You're Off the Hook: Blinding Security Software

Author(s): Jeff Tang
Category: Vulnerability Development
Duration: 45
Summary: Security companies are increasing their focus on behavior-based detection to convict malicious software, but thanks to Microsoft's Kernel Patch Protection (a.k.a. PatchGuard), vendors must rely on user-mode hooks in order to capture behavior telemetry.

User-mode hooking is dead. At BlackHat US 2016, the "Captain Hook" talk revealed multiple serious security issues in AV hooking; we'll put the final nail in the coffin (and the second eyepatch on Captain Hook) by showing how trivial it is to bypass user-mode hooks.

In this presentation, we will demonstrate and release a universal user-mode unhooking tool that can be included in any binary to blind security software from monitoring API calls and performing heuristic behavior analysis.

Likes: 0



I assume that last sentence implies: ***preventing*** security software from performing behavior analysis.


I assume the talk will demo a few security software products, showing pre/post results with the universal unhooking tool?


Does CrowdStrike / FireEye use user-land hooks?