Code Injection everyone forgets about

April 9, 2020 in Code Injection

In 2013 Nick posted an article about Windows x64 system service hooks and advanced debugging. Two years later Alex Ionescu published his classic Esoteric Hooks (PDF), and eventually Lasha Khasaia (@_qaz_qaz) published a POC that seemed to work as well.

All these references are pretty rare, and I must admit I have not tested the code available, but it would be a waste if this trick was not covered one way or another, as both EDR and sandboxes could potentially be fooled by it…

How does it work?

// Registers a user-mode instrumentation callback for the current process.
// ProcessInformationClass is ProcessInstrumentationCallback (value 40 / 0x28);
// `callback` is a PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION { ULONG Version; ULONG Reserved; PVOID Callback; }
// whose Callback member is the routine the kernel invokes on kernel-to-user transitions.
NtSetInformationProcess(NtCurrentProcess(),
                        ProcessInstrumentationCallback,
                        &callback,
                        sizeof(callback));

So… if you are one of the vendors that operate in this space I hope you cover this particular call, at least.
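As an added example (not part of the original post, and not code from any of the referenced authors), here is the kind of check a monitoring product would want for this call: a small scanner that walks constructed syscall-trace lines, picks out NtSetInformationProcess with the ProcessInstrumentationCallback class (given either by name or as the numeric value 40 / 0x28), and distinguishes the self-registration shown above from the cross-process variant, where the handle is not the NtCurrentProcess() pseudo-handle. The log format, field names (pid, image, call, class, handle, callback) and all sample values are assumptions made up for this example.

```python
import re
from dataclasses import dataclass

# ProcessInstrumentationCallback is PROCESS_INFORMATION_CLASS value 40 (0x28).
PROCESS_INSTRUMENTATION_CALLBACK = 40

# NtCurrentProcess() is the pseudo-handle -1; traces may print it decimal or as all-ones hex.
SELF_HANDLES = {"-1", "0xffffffff", "0xffffffffffffffff"}

# Assumed trace format: whitespace-separated key=value pairs, one event per line.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    pid: int
    image: str
    remote: bool       # True when the target handle is not the calling process itself
    callback: str      # callback address as logged by the (hypothetical) hook, if any


def parse_event(line: str) -> dict:
    """Turn one key=value trace line into a dict; unparseable lines yield {}."""
    return dict(FIELD_RE.findall(line))


def is_instrumentation_callback_set(event: dict) -> bool:
    """True if the event is NtSetInformationProcess with class ProcessInstrumentationCallback."""
    if event.get("call") != "NtSetInformationProcess":
        return False
    cls = event.get("class", "")
    if cls == "ProcessInstrumentationCallback":
        return True
    try:
        return int(cls, 0) == PROCESS_INSTRUMENTATION_CALLBACK   # accepts 40 or 0x28
    except ValueError:
        return False


def scan(lines) -> list:
    """Return a Finding for every instrumentation-callback registration in the trace."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if not is_instrumentation_callback_set(event):
            continue
        handle = event.get("handle", "").lower()
        findings.append(Finding(
            pid=int(event.get("pid", -1)),
            image=event.get("image", "?"),
            remote=handle not in SELF_HANDLES,
            callback=event.get("callback", ""),
        ))
    return findings


# Constructed sample trace: two benign events, one malformed line, one self-registration
# (as in the snippet above) and one registration into another process via a real handle.
SAMPLE_TRACE = [
    "pid=1000 image=notepad.exe call=NtQueryInformationProcess class=0 handle=-1",
    "pid=4242 image=loader.exe call=NtSetInformationProcess class=ProcessInstrumentationCallback handle=-1 callback=0x7ff6a0001000",
    "this line is not a trace event",
    "pid=1000 image=notepad.exe call=NtSetInformationProcess class=9 handle=-1",
    "pid=5150 image=injector.exe call=NtSetInformationProcess class=0x28 handle=0x2bc callback=0x1f00000",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRACE):
        kind = "cross-process" if f.remote else "self"
        print(f"pid={f.pid} {f.image}: instrumentation callback set ({kind}) -> {f.callback}")
```

The scanner deliberately matches on the information class rather than on a callback address, since the address is attacker-controlled; the remote/self split matters because a process that registers a callback on itself is a hooking or anti-analysis signal, while doing so through a handle to another process is the injection case the post's title refers to.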

My contribution to the topic: 0. But… better safe than sorry.

For a comprehensive list of code injection techniques, check this post.
