working normally and users are discussing without any issues. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
INLINE HOOKING PRACTICAL EXAMPLE (4)  Yourthis time we inject our DLL into the nc.exe process. At texte here …. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
INLINE HOOKING PRACTICAL EXAMPLE (5)  Your texte here …. Let’s check using the our debugger how’s things have changed.  The API preamble has been modified. It has been replaced with a jump to our evil function. WS2_32!Send ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
INLINE HOOKING PRACTICAL EXAMPLE (6)  Your texte here our function at address 0x6FAC11D0. Let’s check …. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
INLINE HOOKING PRACTICAL EXAMPLE (7)  Your texte here …. the chat has changed too :] The behavior of ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
DETECTING INLINE HOOKING (1)  Your texte here …. Detecting inline hooks is pretty simple.  Rootkits detectors like gmer, or BlackLight from Fsecure do a good job.  Let’s do an injection test into Internet Explorer 8.0 in Windows 7 and hook wininet!HttpSendRequestW Api. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
DETECTING INLINE HOOKING (2)  Your texte here …. place :] The hook is in ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
DETECTING INLINE HOOKING (3)  Your texte has …. But it here been successfully detected by gmer anti- rootkit. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
CONCLUSION  Inline hooks can be very useful when trying to reverse Your texte here …. malware.  Paradoxically nowadays malcode use this technique to change the behavior of the operating system in order to steal personal information.  By understanding and identifying hooks, thought, you will be able to detect most public rootkits and malwares.  We hope this document help you understand and master inline hooks.  Demo video: Inline Hooking in Windows ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
TO BE CONTINUED Your texte here ….  In future documents we will introduce Kernel Hooking. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
REFERENCES  Your texte here …. Subverting the Windows Kernel (Greg Hoglund & James Butler)  Professional Rootkits (Ric Vieler)  Programming application for Microsoft Windows fourth edition (Jeffrey Ritchter)  http://msdn.microsoft.com/en-us/magazine/cc301805.aspx  Programming Windows Security (Keith Brown)  http://support.microsoft.com/kb/197571  http://www.youtube.com/watch?v=2RJyR9igsdI  http://community.websense.com/blogs/securitylabs/archive/tags/ Zeus/default.aspx  http://www.ibm.com/developerworks/linux/library/l-ia/index.html  http://www.gmer.net/ ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
Thank-you for reading Your texte here …. Thank you for reading Your questions are always welcome! Brian.mariani@htbridge.ch ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 

Recommended

ゼロから学ぶIoT
ゼロから学ぶIoTゼロから学ぶIoT
ゼロから学ぶIoTMasaru Takahashi
 
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~junichi anno
 
Java vs JavaScript | Edureka
Java vs JavaScript | EdurekaJava vs JavaScript | Edureka
Java vs JavaScript | EdurekaEdureka!
 
Tech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみた
Tech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみたTech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみた
Tech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみたMasaru Takahashi
 
あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~
あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~
あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~Masahiko Ebisuda
 
Sql serve2019 staticdatamaskting
Sql serve2019 staticdatamasktingSql serve2019 staticdatamaskting
Sql serve2019 staticdatamasktingMicrosoft
 
Azure active directory によるデバイス管理の種類とトラブルシュート事例について
Azure active directory によるデバイス管理の種類とトラブルシュート事例についてAzure active directory によるデバイス管理の種類とトラブルシュート事例について
Azure active directory によるデバイス管理の種類とトラブルシュート事例についてShinya Yamaguchi
 
20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdf
20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdf20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdf
20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdfKoji Sekiguchi
 

Recommended

ゼロから学ぶIoT
ゼロから学ぶIoTゼロから学ぶIoT
ゼロから学ぶIoTMasaru Takahashi
 
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~junichi anno
 
Java vs JavaScript | Edureka
Java vs JavaScript | EdurekaJava vs JavaScript | Edureka
Java vs JavaScript | EdurekaEdureka!
 
Tech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみた
Tech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみたTech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみた
Tech Summit 2018 【事例紹介】 自社サービスに Azure IoT Hub Device Provisioning Serviceを適用してみたMasaru Takahashi
 
あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~
あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~
あなたも「違いが分かる人」になりましょう! ~ Azure, AzureStack, AzureStack HCI ~Masahiko Ebisuda
 
Sql serve2019 staticdatamaskting
Sql serve2019 staticdatamasktingSql serve2019 staticdatamaskting
Sql serve2019 staticdatamasktingMicrosoft
 
Azure active directory によるデバイス管理の種類とトラブルシュート事例について
Azure active directory によるデバイス管理の種類とトラブルシュート事例についてAzure active directory によるデバイス管理の種類とトラブルシュート事例について
Azure active directory によるデバイス管理の種類とトラブルシュート事例についてShinya Yamaguchi
 
20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdf
20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdf20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdf
20221209-ApacheSolrによるはじめてのセマンティックサーチ.pdfKoji Sekiguchi
 
我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?
我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?
我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?臺灣塔米歐
 
よくある質問と対策 2015
よくある質問と対策 2015よくある質問と対策 2015
よくある質問と対策 2015Atsushi Tanaka
 
Core java
Core java Core java
Core java Shubham singh
 
Executing SQL Queries and Making Plugins
Executing SQL Queries and Making PluginsExecuting SQL Queries and Making Plugins
Executing SQL Queries and Making Pluginskhcoder
 
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~Takunori Minamisawa
 
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨EriMizuki1
 
実践!AWSクラウドデザインパターン
実践!AWSクラウドデザインパターン実践!AWSクラウドデザインパターン
実践!AWSクラウドデザインパターンHiroyasu Suzuki
 
Springboot introduction
Springboot introductionSpringboot introduction
Springboot introductionSagar Verma
 
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)オラクルエンジニア通信
 
Spring Framework
Spring Framework Spring Framework
Spring Framework tola99
 
Spring framework Introduction
Spring framework IntroductionSpring framework Introduction
Spring framework IntroductionAnuj Singh Rajput
 
Servlet.ppt
Servlet.pptServlet.ppt
Servlet.pptVMahesh5
 
هندسة البرمجيات 1
هندسة البرمجيات 1هندسة البرمجيات 1
هندسة البرمجيات 1alaa_ward
 
Are Dragons Real?
Are Dragons Real?Are Dragons Real?
Are Dragons Real?Sebastian Wardin
 
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~Trainocate Japan, Ltd.
 
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しよう
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しようMicrosoft Azureのビッグデータ基盤とAIテクノロジーを活用しよう
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しようHideo Takagi
 
AWS Cloud Design Pattern for Enterprise
AWS Cloud Design Pattern for EnterpriseAWS Cloud Design Pattern for Enterprise
AWS Cloud Design Pattern for EnterpriseAkio Katayama
 
NGINX Back to Basics Part 3: Security (Japanese Version)
NGINX Back to Basics Part 3: Security (Japanese Version)NGINX Back to Basics Part 3: Security (Japanese Version)
NGINX Back to Basics Part 3: Security (Japanese Version)NGINX, Inc.
 
Spring boot
Spring bootSpring boot
Spring bootGyanendra Yadav
 
[Japan Tech summit 2017] SEC 004
[Japan Tech summit 2017] SEC 004[Japan Tech summit 2017] SEC 004
[Japan Tech summit 2017] SEC 004Microsoft Tech Summit 2017
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksHigh-Tech Bridge SA (HTBridge)
 
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0High-Tech Bridge SA (HTBridge)
 

More Related Content

What's hot

我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?
我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?
我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?臺灣塔米歐
 
よくある質問と対策 2015
よくある質問と対策 2015よくある質問と対策 2015
よくある質問と対策 2015Atsushi Tanaka
 
Executing SQL Queries and Making Plugins
Executing SQL Queries and Making PluginsExecuting SQL Queries and Making Plugins
Executing SQL Queries and Making Pluginskhcoder
 
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~Takunori Minamisawa
 
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨EriMizuki1
 
実践!AWSクラウドデザインパターン
実践!AWSクラウドデザインパターン実践!AWSクラウドデザインパターン
実践!AWSクラウドデザインパターンHiroyasu Suzuki
 
Springboot introduction
Springboot introductionSpringboot introduction
Springboot introductionSagar Verma
 
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)オラクルエンジニア通信
 
Spring Framework
Spring Framework Spring Framework
Spring Framework tola99
 
Spring framework Introduction
Spring framework IntroductionSpring framework Introduction
Spring framework IntroductionAnuj Singh Rajput
 
Servlet.ppt
Servlet.pptServlet.ppt
Servlet.pptVMahesh5
 
هندسة البرمجيات 1
هندسة البرمجيات 1هندسة البرمجيات 1
هندسة البرمجيات 1alaa_ward
 
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~Trainocate Japan, Ltd.
 
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しよう
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しようMicrosoft Azureのビッグデータ基盤とAIテクノロジーを活用しよう
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しようHideo Takagi
 
AWS Cloud Design Pattern for Enterprise
AWS Cloud Design Pattern for EnterpriseAWS Cloud Design Pattern for Enterprise
AWS Cloud Design Pattern for EnterpriseAkio Katayama
 
NGINX Back to Basics Part 3: Security (Japanese Version)
NGINX Back to Basics Part 3: Security (Japanese Version)NGINX Back to Basics Part 3: Security (Japanese Version)
NGINX Back to Basics Part 3: Security (Japanese Version)NGINX, Inc.
 

What's hot (20)

我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?
我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?
我家已經有一臺有線路由器,請問WF2419要如何設定才能接在這原有的路由器下正常運作?
 
よくある質問と対策 2015
よくある質問と対策 2015よくある質問と対策 2015
よくある質問と対策 2015
 
Core java
Core java Core java
Core java
 
Executing SQL Queries and Making Plugins
Executing SQL Queries and Making PluginsExecuting SQL Queries and Making Plugins
Executing SQL Queries and Making Plugins
 
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~
Azure DevOps ハンズオン Vo.1 ~Azure Boards を用いたアジャイル計画とポートフォリオマネジメント~
 
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨
CSカレッジアワード 出題者:ヘイ株式会社さま 水木絵梨
 
実践!AWSクラウドデザインパターン
実践!AWSクラウドデザインパターン実践!AWSクラウドデザインパターン
実践!AWSクラウドデザインパターン
 
Springboot introduction
Springboot introductionSpringboot introduction
Springboot introduction
 
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)
Oracle Database: リリースモデルとアップグレード・パッチ計画 (2021年2月版)
 
Spring Framework
Spring Framework Spring Framework
Spring Framework
 
Spring framework Introduction
Spring framework IntroductionSpring framework Introduction
Spring framework Introduction
 
Servlet.ppt
Servlet.pptServlet.ppt
Servlet.ppt
 
هندسة البرمجيات 1
هندسة البرمجيات 1هندسة البرمجيات 1
هندسة البرمجيات 1
 
Are Dragons Real?
Are Dragons Real?Are Dragons Real?
Are Dragons Real?
 
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~
IDaaS を正しく活用するための認証基盤設計 ~Azure Active Directory の構成パターン詳細~
 
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しよう
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しようMicrosoft Azureのビッグデータ基盤とAIテクノロジーを活用しよう
Microsoft Azureのビッグデータ基盤とAIテクノロジーを活用しよう
 
AWS Cloud Design Pattern for Enterprise
AWS Cloud Design Pattern for EnterpriseAWS Cloud Design Pattern for Enterprise
AWS Cloud Design Pattern for Enterprise
 
NGINX Back to Basics Part 3: Security (Japanese Version)
NGINX Back to Basics Part 3: Security (Japanese Version)NGINX Back to Basics Part 3: Security (Japanese Version)
NGINX Back to Basics Part 3: Security (Japanese Version)
 
Spring boot
Spring bootSpring boot
Spring boot
 
[Japan Tech summit 2017] SEC 004
[Japan Tech summit 2017] SEC 004[Japan Tech summit 2017] SEC 004
[Japan Tech summit 2017] SEC 004
 

Viewers also liked

Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksHigh-Tech Bridge SA (HTBridge)
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatHigh-Tech Bridge SA (HTBridge)
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsHigh-Tech Bridge SA (HTBridge)
 
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackHigh-Tech Bridge SA (HTBridge)
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
DIDÁCTICA Y MAPA CONCEPTUAL
DIDÁCTICA Y MAPA CONCEPTUALDIDÁCTICA Y MAPA CONCEPTUAL
DIDÁCTICA Y MAPA CONCEPTUALMagdalena Guirau
 
PROJECTE DE TREBALL FET PELS XIQUETS
PROJECTE DE TREBALL FET PELS XIQUETSPROJECTE DE TREBALL FET PELS XIQUETS
PROJECTE DE TREBALL FET PELS XIQUETSlaucs1975
 
Weird photos pics on floidbox.com
Weird photos pics on floidbox.comWeird photos pics on floidbox.com
Weird photos pics on floidbox.comFlorin Levarda
 
startup-ecosystem-survey-slovakia-2016
startup-ecosystem-survey-slovakia-2016startup-ecosystem-survey-slovakia-2016
startup-ecosystem-survey-slovakia-2016George Delaney FCA
 
ツイートするだけクライアント
ツイートするだけクライアントツイートするだけクライアント
ツイートするだけクライアント森理 麟
 
Informe general
Informe generalInforme general
Informe generalkode99
 

Viewers also liked (20)

Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacks
 
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in Windows
 
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitManipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley Framework
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in Windows
 
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attack
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
DIDÁCTICA Y MAPA CONCEPTUAL
DIDÁCTICA Y MAPA CONCEPTUALDIDÁCTICA Y MAPA CONCEPTUAL
DIDÁCTICA Y MAPA CONCEPTUAL
 
PROJECTE DE TREBALL FET PELS XIQUETS
PROJECTE DE TREBALL FET PELS XIQUETSPROJECTE DE TREBALL FET PELS XIQUETS
PROJECTE DE TREBALL FET PELS XIQUETS
 
Weird photos pics on floidbox.com
Weird photos pics on floidbox.comWeird photos pics on floidbox.com
Weird photos pics on floidbox.com
 
startup-ecosystem-survey-slovakia-2016
startup-ecosystem-survey-slovakia-2016startup-ecosystem-survey-slovakia-2016
startup-ecosystem-survey-slovakia-2016
 
Rr100 b
Rr100 bRr100 b
Rr100 b
 
Integration for manufacturing The eScop Approach
Integration for manufacturing The eScop ApproachIntegration for manufacturing The eScop Approach
Integration for manufacturing The eScop Approach
 
ツイートするだけクライアント
ツイートするだけクライアントツイートするだけクライアント
ツイートするだけクライアント
 
Informe general
Informe generalInforme general
Informe general
 
Baum2
Baum2Baum2
Baum2
 

Similar to Inline Hooking in Windows

CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityHigh-Tech Bridge SA (HTBridge)
 
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)High-Tech Bridge SA (HTBridge)
 
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationNovell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationHigh-Tech Bridge SA (HTBridge)
 
The Role of Standards in IoT Security
The Role of Standards in IoT SecurityThe Role of Standards in IoT Security
The Role of Standards in IoT SecurityHannes Tschofenig
 
20101109 (tech ed) how frameworks kill projects
20101109 (tech ed) how frameworks kill projects20101109 (tech ed) how frameworks kill projects
20101109 (tech ed) how frameworks kill projectsSander Hoogendoorn
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software developmentNick Galbreath
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSCisco Russia
 
GeeCON Microservices 2015 scaling micro services at gilt
GeeCON Microservices 2015 scaling micro services at giltGeeCON Microservices 2015 scaling micro services at gilt
GeeCON Microservices 2015 scaling micro services at giltAdrian Trenaman
 
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)Jonathan Engelsma
 
Developer-Friendly CI / CD for Kubernetes
Developer-Friendly CI / CD for KubernetesDeveloper-Friendly CI / CD for Kubernetes
Developer-Friendly CI / CD for KubernetesDevOps Indonesia
 
Docker cloud hybridation & orchestration
Docker cloud hybridation & orchestrationDocker cloud hybridation & orchestration
Docker cloud hybridation & orchestrationAdrien Blind
 
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017ElifTech
 
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...Henning Jacobs
 
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...Jan Löffler
 
Radical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the CloudRadical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the CloudZalando Technology
 
Introduction to the Container Networking and Security
Introduction to the Container Networking and SecurityIntroduction to the Container Networking and Security
Introduction to the Container Networking and SecurityCloud 66
 

Similar to Inline Hooking in Windows (20)

CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
 
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
 
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationNovell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
 
The Role of Standards in IoT Security
The Role of Standards in IoT SecurityThe Role of Standards in IoT Security
The Role of Standards in IoT Security
 
20101109 (tech ed) how frameworks kill projects
20101109 (tech ed) how frameworks kill projects20101109 (tech ed) how frameworks kill projects
20101109 (tech ed) how frameworks kill projects
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
 
The State of Wicket
The State of WicketThe State of Wicket
The State of Wicket
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OS
 
GeeCON Microservices 2015 scaling micro services at gilt
GeeCON Microservices 2015 scaling micro services at giltGeeCON Microservices 2015 scaling micro services at gilt
GeeCON Microservices 2015 scaling micro services at gilt
 
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
 
voip_en
voip_envoip_en
voip_en
 
Developer-Friendly CI / CD for Kubernetes
Developer-Friendly CI / CD for KubernetesDeveloper-Friendly CI / CD for Kubernetes
Developer-Friendly CI / CD for Kubernetes
 
Docker cloud hybridation & orchestration
Docker cloud hybridation & orchestrationDocker cloud hybridation & orchestration
Docker cloud hybridation & orchestration
 
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017
 
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
 
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...
 
Radical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the CloudRadical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the Cloud
 
Introduction to the Container Networking and Security
Introduction to the Container Networking and SecurityIntroduction to the Container Networking and Security
Introduction to the Container Networking and Security
 

Recently uploaded

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Inline Hooking in Windows

  • 1. Your texte here …. Inline Hooking in Windows 6 September 2011 Brian MARIANI Senior Security Consultant ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 2. SOME IMPORTANT POINTS Your texte here ….  This document is the second of a series of five articles relating to the art of hooking.  As a test environment we will use an english Windows Seven SP1 operating system distribution. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 3. WHAT IS AN INLINE HOOK Your texte here …. When an inline hook is implemented it will overwrite the first bytes codes of a windows api in order to redirect code flow. This kind of technique can be used in ring 3 or ring 0 modes. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 4. CHARACTERISTICS Your texte here ….  Inline hooking is more robust than import address table (IAT) hooks.  They do not have problems related to dll binding at runtime.  They can trap any function call, not just system calls.  No device driver is required.  They are widely used in many renowned professional applications and well-known rootkits. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 5. SOME GOOD UTILITIES  Your the Defcon 17 Nick Harbour has presented a good tool At texte here …. named apithief.  The tool launches a process in a suspended state.  It then injects a DLL and hook Win32 API functions.  The tool can then monitor the api behavior. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 6. SOME BAD UTILITIES  Your texte here …. widespread malware take advantage of Well-known and this kind of technique to hook key api windows components in order to spy and steal sensitive information from the user.  One of these famous malwares is Zeus, also known as Zbot, PRG, Wsnpoem or Gorhax. ws2_32! WSASend API hooked ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 7. Implementing an inline hook  Your texte hereour dll into the process we want to hijack. We inject …. (Please see Userland Hooking in Windows)  The first bytes of the target api are saved, these are the bytes that will be overwritten.  We place a jump, call or push-ret instruction.  The jump redirects the code flow to our function.  The hook can later call the original api using the saved bytes of the hooked function.  The original function will return control to our function and then data can be easily tampered. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 8. WHAT ARE WE GOING TO OVERWRITE  Your texte here …. It is very important to determine what and where we are going to overwrite the bytes codes.  Knowing exactly how much space we have at our disposal is really important, otherwise we can destroy the logic of the api, or write beyond his borders.  An unconditional jump will require 5 bytes.  We need to disassemble the beginning of the target api. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 9. WHERE ARE WE GOING TO OVERWRITE  Your texte herea windows api function is usually the same. The start of ….  After XP-SP2 Microsoft decided to change the windows api preamble: MOV EDI,EDI PUSH EBP MOV EBP,ESP  This allow for hot-patching, inserting a new code without the need to reboot the box.  We can use these five bytes to insert our own set of instructions. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 10. WHERE ARE WE GOING TO OVERWRITE  Your texte here …. why we select the start of the function is Another reason because the more deeper into the function the hook is located, the more we must be careful with the code.  If you hook deeper into the function, you can create unwanted issues.  Things become more complex.  Keep it simple and stupid. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 11. AN UNSUCCESSFUL HOOK  Your we try to …. If texte here hook every function in the same way we can modify the logic of the function.  In the picture below we have inserted an unconditional jump that destroy the logic of the function. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 12. A SUCCESSFUL HOOK  Your this particular example the prolog of httpsendrequest In texte here …. API has been hooked with a jump to our function.  We have used the first 5 bytes of the target function to place our jmp instruction. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 13. INLINE HOOKING PRACTICAL EXAMPLE (1)  Yourthis practical example our target is a simple chat system In texte here …. using nc.exe, but every program using WS2_32.DLL!Send Api could be used.  We want to hijack the sent messages from one of two users.  To accomplish this task we inject our DLL into nc.exe process and we hook the aforementioned api.  Then we jump into our function and we change the stack parameters, then we adjust our stack to avoid incovenients and finally we jump again to WS2_32.DLL!Send api.  This hook example can be used to create more complex scenarios. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 14. INLINE HOOKING PRACTICAL EXAMPLE (2)  Your textehooking the WS2_32.dll!send API we attach with Before here …. our debugger to the nc.exe process which is already listening on port 9999. We can see the unhook prolog. WS2_32!Send ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 15. INLINE HOOKING PRACTICAL EXAMPLE (3)  Your texte here …. for inbound connections (upper image) and the client Server is listening connects (lower image). All is working normally and users are discussing without any issues. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 16. INLINE HOOKING PRACTICAL EXAMPLE (4)  Yourthis time we inject our DLL into the nc.exe process. At texte here …. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 17. INLINE HOOKING PRACTICAL EXAMPLE (5)  Your texte here …. Let’s check using the our debugger how’s things have changed.  The API preamble has been modified. It has been replaced with a jump to our evil function. WS2_32!Send ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 18. INLINE HOOKING PRACTICAL EXAMPLE (6)  Your texte here our function at address 0x6FAC11D0. Let’s check …. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 19. INLINE HOOKING PRACTICAL EXAMPLE (7)  Your texte here …. the chat has changed too :] The behavior of ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 20. DETECTING INLINE HOOKING (1)  Your texte here …. Detecting inline hooks is pretty simple.  Rootkits detectors like gmer, or BlackLight from Fsecure do a good job.  Let’s do an injection test into Internet Explorer 8.0 in Windows 7 and hook wininet!HttpSendRequestW Api. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 21. DETECTING INLINE HOOKING (2)  Your texte here …. place :] The hook is in ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 22. DETECTING INLINE HOOKING (3)  Your texte has …. But it here been successfully detected by gmer anti- rootkit. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 23. CONCLUSION  Inline hooks can be very useful when trying to reverse Your texte here …. malware.  Paradoxically nowadays malcode use this technique to change the behavior of the operating system in order to steal personal information.  By understanding and identifying hooks, thought, you will be able to detect most public rootkits and malwares.  We hope this document help you understand and master inline hooks.  Demo video: Inline Hooking in Windows ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 24. TO BE CONTINUED Your texte here ….  In future documents we will introduce Kernel Hooking. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 25. REFERENCES  Your texte here …. Subverting the Windows Kernel (Greg Hoglund & James Butler)  Professional Rootkits (Ric Vieler)  Programming application for Microsoft Windows fourth edition (Jeffrey Ritchter)  http://msdn.microsoft.com/en-us/magazine/cc301805.aspx  Programming Windows Security (Keith Brown)  http://support.microsoft.com/kb/197571  http://www.youtube.com/watch?v=2RJyR9igsdI  http://community.websense.com/blogs/securitylabs/archive/tags/ Zeus/default.aspx  http://www.ibm.com/developerworks/linux/library/l-ia/index.html  http://www.gmer.net/ ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch 
  • 26. Thank-you for reading Your texte here …. Thank you for reading Your questions are always welcome! Brian.mariani@htbridge.ch ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch