
API Unhooking

Let’s talk about API unhooking.

Introduction

First, we need to discuss what hooking is. Here, we will talk about inline hooking in user space. Inline hooking in user space involves intercepting and modifying the behavior of a program during its execution by injecting custom code directly into its memory. Let’s take the example of the MessageBoxA function, which displays a message box in Windows.

The process begins by identifying the MessageBoxA function within the target process. Then, custom code is injected into the memory space of the process. This injected code contains instructions to intercept calls to MessageBoxA.

When a call to MessageBoxA is made during program execution, the flow of control is redirected to the injected custom code instead. This allows us to perform additional actions before or after the original MessageBoxA function executes. For instance, we could log parameters, modify the message being displayed, or take any other desired action.

After executing our custom code, we may choose to either let the original MessageBoxA function execute as usual or redirect the flow of execution back to the original function. This depends on the specific requirements of our hook.

Inline hooking in user space provides flexibility and power, allowing for dynamic modifications to program behavior without altering the original source code. However, it also poses risks such as compatibility issues with software updates and the potential introduction of security vulnerabilities if not implemented carefully.
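As an added illustration (not code from the original post) of what an inline hook leaves behind and how a defender can check for it: the first bytes of a function as mapped in memory are compared with a clean reference copy (for example the same bytes read from the DLL on disk), and a leading JMP rel32 patch is decoded to the address it redirects to. The function address and both byte sequences are constructed for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of checking one function prologue for an inline patch. */
typedef struct {
    int hooked;          /* 1 if the live bytes differ from the clean reference copy */
    int patch_len;       /* index just past the last modified byte */
    int64_t jmp_target;  /* absolute target when the patch begins with JMP rel32 (E9), else -1 */
} hook_report;

/* Compare the bytes of a function as currently mapped (live) against a clean
 * reference (for example the same bytes read from the DLL file on disk). */
hook_report inspect_prologue(uint64_t func_addr, const uint8_t *live,
                             const uint8_t *clean, size_t len)
{
    hook_report r = { 0, 0, -1 };
    for (size_t i = 0; i < len; i++) {
        if (live[i] != clean[i]) { r.hooked = 1; r.patch_len = (int)(i + 1); }
    }
    if (r.hooked && len >= 5 && live[0] == 0xE9) {
        /* E9 rel32: target = address after the 5-byte instruction + signed displacement */
        uint32_t raw = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                       (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
        r.jmp_target = (int64_t)func_addr + 5 + (int32_t)raw;
    }
    return r;
}

/* Constructed sample (not taken from a real process): a typical x64 prologue
 * (mov [rsp+8],rbx; mov [rsp+0x10],rbp) and the same bytes after a 5-byte JMP
 * to a trampoline 1 MiB above the function was written over its start. */
static const uint64_t DEMO_FUNC = 0x7FF800001000ULL;
static const uint8_t DEMO_CLEAN[10]  = { 0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x6C,0x24,0x10 };
static const uint8_t DEMO_HOOKED[10] = { 0xE9,0xFB,0xFF,0x0F,0x00, 0x48,0x89,0x6C,0x24,0x10 };

hook_report demo_hooked(void) { return inspect_prologue(DEMO_FUNC, DEMO_HOOKED, DEMO_CLEAN, 10); }
hook_report demo_clean(void)  { return inspect_prologue(DEMO_FUNC, DEMO_CLEAN, DEMO_CLEAN, 10); }

int main(void)
{
    hook_report r = demo_hooked();
    if (r.hooked)
        printf("hooked: %d leading bytes patched, JMP to 0x%" PRIx64 "\n", r.patch_len, r.jmp_target);
    else
        puts("clean");
    return 0;
}
```

The same comparison applied to ntdll or kernel32 exports at load time is how integrity checkers flag user-space hooks, whether placed by a security product or by malware.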


Frida tools

Frida is a dynamic instrumentation toolkit that allows developers and security researchers to inject JavaScript or Python scripts into running processes on various platforms such as Windows, macOS, Linux, Android, and iOS. This enables real-time manipulation, analysis, and monitoring of the target application’s behavior, including function tracing, hooking, and memory access. Frida is widely used for debugging, reverse engineering, and penetration testing purposes due to its flexibility, ease of use, and platform support.

Let’s use frida-trace to hook the CreateFileA function in notepad.exe. First install the tools:

pip install frida-tools


Command: frida-trace -f C:\Windows\system32\notepad -i KERNEL32!CreateFileA

  • frida-trace: Frida command-line tool for dynamic tracing.
  • -f C:\Windows\system32\notepad: the target process is the Notepad application.
  • -i KERNEL32!CreateFileA: traces calls to the CreateFileA function in the KERNEL32 library.

As you can see, Frida injects its DLL into the target process.


Great, now let’s do something a little bit different.

This is a practical case for educational purposes only.

This post is licensed under CC BY 4.0 by the author.