You're Off the Hook: Blinding Security Software
Category: Vulnerability Development
Summary: Security companies are increasingly focusing on behavior-based detection to convict malicious software, but thanks to Microsoft's Kernel Patch Protection (a.k.a. PatchGuard), vendors must rely on user-mode hooks to capture behavior telemetry.
User-mode hooking is dead. At BlackHat US 2016, the “Captain Hook” talk revealed there were multiple serious security issues in AV hooking -- we'll put the final nail in the coffin (and the second eyepatch on Captain Hook) by showing how trivial it is to bypass user-mode hooks.
In this presentation, we will demonstrate and release a universal user-mode unhooking tool that can be included in any binary to blind security software from monitoring API calls and performing heuristic behavior analysis.