inlinehooks plugin & change to avpatch

[SolitudePy]

Hello, not sure if thats good enough as a standalone plugin, but I tried to re-implement apihooks. however, since there a lot of "hooks" in legitimate dlls I couldn't get it to output less false positives, ofc I am open to ideas.
also, some hooks are not relevant anymore e.g KiFastSystemCall.
even the current implementation of check_inline_hooks throw false positives, anyways that was a fun experience :D
I have left some of the pseudo-code commented for now, if you think it can be improved or removed totally.

Also I have 2 questions:
I have read a paper of @atcuno about hooktracer but couldn't find code online.
second question is something I also tried asking on your slack, maybe I misunderstand something but worth a try:
From my understanding, unhooked_system_calls plugin will enumerate all of the processes to find differences, if every process is hooked it will not be flagged as malware. a follow-up to this, a DLL is loaded to a shared memory and if it's patched the OS creates a private copy for the process, so cant we compare the hooks against the known shared read-only memory for the DLL? if not why?

Anyways, about the plugin:

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/etw_patch_dump.raw windows.inlinehooks --pid 2108
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     Process Hook Type       Module  Hook Address    Function        Hook Info       Hook Hexdump    Disasm

2108    patch-etw-x64.  Inline Hook     ntdll.dll       0x7ff8013bf1f0  EtwEventWrite   Early RET
c3 8b dc 48 83 ec 58 4d 89 4b e8 33 c0 45 89 43 ...H..XM.K.3.E.C
e0 45 33 c9 49 89 43 d8                         .E3.I.C.        
0x7ff8013bf1f0: ret
0x7ff8013bf1f1: mov     ebx, esp
0x7ff8013bf1f3: sub     rsp, 0x58
0x7ff8013bf1f7: mov     qword ptr [r11 - 0x18], r9
0x7ff8013bf1fb: xor     eax, eax
0x7ff8013bf1fd: mov     dword ptr [r11 - 0x20], r8d
0x7ff8013bf201: xor     r9d, r9d
0x7ff8013bf204: mov     qword ptr [r11 - 0x28], rax

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/hook_patch_dump.raw windows.inlinehooks --pid 8004
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     Process Hook Type       Module  Hook Address    Function        Hook Info       Hook Hexdump    Disasm

8004    hooking_32.exe  Inline Hook     USER32.dll      0x770e1110      MessageBoxA     JMP relative
e9 17 04 51 89 83 3d 94 5c 10 77 00 74 22 64 a1 ...Q..=.\.w.t"d.
18 00 00 00 ba a4 61 10                         ......a.        
0x770e1110:     jmp     0x5f152c
0x770e1115:     cmp     dword ptr [rip + 0x77105c94], 0
0x770e111c:     je      0x770e1140
0x770e111e:     movabs  eax, dword ptr fs:[0x1061a4ba00000018]

[SolitudePy]

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/amsi-patch.raw windows.avpatch
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     Process DLL     Function        Hook Address    Hook Info       Hook Hexdump    Disasm

6740    powershell_ise  amsi.dll        AmsiScanBuffer  0x7ffd77873860  Early RET
31 c0 c3 49 89 5b 08 49 89 6b 10 49 89 73 18 57 1..I.[.I.k.I.s.W
41 56 41 57 48 83 ec 70                         AVAWH..p        
0x7ffd77873860: xor     eax, eax
0x7ffd77873862: ret
0x7ffd77873863: mov     qword ptr [r11 + 8], rbx
0x7ffd77873867: mov     qword ptr [r11 + 0x10], rbp
0x7ffd7787386b: mov     qword ptr [r11 + 0x18], rsi
0x7ffd7787386f: push    rdi
0x7ffd77873870: push    r14
0x7ffd77873872: push    r15
0x7ffd77873874: sub     rsp, 0x70

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/etw_patch_dump.raw windows.avpatch
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     Process DLL     Function        Hook Address    Hook Info       Hook Hexdump    Disasm

2108    patch-etw-x64.  ntdll.dll       EtwEventWrite   0x7ff8013bf1f0  Early RET
c3 8b dc 48 83 ec 58 4d 89 4b e8 33 c0 45 89 43 ...H..XM.K.3.E.C
e0 45 33 c9 49 89 43 d8                         .E3.I.C.        
0x7ff8013bf1f0: ret
0x7ff8013bf1f1: mov     ebx, esp
0x7ff8013bf1f3: sub     rsp, 0x58
0x7ff8013bf1f7: mov     qword ptr [r11 - 0x18], r9
0x7ff8013bf1fb: xor     eax, eax
0x7ff8013bf1fd: mov     dword ptr [r11 - 0x20], r8d
0x7ff8013bf201: xor     r9d, r9d
0x7ff8013bf204: mov     qword ptr [r11 - 0x28], rax

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/stealthy_etw_patch_dump.raw windows.avpatch
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
PID     Process DLL     Function        Hook Address    Hook Info       Hook Hexdump    Disasm

180     stealthy_etw_p  ntdll.dll       EtwpEventWriteFull      0x7ffe3025f278  Early RET
c3 55 53 56 57 41 54 41 55 41 56 41 57 48 8d ac .USVWATAUAVAWH..
24 78 ff ff ff 48 81 ec                         $x...H..        
0x7ffe3025f278: ret
0x7ffe3025f279: push    rbp
0x7ffe3025f27a: push    rbx
0x7ffe3025f27b: push    rsi
0x7ffe3025f27c: push    rdi
0x7ffe3025f27d: push    r12
0x7ffe3025f27f: push    r13
0x7ffe3025f281: push    r14
0x7ffe3025f283: push    r15
0x7ffe3025f285: lea     rbp, [rsp - 0x88]

[SolitudePy]

I tried running it on fresh windows 10 machine now and the false positives is very high, however they can quickly be examined and succumb to less with few statistics with something like splunk/custom python.
e.g in this file:
inlinehooks.json
it can be seen about 95% of the hooks come from 2 module related to crypto. in other high priority functions such ntdll.dll!LdrLoadDll the Disasm field is the same between all hooks, which can also indicate something that is non-malicious. but yeah thats far from being fullproof, although the code can be reused in other plugins (e.g avpatch). also - the json dataset can be used to compare the hooks to another trusted memory image of the same machine golden image.

[SolitudePy]

any update on this? I would like to keep working on that if it's relevant, I would like help regarding my questions:x

[ikelos]

@atcuno @iMHLv2, any views on this?

[ikelos]

@Abyss-W4tcher could you cast an eye over this and give me your linux views on it please?

[SolitudePy]

@ikelos hey, this is a windows plugin. also as I said in my first message by itself its not really complete due to high volume of false positives (still can be used as a helper though).

[ikelos]

Oh, sorry I saw it was waiting on @atcuno and figured it must be a linux program. Sorry, trying to clear down outstanding issues as quickly as I can. If this isn't ready for prime-time we can mark it as a draft? That way it'll be visible here, for people to try out, and if there's more work that can reduce the false positive rate, it can get turned back into a full PR... 5:)