{"title":"HookChain:绕过 EDR 解决方案的新视角","authors":"Helvio Carvalho Junior","doi":"arxiv-2404.16856","DOIUrl":null,"url":null,"abstract":"In the current digital security ecosystem, where threats evolve rapidly and\nwith complexity, companies developing Endpoint Detection and Response (EDR)\nsolutions are in constant search for innovations that not only keep up but also\nanticipate emerging attack vectors. In this context, this article introduces\nthe HookChain, a look from another perspective at widely known techniques,\nwhich when combined, provide an additional layer of sophisticated evasion\nagainst traditional EDR systems. Through a precise combination of IAT Hooking\ntechniques, dynamic SSN resolution, and indirect system calls, HookChain\nredirects the execution flow of Windows subsystems in a way that remains\ninvisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without\nrequiring changes to the source code of the applications and malwares involved.\nThis work not only challenges current conventions in cybersecurity but also\nsheds light on a promising path for future protection strategies, leveraging\nthe understanding that continuous evolution is key to the effectiveness of\ndigital security. By developing and exploring the HookChain technique, this\nstudy significantly contributes to the body of knowledge in endpoint security,\nstimulating the development of more robust and adaptive solutions that can\neffectively address the ever-changing dynamics of digital threats. This work\naspires to inspire deep reflection and advancement in the research and\ndevelopment of security technologies that are always several steps ahead of\nadversaries.","PeriodicalId":501333,"journal":{"name":"arXiv - CS - Operating Systems","volume":"32 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-04-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"HookChain: A new perspective for Bypassing EDR Solutions\",\"authors\":\"Helvio Carvalho Junior\",\"doi\":\"arxiv-2404.16856\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In the current digital security ecosystem, where threats evolve rapidly and\\nwith complexity, companies developing Endpoint Detection and Response (EDR)\\nsolutions are in constant search for innovations that not only keep up but also\\nanticipate emerging attack vectors. In this context, this article introduces\\nthe HookChain, a look from another perspective at widely known techniques,\\nwhich when combined, provide an additional layer of sophisticated evasion\\nagainst traditional EDR systems. Through a precise combination of IAT Hooking\\ntechniques, dynamic SSN resolution, and indirect system calls, HookChain\\nredirects the execution flow of Windows subsystems in a way that remains\\ninvisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without\\nrequiring changes to the source code of the applications and malwares involved.\\nThis work not only challenges current conventions in cybersecurity but also\\nsheds light on a promising path for future protection strategies, leveraging\\nthe understanding that continuous evolution is key to the effectiveness of\\ndigital security. By developing and exploring the HookChain technique, this\\nstudy significantly contributes to the body of knowledge in endpoint security,\\nstimulating the development of more robust and adaptive solutions that can\\neffectively address the ever-changing dynamics of digital threats. This work\\naspires to inspire deep reflection and advancement in the research and\\ndevelopment of security technologies that are always several steps ahead of\\nadversaries.\",\"PeriodicalId\":501333,\"journal\":{\"name\":\"arXiv - CS - Operating Systems\",\"volume\":\"32 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-04-04\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Operating Systems\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2404.16856\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Operating Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2404.16856","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
HookChain: A new perspective for Bypassing EDR Solutions
In the current digital security ecosystem, where threats evolve rapidly and
with complexity, companies developing Endpoint Detection and Response (EDR)
solutions are in constant search for innovations that not only keep up but also
anticipate emerging attack vectors. In this context, this article introduces
the HookChain, a look from another perspective at widely known techniques,
which when combined, provide an additional layer of sophisticated evasion
against traditional EDR systems. Through a precise combination of IAT Hooking
techniques, dynamic SSN resolution, and indirect system calls, HookChain
redirects the execution flow of Windows subsystems in a way that remains
invisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without
requiring changes to the source code of the applications and malwares involved.
This work not only challenges current conventions in cybersecurity but also
sheds light on a promising path for future protection strategies, leveraging
the understanding that continuous evolution is key to the effectiveness of
digital security. By developing and exploring the HookChain technique, this
study significantly contributes to the body of knowledge in endpoint security,
stimulating the development of more robust and adaptive solutions that can
effectively address the ever-changing dynamics of digital threats. This work
aspires to inspire deep reflection and advancement in the research and
development of security technologies that are always several steps ahead of
adversaries.