Now On Stage! Deep Hooks: Monitoring Native Execution In WOW64 Applications

Four months ago we published a 3-part series of blog posts, presenting research carried out by two of our researchers: Yarden Shafir and Assaf Carlsbad. The research introduced a new way of monitoring parts of WoW64 processes that are usually ignored by security products. This blindspot often leads to exploitation by sophisticated pieces of malware. The technique presented in the research can be used to better monitor WoW64 processes, making detection harder to bypass. The research is the basis for some new SentinelOne detection capabilities, for example detecting the notorious “Heaven‘s Gate” bypass technique.

As a reminder, here are the links to this series of blog posts:

Following its publication, the research drew a lot of interest from the community. The researchers were invited to various cyber security conferences to share their insights.

For those of you who are intrigued by WOW64 applications and how to protect them, here is their talk from BSidesTLV. You can also meet them on August 30, at the HITB GSEC 2018 Conference.


Like this article? Follow us on LinkedInTwitterYouTube or Facebook to see the content we post.
Want to see how SentinelOne can help improve your security? Get a Demo Now