(YARA) YARA_Hook_Injection
rule HookInjection {
condition:
(
// SetWindowsHookEx is often used to install hooks
(uint32(0) == 0x00EC8B55 and (pe.exports("SetWindowsHookExA") or pe.exports("SetWindowsHookExW")))
// UnhookWindowsHookEx is often used to remove hooks
or (uint32(0) == 0x00EC8B55 and (pe.exports("UnhookWindowsHookEx")))
// A hook function often calls CallNextHookEx
or (uint32(0) == 0x00EC8B55 and (pe.exports("CallNextHookEx")))
)
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Hook Injection | U1227 E1055.m01 |
Created
December 6, 2022
Last Revised
December 6, 2022