HookChain: A new perspective for Bypassing EDR Solutions

Helvio Carvalho Junior
Journal: arXiv - CS - Operating Systems
DOI: arxiv-2404.16856 (https://doi.org/arxiv-2404.16856)
Publication date: 2024-04-04
Publication type: Journal Article
Citations: 0

Abstract

In the current digital security ecosystem, where threats evolve rapidly and with complexity, companies developing Endpoint Detection and Response (EDR) solutions are in constant search for innovations that not only keep up but also anticipate emerging attack vectors. In this context, this article introduces the HookChain, a look from another perspective at widely known techniques, which, when combined, provide an additional layer of sophisticated evasion against traditional EDR systems. Through a precise combination of IAT Hooking techniques, dynamic SSN resolution, and indirect system calls, HookChain redirects the execution flow of Windows subsystems in a way that remains invisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without requiring changes to the source code of the applications and malware involved. This work not only challenges current conventions in cybersecurity but also sheds light on a promising path for future protection strategies, leveraging the understanding that continuous evolution is key to the effectiveness of digital security. By developing and exploring the HookChain technique, this study significantly contributes to the body of knowledge in endpoint security, stimulating the development of more robust and adaptive solutions that can effectively address the ever-changing dynamics of digital threats. This work aspires to inspire deep reflection and advancement in the research and development of security technologies that are always several steps ahead of adversaries.