Revisiting Ring3 API Hooks: Tricks to Defeat Analysis Tools - Rafael Salema Marquez - Ekoparty - 2021

Offered By: Ekoparty Security Conference via YouTube

Tags

Ekoparty Security Conference Courses, Web Development Courses, Cybersecurity Courses, Malware Analysis Courses, Threat Detection Courses

Course Description

Overview

Explore advanced ring3 API hooking techniques designed to evade malware analysis tools in this 42-minute conference talk from Ekoparty 2021. Delve into the world of malware development as Rafael Salema Marquez introduces novel variations of existing API hook methods, including "Egg hook" and "Hollow hook." Learn how these techniques can confuse and defeat popular forensics tools, gaining insights into the strategies employed by malware writers to remain undetected. Examine the basic concepts of API hooks, inline hooks, and IAT hooks before diving into the intricacies of the new approaches. Follow along with practical demonstrations and proof of concept implementations, understanding their impact on virtual machine environments and analysis results.

Syllabus

Introduction
Agenda
Rafael's background
What is important
Dark side
Credentials
Expose new techniques
Basic knowledge
What are API hooks
Avoid distractions
Inline hooks
IAT hooks
Regular flow
How it works
Detection strategies
Egg hook
Egg hook explanation
Create process suspended
Allocate memory
The fun part
Proof of concept
Virtual machine
Fast look
Results
Actual results
Outro

Taught by

Ekoparty Security Conference

Related Courses

Computer Security
Stanford University via Coursera
Cryptography II
Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera
Building an Information Risk Management Toolkit
University of Washington via Coursera
Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network