3. Detecting API Hooks
After injecting the malicious code into the target process, malware can hook API calls made by the target process to control its execution path and reroute it to the malicious code. The details of hooking techniques were covered in Chapter 8, Code Injection and Hooking (in the Hooking Techniques section). In this section, we will mainly focus on detecting such hooking techniques using memory forensics. To identify API hooks in both process and kernel memory, you can use the apihooks
Volatility plugin. In the following example of Zeus bot, an executable is injected into the explorer.exe
process's memory at address 0x2c70000
, as detected by the malfind
plugin:
$ python vol.py -f zeus.vmem --profile=Win7SP1x86 malfind Process: explorer.exe Pid: 1608 Address: 0x2c70000 Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE Flags: Protection: 6 0x02c70000 4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ.............. 0x02c70010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00...