Anti-Hooking checks of SmokeLoader 2018

SmokeLoader is a fairly old but still very popular bot, generally used to drop other malware families or to deploy additional modules that implement some nice features.

The other day I was checking a sample from a recent campaign, and as I was stepping through the loader I found some interesting stuff I hadn't seen before. In the latest releases of the 2018 version of SmokeLoader they have implemented some anti-debugging checks, as well as anti-VM, anti-disassembly and anti-analysis checks in general.

CERT Polska did a great job describing most of them. Some are really neat, like the one that calculates the address of the next instruction based on the values of BeingDebugged and NtGlobalFlag.

However, the anti-hooking check is not described in the blog post (maybe it wasn't present yet) and it's actually preventing SmokeLoader from detonating on Cuckoo Sandbox and possibly others.

The assembly snippet of this check is the following:

I've commented the assembly to make it easier to read.

Basically the bot has a list of Windows functions that it checks for userland hooks. To do this, it compares the first bytes of each function with hardcoded byte patterns of the assembly stubs commonly used when hooking functions in userland.

We can see in Cuckoo's monitor source code that the opcodes it uses for hooking are the same ones the bot looks for.

The Windows functions checked at this stage are:


Finally, if three or more of these functions are detected to be hooked, SmokeLoader simply terminates its execution.
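To show the check in working form, here is an added Python model of it (not SmokeLoader's code, and not taken from Cuckoo): it matches constructed prologue bytes against a few well-known userland hook stubs and applies the post's three-function rule, so a sandbox operator can see whether a given hook stub would be flagged. The API names, stub patterns and addresses in it are assumptions, not the loader's actual list.

```python
import struct

# Constructed sample prologues (not bytes captured from any real sample or hook).
# A clean hot-patchable Win32 prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")
FAKE_TARGET = 0x7C801000  # placeholder hook target address (assumption)
JMP_REL32 = b"\xe9" + struct.pack("<i", 0x1234)                   # jmp rel32
JMP_ABS = b"\xff\x25" + struct.pack("<I", FAKE_TARGET)            # jmp dword ptr [addr]
PUSH_RET = b"\x68" + struct.pack("<I", FAKE_TARGET) + b"\xc3"     # push addr / ret
MOV_JMP = b"\xb8" + struct.pack("<I", FAKE_TARGET) + b"\xff\xe0"  # mov eax,addr / jmp eax

# (name, opcode prefix, offset of trailing opcode, trailing opcode). The operand
# (the hook's target address) differs per hook, so only opcode bytes are matched.
HOOK_PATTERNS = [
    ("jmp rel32", b"\xe9", 0, b""),
    ("jmp [abs]", b"\xff\x25", 0, b""),
    ("push/ret", b"\x68", 5, b"\xc3"),
    ("mov eax/jmp eax", b"\xb8", 5, b"\xff\xe0"),
]

def hook_kind(prologue):
    """Name of the matching hook stub, or None if the first bytes look clean.
    A single match is not proof (a legitimate thunk can also start with jmp),
    which is why a threshold over several functions is used rather than one hit."""
    for name, prefix, tail_off, tail in HOOK_PATTERNS:
        if prologue.startswith(prefix) and prologue[tail_off:tail_off + len(tail)] == tail:
            return name
    return None

def hooked_functions(prologues):
    """Map {api_name: first bytes} -> list of (api_name, hook kind) for flagged entries."""
    found = []
    for api, first_bytes in prologues.items():
        kind = hook_kind(first_bytes)
        if kind:
            found.append((api, kind))
    return found

def loader_would_exit(prologues, threshold=3):
    """The post's rule: three or more hooked functions and the loader terminates."""
    return len(hooked_functions(prologues)) >= threshold

# Constructed snapshot of a sandbox's hooked exports (assumed names, not the bot's list).
SAMPLE = {
    "NtOpenFile": CLEAN_PROLOGUE,
    "NtQueryInformationProcess": JMP_REL32,
    "NtCreateThreadEx": JMP_ABS,
    "LdrLoadDll": PUSH_RET,
    "NtWriteVirtualMemory": MOV_JMP,
}
```

Running `hooked_functions(SAMPLE)` flags four of the five entries, so `loader_would_exit(SAMPLE)` is true; only the clean prologue passes.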

This isn't a new technique to detect hooks, but it's always nice to see these checks implemented in real-world malware.

You may find the hashes and samples in the Malware Traffic campaign post, but I've also uploaded the unpacked SmokeLoader sample to VT: 26f02a2ed9a1f1902862101f70e361d7