Posts

Showing posts with the label injection

Function Hooking

Function hooking is a technique attackers use to modify, block or monitor original function calls and their intended purpose. There are a few ways to perform such an attack: Virtual Method Table hooking, event hooks (e.g. keyboard hooks, implemented by Windows), interception (overwriting the first bytes of the function with a jump) and Import Address Table (IAT) hooking (which can be global or internal). This list is not comprehensive, but these methods are the most popular. Let's start with the relatively easy method: interception. To make it visual and simple to follow, let's apply this method to a small program which sums two numbers together and multiplies the result by 2: Once we have compiled the program, we want to find the magicSum function in the debugger: Here we can see that, after the original setup, the mathematical calculation is performed and then we return to where this function was called from. In order to intercept this function we will allocate a memory block in the prog...

DLL injection - detection and prevention

Dynamically Loaded Libraries (DLLs) are used in almost any project because of their unique properties: modularity, ease of support and updatability. Unfortunately, this can be easily exploited, and all it takes is for the attacker to simply replace the original DLL file with a malicious one (especially if the project is no longer maintained and does not verify a hash to confirm that the valid DLL is being loaded). Moreover, an attacker can load their DLL into a remote process (usually done to stay hidden, since after the DLL is injected malicious code runs "from within" the target process). To make it easier to visualize, here is a small diagram: For example, we have a program that displays the number of seconds passed since it started (not to over-complicate things): An attacker can create a malicious DLL that logs pressed keys, but in this case it simply displays a message box: The attacker also has an injector that will load their DLL into the target process: The way an...