★ WORKSHOP ★
Mastering Offensive Hooking and Unhooking
Saturday, 24 February
Hooking is a powerful method employed to monitor, intercept and manipulate the flow of data and control within an application. It involves injecting custom code inside a target process to alter, or enhance its functionality. Hooking plays a pivotal role in anti-game cheats, fortifying security controls, gathering valuable telemetry data, and empowering Endpoint Detection and Response (EDR) systems. This workshop delves deep into advanced hooking techniques, and provides a unique opportunity for participants to master this intricate art. Whether you're a seasoned malware researcher seeking to dissect threats or a red teamer looking to uncover defense blind spots, this workshop will equip you with the skills and knowledge needed to excel in your security endeavors.
Section 1 – The first section of the workshop will focus on basics concepts of Portable executable, PE file formats, introduction to windows APIs and foundation setting for advanced concepts and hands on in later sections.
- PE basics - Students will understand the program execution lifecycle in windows, PE file structure - imports,exports etc
- Windows API - Students will learn about inner working of windows and how various GUI components interact with the kernel via APIs and syscalls. This will include hands on labs that will require participants to use Windows APIs via code (C++) to perform simple operations like process creation, file creation etc.
- NT API & Syscalls – Students will be introduced to NT APIs present in ntdll. These APIs will be later hooked to monitor API calls transitioning from user to kernel mode via syscalls
Section 2 – Focus on this session will be to get started with hooking windows API, via manual methods as well as tools like Frida. Through these exercises, students will be made accustomed to hook windows application and monitor API arguments.
- Introduction to hooking – Students will be introduced to basics of hooking. Both manual as well as automated hooking techniques (using tools like Frida, Detour) will be demonstrated
- Hooking native windows and commercial applications - Students will be given live demonstration of hooking on few windows applications and how to identify correct APIs on which hooks need to be placed
- Simple keylogger
Section 3 – Focus of this section will be to demonstrate legitimate usage of hooking in windows systems by EDRs. Unhooking(removing existing hooks) as a concept will also be introduced as a means to bypass security controls present on a host
- EDRs - Students will receive a primer on Endpoint Detection and Response systems and how they use hooks to gather telemetry and obtain visibility inside individual processes. Decisions to resume or kill the process are formulate based on the telemetry.
- Introduction to unhooking (NTDLL/IAT) – Students will be introduced to IAT (Import Address Table) and NTDLL unhooking techniques as one of the means to evade EDR systems.
Section 4 – The final section will focus on dissecting various unhooking techniques and how evolution of these techniques happened over time as and when EDR's caught up with them
- Hells gate and Halos gate - Students will use the knowledge acquired in the previous section to understand different unhooking strategies employed in diverse scenarios to bypass EDR solutions
- Review / Key Takeaways / Q&A – The workshop will wrap up with a review of the material covered, key takeaways and answer any student questions.
In addition to the presentation material, students will be provided with a virtual machine (VM) that includes a fully functional development environment and all the necessary code samples for replicating the demonstrations showcased during the presentation.
Soumyadeep is a cybersecurity professional with expertise in both offensive and defensive security. Having earned certifications such as OSCP, OSEP, eCPTX and AZ-500, Soumyadeep possesses extensive skills and knowledge in both offensive and defensive cybersecurity domains. Soumyadeep has a strong foundation in red teaming and has worked with companies like Mandiant and Zscaler. Soumyadeep is a Cloud Threat Detection Engineer at CRED, specializing in tracking and disrupting cloud threat actors
Arun is an experienced Red Teamer with specialized expertise in malware development and evasion. Holding certifications like OSCP, CRTP, CRTL, CodeMachine Malware Techniques, Malware on Steroids and Hacksys Windows Kernel Exploitation, he showcases a profound grasp of offensive security. His hands-on experience with top-tier organizations like Google and Mandiant enriches his understanding of real-world cyber tactics. He has volunteered as a trainer at Blackhat Europe MIPS Exploit Development, contributed at Defcon Adversary Village, and presented talks and workshops at RedTeamSummit, c0c0n, and regional Null Meetups.