Few tricks used by malwares H2HC University 2016 By Alexandre Borges 1 Alexandre Borges – It is not allowed to copy neither reproduce this slide.

Upload: ngotruc

Post on 04-Jun-2018


Page 2: Profile and TOC

TOC:

• Introduction
• DKOM
• Process Hollowing
• SSDT
• Code Injection
• Hooking
• Finding Registries

Profile:

• Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board in EC-Council.
• Reviewer member of The Journal of Digital Forensics, Security and Law.
• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the book "Oracle Solaris Advanced Administration".


Page 3: Introduction


Page 4: Introduction

• Tools are important, but they are not everything.
• Keep your tools updated (licensed tools).
• Strong knowledge about the kernel (Windows, Linux and Mac OS X) and programming (by using APIs) is a must.
• Sandboxes such as Cuckoo are useful, but they are not efficient for the most complex malware.
• Classical approach: static vs. dynamic analysis.
• Emulation: an interesting method (IDAEmu and Unicorn).
• Do you use Radare2 and/or Capstone / Keystone (disassembly / assembly engines)?
• Suggested lab: Windows XP SP3 + Windows 7/8 + Linux (Remnux and Kali).


Page 5: Introduction


Page 6: Introduction


Page 7: Introduction


Page 8: Tricks


Page 9: Tricks - DKOM

[Diagram: the KPRCB holds the *CurrentThread, *NextThread and *IdleThread pointers to KTHREAD / ETHREAD objects; the KTHREAD's APC State points to its KPROCESS / EPROCESS, and the process objects are chained through a List Entry { FLINK, BLINK }.]

KPRCB (Kernel Processor Control Region Block): it contains information about the processor and it is no longer at a fixed address (since Windows Vista).


Page 10: Tricks - DKOM

[Diagram: a doubly-linked list of three entries (101, 102, 103), each carrying a flink and a blink pointer, shown twice.]


Page 11: Tricks - DKOM

C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64> windbg.exe -k com:pipe,port=\\.\pipe\com_1

kd> dt _KPRCB
nt!_KPRCB
   +0x000 MxCsr            : Uint4B
   .....
   +0x007 IdleHalt         : UChar
   +0x008 CurrentThread    : Ptr64 _KTHREAD
   +0x010 NextThread       : Ptr64 _KTHREAD
   +0x018 IdleThread       : Ptr64 _KTHREAD
   +0x020 NestingLevel     : UChar
   +0x021 PrcbPad00        : [3] UChar

kd> !prcb
PRCB for Processor 0 at fffff80002bf8e80:
Current IRQL -- 13
Threads--  Current fffff80002c06cc0 Next 0000000000000000 Idle fffff80002c06cc0
Processor Index 0 Number (0, 0) GroupSetMember 1
......


Page 12: Tricks - DKOM

kd> dt nt!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x368 CreateTime       : _LARGE_INTEGER
   +0x370 ExitTime         : _LARGE_INTEGER
   +0x370 KeyedWaitChain   : _LIST_ENTRY
   +0x380 ExitStatus       : Int4B
   ....

kd> dt _KTHREAD
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : Uint8B
   ......
   +0x04c MiscFlags        : Int4B
   +0x050 ApcState         : _KAPC_STATE
   +0x050 ApcStateFill     : [43] UChar
   +0x07b Priority         : Char
   +0x07c NextProcessor    : Uint4B


Page 13: Tricks - DKOM

kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x160 ProcessLock      : _EX_PUSH_LOCK
   +0x168 CreateTime       : _LARGE_INTEGER
   +0x170 ExitTime         : _LARGE_INTEGER
   +0x178 RundownProtect   : _EX_RUNDOWN_REF
   +0x180 UniqueProcessId  : Ptr64 Void
   +0x188 ActiveProcessLinks : _LIST_ENTRY
   +0x198 ProcessQuotaUsage : [2] Uint8B
   +0x1a8 ProcessQuotaPeak : [2] Uint8B
   ...

kd> dt nt!_LIST_ENTRY
   +0x000 Flink            : Ptr64 _LIST_ENTRY
   +0x008 Blink            : Ptr64 _LIST_ENTRY


Page 14: Tricks - DKOM

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 89e43830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00334000  ObjectTable: e1000c98  HandleCount: 253.
    Image: System

PROCESS 89b92340  SessionId: none  Cid: 0178    Peb: 7ffde000  ParentCid: 0004
    DirBase: 10980020  ObjectTable: e15227a8  HandleCount:  19.
    Image: smss.exe

PROCESS 89957020  SessionId: 0  Cid: 025c    Peb: 7ffdf000  ParentCid: 0178
    DirBase: 10980040  ObjectTable: e15f6858  HandleCount: 356.
    Image: csrss.exe

PROCESS 898e0020  SessionId: 0  Cid: 0280    Peb: 7ffd6000  ParentCid: 0178
    DirBase: 10980060  ObjectTable: e143a500  HandleCount: 525.
    Image: winlogon.exe

PROCESS 89ae6020  SessionId: 0  Cid: 02e4    Peb: 7ffdd000  ParentCid: 0280
    DirBase: 10980080  ObjectTable: e197c8e8  HandleCount: 262.
    Image: services.exe
.....


Page 15: Tricks - DKOM

kd> dt nt!_EPROCESS 89ae6020    // (base of this _EPROCESS)
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER 0x01d22032`83696cc6
   +0x078 ExitTime         : _LARGE_INTEGER 0x0
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : 0x000002e4 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x89afee28 - 0x898e00a8 ]
   +0x090 QuotaUsage       : [3] 0x17d0
   +0x09c QuotaPeak        : [3] 0x1c88

kd> x nt!psact*
8055a158 nt!PsActiveProcessHead = <no type information>


Page 16: Tricks - DKOM

kd> dt nt!_LIST_ENTRY 8055a158
 [ 0x89e438b8 - 0x897d7b78 ]
   +0x000 Flink : 0x89e438b8 _LIST_ENTRY [ 0x89b923c8 - 0x8055a158 ]
   +0x004 Blink : 0x897d7b78 _LIST_ENTRY [ 0x8055a158 - 0x899415e0 ]

kd> dt nt!_EPROCESS 0x89e438b8 - 0x088 -l ActiveProcessLinks.Flink -y ImageFileName
ActiveProcessLinks.Flink at 0x89e438b8
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x0 - 0x0 ]
   +0x174 ImageFileName : [16] ""

kd> dt nt!_EPROCESS 0x89e438b8-0x088 -l ActiveProcessLinks.Flink -y ImageFileName
ActiveProcessLinks.Flink at 0x89e43830
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x89b923c8 - 0x8055a158 ]
   +0x174 ImageFileName : [16] "System"
ActiveProcessLinks.Flink at 0x89b92340
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x899570a8 - 0x89e438b8 ]
   +0x174 ImageFileName : [16] "smss.exe"

Note the two forms of the command: with spaces around the minus sign, the debugger takes 0x89e438b8 itself as the address (the output header shows it) and the subtraction of the ActiveProcessLinks offset is lost, so the fields read as empty; the second form, written without spaces, starts from the _EPROCESS base 0x89e43830 and walks the list correctly.


Page 17: Tricks - DKOM

• It is possible to perform DKOM from kernel drivers, but it is also feasible to execute it from userland:
  • It enables the SeDebugPrivilege by using:
    RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &oldpriv);
  • NtQuerySystemInformation( ) locates the base address of the kernel module (ntoskrnl.exe):
    NtQuerySystemInformation(SystemModuleInformation, &infomod, sizeof(infomod), NULL);
  • It extracts the base address of the kernel executive module (ntoskrnl.exe):
    kernelbase = (ULONG)infomod.Modules[0].ImageBase


Page 18: Tricks - DKOM

• The PsInitialSystemProcess variable points to the _EPROCESS of the System process. Therefore, we have to get the PsInitialSystemProcess address:
    kernelhandle = LoadLibraryA(kernelfilename); // ntoskrnl.exe
    psinitialsys_addr = (ULONG)GetProcAddress(kernelhandle, "PsInitialSystemProcess") - (ULONG)kernelhandle + kernelbase;
• Walk the linked list searching for the target process to hide (remember offset 0x88, ActiveProcessLinks).
• NtSystemDebugControl( ) reads and writes (SysDbgReadVirtual / SysDbgWriteVirtual) 4 bytes at a specific address in kernel memory. Thus, it is possible to overwrite the Flink and Blink pointers.


Page 19: Tricks - DKOM

• NtSystemDebugControl(
      IN SYSDBG_COMMAND Command,
      IN PVOID InputBuffer OPTIONAL,
      IN ULONG InputBufferLength,
      OUT PVOID OutputBuffer OPTIONAL,
      IN ULONG OutputBufferLength,
      OUT PULONG ReturnLength OPTIONAL );

• NtSystemDebugControl(SysDbgReadVirtual, &dbgmembuff, sizeof(dbgmembuff), NULL, 0, NULL);


Page 20: Tricks - DKOM

root@kali:~/volatility25# python vol.py --profile=WinXPSP2x86 -f /malwares/malware2.vmem psxview
Volatility Foundation Volatility Framework 2.5
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x06499b80 svchost.exe             711 True   True   True     True   True  True    True
0x04b5a980 VMwareUser.exe          109 True   True   True     True   True  True    True
0x05f027e0 explorer.exe            216 True   True   True     True   True  True    True
0x010f7588 wuauclt.exe             468 True   True   True     True   True  True    True
0x04c2b310 wscntfy.exe             888 True   True   True     True   True  True    True
0x061ef558 svchost.exe             491 True   True   True     True   True  True    True
0x06015020 services.exe            878 True   True   True     True   True  True    True
0x06384230 vmacthlp.exe            844 True   True   True     True   True  True    True
0x069d5b28 vmtoolsd.exe            537 True   True   True     True   True  True    True
0x06945da0 spoolsv.exe            1432 True   True   True     True   True  True    True
0x05f47020 lsass.exe               688 True   True   True     True   True  True    True
0x0113f648 lass.exe               1336 False  True   True     True   True  True    True
0x04a065d0 svchost.exe            1724 True   True   True     True   True  True    True
0x066f0978 winlogon.exe            831 True   True   True     True   True  True    True
……..
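The Flink/Blink overwrite described on slides 17-19 and the cross-view check that psxview performs on slide 20, modelled in a user-mode C program (an added example, not code from the slides or from the author): the structure names mirror the kernel's, but the layouts, the process set, the PIDs and the "pool" (a plain array) are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as nt!_LIST_ENTRY (slide 13). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Stand-in for nt!_EPROCESS with only the fields the walk needs
 * (ActiveProcessLinks is at +0x88 on XP SP3, +0x188 on Win7 x64). */
typedef struct _EPROCESS {
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];
} EPROCESS;

/* Recover the object from the address of a field embedded in it. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define POOL_SIZE 8
static EPROCESS   g_pool[POOL_SIZE];      /* constructed stand-in for the non-paged pool */
static LIST_ENTRY g_PsActiveProcessHead;  /* plays nt!PsActiveProcessHead (slide 15) */

/* Link at the tail, where a newly created process lands. */
static void list_insert_tail(LIST_ENTRY *e) {
    e->Flink = &g_PsActiveProcessHead;
    e->Blink = g_PsActiveProcessHead.Blink;
    g_PsActiveProcessHead.Blink->Flink = e;
    g_PsActiveProcessHead.Blink = e;
}

/* Constructed process set: names from slides 14 and 20, PIDs made up. */
static void build_sample(void) {
    static const char *names[] = {"System", "smss.exe", "csrss.exe",
                                  "winlogon.exe", "services.exe", "lass.exe"};
    static const uint32_t pids[] = {4, 376, 604, 640, 740, 1336};
    g_PsActiveProcessHead.Flink = g_PsActiveProcessHead.Blink = &g_PsActiveProcessHead;
    memset(g_pool, 0, sizeof g_pool);
    for (int i = 0; i < 6; i++) {
        g_pool[i].UniqueProcessId = pids[i];
        strncpy(g_pool[i].ImageFileName, names[i], sizeof g_pool[i].ImageFileName - 1);
        list_insert_tail(&g_pool[i].ActiveProcessLinks);
    }
}

/* The overwrite of slide 18: both neighbours are pointed past the target, so a
 * list walk never reaches it, while the object stays in the pool and its
 * threads stay schedulable (the scheduler does not use this list). */
static void dkom_unlink(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* pslist view: walk from PsActiveProcessHead, as the `dt -l` on slide 16 does. */
static int pslist(uint32_t *out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink;
         e != &g_PsActiveProcessHead && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* psscan view: scan the pool for objects that look like processes (here a
 * non-empty name) instead of trusting the list. */
static int psscan(uint32_t *out, int max) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE && n < max; i++)
        if (g_pool[i].ImageFileName[0] != '\0')
            out[n++] = g_pool[i].UniqueProcessId;
    return n;
}

/* Cross-view (the psxview idea): a PID the scan finds but the list walk does
 * not is hidden. Returns the count and reports the first such PID. */
static int psxview_hidden(uint32_t *first_hidden) {
    uint32_t list[POOL_SIZE], scan[POOL_SIZE];
    int nl = pslist(list, POOL_SIZE), ns = psscan(scan, POOL_SIZE), hidden = 0;
    for (int i = 0; i < ns; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++) seen |= (list[j] == scan[i]);
        if (seen) continue;
        if (hidden++ == 0 && first_hidden) *first_hidden = scan[i];
    }
    return hidden;
}

int main(void) {
    uint32_t pid = 0;
    build_sample();
    printf("hidden before unlink: %d\n", psxview_hidden(&pid));
    dkom_unlink(&g_pool[5]);   /* hide the constructed lass.exe */
    printf("hidden after unlink:  %d (PID %u)\n", psxview_hidden(&pid), pid);
    return 0;
}
```

The unlinked entry is exactly the lass.exe row on slide 20: absent from the pslist column, present in every scan-based column.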


Page 21: Tricks - Hollowing

• Hollowing (or process replacement) is one of the smartest tricks used by malware to stay stealthy.
• Basically, the malware:
  • Starts a new instance of a legitimate process (in SUSPENDED state): CreateProcess( );
  • Opens and reads the malicious code;
  • Gathers the base address of the destination image: NtQueryInformationProcess( ) to get the address of the PEB (Process Environment Block);
  • Frees the memory section in the target process: NtUnmapViewOfSection( );


Page 22: Tricks - Hollowing

  • Allocates a new block of memory to hold the malicious code: VirtualAllocEx( );
  • Copies the source image (malicious PE header and the other PE sections) into the newly allocated memory: WriteProcessMemory( );
  • Sets the start address of the first (suspended) thread to the entry point of the malicious image: GetThreadContext( ) + SetThreadContext( );
  • Resumes the thread: ResumeThread( ).


Page 23: Tricks – SSDT

• SSDT (System Service Descriptor Table)
  • It holds pointers to kernel functions. Therefore, when a user-mode application requests system services (writing a file, for example), ntdll.dll helps the calling thread to reach kernel land.
  • To reach kernel land, two instructions can be used:
    • INT 2E (Windows 2000)
    • SYSENTER (XP and up)


Page 24: Tricks – SSDT

• Path from the application (userland) to the kernel:
  • SYSENTER
  • KiSystemService( )
  • SSDT 1 (in the call table)
  • Native SSDT (service table)
  • Functions (function table) from ntkrnlpa.exe (kernel mode executive)
• There is another SSDT (GUI) and two other unused slots in the call table.
• Malware tries to overwrite pointers in the SSDT to hook functions.
• Nowadays it is a bit more complicated because of Patch Guard and the different system call tables on different cores.
• It is feasible to bypass Patch Guard. For example, check this: http://phrack.org/issues/69/15.html#article


Page 25: Tricks – SSDT hooking


[Diagram: an Application calls WriteFile( ) (from Kernel32.dll), which calls NtWriteFile( ) (from Ntdll.dll); the transition from Userland to Kernel is made with INT 2e / Sysenter into KiSystemService( ) (from Ntoskrnl.exe). The call table holds SSDT 0, SSDT 1 and two Reserved slots; a descriptor points to the Service Table, Counter Table, Service Limits and Arguments Table. In the Service Table, the NtWriteFile( ) entry has been redirected to Rootkit function( ).]

Page 26: Tricks – SSDT

• WinXPSP3 (32 bits): ServiceTableBase is an array of function pointers.
• Win7SP1 (64 bits): ServiceTableBase (KiServiceTable) is an array of 32-bit offsets relative to KiServiceTable, left-shifted by a nibble; decoded, they give the function pointers.

typedef struct _KSERVICE_DESCRIPTOR_TABLE
{
    PULONG ServiceTableBase;        // The table is exported as KiServiceTable
    PULONG ServiceCounterTableBase;
    ULONG  NumberOfServices;        // The number of entries in ServiceTableBase
    PUCHAR ParamTableBase;          // It points to an array of bytes (SSDP – System Service Dispatch Table). Each byte represents the number of bytes allocated for function arguments.
} KSERVICE_DESCRIPTOR_TABLE, *PKSERVICE_DESCRIPTOR_TABLE;


Page 27: Tricks – SSDT

kd> dps nt!KeServiceDescriptorTable
80552fa0  80501b8c nt!KiServiceTable
80552fa4  00000000
80552fa8  0000011c
80552fac  80502000 nt!KiArgumentTable
80552fb0  00000000
80552fb4  00000000
80552fb8  00000000
80552fbc  00000000
80552fc0  00000000
80552fc4  00000000
80552fc8  00000000
80552fcc  00000000
80552fd0  00000000
80552fd4  00000000
....


Page 28: Tricks – SSDT

kd> dps KiServiceTable
80501b8c  80599948 nt!NtAcceptConnectPort
80501b90  805e6db6 nt!NtAccessCheck
80501b94  805ea5fc nt!NtAccessCheckAndAuditAlarm
80501b98  805e6de8 nt!NtAccessCheckByType
80501b9c  805ea636 nt!NtAccessCheckByTypeAndAuditAlarm
80501ba0  805e6e1e nt!NtAccessCheckByTypeResultList
80501ba4  805ea67a nt!NtAccessCheckByTypeResultListAndAuditAlarm
80501ba8  805ea6be nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
80501bac  8060bdfe nt!NtAddAtom
80501bb0  8060cb50 nt!NtSetBootEntryOrder
........


Page 29: Tricks - SSDT

kd> dps nt!KeServiceDescriptorTableShadow
80552f60  80501b8c nt!KiServiceTable
80552f64  00000000
80552f68  0000011c
80552f6c  80502000 nt!KiArgumentTable
80552f70  bf999b80 win32k!W32pServiceTable
80552f74  00000000
80552f78  0000029b
80552f7c  bf99a890 win32k!W32pArgumentTable
80552f80  00000000
80552f84  00000000
80552f88  00000000
80552f8c  00000000
80552f90  00000000
80552f94  00000000
80552f98  00000000
80552f9c  00000000
80552fa0  80501b8c nt!KiServiceTable
80552fa4  00000000
80552fa8  0000011c
80552fac  80502000 nt!KiArgumentTable
80552fb0  00000000
80552fb4  00000000


Page 30: Tricks - SSDT

kd> dps win32k!W32pServiceTable
bf999b80  bf935f7e win32k!NtGdiAbortDoc
bf999b84  bf947b29 win32k!NtGdiAbortPath
bf999b88  bf88ca52 win32k!NtGdiAddFontResourceW
bf999b8c  bf93f6f0 win32k!NtGdiAddRemoteFontToDC
bf999b90  bf949140 win32k!NtGdiAddFontMemResourceEx
bf999b94  bf936212 win32k!NtGdiRemoveMergeFont
bf999b98  bf9362b7 win32k!NtGdiAddRemoteMMInstanceToDC
bf999b9c  bf83b4cd win32k!NtGdiAlphaBlend
bf999ba0  bf948a67 win32k!NtGdiAngleArc
bf999ba4  bf934a17 win32k!NtGdiAnyLinkedFonts
bf999ba8  bf94905f win32k!NtGdiFontIsLinked
bf999bac  bf90f2f4 win32k!NtGdiArcInternal
bf999bb0  bf902318 win32k!NtGdiBeginPath
bf999bb4  bf809fdf win32k!NtGdiBitBlt
bf999bb8  bf948f31 win32k!NtGdiCancelDC
bf999bbc  bf94a72d win32k!NtGdiCheckBitmapBits
…..


Page 31: Tricks - SSDT

kd> !process 0 0 winlogon.exe
PROCESS 898e0020  SessionId: 0  Cid: 0280    Peb: 7ffd6000  ParentCid: 0178
    DirBase: 10980060  ObjectTable: e143a500  HandleCount: 528.
    Image: winlogon.exe

kd> .process /p 898e0020
Implicit process is now 898e0020
.cache forcedecodeuser done

kd> .reload


Page 32: Tricks - SSDT

kd> dds poi(nt!KeServiceDescriptorTableShadow+10) L poi(nt!KeServiceDescriptorTableShadow+18)
....
bf999b80  bf935f7e win32k!NtGdiAbortDoc
bf999b84  bf947b29 win32k!NtGdiAbortPath
bf999b88  bf88ca52 win32k!NtGdiAddFontResourceW
bf999b8c  bf93f6f0 win32k!NtGdiAddRemoteFontToDC
bf999b90  bf949140 win32k!NtGdiAddFontMemResourceEx
bf999b94  bf936212 win32k!NtGdiRemoveMergeFont
bf999b98  bf9362b7 win32k!NtGdiAddRemoteMMInstanceToDC
bf999b9c  bf83b4cd win32k!NtGdiAlphaBlend
bf999ba0  bf948a67 win32k!NtGdiAngleArc
bf999ba4  bf934a17 win32k!NtGdiAnyLinkedFonts
bf999ba8  bf94905f win32k!NtGdiFontIsLinked
bf999bac  bf90f2f4 win32k!NtGdiArcInternal
...


Page 33: Tricks – SSDT

kd> dd /c 1 KiServiceTable
fffff800`02ac0800  0418ff00
fffff800`02ac0804  02f86700
fffff800`02ac0808  fff6f400
fffff800`02ac080c  02ea4705
fffff800`02ac0810  031f6406
fffff800`02ac0814  0316a305
fffff800`02ac0818  02baf101
fffff800`02ac081c  02b34400
fffff800`02ac0820  03182140
fffff800`02ac0824  03f21b00
fffff800`02ac0828  02c85700
fffff800`02ac082c  02e99f80
……

Each offset is left-shifted by 4 bits so that additional data can be encoded in the least significant nibble.


Page 34: Tricks – SSDT

kd> .foreach /ps 1 /pS 1 ( aborges {dd /c 1 nt!KiServiceTable L poi(nt!KeServiceDescriptorTable+10)}){ .printf "%y\n", ( aborges >>> 4) + nt!KiServiceTable }
nt!NtMapUserPhysicalPagesScatter (fffff800`02ed97f0)
nt!NtWaitForSingleObject (fffff800`02db8e70)
nt!NtCallbackReturn (fffff800`02ab7740)
nt!NtReadFile (fffff800`02daac70)
nt!NtDeviceIoControlFile (fffff800`02ddfe40)
nt!NtWriteFile (fffff800`02dd7230)
nt!NtRemoveIoCompletion (fffff800`02d7b710)
nt!NtReleaseSemaphore (fffff800`02d73c40)
nt!NtReplyWaitReceivePort (fffff800`02dd8a14)
nt!NtReplyPort (fffff800`02eb29b0)
....


Page 35: Tricks - SSDT

kd> !dbgkit.st
000: fffff80002ed97f0 nt!NtMapUserPhysicalPagesScatter
001: fffff80002db8e70 nt!NtWaitForSingleObject
002: fffff80002ab7740 nt!NtCallbackReturn
003: fffff80002daac70 nt!NtReadFile
004: fffff80002ddfe40 nt!NtDeviceIoControlFile
005: fffff80002dd7230 nt!NtWriteFile
006: fffff80002d7b710 nt!NtRemoveIoCompletion
007: fffff80002d73c40 nt!NtReleaseSemaphore
008: fffff80002dd8a14 nt!NtReplyWaitReceivePort
009: fffff80002eb29b0 nt!NtReplyPort
00a: fffff80002d88d70 nt!NtSetInformationThread
00b: fffff80002daa1f8 nt!NtSetEvent
00c: fffff80002dba230 nt!NtClose
00d: fffff80002da1990 nt!NtQueryObject
00e: fffff80002d9e120 nt!NtQueryInformationFile
.....(snip)....


Page 36: Tricks - SSDT

kd> dd dwo(KeServiceDescriptorTable) L100    (remember: dwo( ) returns the double-word value at the specified address)
……
80501d5c  8056f39a 8056dd32 805cba0e 8061b658
80501d6c  8060d896 805ea704 805c1296 805e39fc
80501d7c  805e3660 8059f722 8060b254 805b977a
80501d8c  805c1522 805e3a1a 805e37d0 8060d1b0
80501d9c  8063bc78 805bf346 805eddce 805e9a16
80501dac  805e9c02 805ada08 806052dc 8056c0ce
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 baadc0de 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
80501dec  805cbee0 8059a6fc 805c2bfc 805c17c8
80501dfc  805e3afa 80607266 8060e060 8056ddda
80501e0c  8061b97e 806193d4 8060d93e 805bb04c
80501e1c  80619a80 8060e0ee 80570af2 805adbca


Page 37: Tricks - SSDT

kd> dd dwo(KeServiceDescriptorTable) L100
....
80501d5c  8056f39a 8056dd32 805cba0e 8061b658
80501d6c  8060d896 805ea704 805c1296 805e39fc
80501d7c  805e3660 8059f722 8060b254 805b977a
80501d8c  805c1522 805e3a1a 805e37d0 8060d1b0
80501d9c  8063bc78 805bf346 805eddce 805e9a16
80501dac  805e9c02 805ada08 806052dc 8056c0ce
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 8056f074 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
80501dec  805cbee0 8059a6fc 805c2bfc 805c17c8
80501dfc  805e3afa 80607266 8060e060 8056ddda
80501e0c  8061b97e 806193d4 8060d93e 805bb04c
.....


Page 38: Tricks - SSDT

kd> uf 8056f074
nt!NtQueryDirectoryFile:
8056f074 8bff            mov     edi,edi
8056f076 55              push    ebp
8056f077 8bec            mov     ebp,esp
8056f079 8d452c          lea     eax,[ebp+2Ch]
8056f07c 50              push    eax
8056f07d 8d4528          lea     eax,[ebp+28h]
8056f080 50              push    eax
8056f081 8d4524          lea     eax,[ebp+24h]
8056f084 50              push    eax
8056f085 8d4520          lea     eax,[ebp+20h]
8056f088 50              push    eax

This function enumerates the entries (files or directories) held in a file container object (a directory). The Win32 API uses it in the FindFirstFile / FindNextFile routines.


Page 39: Tricks - SSDT

Usually, the !chkimg extension can detect corruption in the images of executable files by comparing them with the copy on a symbol store or another file repository:

kd> !chkimg nt -d
0 errors : nt

It is even possible to restore a hooked SSDT by executing the following command:

kd> !chkimg nt -f


Page 40: Tricks - SSDT

root@kali:~ # python /root/volatility25/vol.py -f ./malware5.vmem ssdt | egrep -v '(win32k|ntoskrnl)'
Volatility Foundation Volatility Framework 2.5
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at ff3aab90 with 284 entries
  Entry 0x0080: 0xff0d1f0b (NtOpenThread) owned by 00004A2A
  Entry 0x0089: 0xff0d2617 (NtProtectVirtualMemory) owned by 00004A2A
  Entry 0x00ad: 0xff0d1da0 (NtQuerySystemInformation) owned by 00004A2A
  Entry 0x00ba: 0xff0d256b (NtReadVirtualMemory) owned by 00004A2A
  Entry 0x00d5: 0xff0d2070 (NtSetContextThread) owned by 00004A2A
  Entry 0x00f7: 0xff0d2397 (NtSetValueKey) owned by 00004A2A
  Entry 0x00fe: 0xff0d201d (NtSuspendThread) owned by 00004A2A
  Entry 0x0102: 0xff0d1fca (NtTerminateThread) owned by 00004A2A
  Entry 0x0115: 0xff0d25c1 (NtWriteVirtualMemory) owned by 00004A2A
  Entry 0x0041: 0xff0d2487 (NtDeleteValueKey) owned by 00004A2A
  Entry 0x0047: 0xff0d216b (NtEnumerateKey) owned by 00004A2A
  Entry 0x0049: 0xff0d2267 (NtEnumerateValueKey) owned by 00004A2A
  Entry 0x0077: 0xff0d20c3 (NtOpenKey) owned by 00004A2A
  Entry 0x007a: 0xff0d1e93 (NtOpenProcess) owned by 00004A2A
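The decoding of x64 KiServiceTable entries (slides 26 and 33-35) and the ownership check that the Volatility ssdt plugin applies (slide 40, and the baadc0de entry of slide 36), as an added C example that is not from the slides or the author: the raw entries and addresses are copied from the slides, while the module ranges, the helper names and the low-nibble reading (stack argument count) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* x64 (Win7 SP1, slide 26): a KiServiceTable entry is a 32-bit value whose
 * upper 28 bits hold a signed offset from KiServiceTable and whose low nibble
 * (assumed here) holds the number of arguments passed on the stack. Masking
 * the nibble and dividing by 16 is the portable form of slide 34's ">>> 4". */
static uint64_t decode_x64(uint64_t ki_service_table, uint32_t entry) {
    int32_t s = (int32_t)entry;              /* negative offsets exist: slide 33, entry 2 */
    int64_t off = (int64_t)(s & ~0xF) / 16;  /* exact: the masked value is a multiple of 16 */
    return ki_service_table + (uint64_t)off;
}

static unsigned stack_args_x64(uint32_t entry) { return entry & 0xF; }

/* x86 (XP SP3): the entry is the function pointer itself. */
static uint64_t decode_x86(uint32_t entry) { return entry; }

typedef struct { const char *name; uint64_t base, end; } ModuleRange;

/* Which loaded image owns an address; NULL means none of the known ones,
 * which is what makes the entries "owned by 00004A2A" on slide 40 and the
 * baadc0de slot on slide 36 stand out. */
static const char *owner_of(uint64_t addr, const ModuleRange *mods, int n) {
    for (int i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].end) return mods[i].name;
    return NULL;
}

/* Count the table entries that resolve outside every known module. */
static int count_unowned(const uint64_t *targets, int n, const ModuleRange *mods, int nmods) {
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (owner_of(targets[i], mods, nmods) == NULL) bad++;
    return bad;
}

/* Constructed module ranges (assumed, not from the slides), wide enough to
 * contain the ntoskrnl and win32k addresses the slides show. */
static const ModuleRange g_mods_x64[] = {
    {"ntoskrnl.exe", 0xfffff80002a00000ULL, 0xfffff80002fe0000ULL},
};
static const ModuleRange g_mods_x86[] = {
    {"ntoskrnl.exe", 0x80400000ULL, 0x806e0000ULL},
    {"win32k.sys",   0xbf800000ULL, 0xbfa00000ULL},
};

/* Slide 33: KiServiceTable at fffff800`02ac0800 and its first six raw entries. */
static const uint64_t KI_SERVICE_TABLE_X64 = 0xfffff80002ac0800ULL;
static const uint32_t g_raw_x64[6] = {0x0418ff00, 0x02f86700, 0xfff6f400,
                                      0x02ea4705, 0x031f6406, 0x0316a305};

/* Slide 36: one row of the XP table, including the overwritten slot. */
static const uint32_t g_raw_x86[4] = {0x80607ac8, 0xbaadc0de, 0x805b3de0, 0x8056f3ca};

int main(void) {
    uint64_t t[6];
    for (int i = 0; i < 6; i++) {
        t[i] = decode_x64(KI_SERVICE_TABLE_X64, g_raw_x64[i]);
        printf("%03x: %016llx  %u stack args  owner=%s\n", i, (unsigned long long)t[i],
               stack_args_x64(g_raw_x64[i]), owner_of(t[i], g_mods_x64, 1));
    }
    for (int i = 0; i < 4; i++) t[i] = decode_x86(g_raw_x86[i]);
    printf("x86 row: %d entry(ies) outside ntoskrnl/win32k\n", count_unowned(t, 4, g_mods_x86, 2));
    return 0;
}
```

The six decoded x64 addresses match the first six lines of the !dbgkit.st output on slide 35, and the XP row reports exactly one foreign entry, the baadc0de slot.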


Page 41: Few tricks used by malwares - Alexandre Borges | Malware ... · Few tricks used by malwares ... • Instructor at Oracle, (ISC) ... (or process replacement) is one of most smart tricks

Code Injection

• What’s code injection?

• Why do malwares use code injection?

• What are the most common functions involved in code injection?

• Most usual types of code injection: DLL and Direct Injection.


[Diagram: DLL injection – a Trojan (or a Launcher / Trojan) injects a Malicious DLL into a Target Process; after injection the Malicious DLL runs inside the Target Process.]

Tricks - Code Injection

• Find the target process: CreateToolhelp32Snapshot( ), Process32First( ), Process32Next( ) and EnumProcessModules( );

• Get the handle of the target process: OpenProcess( )

• Allocate space in the remote process: VirtualAllocEx( )

• Write the malicious library name string (DLL name): WriteProcessMemory( )

• Get the handle for kernel32.dll: GetModuleHandle("kernel32.dll")

• Get the address of the LoadLibraryA function inside kernel32.dll: GetProcAddress(...., "LoadLibraryA")

• Create and execute a new thread in the remote process: CreateRemoteThread( )

• Wait until the remote thread (the DllMain( )) terminates: WaitForSingleObject( )

• Retrieve the exit code of the remote thread: GetExitCodeThread( )

• Free the allocated memory: VirtualFreeEx( )

• Unload the DLL from the remote process: CreateRemoteThread( ) + FreeLibrary( )


Tricks – Code Injection

.text:00411260 call ds:OpenProcess
.text:00411266 mov [ebp+hProcess], eax
.text:0041126C cmp [ebp+hProcess], 0FFFFFFFFh
.text:00411273 jnz short loc_41127D
.text:00411275 or eax, 0FFFFFFFFh
.text:00411278 jmp loc_411342
.......
.text:00411298 push 0 ; lpAddress
.text:0041129A mov edx, [ebp+hProcess]
.text:004112A0 push edx ; hProcess
.text:004112A1 call ds:VirtualAllocEx
.text:004112A7 mov [ebp+lpBaseAddress], eax
.text:004112AD cmp [ebp+lpBaseAddress], 0
.text:004112B4 jnz short loc_4112BE
.......


Tricks – Code Injection

.....
.text:004112D2 push ecx ; lpBaseAddress
.text:004112D3 mov edx, [ebp+hProcess]
.text:004112D9 push edx ; hProcess
.text:004112DA call ds:WriteProcessMemory
.text:004112E0 push offset ModuleName ; "kernel32.dll"
.text:004112E5 call ds:GetModuleHandleA
.text:004112EB mov [ebp+hModule], eax
.text:004112F1 push offset aLoadlibrarya ; "LoadLibraryA"
.text:004112F6 mov eax, [ebp+hModule]
.text:004112FC push eax ; hModule
.text:004112FD call ds:GetProcAddress
.text:00411303 mov [ebp+lpStartAddress], eax
.text:00411309 push 0 ; lpThreadId
.......
.text:0041131F mov eax, [ebp+hProcess]
.text:00411325 push eax ; hProcess
.text:00411326 call ds:CreateRemoteThread
.text:0041132C mov [ebp+var_1180], eax
.....


Tricks – Code Injection

Useless for DLL injection:


Tricks – Code Injection

kd> lm n
start    end      module name
01000000 01062000 kd       kd.exe
01d00000 01d48000 symsrv   symsrv.dll
02000000 0239b000 dbgeng   dbgeng.dll
03000000 03141000 dbghelp  dbghelp.dll
77c00000 77c08000 VERSION  VERSION.dll
77c10000 77c68000 msvcrt   msvcrt.dll
77dd0000 77e6b000 ADVAPI32 ADVAPI32.dll
77e70000 77f02000 RPCRT4   RPCRT4.dll
77fe0000 77ff1000 Secur32  Secur32.dll
7c800000 7c8f6000 kernel32 kernel32.dll
7c900000 7c9af000 ntdll    ntdll.dll
804d7000 806cf580 nt       ntkrnlpa.exe
806d0000 806f0300 hal      halaacpi.dll
b1052000 b1075180 Fastfat  Fastfat.SYS
b13c1000 b1401a80 HTTP     HTTP.sys
b16fa000 b174bc00 srv      srv.sys
.......


Tricks – Code Injection

kd> lmf
start    end      module   name
01000000 01062000 kd       C:\program files\Debugging Tools for Windows (x86)\kd.exe
01d00000 01d48000 symsrv   C:\program files\Debugging Tools for Windows (x86)\symsrv.dll
02000000 0239b000 dbgeng   C:\program files\Debugging Tools for Windows (x86)\dbgeng.dll
03000000 03141000 dbghelp  C:\program files\Debugging Tools for Windows (x86)\dbghelp.dll
77c00000 77c08000 VERSION  C:\WINDOWS\system32\VERSION.dll
77c10000 77c68000 msvcrt   C:\WINDOWS\system32\msvcrt.dll
77dd0000 77e6b000 ADVAPI32 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000 RPCRT4   C:\WINDOWS\system32\RPCRT4.dll
77fe0000 77ff1000 Secur32  C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000 kernel32 C:\WINDOWS\system32\kernel32.dll
7c900000 7c9af000 ntdll    C:\WINDOWS\system32\ntdll.dll
804d7000 806cf580 nt       ntkrnlpa.exe
806d0000 806f0300 hal      halaacpi.dll
b1052000 b1075180 Fastfat  \SystemRoot\System32\Drivers\Fastfat.SYS
b13c1000 b1401a80 HTTP     \SystemRoot\System32\Drivers\HTTP.sys
b16fa000 b174bc00 srv      \SystemRoot\system32\DRIVERS\srv.sys
b179c000 b17a8000 LiveKdD  \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS
b183c000 b1868180 mrxdav   \SystemRoot\system32\DRIVERS\mrxdav.sys
.......


Tricks – Code Injection

kd> s -d 0x0 L?0xffffffff 0x00905a4d
0006e3a4  00905a4d 02338082 023380c2 00000000  MZ....3...3.....
008cc480  00905a4d 00000000 0006e5f8 00000000  MZ..............
01000000  00905a4d 00000003 00000004 0000ffff  MZ..............
010540a0  00905a4d 00000003 00000004 0000ffff  MZ..............
01d00000  00905a4d 00000003 00000004 0000ffff  MZ..............
02000000  00905a4d 00000003 00000004 0000ffff  MZ..............
0234fc98  00905a4d 00000000 008c9e98 00000000  MZ..............
02351918  00905a4d 00000000 02037788 00275e30  MZ.......w..0^'.
03000000  00905a4d 00000003 00000004 0000ffff  MZ..............
77c00000  00905a4d 00000003 00000004 0000ffff  MZ..............
77c10000  00905a4d 00000003 00000004 0000ffff  MZ..............
77dd0000  00905a4d 00000003 00000004 0000ffff  MZ..............
77e70000  00905a4d 00000003 00000004 0000ffff  MZ..............
77fe0000  00905a4d 00000003 00000004 0000ffff  MZ..............
7c800000  00905a4d 00000003 00000004 0000ffff  MZ..............
7c900000  00905a4d 00000003 00000004 0000ffff  MZ..............
80172000  00905a4d 00000003 00000004 0000ffff  MZ..............
.......


Tricks – Code Injection

kd> .foreach ( aborges {s -[1]d 0x0 L?0xffffffff 0x00905a4d} ) {.echo "****H2HC UNIVERSITY****"; !lmi aborges}
****H2HC UNIVERSITY****
Loaded Module Info: [load]
         Module: ACPI
   Base Address: ba779000
     Image Name: ACPI.sys
   Machine Type: 332 (I386)
     Time Stamp: 480252b1 Sun Apr 13 15:36:33 2008
           Size: 2dd80
       CheckSum: 38955
Characteristics: 10e
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    21, 1bc78,   1bc78 RSDS - GUID: {3E23085E-EF9C-4EB5-AC40-C386278F6D7E}
               Age: 1, Pdb: acpi.pdb
     Image Type: MEMORY   - Image read successfully from loaded memory.
    Symbol Type: PDB      - Symbols loaded successfully from symbol server.
                 c:\symbols\acpi.pdb\3E23085EEF9C4EB5AC40C386278F6D7E1\acpi.pdb
    Load Report: public symbols , not source indexed
                 c:\symbols\acpi.pdb\3E23085EEF9C4EB5AC40C386278F6D7E1\acpi.pdb
...


Tricks – Code Injection

0:000> lm
start    end      module name
01000000 01014000 notepad    (deferred)
73000000 73026000 WINSPOOL   (deferred)
763b0000 763f9000 comdlg32   (deferred)
773d0000 774d3000 COMCTL32   (deferred)
77c10000 77c68000 msvcrt     (deferred)
77dd0000 77e6b000 ADVAPI32   (deferred)
77e70000 77f02000 RPCRT4     (deferred)
77f10000 77f59000 GDI32      (deferred)
77f60000 77fd6000 SHLWAPI    (deferred)
77fe0000 77ff1000 Secur32    (deferred)
7c800000 7c8f6000 kernel32   (deferred)
7c900000 7c9af000 ntdll      (export symbols)       C:\WINDOWS\system32\ntdll.dll
7c9c0000 7d1d7000 SHELL32    (deferred)
7e410000 7e4a1000 USER32     (deferred)


Tricks – Code Injection

0:000> .dvalloc /b 42420000 1024
Allocated 2000 bytes starting at 42420000
0:000> .readmem "c:\\windows\\system32\\calc.exe" 42420000 42420000+1024
0:000> dc 42420000
42420000  00905a4d 00000003 00000004 0000ffff  MZ..............
42420010  000000b8 00000000 00000040 00000000  ........@.......
42420020  00000000 00000000 00000000 00000000  ................
42420030  00000000 00000000 00000000 000000f0  ................
42420040  0eba1f0e cd09b400 4c01b821 685421cd  ........!..L.!Th
42420050  70207369 72676f72 63206d61 6f6e6e61  is program canno
42420060  65622074 6e757220 206e6920 20534f44  t be run in DOS
42420070  65646f6d 0a0d0d2e 00000024 00000000  mode....$.......


Tricks - Code Injection

0:000> s -d 0x0 L?0xffffffff 0x00905a4d
01000000  00905a4d 00000003 00000004 0000ffff  MZ..............
42420000  00905a4d 00000003 00000004 0000ffff  MZ..............
73000000  00905a4d 00000003 00000004 0000ffff  MZ..............
763b0000  00905a4d 00000003 00000004 0000ffff  MZ..............
773d0000  00905a4d 00000003 00000004 0000ffff  MZ..............
77c10000  00905a4d 00000003 00000004 0000ffff  MZ..............
77dd0000  00905a4d 00000003 00000004 0000ffff  MZ..............
77e70000  00905a4d 00000003 00000004 0000ffff  MZ..............
77f10000  00905a4d 00000003 00000004 0000ffff  MZ..............
77f60000  00905a4d 00000003 00000004 0000ffff  MZ..............
77fe0000  00905a4d 00000003 00000004 0000ffff  MZ..............
7c800000  00905a4d 00000003 00000004 0000ffff  MZ..............
7c900000  00905a4d 00000003 00000004 0000ffff  MZ..............
7c9c0000  00905a4d 00000003 00000004 0000ffff  MZ..............
7e410000  00905a4d 00000003 00000004 0000ffff  MZ..............


Tricks – Code Injection

0:000> dc 42420000+140 L1   // IMAGE_OPTIONAL_HEADER dwSizeOfImage (size of the image loaded into memory – 140 bytes from the base of the PE file)
42420140  0001f000
0:000> .formats 0001f000
Evaluate expression:
  Hex:     0001f000
  Decimal: 126976
  Octal:   00000370000
  Binary:  00000000 00000001 11110000 00000000
  Chars:   ....
  Time:    Fri Jan 02 09:16:16 1970
  Float:   low 1.77931e-040 high 0
  Double:  6.27345e-319
0:000> .dvalloc /b 43430000 1f000
Allocated 1f000 bytes starting at 43430000
0:000> .readmem "c:\\windows\\system32\\calc.exe" 43430000 43430000+1f000
Reading 1f001 bytes........................................................
Unable to read data for 4344c000, load is incomplete
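As an added example (not code from the slides), the Python scanner below does in a script what the s -d / !dh / lm sequence does by hand: it walks a constructed address space for "MZ" at dword granularity, validates each hit through e_lfanew and the PE signature so stray strings are discarded, reads SizeOfImage from IMAGE_OPTIONAL_HEADER (offset 0x140 for the calc.exe layout) and reports images whose base is not in the loader's module list. The minimal PE header, the memory regions and the module list are constructed for the example.

```python
import struct


def build_sample_pe(size_of_image):
    """Constructed minimal PE32 header laid out like the calc.exe dump on the
    slides: e_lfanew = 0xf0, so SizeOfImage lands at offset 0x140. Not a real file."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3c, 0xf0)                  # e_lfanew
    img[0xf0:0xf4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab,
    # NumSymbols, SizeOfOptionalHeader, Characteristics (values as !dh printed them)
    struct.pack_into("<HHIIIHH", img, 0xf4, 0x14c, 3, 0x3b7d8410, 0, 0, 0xe0, 0x10f)
    struct.pack_into("<H", img, 0x108, 0x10b)                 # optional header Magic (PE32)
    struct.pack_into("<I", img, 0x108 + 0x38, size_of_image)  # SizeOfImage at 0x140
    return bytes(img)


def parse_pe_header(buf, off):
    """Validate an MZ/PE header at buf[off:]; return (e_lfanew, SizeOfImage) or
    None when the 'MZ' is a false positive (a stray string, not an image)."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3c)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 0x18 + 0x3c > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", buf, pe + 0x18)[0]       # 0x10b PE32, 0x20b PE32+
    if magic not in (0x10b, 0x20b):
        return None
    size_of_image = struct.unpack_from("<I", buf, pe + 0x18 + 0x38)[0]
    return e_lfanew, size_of_image


def scan_for_images(regions):
    """regions maps base address -> bytes. Check every dword-aligned offset, the
    granularity of `s -d ... 0x00905a4d`, and keep only hits that carry a valid
    PE header. Returns a sorted list of (image_base, SizeOfImage)."""
    hits = []
    for base, buf in regions.items():
        for off in range(0, len(buf) - 1, 4):
            if buf[off:off + 2] != b"MZ":
                continue
            hdr = parse_pe_header(buf, off)
            if hdr is not None:
                hits.append((base + off, hdr[1]))
    return sorted(hits)


def unlisted_images(hits, modules):
    """Drop hits whose base is a module start from `lm`; what remains is an image
    mapped into the process but absent from the loader's module list."""
    known = {start for start, _end, _name in modules}
    return [(addr, size) for addr, size in hits if addr not in known]


# Constructed address space: notepad.exe at 0x01000000 (listed by `lm`), a manually
# mapped copy of calc.exe at 0x42420000 (not listed), and a buffer that merely
# contains the string "MZ" with no PE header behind it.
SAMPLE_REGIONS = {
    0x01000000: build_sample_pe(0x14000),
    0x42420000: build_sample_pe(0x1f000),
    0x00300000: b"\x00" * 0x20 + b"MZ is not an image\x00" + b"\x00" * 0x100,
}
# Subset of the `lm` output for notepad.exe shown on the slides.
SAMPLE_MODULES = [
    (0x01000000, 0x01014000, "notepad"),
    (0x7c800000, 0x7c8f6000, "kernel32"),
    (0x7c900000, 0x7c9af000, "ntdll"),
]

if __name__ == "__main__":
    for addr, size in unlisted_images(scan_for_images(SAMPLE_REGIONS), SAMPLE_MODULES):
        # base and SizeOfImage are exactly the range .writemem needs to dump it
        print(f"unlisted PE image at {addr:08x}, SizeOfImage {size:#x}")
```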


Tricks – Code Injection

kd> !dh 43430000

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       3 number of sections
3B7D8410 time date stamp Fri Aug 17 17:52:32 2001
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     10F characteristics
            Relocations stripped
            Executable
            Line numbers stripped
            Symbols stripped
            32 bit word machine
......


Tricks – Code Injection

0:000> dc 4344b800
4344b800  00410043 0043004c 00000000 002e0080  C.A.L.C.........
4344b810  004c0001 00670065 006c0061 006f0043  ..L.e.g.a.l.C.o.
4344b820  00790070 00690072 00680067 00000074  p.y.r.i.g.h.t...
4344b830  002000a9 0069004d 00720063 0073006f  .. .M.i.c.r.o.s.
4344b840  0066006f 00200074 006f0043 00700072  o.f.t. .C.o.r.p.
4344b850  0072006f 00740061 006f0069 002e006e  o.r.a.t.i.o.n...
4344b860  00410020 006c006c 00720020 00670069  .A.l.l. .r.i.g.
4344b870  00740068 00200073 00650072 00650073  h.t.s. .r.e.s.e.
0:000> .writemem "c:\\windows\\system32\\calc_test.exe" 43430000 43430000+1f000
Writing 1f001 bytes..............................................................
Unable to read memory at 4344f000, file is incomplete



Tricks – Code Injection

root@kali:~/volatility25# python vol.py --profile=WinXPSP3x86 -f /malwares/"malware6.vmem" malfind
Process: notepad.exe Pid: 2060 Address: 0x43430000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 31, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x43430000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x43430010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x43430020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x43430030  00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00   ................

0x43430000 4d               DEC EBP
0x43430001 5a               POP EDX
0x43430002 90               NOP
0x43430003 0003             ADD [EBX], AL
0x43430005 0000             ADD [EAX], AL
0x43430007 000400           ADD [EAX+EAX], AL
0x4343000a 0000             ADD [EAX], AL
0x4343000c ff               DB 0xff
0x4343000d ff00             INC DWORD [EAX]
0x4343000f 00b800000000     ADD [EAX+0x0], BH
0x43430015 0000             ADD [EAX], AL
0x43430017 004000           ADD [EAX+0x0], AL
0x4343001a 0000             ADD [EAX], AL


Tricks – Code Injection

0:000> s -[l8]sa 43430000 L1f000
4343004d  "!This program cannot be run in D"
4343006d  "OS mode."
434300a9  "$y7D$x79"
43430298  "SHELL32.dll"
434302a4  "msvcrt.dll"
434302af  "ADVAPI32.dll"
434302bc  "KERNEL32.dll"
434302c9  "GDI32.dll"
434302d3  "USER32.dll"
43430990  "hhctrl.ocx"
434309a0  "CLSID\{ADB880A6-D8FF-11CF-9377-0"
434309c0  "0AA003B7A11}\InprocServer32"
43430a1c  "calc.pdb"
43434609  "t<It5It+It!"
43437403  "+tKIItGIt:IIt,"
43442236  "ShellAboutW"
43442242  "SHELL32.dll"
43442250  "__CxxFrameHandler"
.......


Tricks – Code Injection

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 89e43830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00334000  ObjectTable: e1000c98  HandleCount: 266.
    Image: System

PROCESS 89c99a80  SessionId: 0  Cid: 06f4    Peb: 7ffd7000  ParentCid: 06cc
    DirBase: 10e80200  ObjectTable: e1d4f188  HandleCount: 693.
    Image: explorer.exe
....
PROCESS 897d1da0  SessionId: 0  Cid: 0cc4    Peb: 7ffdf000  ParentCid: 06f4
    DirBase: 10e80280  ObjectTable: e21972c0  HandleCount: 55.
    Image: cmd.exe

PROCESS 896d77a8  SessionId: 0  Cid: 09a0    Peb: 7ffdc000  ParentCid: 0cc4
    DirBase: 10e80240  ObjectTable: e1d465b8  HandleCount: 80.
    Image: windbg.exe

PROCESS 891a8690  SessionId: 0  Cid: 080c    Peb: 7ffdf000  ParentCid: 09a0
    DirBase: 10e802c0  ObjectTable: e5883c08  HandleCount: 6.
    Image: notepad.exe


Tricks – Code Injection

kd> !process 891a8690 1
PROCESS 891a8690  SessionId: 0  Cid: 080c    Peb: 7ffdf000  ParentCid: 09a0
    DirBase: 10e802c0  ObjectTable: e5883c08  HandleCount: 6.
    Image: notepad.exe
    VadRoot 891cb1b0 Vads 37 Clone 0 Private 199. Modified 0. Locked 0.
    DeviceMap e1c3e150
    Token                             e305a970
    ElapsedTime                       02:46:57.484
    UserTime                          00:00:00.015
    KernelTime                        00:00:12.140
    QuotaPoolUsage[PagedPool]         36940
    QuotaPoolUsage[NonPagedPool]      1480
    Working Set Sizes (now,min,max)   (4025, 50, 345) (16100KB, 200KB, 1380KB)
    PeakWorkingSetSize                4025
    VirtualSize                       18 Mb
    PeakVirtualSize                   18 Mb
    PageFaultCount                    4014
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      320
    DebugPort                         896f4ad8



Tricks – Code Injection

kd> .process /p 891a8690
Implicit process is now 891a8690
.cache forcedecodeuser done
kd> .reload
Connected to Windows XP 2600 x86 compatible target at (Fri Oct 14 01:41:27.977 2016 (UTC - 3:00)), ptr64 FALSE
Loading Kernel Symbols
.....
kd> dc 43430000
43430000  00905a4d 00000003 00000004 0000ffff  MZ..............
43430010  000000b8 00000000 00000040 00000000  ........@.......
43430020  00000000 00000000 00000000 00000000  ................
43430030  00000000 00000000 00000000 000000f0  ................
43430040  0eba1f0e cd09b400 4c01b821 685421cd  ........!..L.!Th
43430050  70207369 72676f72 63206d61 6f6e6e61  is program canno
43430060  65622074 6e757220 206e6920 20534f44  t be run in DOS
43430070  65646f6d 0a0d0d2e 00000024 00000000  mode....$.......
kd> lm vt a 434300000
start    end      module name


Tricks – Code Injection

kd> lm vt a 7c800000
start    end      module name
7c800000 7c8f6000 kernel32
    Image path: C:\WINDOWS\system32\kernel32.dll
    Image name: kernel32.dll
    Timestamp:        Sun Apr 13 21:11:24 2008 (4802A12C)
    CheckSum:         000F44A2
    ImageSize:        000F6000
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel32
    OriginalFilename: kernel32
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2111)
    FileDescription:  Windows NT BASE API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.


Tricks - Hooking

• What is hooking?

• Why do we use hooking?

• What are the types and targets of hooking?


Usual function call – no hooking:

caller:
    .....
    push param3
    push param2
    push param1
    call good_function
    mov ebx, eax
    ....

good_function:
    push ebp
    mov ebp, esp
    ...good things...
    ret

Types and targets of hooking: SSDT, IAT, EAT, IDT, Inline, Detour, IRP.


Tricks - Hooking


The call is redirected to bad_function and the original function is never called:

caller:
    .....
    push param3
    push param2
    push param1
    call bad_function
    mov ebx, eax
    ....

bad_function:
    push ebp
    mov ebp, esp
    .....bad things....
    .....
    ret

good_function:
    push ebp
    mov ebp, esp
    ...good things...
    ret


Tricks - Hooking


The call is redirected to bad_function, which then calls the original function:

caller:
    .....
    push param3
    push param2
    push param1
    call bad_function
    mov ebx, eax
    ....

bad_function:
    push ebp
    mov ebp, esp
    .....bad things....
    call good_function
    ....
    ret

good_function:
    push ebp
    mov ebp, esp
    ...good things...
    ret


Tricks - Hooking


The caller still calls good_function, whose body has been patched to call bad_function:

caller:
    .....
    push param3
    push param2
    push param1
    call good_function
    mov ebx, eax
    ....

good_function:
    push ebp
    mov ebp, esp
    ...good things...
    call bad_function
    ....
    ret

bad_function:
    push ebp
    mov ebp, esp
    ...bad things...
    ret


Tricks - Hooking

• Of course, it is impossible to explain how to code a hook during this presentation (tight time). However, take care while coding a hook:

• function_1_addr: 0x42420090

• function_2_addr: 0x42420490

• It is quite common to hear professionals make the following wrong statement when programming a hook:

• function_2_addr = function_1_addr + offset (0x400).

• However, it is wrong. Why?


Tricks - Hooking

• function_1_addr: 0x42420000

• function_2_addr: 0x42420500

• function_2_addr = function_1_addr + offset (0x400) + 5

• offset = function_2_addr – function_1_addr – 5

• function_1:


Original function_1:
    0x42420090: push ebp
    0x42420091: mov ebp, esp
    0x42420093: sub esp, 0x20
    0x42420096: push ecx
    0x42420097: mov ecx, eax

Hooked function_1 (the 5-byte jmp overwrites the first three instructions; a nop pads the sixth byte):
    0x42420090: jmp function_2_addr
    0x42420095: nop
    0x42420096: push ecx
    0x42420097: mov ecx, eax


Tricks - Hooking

Example 1:
0x010f0000 bdbcd47705   MOV EBP, 0x577d4bc
0x010f0005 8bff         MOV EDI, EDI
0x010f0007 55           PUSH EBP
0x010f0008 8bec         MOV EBP, ESP
0x010f000a e9b3bcc576   JMP 0x77d4bcc2
0x010f000f 0000         ADD [EAX], AL
0x010f0011 0000         ADD [EAX], AL

Example 2:
0x010e0000 58           POP EAX
0x010e0001 6805000f01   PUSH DWORD 0x10f0005
0x010e0006 6800000000   PUSH DWORD 0x0
0x010e000b 680000807c   PUSH DWORD 0x7c800000
0x010e0010 6828180310   PUSH DWORD 0x10031828
0x010e0015 50           PUSH EAX
0x010e0016 68619f0210   PUSH DWORD 0x10029f61
0x010e001b c3           RET
0x010e001c 0000         ADD [EAX], AL


Tricks - Hooking

Example 3:
0x01410000 MOV EAX, 0x35
0x01410005 JMP 0x7c90d7d7
0x0141000a MOV EAX, 0x7c90df63
0x0141000f JMP EAX
0x01410014 MOV EDI, EDI
0x01410016 PUSH EBP
0x01410017 MOV EBP, ESP

Example 4:
0x7c900056 eb04               JMP 0x7c90005c
0x7c900058 b205               MOV DL, 0x5
0x7c90005a eb00               JMP 0x7c90005c
0x7c90005c 52                 PUSH EDX
0x7c90005d e804000000         CALL 0x7c900066
0x7c900062 f20094005aff2269   ADD [EAX+EAX+0x6922ff5a], DL
0x7c90006a 6e                 OUTS DX, BYTE [ESI]
0x7c900066 5a                 POP EDX
0x7c900067 ff22               JMP DWORD [EDX]


Tricks - Hooking

• Import Address Table:

• Remember that the import table of a PE file holds:

• pointers to the names of the API functions that a process uses at run time.

• the names of the DLLs that contain each function.

• the addresses of the API functions used by the process.

• How can an IAT entry be hooked?

• Inject a DLL into the process address space.

• The DLL examines the PE header to find where the pointer to the function is stored.

• The DLL overwrites the pointer so that it points to a bad function.


Tricks - Hooking


[Diagram: IAT hooking – the Import Address Table of Application 1 points at function_1 in good_dll.dll (DOS Header, PE Header, Section Table, .text section holding function_1..function_4, .data section); the hook redirects that entry to bad_dll.dll.]


Tricks - Hooking

• Export Address Table:

• It holds the names of the functions exported by a DLL.

• Additionally, it holds each function's RVA (Relative Virtual Address) with respect to the base address of the DLL loaded in memory.

• Remember that an RVA is an address relative to the base address of a DLL (for example). Therefore, VA = Base Address + RVA.

• Detecting EAT hooks is easy:

• We should enumerate each active process (from the EPROCESS structures).

• List all DLLs loaded by each process (this information comes from the PEB and/or the VAD).

• For each DLL in the list, gather the DLL name, base address and its respective size.

• Dump the .exe and rebuild the PE structure.

• Locate the IAT.

• For each function, add its RVA to the DLL base address. Check whether the resulting address falls outside the memory range of the DLL.


Tricks - Hooking


[Diagram: EAT hooking – the Export Address Table of DLL 1 (DOS Header, PE Header, Section Table, .text section holding function_1..function_4, .data section) has an export entry redirected to bad_dll.dll.]


Tricks - Hooking


0x771d325f JMP 0x8e7415
0x771d3264 SUB ESP, 0x10
0x771d3267 PUSH EBX
0x771d3268 XOR EBX, EBX
0x771d326a CMP [0x77239850], EBX

[Diagram: Inline hooking – the first instruction of function_1 in DLL 1 (DOS Header, PE Header, Section Table, .text section holding function_1..function_4, Export Address Table) is replaced by the JMP above, which lands in bad_dll.dll.]


Tricks - Hooking

root@kali:~ # python /root/volatility25/vol.py -f ./malware4.vmem apihooks
Volatility Foundation Volatility Framework 2.5
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 676 (services.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b0000)
Function: ntdll.dll!NtCreateThread at 0x7c90d7d2
Hook address: 0x7e3b47
Hooking module: <unknown>

Disassembly(0):
0x7c90d7d2 e97063ed83       JMP 0x7e3b47
0x7c90d7d7 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90d7dc ff12             CALL DWORD [EDX]
0x7c90d7de c22000           RET 0x20
0x7c90d7e1 90               NOP
0x7c90d7e2 90               NOP
......
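As an added example (not code from the slides or from Volatility), the Python code below ties the earlier hooking slides to this apihooks output: it computes the E9 rel32 displacement with the "- 5" correction from the function_1/function_2 slide, decodes such a jmp back to its absolute target (Example 1 above decodes to 0x77d4bcc2, and the NtCreateThread bytes here to 0x7e3b47), and applies the same "does base + RVA / target stay inside the module range" check the EAT section describes to flag a prologue that jumps out of its own module. The module ranges are those printed on the slides; the clean prologue and the export list are constructed.

```python
import struct


def jmp_rel32(hook_addr, target):
    """Encode `jmp target` (opcode E9 + rel32) to be placed at hook_addr.
    rel32 is relative to the END of the 5-byte instruction, which is why the
    slide's formula is offset = function_2_addr - function_1_addr - 5."""
    rel = (target - (hook_addr + 5)) & 0xffffffff
    return b"\xe9" + struct.pack("<I", rel)


def decode_jmp_rel32(addr, code):
    """Absolute target of an E9 rel32 located at addr, or None if code does not
    start with one. The displacement is signed, so backward jumps decode too."""
    if len(code) < 5 or code[0] != 0xe9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel) & 0xffffffff


def module_of(addr, modules):
    """Name of the module whose [start, end) range contains addr, else None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def check_inline_hook(func_name, func_addr, prologue, modules):
    """Report a function whose first instruction is a jmp leaving its own
    module, the pattern apihooks prints as Inline/Trampoline. None if clean."""
    target = decode_jmp_rel32(func_addr, prologue)
    if target is None:
        return None
    victim = module_of(func_addr, modules)
    hooking = module_of(target, modules)
    if hooking == victim:
        return None                      # intra-module jump, not a hook by itself
    return {"function": func_name, "hook_address": target,
            "hooking_module": hooking or "<unknown>"}


def exports_outside_module(base, end, exports):
    """EAT check from the slides: VA = base + RVA must fall inside [base, end).
    exports is a list of (name, rva); returns the names that point elsewhere."""
    return [name for name, rva in exports if not base <= base + rva < end]


# Module ranges as printed on the slides (apihooks and lm output).
MODULES = [
    (0x7c800000, 0x7c8f6000, "kernel32.dll"),
    (0x7c900000, 0x7c9b0000, "ntdll.dll"),
]
# First bytes of ntdll!NtCreateThread exactly as apihooks disassembled them.
NTCREATETHREAD_HOOKED = bytes.fromhex("e97063ed83" "ba0003fe7f")
# Constructed clean prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")
# Constructed export list: one sane RVA and one that leaves the ntdll range.
SAMPLE_EXPORTS = [("NtCreateThread", 0xd7d2), ("Tampered", 0x00ee0000)]

if __name__ == "__main__":
    print(jmp_rel32(0x42420090, 0x42420490).hex())              # e9fb030000
    print(check_inline_hook("NtCreateThread", 0x7c90d7d2, NTCREATETHREAD_HOOKED, MODULES))
    print(exports_outside_module(0x7c900000, 0x7c9b0000, SAMPLE_EXPORTS))
```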


Tricks - Hooking

• If you want to try a brute-force check for any kind of hooking, it is possible to try:

kd> .sympath+ SRV*C:\symbols*http://msdl.microsoft.com/download/symbols

kd> .reload

kd> !for_each_module "!chkimg @#ModuleName"


78


Finding Registries


79


Finding Registries

Index 34d: 6271c075 kcb=e15bb508 cell=00137170 f=00200004 \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\HTTP

kd> !reg cellindex e1018370 00137170

Map = e101e000 Type = 0 Table = 0 Block = 137 Offset = 170

MapTable = e101f000

BlockAddress = d9638000

pcell: d9638174 KeyNodeAddress

kd> !reg valuelist e1018370 d9638174

Dumping ValueList of Key <HTTP> :

[Idx] [ValAddr] [ValueName]

[ 0] d96381cc DisplayName

[ 1] d963820c Description

[ 2] d9638384 ErrorControl

[ 3] d96383ac ImagePath

[ 4] d9638424 Start

[ 5] d9638444 Type


80


Finding Registries

kd> !reg kvalue d96383ac
Signature: CM_KEY_VALUE_SIGNATURE (kv)
Name : ImagePath {compressed}
DataLength: 34
Data : 1373d0 [cell index]
Type : 2

kd> !reg cellindex e1018370 1373d0
Map = e101e000 Type = 0 Table = 0 Block = 137 Offset = 3d0
MapTable = e101f000
BlockAddress = d9638000
pcell: d96383d4

kd> dc d96383d4
d96383d4 00790053 00740073 006d0065 00320033 S.y.s.t.e.m.3.2.
d96383e4 0044005c 00690072 00650076 00730072 \.D.r.i.v.e.r.s.
d96383f4 0048005c 00540054 002e0050 00790073 \.H.T.T.P...s.y.
d9638404 00000073 fffffff8 00137670 fffffff0 s.......pv......
d9638414 00300032 00000031 00000000 ffffffe0 2.0.1...........
d9638424 00056b76 80000004 00000003 00000004 vk..............
d9638434 00000001 72617453 00000074 ffffffe0 ....Start.......
d9638444 00046b76 80000004 00000001 00000004 vk..............
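The !reg kvalue, !reg cellindex and dc walk above can be reproduced offline by parsing the CM_KEY_VALUE ("vk") cells directly from hive bytes. This is an added example, not the deck's code: the Start and Type cells are transcribed from the dc dump, while the ImagePath cell, the name bytes of Type and the cell-index table are rebuilt from the !reg output.

```python
import struct
from typing import Dict, Tuple, Union

# Constructed from the listings above: raw "vk" cells of the HTTP service key,
# laid out as the dc dump shows them (bytes after the 4-byte cell size field).
VK_START = bytes.fromhex("766b0500 04000080 03000000 04000000 01000000 5374617274")
VK_TYPE = bytes.fromhex("766b0400 04000080 01000000 04000000 01000000 54797065")  # "Type" name bytes assumed
VK_IMAGEPATH = bytes.fromhex("766b0900 34000000 d0731300 02000000 01000000") + b"ImagePath"
# Hive cells reachable by cell index, standing in for `!reg cellindex`: 0x1373d0 is
# the REG_EXPAND_SZ data "System32\Drivers\HTTP.sys\0" (0x34 bytes, as DataLength says).
CELLS: Dict[int, bytes] = {0x1373D0: "System32\\Drivers\\HTTP.sys\0".encode("utf-16-le")}

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
VALUE_COMP_NAME = 0x0001      # Flags bit: value name stored as 8-bit chars ({compressed})
DATA_IN_OFFSET = 0x80000000   # DataLength bit: data (<= 4 bytes) lives in the Data field itself


def decode_value(cell: bytes, cells: Dict[int, bytes]) -> Tuple[str, int, Union[int, str, bytes]]:
    """Decode one vk cell to (name, type, value), resolving the Data cell index when needed."""
    sig, name_len, data_len, data, vtype, flags = struct.unpack_from("<2sHIIIH", cell, 0)
    if sig != b"vk":
        raise ValueError("not a CM_KEY_VALUE cell")
    raw_name = cell[20:20 + name_len]               # Name follows the 20-byte header
    name = raw_name.decode("latin-1") if flags & VALUE_COMP_NAME else raw_name.decode("utf-16-le")
    if data_len & DATA_IN_OFFSET:                   # small data: the Data field is the value
        size = data_len & ~DATA_IN_OFFSET
        payload = struct.pack("<I", data)[:size]
    else:                                           # otherwise Data is a cell index into the hive
        payload = cells[data][:data_len]
    if vtype == REG_DWORD:
        return name, vtype, struct.unpack("<I", payload)[0]
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return name, vtype, payload.decode("utf-16-le").rstrip("\0")
    return name, vtype, payload


# Service-control meanings of the Start/Type DWORDs, for reading the result.
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
SERVICE_TYPE = {1: "KERNEL_DRIVER", 2: "FILE_SYSTEM_DRIVER", 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}

if __name__ == "__main__":
    for vk in (VK_START, VK_TYPE, VK_IMAGEPATH):
        print(decode_value(vk, CELLS))
```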


81


Thank you for attending my lecture!

LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Blog: http://alexandreborges.org
E-mail: [email protected]

• Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.

• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.

• Member of the CHFI Advisory Board in EC-Council.

• Reviewer member of The Journal of Digital Forensics, Security and Law.

• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.

• Author of the book “Oracle Solaris Advanced Administration”.