{"id":7105,"date":"2020-04-09T23:38:10","date_gmt":"2020-04-09T23:38:10","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=7105"},"modified":"2020-04-10T00:11:47","modified_gmt":"2020-04-10T00:11:47","slug":"code-injection-everyone-forgets-about","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/04\/09\/code-injection-everyone-forgets-about\/","title":{"rendered":"Code Injection everyone forgets about"},"content":{"rendered":"\n<p>In 2013 <a href=\"https:\/\/www.codeproject.com\/Articles\/543542\/Windows-x64-system-service-hooks-and-advanced-debu\">Nick<\/a> posted an article about Windows x64 system service hooks and advanced debugging. 2 years later Alex Ionescu published his classic <a href=\"https:\/\/github.com\/ionescu007\/HookingNirvana\/blob\/master\/Esoteric%20Hooks.pdf\">Esoteric Hooks<\/a> (PDF), and eventually Lasha Khasaia (<a href=\"https:\/\/twitter.com\/_qaz_qaz\">@_qaz_qaz<\/a>) published a <a href=\"https:\/\/secrary.com\/Random\/InstrumentationCallback\/\">POC<\/a> that seemed to work as well.<\/p>\n\n\n\n<p>All these references are pretty rare, and I must admit, I have not tested the code available, but it would be a waste if this trick was not covered one way or another, as both EDR and sandboxes could be potentially fooled by it&#8230;<\/p>\n\n\n\n<p>How does it work?<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">NtSetInformationProcess(NtCurrentProcess(),\nProcessInstrumentationCallback,\n&amp;callback,\nsizeof(callback));<\/pre>\n\n\n\n<p>So&#8230; if you are one of the vendors that operate in this space I hope you cover this particular call, at least.<\/p>\n\n\n\n<p>My contribution to the topic: 0. But&#8230; Better safe than sorry.<\/p>\n\n\n\n<p>For a comprehensive list of code injection techniques, check this <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/05\/26\/plata-o-plomo-code-injections-execution-tricks\/\">post<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2013 Nick posted an article about Windows x64 system service hooks and advanced debugging. 2 years later Alex Ionescu published his classic Esoteric Hooks (PDF), and eventually Lasha Khasaia (@_qaz_qaz) published a POC that seemed to work as well. &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/04\/09\/code-injection-everyone-forgets-about\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[57],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7105"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7105"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7105\/revisions"}],"predecessor-version":[{"id":7114,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7105\/revisions\/7114"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}