(YARA) YARA_Hook_Injection
Created the . Updated 1 year, 4 months ago.
rule HookInjection {
condition:
(
// SetWindowsHookEx is often used to install hooks
(uint32(0) == 0x00EC8B55 and (pe.exports("SetWindowsHookExA") or pe.exports("SetWindowsHookExW")))
// UnhookWindowsHookEx is often used to remove hooks
or (uint32(0) == 0x00EC8B55 and (pe.exports("UnhookWindowsHookEx")))
// A hook function often calls CallNextHookEx
or (uint32(0) == 0x00EC8B55 and (pe.exports("CallNextHookEx")))
)
}
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| Hook Injection | U1227 E1055.m01 |