Revisiting Ring3 API Hooks: Tricks to Defeat Analysis Tools - Rafael Salema Marquez - Ekoparty - 2021

Ekoparty Security Conference via YouTube

Overview

This talk revisits ring3 (user-mode) API hooks and shows how variations of them can be used to defeat analysis tools. Learning outcomes include understanding API hook variants such as the "Egg hook" and the "Hollow hook" and how they confuse and defeat malware analysis and forensics tools. The talk covers basic knowledge of API hooks, inline hooks, IAT hooks, detection strategies, and practical demonstrations. The intended audience is anyone interested in cybersecurity, malware analysis, and threat detection. It is delivered as a presentation by Rafael Salema Marquez, who introduces and demonstrates the techniques discussed.

Syllabus

Introduction
Agenda
Rafael's background
What is important
Dark side
Credentials
Expose new techniques
Basic knowledge
What are API hooks
Avoid distractions
Inline hooks
IAT hooks
Regular flow
How it works
Detection strategies
Egg hook
Egg hook explanation
Create process suspended
Allocate memory
The fun part
Proof of concept
Virtual machine
Fast look
Results
Actual results
Outro

Taught by

Ekoparty Security Conference
