Posts for: #Reverse Engineering

Syscalls — EDR evasion p1 (optional)

What is User mode API-Hooking in EDR?

Imagine you’ve just got some great deals at a newly opened supermarket and are heading home with your transparent shopping bag. As you stroll by the neighborhood grocer, he peeks into your bag to see what you’ve bought. If he spots something he already stocks (something sus), he stops you and won’t let you pass.

User-mode API hooking allows an EDR to dynamically inspect code executed within the context of Windows APIs or Native APIs for potentially malicious content or behavior. There are various types of hooking, and most vendors use inline hooking. This method overwrites the first instruction of a Native API stub—the mov that loads the system service number (SSN), i.e. the mov opcode together with its eax operand and SSN immediate—with a 5-byte unconditional jmp. That jmp redirects execution into the EDR’s hooking DLL, which can examine the call’s arguments and context before (optionally) letting the original syscall proceed.


Hunting for Stealers

As a Threat Intelligence Analyst, part of my job involves scrolling through darknet forums and detecting potential attacks, breaches, and leaks (not the other one). One thing that always crosses my mind is how much confidential data is freely posted on these forums. The most interesting of it is, of course, stealer logs.

A stealer is a Trojan that gathers information from a compromised system. The most common form of stealer is one that harvests logon information, such as usernames and passwords, and then exfiltrates it to another system, either via email or over a network connection.
