"The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions. The stored credentials let users seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.

LSASS can store credentials in multiple forms, including:

• Reversibly encrypted plaintext
• Kerberos tickets (ticket-granting tickets (TGTs), service tickets)
• NT hash
• LAN Manager (LM) hash"

  from https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_LSA

"The stored credentials are directly associated with the Local Security Authority Subsystem Service (LSASS) logon sessions that have been started after the last restart and have not been closed. For example, LSA sessions with stored LSA credentials are created when a user does any of the following:

• Logs on to a local session or Remote Desktop Protocol (RDP) session on the computer
• Runs a task by using the RunAs option
• Runs an active Windows service on the computer
• Runs a scheduled task or batch job
• Runs a task on the local computer by using a remote administration tool"

from https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_LSA

Overwrite the hook

overwrite the modified bytes in NtReadVirtualMemory with the correct ones

Pros

• relatively simple
• ensures that all functions that call NtReadVirtualMemory will benefit

Cons

• needs to be OS version specific
• security products can detect integrity violations

Examples

• https://github.com/outflanknl/Dumpert
• https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

Overwrite entire module

instead of just overwriting certain bytes, just overwrite the entire module!

Pros

• more simple than before
• ensures that all functions that call NtReadVirtualMemory will benefit
• No possibility of forgetting to unhook some things

Cons

• security products can detect integrity violations
• more noisy than previous method

Example

• https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++

Go around the hook

Try to detect hooks at runtime, and jump to the real function instead of following hook e.g. the FireWalker technique

Pros

• will work on most/all OS versions
• original hooks are left in place

Cons

• Significant performance slowdown
• Significantly complex to implement

Example

• https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking/

Bring your own

Don't call NtReadVirtualMemory, call your own function that does the same!

Pros

• Ensures that the hooks are left in place - no tampering with the hooks

Cons

• OS version specific
• Only my own code wil benefit - other libs will still call the real, hooked function

Example

• https://github.com/magnusstubman/MagnusKatz/blob/main/ConsoleApplication3/ConsoleApplication3/ConsoleApplication3.cpp#L188-L230

Conclusion

• Security products should not rely on user-mode API hooks as a security mechanism
• security mechanisms should be implemented in a privileged context, e.g. kernel mode
  • kernel mode also has it problems: malicious drivers https://github.com/br-sn/CheekyBlinder