A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #23068  by abas2run
 Sun Jun 08, 2014 9:33 am
Hi

Can anyone explain syscall proxying as an anti-forensics technique?
I read related content but I can't follow how it works...

thanks
 #23301  by SomeUnusedName
 Mon Jul 07, 2014 9:45 am
User mode programs rely on syscalls to query certain data about the system, as all the data structures are stored in kernel mode. For example, if you view a directory's contents, what happens in the background is that a syscall is made to enumerate directory contents. If you hook that function, you can filter the response any way you like.

For example, you can hide files by hooking the relevant APIs, you can hide registry keys, you can hide programs, you can hide network connections, as all these actions rely on querying the kernel for that information.

So if the forensics tool on a live system is relying on user mode APIs to get a process list for example, you will only see what the syscall hook will allow you to see.
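The defensive counterpart of the point made in this post is cross-view comparison: if a hook filters what a user-mode API returns, the filtered list will disagree with a listing taken from an independent source (a memory image, a kernel driver, a raw disk or registry hive parse). The script below is an added illustration written for this thread, not code from any poster; the two process lists are constructed sample data, with REFERENCE_VIEW standing in for the independent source and API_VIEW for what the hooked enumeration returns.

```python
"""Cross-view detection of entries hidden by a syscall / API hook.

Added example for this thread (not the posters' code). The two process
lists below are constructed sample data: REFERENCE_VIEW stands in for an
independent source such as a memory image or a kernel driver, API_VIEW for
the list a hooked user-mode enumeration API returns.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEntry:
    pid: int
    name: str
    ppid: int  # parent process id


def normalize_name(name: str) -> str:
    """Compare image names case-insensitively and without a directory path."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cross_view_diff(api_view, reference_view):
    """Return (hidden, phantom): entries present only in the reference view,
    and entries present only in the API view. Each is a pid-sorted list of
    (pid, normalized name) tuples."""
    api = {(e.pid, normalize_name(e.name)) for e in api_view}
    ref = {(e.pid, normalize_name(e.name)) for e in reference_view}
    hidden = sorted(ref - api)
    phantom = sorted(api - ref)
    return hidden, phantom


def orphan_parents(view):
    """Single-view heuristic: pids whose parent pid is absent from the same
    listing. A hidden process leaves its children pointing at a parent the
    API never reports. A stale ppid from an exited parent also triggers this
    on Windows, so treat it as a lead to confirm with cross_view_diff."""
    pids = {e.pid for e in view}
    return sorted(e.pid for e in view if e.ppid != 0 and e.ppid not in pids)


# Constructed sample data (pids and names invented for the example).
REFERENCE_VIEW = [
    ProcessEntry(4, "System", 0),
    ProcessEntry(612, "csrss.exe", 4),
    ProcessEntry(1337, r"C:\Temp\hideme.exe", 4),
    ProcessEntry(2048, "child.exe", 1337),
    ProcessEntry(3000, "DumpIt.exe", 612),
]
# The same system as seen through an enumeration that drops one entry.
API_VIEW = [e for e in REFERENCE_VIEW if e.pid != 1337]


def report(api_view, reference_view):
    """Human-readable findings from both checks, one string per finding."""
    hidden, phantom = cross_view_diff(api_view, reference_view)
    lines = [f"hidden from API view: pid {pid} ({name})" for pid, name in hidden]
    lines += [f"reported only by API view: pid {pid} ({name})" for pid, name in phantom]
    lines += [f"parent of pid {pid} not listed" for pid in orphan_parents(api_view)]
    return lines


if __name__ == "__main__":
    for line in report(API_VIEW, REFERENCE_VIEW):
        print(line)
```

The same two functions apply unchanged to file listings or registry keys once the entries are reduced to a comparable key (path and name); the point is that the check only works when the reference view really does bypass the hooked path, which is why live-response tools pair API output with a memory acquisition rather than a second API call.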
 #23348  by rnd.usr
 Sat Jul 12, 2014 12:18 pm
As above. You can hook APIs like NtCreateProcess and look for strings that match and then wipe certain things on the file system (e.g. if DumpIt is shown, force shutdown). I've seen this in action, btw, and it is called DMS (Dead Man's hand).

My example is kinda bad because you just need to rename the process, but of course there's more advanced ways to do it.