Video Training →Windows API Hooking

Learn windows api hooking the maldev way
What you'll learn:
What is API Hooking
Different types of hooking
inline hooking
iat hooking
dll unhooking
Requirements:
No prior experience needed but basics of windows api is an added advantage
Description:
We often hear the words in movies "he has hooks on you". this means he is controlling you.In same analogy, hooking here means controlling the function flow to examine the parameters that are being passed to the function.AV/EDR hooks some important functions in various dlls.NtVirtualAllocateMemory, ZwWriteVirtualMemory, NtCreateRemoteThread, etc are hooked5 BYTE INLINE HOOKINGIn this inline hooking, we replace first 5 bytes of legit function with a jump offset to our function.When the legit function is called, the control flow redirects to our address along with the original arguments.Now we restore those 5 bytes at legit function and then inspect the arguments for any malicious usage.we can then proceed to block or allow the functionIAT HOOKINGFirstthunk address in import descriptor table points to address of legit functions.We can overwrite this address to our malicious function.we receive arguments and then call legit functionHIDING PROCESSES FROM USER MODE PROCESSProcesses like task manager uses NtQuerySystemInformation with SYSTEM_PROCESS_INFORMATION to get all processes information.All of these processes are in linked list.We can hide our desired process by modifying the next link of previous process to the next process.DLL UNHOOKINGWe can unhook the hooked dlls by copying clean version of dll's .text section into our process.AV/EDR does not hook dlls on disk because it slows down the system heavily.We can acquire clean copy from disk or from a suspended process
Who this course is for:
Penetration testers
Malware Developers
Red Teamers
Homepage

https://www.udemy.com/course/windows-api-hooking/