Userland hooking intercepts calls made by applications to high-level APIs (such as CreateProcess, VirtualAlloc, ReadFile, etc.) in DLLs like kernel32.dll and user32.dll.
Techniques:
Inline Hooking: Overwriting the prologue (first bytes) of a function to redirect execution to a monitoring or malicious function.
Import Address Table (IAT) Hooking: Changing function pointers in a module’s IAT to redirect to a different implementation.
Detour Libraries: Using Microsoft Detours or similar libraries to wrap or replace functions.
Advantages (from AV/EDR perspective):
Simpler to deploy (no kernel driver needed).
Doesn’t require admin privileges.
Fast to update, especially in cloud-connected EDRs.
Limitations:
Easily bypassed with direct syscalls, which never pass through the hooked user-mode API.
Susceptible to unhooking: the patched function bytes can simply be overwritten with a clean copy from the DLL on disk.
Hooks can be missing from child processes that are hollowed or spawned suspended, since the hooking DLL has not yet been loaded into them.
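The integrity check a defender would run against the inline-hooking and unhooking points above, as an added example that is not from the original page: compare a function's in-memory prologue with the clean bytes from the module on disk and classify any redirect it finds. The sample byte arrays are constructed, not taken from a real DLL, and the function names are this example's own; on a live system the clean copy would come from mapping the DLL file and applying relocations before the comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result of inspecting the first bytes of a function in memory. */
typedef enum {
    PROLOGUE_CLEAN = 0,        /* identical to the on-disk copy             */
    PROLOGUE_JMP_REL32,        /* E9 <rel32>                                 */
    PROLOGUE_JMP_INDIRECT,     /* FF 25 <disp32>: jmp [rip+disp32]           */
    PROLOGUE_MOV_RAX_JMP_RAX,  /* 48 B8 <imm64> FF E0: mov rax,imm; jmp rax  */
    PROLOGUE_MODIFIED          /* differs from disk but no known redirect     */
} prologue_state;

/* Compare n bytes of the live prologue (mem) with the clean copy (disk).
 * The disk comparison comes first so that a function which legitimately
 * starts with a jump (and therefore matches its disk image) is not flagged. */
prologue_state classify_prologue(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    if (n >= 1 && memcmp(mem, disk, n) == 0)
        return PROLOGUE_CLEAN;
    if (n >= 5 && mem[0] == 0xE9)
        return PROLOGUE_JMP_REL32;
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25)
        return PROLOGUE_JMP_INDIRECT;
    if (n >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 && mem[10] == 0xFF && mem[11] == 0xE0)
        return PROLOGUE_MOV_RAX_JMP_RAX;
    return PROLOGUE_MODIFIED;
}

/* Resolve where an E9 jump lands: target = address after the 5-byte
 * instruction + signed 32-bit displacement (stored little-endian). */
uint64_t jmp_rel32_target(uint64_t func_addr, const uint8_t *mem)
{
    int32_t rel;
    memcpy(&rel, mem + 1, sizeof rel);
    return func_addr + 5 + (int64_t)rel;
}

/* Constructed sample prologues (hypothetical, not copied from a real binary):
 * a typical x64 frame-setup sequence and the same function after an inline
 * hook replaced its first five bytes with jmp +0x100. */
const uint8_t clean_prologue[12]  = {0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x74,0x24,0x10,0x57,0x48};
const uint8_t hooked_prologue[12] = {0xE9,0x00,0x01,0x00,0x00,0x48,0x89,0x74,0x24,0x10,0x57,0x48};
```

A jump target that falls outside the module's own image range (for example inside a heap or private allocation) is the usual sign of a third-party hook rather than a compiler-generated thunk.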