Now On Stage! Deep Hooks: Monitoring Native Execution In WOW64 Applications

A few months back, we published a 3-part series of blog posts, presenting a research carried out by two of our researchers: Yarden Shafir and Assaf Carlsbad. Find the full research here:
Part 1: http://bit.ly/DeepHooks1
Part 2: http://bit.ly/DeepHooks2
Part 3: http://bit.ly/DeepHooks3
The research introduced a new way of monitoring parts of WoW64 processes that are usually ignored by security products. This blind spot often leads to exploitation by sophisticated pieces of malware. The technique presented in the research can be used to better monitor WoW64 processes, making detection harder to bypass. The research is the basis for some new SentinelOne detection capabilities, for example, detecting the notorious “Heaven’s Gate” bypass technique.

Following its publication, the research drew a lot of interest from the community. The researchers were invited to various cybersecurity conferences to share their insights.

For those of you who are intrigued by WOW64 applications and how to protect them, here is their talk from BSidesTLV. You can also meet them on August 30, at the HITB GSEC 2018 Conference.

-~-