{
	"id": "a1509494-f777-4be6-959b-1a319ae66f6e",
	"created_at": "2026-04-06T00:10:17.294547Z",
	"updated_at": "2026-04-10T03:21:58.688946Z",
	"deleted_at": null,
	"sha1_hash": "ab1a7f241f702115275be71c4ebe91ddecef2145",
	"title": "Examining Smokeloader’s Anti Hooking technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 327420,
	"plain_text": "Examining Smokeloader’s Anti Hooking technique\r\nPublished: 2020-05-24 · Archived: 2026-04-05 22:04:57 UTC\r\nHooking is a technique to intercept function calls, messages or events passed between software components, or in this case malware. The technique can be used for malicious as well as defensive purposes.\r\nRootkits, for example, can hook API calls to make themselves invisible to analysis tools, while we as defenders can use hooking to gain more knowledge of malware or to build detection mechanisms that protect customers.\r\nCybersecurity continues to be a game of cat and mouse, and while we try to build protections, blackhats will always try to bypass these protection mechanisms. Today I want to show you how SmokeLoader bypasses hooks on ntdll.dll and how Frida can be used to hook library functions.\r\nThe bypass was also already explained in a blog article from Checkpoint[1] written by Israel Gubi. It also covers a lot more than I do regarding Smokeloader, so it is definitely worth reading too.\r\nHooking with Frida\r\nIf you’ve read my previous blog articles about QBot, you are familiar with its process iteration and AV detection[3]. It iterates over processes and compares each process name with entries in a blacklist containing process names of common AV products. If a process name matches an entry, QBot quits its execution.\r\nFrida is a dynamic instrumentation toolkit which can be used to write dynamic analysis scripts in high-level languages, in this case JavaScript. If you want to know more about this technology, I advise you to visit this website[4] and read its documentation.\r\nWe can write a small Frida script to hook the lstrcmpiA function in order to investigate which process names are in the blacklist.\r\nimport sys\r\nimport frida\r\n\r\ndef main():\r\n    pid = frida.spawn(sys.argv[1])\r\n    sess = frida.attach(pid)\r\n    script = sess.create_script(\r\n    )\r\n    script.load()\r\n    frida.resume(pid)\r\n    sys.stdin.read()\r\n    sess.detach()\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\nhttps://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/\r\nPage 1 of 5\r\nWe attach to the malicious process and hook the lstrcmpiA function at a static address. When analysing malware, we have (most of the time) the privilege to control and adjust our environment as much as we want. If you turn off ASLR and use snapshots, using Frida with static pointers is pretty convenient, because most functions will always have the same address. However, it’s also possible to calculate the addresses dynamically. lstrcmpiA has 2 arguments, which are both pointers of type LPSTR. So we just resolve the pointers, read 0x30 bytes starting at each pointer address into a ByteArray and print it.\r\nResult of Frida Script\r\nSmokeloader’s Anti Hooking technique\r\nSo how does Smokeloader bypass hooks? Well, it can do so at least for the ntdll.dll library. During execution Smokeloader retrieves the Temp folder path and generates a random name. If a file with the generated name already exists in the temp folder, it is deleted with DeleteFileW.\r\ndrltrace output: DeleteFileW call, deleting 9A26.tmp in Temp Folder\r\nNext the original ntdll.dll file is copied from system32 to the temp folder with the exact name it just generated. This leads to a copy of this library being placed in the temp directory.\r\nMeta data of disguised ntdll.dll\r\nExport functions of the disguised ntdll file\r\nInstead of loading the real ntdll.dll file, the copy is loaded into memory by calling LdrLoadDll.\r\n9A26.tmp as ntdll.dll\r\nMost AV vendors, as well as analysts, probably implemented their hooks on the original ntdll.dll, so calls into the copied ntdll.dll file will be missed.\r\nSmokeloader continues to call functions from this copied DLL, using for example functions like NtQueryInformationProcess to detect whether a debugger is attached to it.\r\nFinal Words\r\nWhile analysing SmokeLoader at work, I stumbled across this AntiHook mechanism, which I haven’t seen before, so I wanted to share it here :-).\r\nI’ve also only scratched the surface of what Frida is capable of. I might work on something more complex next time.\r\nSource: https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/"
	],
	"report_names": [
		"examining-smokeloaders-anti-hooking-technique"
	],
	"threat_actors": [],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab1a7f241f702115275be71c4ebe91ddecef2145.pdf",
		"text": "https://archive.orkl.eu/ab1a7f241f702115275be71c4ebe91ddecef2145.txt",
		"img": "https://archive.orkl.eu/ab1a7f241f702115275be71c4ebe91ddecef2145.jpg"
	}
}