AV/EPP/EDR Windows API hook list

admin, 2023-04-17 09:30:35


CrowdStrike_EPP_EDR

Hooks redirect to the EDR hooking DLL umppc*****.dll (the numeric suffix varies per build; for example umppc16606.dll).
>>Hooks in ntdll.dll<<
[-] NtDeviceIoControlFile
[-] NtSetInformationThread
[-] NtAllocateVirtualMemory
[-] NtSetInformationProcess
[-] NtQueryInformationThread
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection
[-] NtWriteVirtualMemory
[-] NtReadVirtualMemory
[-] NtQueueApcThread
[-] NtProtectVirtualMemory
[-] NtResumeThread
[-] NtAllocateVirtualMemoryEx
[-] NtCreateMutant
[-] NtGetContextThread
[-] NtMapViewOfSectionEx
[-] NtQueueApcThreadEx
[-] NtSetContextThread
[-] NtSuspendThread
[-] NtUnmapViewOfSectionEx

>>Hooks in win32u.dll<<
[-] NtUserSetProp
[-] NtUserSetWindowLong
[-] NtUserSetWindowsHookEx
[-] NtUserSetWindowsHookAW
[-] NtGdiAddFontMemResourceEx
[-] NtGdiAddFontResourceW
[-] NtGdiAddRemoteFontToDC
[-] NtUserSetWindowLongPtr

Total: 28 hooks


SentinelOne_EPP_EDR

Hooks redirect to the EDR hooking DLL inprocessclient64.dll.
>>Hooks in ntdll.dll<<
[-] LdrLoadDll
[-] RtlAddVectoredExceptionHandler
[-] NtSetInformationThread
[-] NtSetInformationProcess
[-] NtFreeVirtualMemory
[-] NtOpenProcess
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection
[-] NtTerminateProcess
[-] NtQuerySystemInformation
[-] NtWriteVirtualMemory
[-] NtReadVirtualMemory
[-] NtQueueApcThread
[-] NtResumeThread
[-] NtCreateThreadEx
[-] NtCreateUserProcess
[-] NtLoadDriver
[-] NtMapUserPhysicalPages
[-] NtQuerySystemInformationEx
[-] NtQueueApcThreadEx
[-] NtSetContextThread
[-] KiUserApcDispatcher

>>Hooks in KernelBase.dll<<
[-] CreateProcessInternalW
[-] CopyFileExW
[-] LoadLibraryA
[-] UnhandledExceptionFilter

>>Hooks in combase.dll<<
[-] CoGetInstanceFromIStorage

>>Hooks in crypt32.dll<<
[-] CryptUnprotectData

>>Hooks in ole32.dll<<
[-] CoGetObject

>>Hooks in samcli.dll<<
[-] NetUserAdd

>>Hooks in shell32.dll<<
[-] Shell_NotifyIconW

>>Hooks in sspicli.dll<<
[-] InitializeSecurityContextW
[-] LsaCallAuthenticationPackage

>>Hooks in user32.dll<<
[-] CreateWindowExA
[-] CreateWindowExW
[-] PeekMessageA
[-] PeekMessageW
[-] SetWindowLongPtrW
[-] SetWindowLongW
[-] GetKeyState
[-] GetMessageW
[-] SystemParametersInfoW
[-] GetAsyncKeyState
[-] GetMessageA
[-] SystemParametersInfoA
[-] SetWindowsHookExW
[-] ExitWindowsEx
[-] SetWindowLongA
[-] SetWindowLongPtrA
[-] SetWindowsHookExA

>>Hooks in win32u.dll<<
[-] NtUserSetProp
[-] NtUserShowWindow
[-] NtUserGetKeyboardState
[-] NtUserAttachThreadInput
[-] NtUserRegisterRawInputDevices

Total: 55 hooks


TrendMicro_EPP_EDR

Hooks redirect to the EDR hooking DLL tmmon64.dll.
>>Hooks in ntdll.dll<<
[-] LdrUnloadDll
[-] LdrLoadDll
[-] NtDeviceIoControlFile
[-] NtSetInformationThread
[-] NtQueryInformationThread
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection
[-] NtTerminateProcess
[-] NtWriteVirtualMemory
[-] NtReadVirtualMemory
[-] NtQueueApcThread
[-] NtCreateThread
[-] NtProtectVirtualMemory
[-] NtCreateMutant
[-] NtCreateThreadEx
[-] NtGetContextThread
[-] NtLoadDriver
[-] NtSetContextThread
[-] NtUnmapViewOfSectionEx

>>Hooks in kernel32.dll<<
[-] CreateMailslotA
[-] CreateMailslotW
[-] MoveFileW
[-] CreateRemoteThread
[-] CreateNamedPipeA
[-] CopyFileA
[-] CopyFileExA
[-] MoveFileA
[-] MoveFileWithProgressA

>>Hooks in KernelBase.dll<<
[-] CreateProcessInternalA
[-] CreateProcessInternalW
[-] CreateRemoteThreadEx
[-] DeleteFileA
[-] DeleteFileW
[-] FindFirstFileW
[-] FindFirstFileExW
[-] CreateFileA
[-] CreateFileW
[-] MoveFileWithProgressW
[-] CopyFileW
[-] CopyFileExW
[-] VirtualAlloc
[-] ImpersonateLoggedOnUser
[-] WriteProcessMemory
[-] FindFirstFileA
[-] VirtualAllocEx
[-] CreateNamedPipeW
[-] FindFirstFileExA

>>Hooks in advapi32.dll<<
[-] OpenEventLogW
[-] CloseEventLog
[-] EncryptFileW
[-] CreateServiceA
[-] CreateServiceW
[-] ClearEventLogA
[-] ClearEventLogW
[-] OpenEventLogA

>>Hooks in samcli.dll<<
[-] NetUserGetLocalGroups
[-] NetUserGetInfo
[-] NetUserEnum
[-] NetUserAdd
[-] NetUserChangePassword
[-] NetUserDel
[-] NetUserGetGroups
[-] NetUserSetGroups
[-] NetUserSetInfo

>>Hooks in sechost.dll<<
[-] !StartServiceW
[-] !OpenServiceW
[-] !OpenServiceA
[-] !StartServiceA

>>Hooks in user32.dll<<
[-] SetWindowsHookExW
[-] SetWindowsHookA
[-] SetWindowsHookExA
[-] SetWindowsHookW
[-] MessageBoxA
[-] MessageBoxExA
[-] MessageBoxExW
[-] MessageBoxW

>>Hooks in wevtapi.dll<<
[-] EvtOpenSession
[-] EvtClose
[-] EvtClearLog

>>Hooks in win32u.dll<<
[-] NtUserShowWindow

>>Hooks in wininet.dll<<
[-] InternetCreateUrlW
[-] InternetConnectW
[-] InternetConnectA
[-] InternetCreateUrlA
[-] InternetOpenUrlA
[-] InternetOpenUrlW

Total: 86 hooks


Originally published on the WeChat public account Khan安全攻防实验室: AV/EPP/EDR Windows API hook list

Source: http://cn-sec.com/archives/1673550.html (CN-SEC中文网)