Hooked process

Article detailing user-mode and kernel-mode hooking techniques.
Process hooking

Malware must run!

All malware must be loaded into memory to function, either as a process in its own right or as part of another process, using a technique known as hooking.

A process running in its own right should be easy to find, right? Well, the answer is yes and no. A standalone suspect process should be easier to find for an experienced malware investigator, but this is not necessarily the case for the layperson: any suspect process may well seem legitimate without further investigation.

A hooked process (a process using another process to function) requires specialist knowledge of Windows memory structures, or of the inner workings of the Windows operating system, to identify. Complex malware will always hide within other processes to avoid detection.

Top Tip: Most malware will initially run from a user account area. Any process executing from a user area should be deemed suspect unless it can be verified as a legitimate process.
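As an added illustration of the tip above (example code written for this page, not part of the course material), the following Python triage pass flags processes whose image path sits under a user profile directory and, going one step beyond the tip, also flags processes that borrow the name of a core Windows binary while running outside the Windows directory. The process listing, the directory roots and the set of pre-verified paths are all constructed for the example; in practice the "verified" set would be populated by signature and hash checks done outside this script.

```python
"""Triage a process listing for images executing from user areas (added example)."""
import ntpath

# Constructed listing standing in for the output of a process-enumeration tool.
SAMPLE_PROCESSES = [
    {"pid": 4,    "name": "System",      "path": ""},
    {"pid": 812,  "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1500, "name": "Teams.exe",   "path": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"pid": 2044, "name": "svchost.exe", "path": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"pid": 3120, "name": "update.exe",  "path": r"c:/users/bob/downloads/update.exe"},
]

# Assumption: a default Windows layout. Extend with any site-specific user or temp roots.
USER_AREA_ROOTS = (r"C:\Users",)
SYSTEM_ROOT = r"C:\Windows"

# Core Windows binaries that have no business running outside the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}


def normalize(path: str) -> str:
    """Canonical, case-insensitive form so that 'c:/users/..' and 'C:\\Users\\..' compare equal."""
    return ntpath.normpath(path).lower()


def is_under(path: str, root: str) -> bool:
    """True when path lies strictly below root (so C:\\UsersData does not match C:\\Users)."""
    root_n = normalize(root).rstrip("\\") + "\\"
    return normalize(path).startswith(root_n)


def triage(processes, verified_paths=frozenset()):
    """Return (pid, reason) pairs for processes that warrant a closer look.

    verified_paths: normalized image paths already confirmed legitimate out of band
    (for example by Authenticode signature and hash checks); constructed here.
    """
    findings = []
    for proc in processes:
        raw = proc["path"]
        if not raw:
            continue  # System/Idle pseudo-processes expose no image path
        path = normalize(raw)
        if path in verified_paths:
            continue
        if any(is_under(path, root) for root in USER_AREA_ROOTS):
            findings.append((proc["pid"], f"{proc['name']} executes from a user area: {raw}"))
        if proc["name"].lower() in SYSTEM_BINARY_NAMES and not is_under(path, SYSTEM_ROOT):
            findings.append((proc["pid"], f"{proc['name']} carries a system binary name but runs outside {SYSTEM_ROOT}"))
    return findings


# Constructed allowlist: the per-user Teams install has been verified out of band.
VERIFIED_PATHS = frozenset({normalize(r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe")})

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PROCESSES, VERIFIED_PATHS):
        print(f"PID {pid}: {reason}")
```

Run against the constructed listing, the pass is silent on the verified Teams binary, raises two findings for PID 2044 (user area plus a masqueraded system name) and one for the downloaded update.exe. The allowlist is keyed on the full normalized path rather than the file name precisely because a name alone proves nothing, as the article points out.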

Additional information…

There are three user-mode and five kernel-mode hooking techniques. These are:

[Graphic: names of the user-mode and kernel-mode hooking techniques]

User mode: DLL, IAT and Inline hooking

Kernel mode: SSDT, IRP, IDT, GDT and Sysenter hooking
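To show what identifying two of the user-mode techniques listed above (IAT hooking and inline hooking) looks like from the investigator's side, here is an added Python example; it is not part of the course material. It runs two heuristics over constructed data: an IAT slot should point into the DLL the import was declared against, and the first bytes of a function in memory should match the on-disk image rather than begin with an unconditional jump. The module addresses, IAT entries, prologue bytes and the export-forwarding table are all constructed for the example (the forwarder entry reflects the kernel32-to-ntdll forwarding seen on typical Windows builds, but must be maintained per OS version in real use).

```python
"""Detection heuristics for user-mode IAT and inline hooks over constructed data (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    """A loaded module's mapped image range (constructed values, not real addresses)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    """One slot in an importing module's Import Address Table."""
    importer: str   # module whose IAT holds the slot
    dll: str        # DLL the import is declared against
    func: str       # imported function name
    resolved: int   # pointer currently stored in the slot


# Constructed module list: two system DLLs plus an injected DLL that should not be there.
SAMPLE_MODULES = [
    ModuleRange("kernel32.dll", 0x7FFE_1000_0000, 0xB0000),
    ModuleRange("ntdll.dll",    0x7FFE_2000_0000, 0x1F0000),
    ModuleRange("hook.dll",     0x1000_0000,      0x20000),
]

# Imports that legitimately resolve into a different DLL because the export is forwarded.
# Assumption drawn from typical Windows builds; keep this table per OS version in practice.
FORWARDED_EXPORTS = {("kernel32.dll", "HeapAlloc"): "ntdll.dll"}

# Constructed IAT of a hypothetical app.exe; WriteFile has been redirected into hook.dll.
SAMPLE_IAT = [
    IatEntry("app.exe", "kernel32.dll", "CreateFileW", 0x7FFE_1001_2340),
    IatEntry("app.exe", "kernel32.dll", "WriteFile",   0x1000_1000),
    IatEntry("app.exe", "kernel32.dll", "HeapAlloc",   0x7FFE_2001_0000),
    IatEntry("app.exe", "ntdll.dll",    "NtQuerySystemInformation", 0x7FFE_2004_5000),
]


def owner_of(addr: int, modules):
    """Name of the module whose image contains addr, or None for private/unmapped memory."""
    return next((m.name for m in modules if m.contains(addr)), None)


def find_iat_hooks(entries, modules, forwarded=FORWARDED_EXPORTS):
    """Flag IAT slots that point outside the module they are supposed to resolve into."""
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for e in entries:
        expected = forwarded.get((e.dll.lower(), e.func), e.dll).lower()
        target = by_name.get(expected)
        if target is None:
            findings.append((e.importer, e.func, f"{expected} is not in the loaded-module list"))
            continue
        if not target.contains(e.resolved):
            where = owner_of(e.resolved, modules) or "private/unmapped memory"
            findings.append((e.importer, e.func, f"slot points into {where} instead of {expected}"))
    return findings


JMP_REL32 = 0xE9            # E9 <rel32>: the classic 5-byte trampoline
JMP_INDIRECT = b"\xff\x25"  # FF 25 <disp32>: jmp [rip+disp32]


def find_inline_hooks(live_prologues, disk_prologues):
    """Compare each function's first bytes in memory against the on-disk image."""
    findings = []
    for key, live in live_prologues.items():
        ref = disk_prologues.get(key)
        if ref is None:
            continue  # no reference copy available; cannot judge this function
        if live[0] == JMP_REL32 or live.startswith(JMP_INDIRECT):
            findings.append((key, "prologue starts with an unconditional jump (trampoline)"))
        elif live != ref:
            findings.append((key, "prologue bytes differ from the on-disk image"))
    return findings


# Constructed prologues: in memory, NtQuerySystemInformation now begins with a 5-byte JMP.
DISK_PROLOGUES = {
    ("ntdll.dll", "NtQuerySystemInformation"): bytes.fromhex("4c8bd1b836000000"),
    ("kernel32.dll", "CreateFileW"):           bytes.fromhex("4883ec58488b05a1"),
}
LIVE_PROLOGUES = {
    ("ntdll.dll", "NtQuerySystemInformation"): bytes.fromhex("e9ab120000000000"),
    ("kernel32.dll", "CreateFileW"):           bytes.fromhex("4883ec58488b05a1"),
}

if __name__ == "__main__":
    for importer, func, why in find_iat_hooks(SAMPLE_IAT, SAMPLE_MODULES):
        print(f"IAT  {importer}!{func}: {why}")
    for (dll, func), why in find_inline_hooks(LIVE_PROLOGUES, DISK_PROLOGUES):
        print(f"INLN {dll}!{func}: {why}")
```

Two points a practitioner should keep in mind when reading the output. First, the forwarding table is what stops the HeapAlloc slot from being reported even though it resolves into ntdll rather than kernel32; without it the IAT check produces false positives on every forwarded export. Second, a jump at the start of a function is evidence of patching, not proof of malice: security products and Microsoft's own hot-patching mechanisms install trampolines too, so each finding should be followed by working out which module owns the jump target before drawing a conclusion.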

© PA Knowledge Ltd | 7Safe Training
This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations
