3. Detecting API Hooks

After injecting the malicious code into the target process, malware can hook API calls made by the target process to control its execution path and reroute it to the malicious code. The details of hooking techniques were covered in Chapter 8, Code Injection and Hooking (in the Hooking Techniques section). In this section, we will mainly focus on detecting such hooking techniques using memory forensics. To identify API hooks in both process and kernel memory, you can use the apihooks Volatility plugin. In the following example involving the Zeus bot, an executable is injected into the memory of the explorer.exe process at address 0x2c70000, as detected by the malfind plugin:

$ python vol.py -f zeus.vmem --profile=Win7SP1x86 malfind

Process: explorer.exe Pid: 1608 Address: 0x2c70000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x02c70000 4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ..............
0x02c70010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02c70020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02c70030 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 ................

In the following output, the apihooks plugin detects a hook in the user-mode API HttpSendRequestA (in wininet.dll). The hooked API is redirected to address 0x2c7ec48 (the hook address), which falls within the address range of the injected executable (the hooking module). The name of the hooking module is reported as unknown because it was injected into memory rather than loaded normally from disk. To be specific, at the start address (0x753600fc) of the API function HttpSendRequestA there is a jump instruction that redirects the execution flow of HttpSendRequestA to address 0x2c7ec48 inside the injected executable:

$ python vol.py -f zeus.vmem --profile=Win7SP1x86 apihooks -p 1608

Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1608 (explorer.exe)
Victim module: wininet.dll (0x752d0000 - 0x753c4000)
Function: wininet.dll!HttpSendRequestA at 0x753600fc
Hook address: 0x2c7ec48
Hooking module: <unknown>

Disassembly(0):
0x753600fc e947eb918d JMP 0x2c7ec48
0x75360101 83ec38 SUB ESP, 0x38
0x75360104 56 PUSH ESI
0x75360105 6a38 PUSH 0x38
0x75360107 8d45c8 LEA EAX, [EBP-0x38]
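The check apihooks performs on HttpSendRequestA above can be reproduced on the bytes it printed. The following script is an added example, not code from the book or from Volatility: it decodes the control transfer at the function's first instruction, resolves its destination against the module ranges reported by apihooks and malfind, and flags the transfer when it leaves the victim module. The loaded-module list, the injected region's size and the clean prologue are constructed assumptions.

```python
import struct

# Constructed inputs reproducing the explorer.exe (PID 1608) case above.
# The loaded-module range is the one apihooks printed for wininet.dll; the
# injected region is the VAD malfind reported (its size is assumed here).
LOADED_MODULES = [("wininet.dll", 0x752D0000, 0x753C4000)]
INJECTED_REGIONS = [(0x02C70000, 0x02C70000 + 0x10000)]   # assumed size

# First bytes of HttpSendRequestA as shown in the apihooks disassembly
# (E9 47 EB 91 8D = JMP rel32), and a constructed unhooked prologue.
HOOKED_PROLOGUE = bytes.fromhex("e947eb918d83ec38566a38")
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec38")

def decode_transfer(addr, code):
    """Return the destination of a control transfer at `addr`, else None."""
    op = code[0]
    if op == 0xE9 and len(code) >= 5:                      # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB and len(code) >= 2:                      # JMP rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return (addr + 2 + rel) & 0xFFFFFFFF
    if op == 0x68 and len(code) >= 6 and code[5] == 0xC3:  # PUSH imm32; RET
        return struct.unpack_from("<I", code, 1)[0]
    return None

def module_for(addr):
    """Name of the loaded module containing `addr`, or None."""
    for name, start, end in LOADED_MODULES:
        if start <= addr < end:
            return name
    return None

def check_hook(func_name, func_addr, code):
    """Flag an inline hook when the first instruction leaves the victim module."""
    target = decode_transfer(func_addr, code)
    if target is None:
        return None
    victim = module_for(func_addr)
    hooking = module_for(target)
    if hooking == victim:        # intra-module jumps are not reported as hooks
        return None
    in_injected = any(s <= target < e for s, e in INJECTED_REGIONS)
    return {"function": func_name, "hook_address": target,
            "victim_module": victim, "hooking_module": hooking or "<unknown>",
            "in_malfind_region": in_injected}

if __name__ == "__main__":
    print(check_hook("wininet.dll!HttpSendRequestA", 0x753600FC, HOOKED_PROLOGUE))
```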