What is User mode API-Hooking in EDR?

Imagine you’ve just picked up some great deals at a newly opened supermarket and are heading home with your transparent shopping bag. As you stroll past the neighborhood grocer, he peeks into your bag to see what you’ve bought. If he spots something he already stocks (something sus), he stops you and won’t let you pass. The grocer is the EDR’s hook, and your bag is the argument list of the API call it inspects on the way through.

User-mode API hooking lets an EDR inspect calls to Windows APIs and Native APIs (the Nt*/Zw* functions exported by ntdll.dll) at run time, before the call crosses into the kernel, so it can examine the caller and the arguments for potentially malicious behavior. There are several hooking techniques; most vendors use inline hooking. On x64, each Native API function is a short syscall stub: `mov r10, rcx`, then `mov eax, <SSN>`, which loads the system service number (SSN, also called the syscall number) into eax, followed by the `syscall` instruction. The EDR overwrites the first five bytes of that stub, that is, the `mov r10, rcx` and the start of `mov eax, SSN`, with a 5-byte unconditional `jmp` (opcode E9 followed by a 32-bit relative offset). The jump redirects execution into the EDR’s hooking DLL, which was loaded into the process earlier; there the EDR examines the call in the context of the Native API, and if it allows the call, it executes the overwritten instructions from a saved copy (a trampoline) and returns to the remainder of the stub so the syscall proceeds.