User mode programs rely on syscalls to query certain data about the system, as all the data structures are stored in kernel mode. For example, if you view a directory's contents, what happens in the background is that a syscall is made to enumerate directory contents. If you hook that function, you can filter the response any way you like.
For example, you can hide files by hooking the relevant APIs, you can hide registry keys, you can hide programs, you can hide network connections, as all these actions rely on querying the kernel for that information.
So if the forensics tool on a live system is relying on user mode APIs to get a process list for example, you will only see what the syscall hook will allow you to see.
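A defender's counter to the process-list case above is cross-view comparison: take the same user-mode enumeration a forensics tool would use (listing `/proc`) and compare it against a second view the kernel answers per PID (`kill(pid, 0)`); a PID the probe confirms but the listing omits is a candidate hidden process. This is an added illustration in Python for Linux, not code from the original post; the function names and the constructed PID sets in the test are assumptions.

```python
"""Cross-view detection of hidden processes on Linux (added example).

View 1: readdir() on /proc, the path a user-mode tool takes and the one a hooked
directory-enumeration syscall can filter.
View 2: kill(pid, 0) per PID, which the kernel answers from its own task table.
"""
import os


def visible_task_ids(proc_root="/proc"):
    """View 1: every PID and thread ID reachable by enumerating /proc.
    Thread IDs are included because kill() also succeeds on a TID, and an
    unlisted thread would otherwise look like a hidden process."""
    ids = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc_root}/{name}/task"))
        except OSError:
            pass  # the process exited between the two reads
    return ids


def pid_exists(pid):
    """View 2: null-signal probe. ESRCH (ProcessLookupError) means no such
    task; EPERM (PermissionError) means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def find_hidden_pids(list_visible, probe, max_pid):
    """Return PIDs the probe confirms but the listing never showed.
    list_visible and probe are injected so the logic is testable offline."""
    visible = list_visible()
    candidates = [p for p in range(1, max_pid + 1)
                  if p not in visible and probe(p)]
    # A process created after the first listing would look hidden; re-list
    # and re-probe once so short-lived races do not become false positives.
    visible = list_visible()
    return [p for p in candidates if p not in visible and probe(p)]


def read_max_pid(path="/proc/sys/kernel/pid_max"):
    with open(path) as fh:
        return int(fh.read().strip())


if __name__ == "__main__":
    # Live run: any PID printed here deserves a closer look (or an offline image).
    print(find_hidden_pids(visible_task_ids, pid_exists, read_max_pid()))
```

Run it as root for a complete probe; an empty list only means the two views agree, not that the host is clean, since a hook covering both paths would defeat this check.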