Field | Value |
---|---|
ID | F0015 |
Objective(s) | Anti-Behavioral Analysis, Collection, Credential Access, Defense Evasion, Persistence, Privilege Escalation |
Related ATT&CK Techniques | Hijack Execution Flow (T1574, T1625) |
Anti-Analysis Type | Evasion |
Version | 2.0 |
Created | 8 November 2021 |
Last Modified | 13 September 2023 |
Malware may execute by hijacking the way operating systems run programs. Malware (e.g., a rootkit) alters API behavior or redirects execution (i.e., hooking) to a malicious version of the API for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding its execution and gaining elevated privileges and access to that process's memory. The different types of hooking are defined as methods below.
Note that in MBC, Hooking is also associated with the Defense Evasion, Persistence, Privilege Escalation, and Anti-Behavioral Analysis objectives.
For discussion related to the Credential Access and Collection objectives, see Input Capture: Credential API Hooking (T1056.004).
For hooking related to memory dump evasion, see Memory Dump Evasion (B0006).
See ATT&CK: Hijack Execution Flow (T1574, T1625).
Name | ID | Description |
---|---|---|
Abuse Windows Function Calls | F0015.006 | Malware abuses native Windows function calls to transfer execution to shellcode that it loads into memory. A pointer to the callback function is used to supply the memory address of the shellcode. Functions that can be abused include EnumResourceTypesA and EnumUILanguagesW. [4] |
Export Address Table Hooking | F0015.001 | Malware (e.g. rootkit) hooks the export address table (EAT). |
Import Address Table Hooking | F0015.003 | Malware (e.g. rootkit) modifies a process's import address table (IAT), which stores pointers to imported API functions. [1] This method is related to Unprotect technique U1217. |
Inline Patching | F0015.002 | Inline patching (inline hooking) is done by modifying the beginning of a function (e.g., its first bytes) in order to redirect the execution flow to custom code (i.e. redirecting code flow) before jumping back to the original function. [2] This method is related to Unprotect technique U1205. |
Procedure Hooking | F0015.007 | Intercepts and executes designated code in response to events such as messages, keystrokes, and mouse inputs. [5] |
Shadow System Service Dispatch Table Hooking | F0015.004 | The Shadow System Service Dispatch Table (Shadow SSDT) can be hooked similarly to how the SSDT and IAT are hooked. The target of Shadow SSDT hooking is the Windows subsystem (win32k.sys). [3] |
System Service Dispatch Table Hooking | F0015.005 | Malware (e.g. rootkit, malicious drivers) may hook the system service dispatch table (SSDT), also called the system service descriptor table. The SSDT contains information about the service tables used by the operating system for dispatching system calls. Hooking the SSDT enables malware to hide files, registry keys, and network connections. [3] |
Name | Date | Method | Description |
---|---|---|---|
Kronos | 2014 | -- | Kronos hooks the API of processes to prevent detection. [6] |
Ursnif | 2016 | -- | The malware hooks various DLL exported functions when the DLL component is loaded into their respective browser application to monitor network traffic. [7] |
GravityRAT | 2018 | F0015.006 | GravityRAT abuses Microsoft's Dynamic Data Exchange (DDE) protocol. [8] |
SYNful Knock | 2015 | -- | SYNful Knock hooks Cisco IOS functions to call and initialize the malware. [9] |
Shamoon | 2012 | F0015.006 | Malware escalates privileges by impersonating the token through using LogonUser and ImpersonateLoggedOnUser then ImpersonateNamedPipeClient. [10] |
Stuxnet | 2010 | F0015.003 | Stuxnet hooks ntdll.dll to monitor for requests to load specially crafted file names which are mapped to a location specified by Stuxnet. [11] |
Stuxnet | 2010 | F0015.007 | WTR4141.tmp hooks APIs from kernel32.dll and ntdll.dll and replaces the original code for these functions with code that checks for files with properties pertaining to Stuxnet files. If a request is made to list a file with the specified properties, the response from these APIs is altered to state that the file does not exist, thereby hiding all files with these properties. [11] |
Tool: capa | Mapping | APIs |
---|---|---|
create new application domain in .NET | Hijack Execution Flow (F0015) | |
execute shellcode via Windows callback function | Hijack Execution Flow::Abuse Windows Function Calls (F0015.006) | EnumDateFormats, GrayString, LineDDA, EnumChildWindows, EnumDesktops, EnumDesktopWindows, EnumSystemCodePages, EnumSystemGeoID, EnumSystemLanguageGroups, EnumSystemLocales, EnumThreadWindows, EnumUILanguages, EnumWindows, EnumTimeFormats |
rebuild import table | Hijack Execution Flow::Import Address Table Hooking (F0015.003) | LoadLibraryA, GetProcAddress |
[1] https://www.sans.org/media/score/checklists/rootkits-investigation-procedures.pdf
[2] https://www.oreilly.com/library/view/learning-malware-analysis/9781788392501/a0a506d6-d062-48c1-a0a8-57d6acb77785.xhtml
[3] https://www.mdpi.com/1999-5903/4/4/971/html
[4] http://ropgadget.com/posts/abusing_win_functions.html
[5] https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures
[6] https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/
[7] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279
[8] https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
[9] https://www.mandiant.com/resources/synful-knock-acis
[10] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[11] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en