In: Computer Science
Discuss how malware can maintain persistence. What does malware use the SetWindowsHookEx function for?
How malware maintains persistence:
Persistence mechanisms are the techniques malware uses to stay on a system and resume running after its process is killed or the machine is restarted. Below are some of the most common persistence mechanisms used by Windows malware.
Bootkits: a bootkit is boot-stage malware that achieves persistence by inserting itself into the Windows startup sequence. It typically overwrites or patches the Master Boot Record, the Volume Boot Record or the boot loader, so its code runs before the operating system (and any security software) has loaded.
Modifying registry keys: modifying registry keys is one of the most common ways malware achieves persistence. The registry locations most frequently abused are the "autostart" values that Windows executes at boot or logon, for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\CurrentControlSet\Services (service entries, which run at boot without a logon)
Most persistence techniques on the Microsoft Windows platform involve the registry in some form. Notable exceptions include dropping a file or shortcut into the Startup folder and trojanizing system binaries, where an executable that Windows already runs is replaced or patched so that it carries the malicious code.
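The registry and Startup-folder locations described above can be audited quickly from the machine itself. The following PowerShell script is an added example (not part of the original answer): it walks the Run/RunOnce keys for the machine and the current user plus both Startup folders, resolves each entry to the executable it launches, and reports the file's Authenticode status so that unsigned or missing binaries surface first. It assumes an elevated PowerShell 5.1 or later session on the host being triaged; the key list and output layout are illustrative choices, not a complete inventory of every autostart location.

```powershell
# Added example: audit the common Run/RunOnce keys and Startup folders.
# Assumption: run elevated on the host under investigation (PowerShell 5.1+).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandPath {
    # Turn a Run value such as  "C:\Some Dir\app.exe" /silent  into C:\Some Dir\app.exe
    param([string]$Command)
    $Command = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Command.StartsWith('"')) {
        $exe = $Command.Split('"')[1]          # quoted path: take the text between the quotes
    } else {
        $exe = $Command.Split(' ')[0]          # unquoted: everything up to the first space
    }
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue   # bare name: resolve via PATH
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

function Get-SignatureStatus {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'EMPTY' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }   # value points at a deleted file
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {     # .NET accessor avoids the PS* noise properties
        $cmd = [string]$item.GetValue($name)
        $exe = Resolve-CommandPath $cmd
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $name
            Command    = $cmd
            Executable = $exe
            Signature  = Get-SignatureStatus $exe
        }
    }
}

# Startup folders: per-user and all-users. Shortcuts are followed to their target.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $findings += [pscustomobject]@{
            Location   = $folder
            Name       = $_.Name
            Command    = $_.FullName
            Executable = $target
            Signature  = Get-SignatureStatus $target
        }
    }
}

# Unsigned, invalid or missing executables are the entries to examine first.
$findings | Sort-Object Signature | Format-Table -AutoSize
```

A "Valid" signature is not proof of innocence (signed-but-abused binaries and living-off-the-land commands such as rundll32 or powershell with a long argument string are common), so read the Command column as well as the Signature column, and compare the output against a known-good baseline of the same build where one exists.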
What malware uses the SetWindowsHookEx function for:
This function installs a hook procedure that Windows calls whenever a particular kind of event occurs, such as a keystroke, a mouse event or a window message being delivered. It is commonly used by keyloggers and spyware, because a keyboard hook sees every keystroke before the target application does. It also provides an easy way to load a DLL into every GUI process on the system: when the hook is installed as a global hook, the DLL that contains the hook procedure is mapped into each process that receives the hooked events, which gives the malware code execution inside all of them without any separate injection routine. Note that some legitimate programs and frameworks call it as well, so the presence of SetWindowsHookEx in an import table is a lead to follow up, not a verdict on its own. Let's take a look at the function syntax:
HHOOK WINAPI SetWindowsHookEx(
    _In_ int       idHook,      // hook type, e.g. WH_KEYBOARD, WH_KEYBOARD_LL, WH_GETMESSAGE, WH_CBT
    _In_ HOOKPROC  lpfn,        // the hook procedure to call for each event
    _In_ HINSTANCE hMod,        // module that contains lpfn; for a global hook this is the DLL that gets loaded into other processes
    _In_ DWORD     dwThreadId   // thread to hook; 0 means every thread on the desktop, i.e. a global hook
);
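Because a global hook forces its DLL into every GUI process, one observable side effect on a live system is a DLL that appears in many unrelated processes but lives outside the Windows and Program Files directories. The following PowerShell script is an added example (not part of the original answer): it enumerates loaded modules across all processes and flags that pattern. It assumes an elevated session, since module lists of other users' processes are otherwise inaccessible; the process-count threshold of 3 and the trusted-directory list are illustrative choices.

```powershell
# Added example: hunt for DLLs that have been loaded into many processes from
# outside the OS and Program Files trees, which is what a global
# SetWindowsHookEx hook DLL looks like from the defender's side.
# Assumptions: elevated PowerShell session; threshold and trusted roots are illustrative.

$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$moduleHits = @{}   # module path -> list of "process:pid" strings that have it loaded

foreach ($proc in Get-Process) {
    # Protected processes and 32/64-bit mismatches throw on .Modules; skip them.
    try { $modules = $proc.Modules } catch { continue }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        if (-not $moduleHits.ContainsKey($path)) {
            $moduleHits[$path] = New-Object System.Collections.Generic.List[string]
        }
        $moduleHits[$path].Add("$($proc.ProcessName):$($proc.Id)")
    }
}

$minProcesses = 3   # illustrative: a hook DLL typically shows up in far more than this

$suspects = foreach ($path in $moduleHits.Keys) {
    $procs = $moduleHits[$path]
    if ($procs.Count -ge $minProcesses -and -not (Test-TrustedPath $path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Module    = $path
            Processes = $procs.Count
            Signature = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            Examples  = ($procs | Select-Object -First 3) -join ', '
        }
    }
}

$suspects | Sort-Object Processes -Descending | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: input method editors, accessibility tools and some security products legitimately install global hooks, and they are usually installed under Program Files, which is why those roots are filtered out. A DLL under a user profile, a temp directory or ProgramData that is present in dozens of processes, especially an unsigned one, is the case that deserves a closer look, starting with who loaded it first and which registry or Startup-folder entry (see the persistence section above) brought the loader back after reboot.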