[MART] - Daily Diary #393 - Rootkit techniques - API Hooking

CTAS-MAT ctas-mat at appgate.com
Thu Nov 18 21:09:01 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

11/18/2021 - Diary entry #393

In our Daily Diary #367 we discussed how rootkit malware works, and in Daily Diary #391 we covered DNS tunneling, a technique rootkits use to disguise their communication inside DNS queries. Today we will look at API hooking, another technique rootkits rely on heavily to exfiltrate information and modify program behavior.

Every program uses system APIs to communicate with the operating system. It is impractical for each program to implement every function for every OS version, so the APIs serve as an interface through which programs call functionality provided by the OS, such as opening files, making network requests, and even authenticating.

Because API calls mediate most of these interactions, by hooking the right APIs malware can exfiltrate data typed into programs, modify connection requests, and even tamper with the information the OS returns before it reaches the program. For a rootkit this is essential, since it wants to remain hidden on the system. Suppose the rootkit is stored in some directory on the system: with enough access it can hook the directory-listing functions used by the other programs on the machine, so an analyst listing that directory to find the files will see it as empty, when in fact the rootkit tampered with the directory-listing response and removed its own files from the list.

On Windows, API hooking is easily achieved with injected DLLs. In that scenario, before a program is started, another process places the malicious code in it and redirects the original API addresses to the malicious ones. On Linux, shared objects are loaded into a process by the ld.so loader, so malware can achieve API hooking by creating a file in the right path or by tampering with ld.so itself.
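As an added example (not part of the original diary entry), the following Python script checks the Linux loading mechanisms described above from the defender's side: it parses /etc/ld.so.preload, looks for LD_PRELOAD in a process's environment, and flags shared objects in /proc/<pid>/maps that were unlinked after loading or mapped from outside the usual library directories. The list of "standard" library directories is an assumption, and a hit is an indicator for review, not proof of hooking.

```python
# Assumed "expected" library locations; anything else is flagged for review, not proof of hooking.
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def preload_entries(ld_so_preload_text):
    """Libraries listed in /etc/ld.so.preload: one path per line, '#' starts a comment."""
    lines = (l.split("#", 1)[0].strip() for l in ld_so_preload_text.splitlines())
    return [l for l in lines if l]

def environ_preload(environ_bytes):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None if unset."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def suspicious_mappings(maps_text):
    """Shared objects in /proc/<pid>/maps that were unlinked or live outside STANDARD_LIB_DIRS."""
    findings = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [path]
        if len(parts) < 6:
            continue
        path = parts[5]
        if not path.startswith("/") or ".so" not in path:
            continue  # anonymous, [vdso]/[stack], or a non-library file
        if path.endswith("(deleted)"):
            finding = ("deleted-library", path)
        elif not path.startswith(STANDARD_LIB_DIRS):
            finding = ("non-standard-library", path)
        else:
            continue
        if finding not in findings:  # maps has several lines per library
            findings.append(finding)
    return findings

def _read(path, mode="r"):
    """File contents, or None when absent or unreadable (not Linux, no permission)."""
    try:
        with open(path, mode) as f:
            return f.read()
    except OSError:
        return None

def scan_process(pid):
    """Run all three checks against a live process; returns (reason, detail) tuples."""
    findings = [("ld.so.preload", p) for p in preload_entries(_read("/etc/ld.so.preload") or "")]
    value = environ_preload(_read(f"/proc/{pid}/environ", "rb") or b"")
    if value:
        findings.append(("LD_PRELOAD", value))
    return findings + suspicious_mappings(_read(f"/proc/{pid}/maps") or "")
```

Running scan_process over every numeric entry in /proc gives a host-wide sweep; an empty result on a clean host is expected because /etc/ld.so.preload normally does not exist.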

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
