HookChain: A new perspective for Bypassing EDR Solutions

Presented at DEF CON 32 (2024), Aug. 10, 2024, 3:30 p.m. (45 minutes).

In the current digital security ecosystem, where threats evolve rapidly and with complexity, companies developing Endpoint Detection and Response (EDR) solutions are in constant search for innovations that not only keep up but also anticipate emerging attack vectors. In this context, this article introduces the HookChain, a look from another perspective at widely known techniques, which when combined, provide an additional layer of sophisticated evasion against traditional EDR systems. Through a precise combination of IAT Hooking techniques, dynamic SSN resolution, and indirect system calls, HookChain redirects the execution flow of Windows subsystems in a way that remains invisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without requiring changes to the source code of the applications and malwares involved. This work not only challenges current conventions in cybersecurity but also sheds light on a promising path for future protection strategies, leveraging the understanding that continuous evolution is key to the effectiveness of digital security. By developing and exploring the HookChain technique, this study significantly contributes to the body of knowledge in endpoint security, stimulating the development of more robust and adaptive solutions that can effectively address the ever-changing dynamics of digital threats. This work aspires to inspire deep reflection and advancement in the research and development of security technologies that are always several steps ahead of adversaries.

Presenters:

• Helvio Carvalho Junior - CEO at Sec4US
  Helvio is the CEO of Sec4US, a leading company in Cyber Security, and stands out as a renowned researcher in the field. He made history by being the first in Latin America to achieve the prestigious OSCE3 certification, a milestone that reflects his deep knowledge and technical skill. With over 23 years of experience across various segments of Information Technology, Helvio currently focuses on research in bypass techniques for Endpoint Detection and Antivirus solutions, as well as specializing in offensive information security (RedTeam). His passion for creating exploits and malware is well-known and significantly contributes to the advancement of cybersecurity.

Similar Presentations:

• THOTCON 0xA (2019) / Zombie Ant Farm: Manipulation of Whitelisted Executables in Linux for EDR Evasion
• DeepSec 2020 „The Masquerade“ / EPP/EDR - Unhooking Their Protections
• DEF CON 32 (2024) / Dodging the EDR Bullet: A Workshop on Malware Stealth Tactics Workshop