├── README.md
├── Palo_Cortex_EPP_EDR
├── CrowdStrike_EPP_EDR
├── SentinelOne_EPP_EDR
└── TrendMicro_EPP_EDR

/README.md:
--------------------------------------------------------------------------------
# AV/EPP/EDR Windows API hook list

Depending on the product you are dealing with from a red team perspective, the EPP/EDR will use usermode hooks to monitor red team activity.
Most often they set their usermode hooks in ntdll.dll, but depending on the EPP/EDR they also place hooks in many other DLLs.
To learn more about this, take a look at the following nice blog post by **ZeroPeril**: https://zeroperil.co.uk/blog/hookdump/

To check which APIs are hooked, I used the repo from ZeroPeril: https://github.com/zeroperil/HookDump
The approach of this tool is, in my opinion, more reliable than others, because it does not only do simple checks for Nt or Zw inline API hooks.
--------------------------------------------------------------------------------

/Palo_Cortex_EPP_EDR:
--------------------------------------------------------------------------------
Usermode Hooks which redirect to cyvrtrap.dll or cyinjct.dll

Usermode Hooks in ntdll.dll >> inline hooking (jmp) >> cyvrtrap.dll
[-] NtSetInformationProcess
[-] NtFreeVirtualMemory
[-] NtCreateThreadEx

Usermode Hooks in ntdll.dll >> based on PUSH; RET Hooks >> cyinjct.dll
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection

Usermode Hooks in kernel32.dll >> inline hooking (jmp) >> cyvrtrap.dll
[-] CreateRemoteThread
[-] VirtualAlloc
[-] VirtualAllocEx

Usermode Hooks in kernelbase.dll >> inline hooking (jmp) >> cyvrtrap.dll
[-] CreateRemoteThreadEx
[-] CreateFileA
[-] VirtualAlloc
[-] VirtualAllocEx

Total: 12 hooks
--------------------------------------------------------------------------------

/CrowdStrike_EPP_EDR:
--------------------------------------------------------------------------------
Usermode Hooks which redirect to umppc*****.dll

Usermode Hooks in ntdll.dll >> inline hooking (jmp)
[-] NtDeviceIoControlFile
[-] NtSetInformationThread
[-] NtAllocateVirtualMemory
[-] NtSetInformationProcess
[-] NtQueryInformationThread
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection
[-] NtWriteVirtualMemory
[-] NtReadVirtualMemory
[-] NtQueueApcThread
[-] NtProtectVirtualMemory
[-] NtResumeThread
[-] NtAllocateVirtualMemoryEx
[-] NtCreateMutant
[-] NtGetContextThread
[-] NtMapViewOfSectionEx
[-] NtQueueApcThreadEx
[-] NtSetContextThread
[-] NtSuspendThread
[-] NtUnmapViewOfSectionEx

Usermode Hooks in win32u.dll >> inline hooking (jmp)
[-] NtUserSetProp
[-] NtUserSetWindowLong
[-] NtUserSetWindowsHookEx
[-] NtUserSetWindowsHookAW
[-] NtGdiAddFontMemResourceEx
[-] NtGdiAddFontResourceW
[-] NtGdiAddRemoteFontToDC
[-] NtUserSetWindowLongPtr

Total: 28 hooks
--------------------------------------------------------------------------------

/SentinelOne_EPP_EDR:
--------------------------------------------------------------------------------
Usermode Hooks which redirect to inprocessclient64.dll

Usermode Hooks in ntdll.dll >> inline hooking (jmp)
[-] LdrLoadDll
[-] RtlAddVectoredExceptionHandler
[-] NtSetInformationThread
[-] NtSetInformationProcess
[-] NtFreeVirtualMemory
[-] NtOpenProcess
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection
[-] NtTerminateProcess
[-] NtQuerySystemInformation
[-] NtWriteVirtualMemory
[-] NtReadVirtualMemory
[-] NtQueueApcThread
[-] NtResumeThread
[-] NtCreateThreadEx
[-] NtCreateUserProcess
[-] NtLoadDriver
[-] NtMapUserPhysicalPages
[-] NtQuerySystemInformationEx
[-] NtQueueApcThreadEx
[-] NtSetContextThread
[-] KiUserApcDispatcher

Usermode Hooks in kernelbase.dll >> inline hooking (jmp)
[-] CreateProcessInternalW
[-] CopyFileExW
[-] LoadLibraryA
[-] UnhandledExceptionFilter

Usermode Hooks in combase.dll >> inline hooking (jmp)
[-] CoGetInstanceFromIStorage

Usermode Hooks in crypt32.dll >> inline hooking (jmp)
[-] CryptUnprotectData

Usermode Hooks in ole32.dll >> inline hooking (jmp)
[-] CoGetObject

Usermode Hooks in samcli.dll >> inline hooking (jmp)
[-] NetUserAdd

Usermode Hooks in shell32.dll >> inline hooking (jmp)
[-] Shell_NotifyIconW

Usermode Hooks in sspicli.dll >> inline hooking (jmp)
[-] InitializeSecurityContextW
[-] LsaCallAuthenticationPackage

Usermode Hooks in user32.dll >> inline hooking (jmp)
[-] CreateWindowExA
[-] CreateWindowExW
[-] PeekMessageA
[-] PeekMessageW
[-] SetWindowLongPtrW
[-] SetWindowLongW
[-] GetKeyState
[-] GetMessageW
[-] SystemParametersInfoW
[-] GetAsyncKeyState
[-] GetMessageA
[-] SystemParametersInfoA
[-] SetWindowsHookExW
[-] ExitWindowsEx
[-] SetWindowLongA
[-] SetWindowLongPtrA
[-] SetWindowsHookExA

Usermode Hooks in win32u.dll >> inline hooking (jmp)
[-] NtUserSetProp
[-] NtUserShowWindow
[-] NtUserGetKeyboardState
[-] NtUserAttachThreadInput
[-] NtUserRegisterRawInputDevices

Total: 55 hooks
--------------------------------------------------------------------------------

/TrendMicro_EPP_EDR:
--------------------------------------------------------------------------------
Usermode Hooks which redirect to tmmon64.dll

Usermode Hooks in ntdll.dll >> inline hooking (jmp)
[-] LdrUnloadDll
[-] LdrLoadDll
[-] NtDeviceIoControlFile
[-] NtSetInformationThread
[-] NtQueryInformationThread
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection
[-] NtTerminateProcess
[-] NtWriteVirtualMemory
[-] NtReadVirtualMemory
[-] NtQueueApcThread
[-] NtCreateThread
[-] NtProtectVirtualMemory
[-] NtCreateMutant
[-] NtCreateThreadEx
[-] NtGetContextThread
[-] NtLoadDriver
[-] NtSetContextThread
[-] NtUnmapViewOfSectionEx

Usermode Hooks in kernel32.dll >> inline hooking (jmp)
[-] CreateMailslotA
[-] CreateMailslotW
[-] MoveFileW
[-] CreateRemoteThread
[-] CreateNamedPipeA
[-] CopyFileA
[-] CopyFileExA
[-] MoveFileA
[-] MoveFileWithProgressA

Usermode Hooks in kernelbase.dll >> inline hooking (jmp)
[-] CreateProcessInternalA
[-] CreateProcessInternalW
[-] CreateRemoteThreadEx
[-] DeleteFileA
[-] DeleteFileW
[-] FindFirstFileW
[-] FindFirstFileExW
[-] CreateFileA
[-] CreateFileW
[-] MoveFileWithProgressW
[-] CopyFileW
[-] CopyFileExW
[-] VirtualAlloc
[-] ImpersonateLoggedOnUser
[-] WriteProcessMemory
[-] FindFirstFileA
[-] VirtualAllocEx
[-] CreateNamedPipeW
[-] FindFirstFileExA

Usermode Hooks in advapi32.dll >> inline hooking (jmp)
[-] OpenEventLogW
[-] CloseEventLog
[-] EncryptFileW
[-] CreateServiceA
[-] CreateServiceW
[-] ClearEventLogA
[-] ClearEventLogW
[-] OpenEventLogA

Usermode Hooks in samcli.dll >> inline hooking (jmp)
[-] NetUserGetLocalGroups
[-] NetUserGetInfo
[-] NetUserEnum
[-] NetUserAdd
[-] NetUserChangePassword
[-] NetUserDel
[-] NetUserGetGroups
[-] NetUserSetGroups
[-] NetUserSetInfo

Usermode Hooks in sechost.dll >> inline hooking (jmp)
[-] !StartServiceW
[-] !OpenServiceW
[-] !OpenServiceA
[-] !StartServiceA

Usermode Hooks in user32.dll >> inline hooking (jmp)
[-] SetWindowsHookExW
[-] SetWindowsHookA
[-] SetWindowsHookExA
[-] SetWindowsHookW
[-] MessageBoxA
[-] MessageBoxExA
[-] MessageBoxExW
[-] MessageBoxW

Usermode Hooks in wevtapi.dll >> inline hooking (jmp)
[-] EvtOpenSession
[-] EvtClose
[-] EvtClearLog

Usermode Hooks in win32u.dll >> inline hooking (jmp)
[-] NtUserShowWindow

Usermode Hooks in wininet.dll >> inline hooking (jmp)
[-] InternetCreateUrlW
[-] InternetConnectW
[-] InternetConnectA
[-] InternetCreateUrlA
[-] InternetOpenUrlA
[-] InternetOpenUrlW

Total: 86 hooks
--------------------------------------------------------------------------------
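The four product files above share one layout: a `Usermode Hooks in <module> >> <technique>[ >> <redirect dll>]` header, `[-] <api>` entries, and a `Total: N hooks` line. As an added example that is not part of this repository, the Python below parses that layout, groups hooks by module and by redirect DLL, and checks that a file's declared total matches what it lists; the sample input is the Palo Alto Cortex list from this page (its preamble line omitted), and the regexes and function names are this example's own.

```python
import re
from collections import Counter, defaultdict
# Sample input: the Palo Alto Cortex list from this page (preamble omitted).
PALO_CORTEX = """Usermode Hooks in ntdll.dll >> inline hooking (jmp) >> cyvrtrap.dll
[-] NtSetInformationProcess
[-] NtFreeVirtualMemory
[-] NtCreateThreadEx

Usermode Hooks in ntdll.dll >> based on PUSH; RET Hooks >> cyinjct.dll
[-] NtMapViewOfSection
[-] NtUnmapViewOfSection

Usermode Hooks in kernel32.dll >> inline hooking (jmp) >> cyvrtrap.dll
[-] CreateRemoteThread
[-] VirtualAlloc
[-] VirtualAllocEx

Usermode Hooks in kernelbase.dll >> inline hooking (jmp) >> cyvrtrap.dll
[-] CreateRemoteThreadEx
[-] CreateFileA
[-] VirtualAlloc
[-] VirtualAllocEx

Total: 12 hooks
"""
# Section header: "Usermode Hooks in <module> >> <technique>[ >> <redirect dll>]"
SECTION_RE = re.compile(r"^Usermode Hooks in (\S+) >> (.+?)(?: >> (\S+))?$")
HOOK_RE = re.compile(r"^\[-\] (\S+)$")
TOTAL_RE = re.compile(r"^Total: (\d+) hooks$")

def parse_hook_list(text):
    """module -> [(api, technique, redirect_dll)] plus the declared Total; redirect_dll is None if no target is named."""
    hooks, declared, module, technique, target = defaultdict(list), None, None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION_RE.match(line):
            module, technique, target = m.groups()
        elif m := HOOK_RE.match(line):
            hooks[module].append((m.group(1), technique, target))
        elif m := TOTAL_RE.match(line):
            declared = int(m.group(1))
    return dict(hooks), declared

def summarize(text):
    """Per-module and per-redirect-DLL hook counts; checks that the Total line adds up."""
    hooks, declared = parse_hook_list(text)
    per_module = {mod: len(e) for mod, e in hooks.items()}
    per_target = Counter(t for e in hooks.values() for _, _, t in e if t)
    counted = sum(per_module.values())
    return {"per_module": per_module, "per_target": dict(per_target), "counted": counted,
            "declared": declared, "total_matches": counted == declared}
```

Lists whose headers name no redirect DLL (the CrowdStrike file) parse the same way, with `per_target` left empty.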