Few tricks used by malware
H2HC University 2016
By Alexandre Borges
It is not allowed to copy or reproduce this slide.

Profile and TOC
TOC:
• Introduction
• DKOM
• Process Hollowing
• SSDT
• Code Injection
• Hooking
• Finding Registries

Alexandre Borges:
• Malware and Security Researcher.
• Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board at EC-Council.
• Reviewer member of The Journal of Digital Forensics, Security and Law.
• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the "Oracle Solaris Advanced Administration" book.
Introduction
• Tools are important, but they are not everything.
• Keep your tools updated (licensed tools).
• Strong knowledge of the kernel (Windows, Linux and Mac OS X) and of programming against its APIs is a must.
• Sandboxes such as Cuckoo are useful, but they are not effective against the most complex malware.
• Classical approach: static vs. dynamic analysis.
• Emulation is an interesting method (IDAEmu and Unicorn).
• Do you use Radare2 and/or Capstone / Keystone (disassembly / assembly engines)?
• Suggested lab: Windows XP SP3 + Windows 7/8 + Linux (REMnux and Kali).
Tricks

Tricks - DKOM
Figure: the path from the processor to the process list. The KPRCB holds the CurrentThread, NextThread and IdleThread pointers to KTHREAD objects (KTHREAD is the first member of ETHREAD); the thread's ApcState points to its KPROCESS (the first member of EPROCESS), and EPROCESS carries the ActiveProcessLinks list entry { FLINK, BLINK } that chains every process together.

KPRCB (Kernel Processor Control Block, embedded in the KPCR, the Kernel Processor Control Region): it contains information about the processor, and it is no longer at a fixed address (since Windows Vista).

Tricks - DKOM
Figure: three list entries 101, 102 and 103 chained by flink/blink, before and after the DKOM unlink of 102. After the unlink, 101's flink points to 103 and 103's blink points to 101, so a walk of the list never reaches 102 although its EPROCESS still exists in memory.
Tricks - DKOM
C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64> windbg.exe -k com:pipe,port=\\.\pipe\com_1

kd> dt _KPRCB
nt!_KPRCB
   +0x000 MxCsr            : Uint4B
   .....
   +0x007 IdleHalt         : UChar
   +0x008 CurrentThread    : Ptr64 _KTHREAD
   +0x010 NextThread       : Ptr64 _KTHREAD
   +0x018 IdleThread       : Ptr64 _KTHREAD
   +0x020 NestingLevel     : UChar
   +0x021 PrcbPad00        : [3] UChar

kd> !prcb
PRCB for Processor 0 at fffff80002bf8e80:
Current IRQL -- 13
Threads--  Current fffff80002c06cc0 Next 0000000000000000 Idle fffff80002c06cc0
Processor Index 0 Number (0, 0) GroupSetMember 1
......

Tricks - DKOM
kd> dt nt!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x368 CreateTime       : _LARGE_INTEGER
   +0x370 ExitTime         : _LARGE_INTEGER
   +0x370 KeyedWaitChain   : _LIST_ENTRY
   +0x380 ExitStatus       : Int4B
   ....

kd> dt _KTHREAD
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : Uint8B
   ......
   +0x04c MiscFlags        : Int4B
   +0x050 ApcState         : _KAPC_STATE
   +0x050 ApcStateFill     : [43] UChar
   +0x07b Priority         : Char
   +0x07c NextProcessor    : Uint4B
Tricks - DKOM
kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x160 ProcessLock      : _EX_PUSH_LOCK
   +0x168 CreateTime       : _LARGE_INTEGER
   +0x170 ExitTime         : _LARGE_INTEGER
   +0x178 RundownProtect   : _EX_RUNDOWN_REF
   +0x180 UniqueProcessId  : Ptr64 Void
   +0x188 ActiveProcessLinks : _LIST_ENTRY
   +0x198 ProcessQuotaUsage : [2] Uint8B
   +0x1a8 ProcessQuotaPeak : [2] Uint8B
   ...

kd> dt nt!_LIST_ENTRY
   +0x000 Flink            : Ptr64 _LIST_ENTRY
   +0x008 Blink            : Ptr64 _LIST_ENTRY

(These are Windows 7 x64 offsets; the XP x86 dumps that follow use different ones, with ActiveProcessLinks at +0x088.)
Tricks - DKOM
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 89e43830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00334000  ObjectTable: e1000c98  HandleCount: 253.
    Image: System

PROCESS 89b92340  SessionId: none  Cid: 0178    Peb: 7ffde000  ParentCid: 0004
    DirBase: 10980020  ObjectTable: e15227a8  HandleCount:  19.
    Image: smss.exe

PROCESS 89957020  SessionId: 0  Cid: 025c    Peb: 7ffdf000  ParentCid: 0178
    DirBase: 10980040  ObjectTable: e15f6858  HandleCount: 356.
    Image: csrss.exe

PROCESS 898e0020  SessionId: 0  Cid: 0280    Peb: 7ffd6000  ParentCid: 0178
    DirBase: 10980060  ObjectTable: e143a500  HandleCount: 525.
    Image: winlogon.exe

PROCESS 89ae6020  SessionId: 0  Cid: 02e4    Peb: 7ffdd000  ParentCid: 0280
    DirBase: 10980080  ObjectTable: e197c8e8  HandleCount: 262.
    Image: services.exe
.....
Tricks - DKOM
kd> dt nt!_EPROCESS 89ae6020   // base of this _EPROCESS (services.exe, XP x86)
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER 0x01d22032`83696cc6
   +0x078 ExitTime         : _LARGE_INTEGER 0x0
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : 0x000002e4 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x89afee28 - 0x898e00a8 ]
   +0x090 QuotaUsage       : [3] 0x17d0
   +0x09c QuotaPeak        : [3] 0x1c88

kd> x nt!psact*
8055a158 nt!PsActiveProcessHead
Tricks - DKOM
kd> dt nt!_LIST_ENTRY 8055a158
 [ 0x89e438b8 - 0x897d7b78 ]
   +0x000 Flink            : 0x89e438b8 _LIST_ENTRY [ 0x89b923c8 - 0x8055a158 ]
   +0x004 Blink            : 0x897d7b78 _LIST_ENTRY [ 0x8055a158 - 0x899415e0 ]

The first attempt below has spaces around the minus sign, so dt takes 0x89e438b8 (the list entry itself, not the start of the EPROCESS) as the address and the fields come out empty:

kd> dt nt!_EPROCESS 0x89e438b8 - 0x088 -l ActiveProcessLinks.Flink -y ImageFileName
ActiveProcessLinks.Flink at 0x89e438b8
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x0 - 0x0 ]
   +0x174 ImageFileName    : [16]  ""

Without the spaces the expression is evaluated, the walk starts at the real EPROCESS base (0x89e438b8 - 0x88 = 0x89e43830, the System process from !process above) and -l follows Flink through the whole list:

kd> dt nt!_EPROCESS 0x89e438b8-0x088 -l ActiveProcessLinks.Flink -y ImageFileName
ActiveProcessLinks.Flink at 0x89e43830
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x89b923c8 - 0x8055a158 ]
   +0x174 ImageFileName    : [16]  "System"

ActiveProcessLinks.Flink at 0x89b92340
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x899570a8 - 0x89e438b8 ]
   +0x174 ImageFileName    : [16]  "smss.exe"
Tricks - DKOM
• It is possible to perform DKOM from a kernel driver, but it is also feasible to execute it from userland:
• Enable SeDebugPrivilege:
   RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &oldpriv);
• Locate the base address of the kernel module (ntoskrnl.exe) with NtQuerySystemInformation():
   NtQuerySystemInformation(SystemModuleInformation, &infomod, sizeof(infomod), NULL);
• Extract the base address of the kernel executive module (ntoskrnl.exe), which is the first entry of the module list:
   kernelbase = (ULONG)infomod.Modules[0].ImageBase;
Tricks - DKOM
• The PsInitialSystemProcess variable points to the _EPROCESS of the System process, so the next step is to get the address of PsInitialSystemProcess. Load ntoskrnl.exe into the user process with LoadLibraryA, resolve the export with GetProcAddress (a user-mode address) and rebase it onto the real kernel load address:
   kernelhandle = LoadLibraryA(kernelfilename); // ntoskrnl.exe
   psinitialsys_addr = (ULONG)GetProcAddress(kernelhandle, "PsInitialSystemProcess") - (ULONG)kernelhandle + kernelbase;
   (This is the kernel address of the variable; the EPROCESS pointer stored in it must then be read from kernel memory.)
• Walk the linked list searching for the target process to hide (remember: ActiveProcessLinks is at offset 0x88 on XP x86).
• NtSystemDebugControl() reads and writes (SysDbgReadVirtual / SysDbgWriteVirtual) kernel memory at a specific address, here 4 bytes at a time. Thus it is possible to overwrite the Flink and Blink pointers from user mode. Caveat: this works on the Windows XP lab used here; from Windows Vista onwards these commands fail unless a kernel debugger is active, so user-mode DKOM on newer systems needs another kernel read/write primitive.
Tricks - DKOM
• NtSystemDebugControl(
      IN SYSDBG_COMMAND Command,
      IN PVOID InputBuffer OPTIONAL,
      IN ULONG InputBufferLength,
      OUT PVOID OutputBuffer OPTIONAL,
      IN ULONG OutputBufferLength,
      OUT PULONG ReturnLength OPTIONAL );

• NtSystemDebugControl( SysDbgReadVirtual,
      &dbgmembuff,          // a SYSDBG_VIRTUAL { Address, Buffer, Request }
      sizeof(dbgmembuff),
      NULL,
      0,
      NULL );
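The unlink described on the DKOM slides above, and the cross-view check that memory-forensics tools (Volatility's psxview, for instance) use to catch it, as an added example that is not code from the deck. It runs in user mode over a toy model: LIST_ENTRY, a reduced EPROCESS with only the fields the slides use, a plain array standing in for the non-paged pool, and CONTAINING_RECORD reimplemented with offsetof. The 101/102/103 PIDs and the lass.exe name are taken from the slides; everything else (function names, the pool model) is this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the H2HC deck: a user-mode model of the
 * EPROCESS.ActiveProcessLinks list, the DKOM unlink, and the cross-view check
 * (list walk vs. pool scan) that tools such as Volatility's psxview perform.
 * The structures are deliberately reduced to the fields the slides use. */

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct {                      /* toy _EPROCESS */
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];
} EPROCESS;

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

#define MAX_PROCS 8
static EPROCESS   pool[MAX_PROCS];    /* every EPROCESS ever allocated, linked or not */
static int        pool_used;
static LIST_ENTRY PsActiveProcessHead;

static void init_list(void) {
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    pool_used = 0;
}

/* Like process creation: allocate from the pool and append to the list tail. */
static EPROCESS *create_process(uint32_t pid, const char *name) {
    EPROCESS *p = &pool[pool_used++];
    memset(p, 0, sizeof *p);
    p->UniqueProcessId = pid;
    strncpy(p->ImageFileName, name, sizeof p->ImageFileName - 1);
    LIST_ENTRY *e = &p->ActiveProcessLinks, *tail = PsActiveProcessHead.Blink;
    e->Flink = &PsActiveProcessHead;
    e->Blink = tail;
    tail->Flink = e;
    PsActiveProcessHead.Blink = e;
    return p;
}

/* The DKOM unlink from the 101/102/103 diagram: the neighbours now point past
 * the victim. The victim's own links are pointed at itself so a later
 * RemoveEntryList on process exit does not corrupt the list. */
static void dkom_hide(EPROCESS *victim) {
    LIST_ENTRY *e = &victim->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;       /* 101.Flink -> 103 */
    e->Flink->Blink = e->Blink;       /* 103.Blink -> 101 */
    e->Flink = e->Blink = e;
}

/* "pslist" view: walk PsActiveProcessHead, as !process 0 0 does. */
static int pslist(uint32_t *pids, int max) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink;
         e != &PsActiveProcessHead && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* "psscan" view: scan the pool for EPROCESS objects regardless of linkage. */
static int psscan(uint32_t *pids, int max) {
    int n = 0;
    for (int i = 0; i < pool_used && n < max; i++)
        pids[n++] = pool[i].UniqueProcessId;
    return n;
}

/* psxview-style cross-view: seen by the scan but not by the walk == unlinked.
 * Returns the number of hidden PIDs, written to hidden[]. */
static int cross_view(uint32_t *hidden, int max) {
    uint32_t a[MAX_PROCS], b[MAX_PROCS];
    int na = pslist(a, MAX_PROCS), nb = psscan(b, MAX_PROCS), nh = 0;
    for (int i = 0; i < nb; i++) {
        int found = 0;
        for (int j = 0; j < na; j++) found |= (a[j] == b[i]);
        if (!found && nh < max) hidden[nh++] = b[i];
    }
    return nh;
}

/* Builds the 101/102/103 scenario, hides 102, and returns the PID the
 * cross-view reports as hidden (0 if none). */
static uint32_t demo_hidden_pid(void) {
    init_list();
    create_process(101, "System");
    EPROCESS *victim = create_process(102, "lass.exe");
    create_process(103, "smss.exe");
    dkom_hide(victim);
    uint32_t hidden[MAX_PROCS];
    return cross_view(hidden, MAX_PROCS) == 1 ? hidden[0] : 0;
}

int main(void) {
    uint32_t hidden_pid = demo_hidden_pid();
    printf("%-10s %-5s %-6s %-6s\n", "Name", "PID", "pslist", "psscan");
    for (int i = 0; i < pool_used; i++)
        printf("%-10s %-5u %-6s %-6s\n", pool[i].ImageFileName, pool[i].UniqueProcessId,
               pool[i].UniqueProcessId == hidden_pid ? "False" : "True", "True");
    return 0;
}
```

The walk and the scan disagree only for the unlinked entry, which is the whole basis of psxview: the EPROCESS still sits in the pool with a valid pool tag, it has just been removed from the chain that !process 0 0, Task Manager and the pslist plugin all follow.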
Tricks - DKOM
root@kali:~/volatility25# python vol.py --profile=WinXPSP2x86 -f /malwares/malware2.vmem psxview
Volatility Foundation Volatility Framework 2.5
Offset(P)  Name           PID   pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------- ----- ------ ------ -------- ------ ----- ------- -------- --------
0x06499b80 svchost.exe    711   True   True   True     True   True  True    True
0x04b5a980 VMwareUser.exe 109   True   True   True     True   True  True    True
0x05f027e0 explorer.exe   216   True   True   True     True   True  True    True
0x010f7588 wuauclt.exe    468   True   True   True     True   True  True    True
0x04c2b310 wscntfy.exe    888   True   True   True     True   True  True    True
0x061ef558 svchost.exe    491   True   True   True     True   True  True    True
0x06015020 services.exe   878   True   True   True     True   True  True    True
0x06384230 vmacthlp.exe   844   True   True   True     True   True  True    True
0x069d5b28 vmtoolsd.exe   537   True   True   True     True   True  True    True
0x06945da0 spoolsv.exe    1432  True   True   True     True   True  True    True
0x05f47020 lsass.exe      688   True   True   True     True   True  True    True
0x0113f648 lass.exe       1336  False  True   True     True   True  True    True
0x04a065d0 svchost.exe    1724  True   True   True     True   True  True    True
0x066f0978 winlogon.exe   831   True   True   True     True   True  True    True
........

The cross-view gives the DKOM away: lass.exe (PID 1336, a look-alike of lsass.exe) is found by the pool scan and by every other source, but not by pslist, which walks ActiveProcessLinks; it was unlinked from the list.

Tricks - Hollowing
• Hollowing (or process replacement) is one of the cleverest tricks used by malware to stay stealthy. Basically, the malware:
• Starts a new instance of a legitimate process in a suspended state:
   CreateProcess( ) with CREATE_SUSPENDED;
• Opens and reads the malicious code (the PE image to inject);
• Gets the base address of the destination image: NtQueryInformationProcess( ) returns the address of the PEB (Process Environment Block), which holds ImageBaseAddress;
• Unmaps the original image section from the target process: NtUnmapViewOfSection( );
Tricks - Hollowing
• Allocates a new block of memory to hold the malicious code: VirtualAllocEx( );
• Copies the source image (the malicious PE header and then each PE section) into the newly allocated memory: WriteProcessMemory( );
• Sets the start address of the first (suspended) thread to the entry point of the malicious image: GetThreadContext( ) + SetThreadContext( ) (on x86 the EAX register of the captured context holds the entry point of the initial thread);
• Resumes the thread: ResumeThread( ).
Tricks – SSDT
• SSDT (System Service Descriptor Table)
• It holds pointers to kernel functions. Therefore, when a user-mode application requests a system service (writing a file, for example), ntdll.dll helps the calling thread to cross into kernel land.
• To enter kernel land, two instructions can be used:
   • INT 2E (Windows 2000)
   • SYSENTER (XP and up; SYSCALL on x64)
Tricks – SSDT
• Path from the application (userland) to the kernel:
   • SYSENTER
   • KiSystemService( )
   • SSDT 1 (in the call table)
   • Native SSDT (service table)
   • Functions (function table) in ntkrnlpa.exe (the kernel-mode executive)
• There is another SSDT (GUI, provided by win32k.sys) and two other unused slots in the call table.
• Malware tries to overwrite pointers in the SSDT to hook functions.
• Nowadays it is a bit more complicated because of PatchGuard and because different system call tables can be in use on different cores.
• It is feasible to bypass PatchGuard. For example, check this: http://phrack.org/issues/69/15.html#article
Tricks – SSDT hooking
Figure: the system call path and where a hook lands.
   Userland: Application -> WriteFile( ) (from Kernel32.dll) -> NtWriteFile( ) (from Ntdll.dll) -> INT 2e / SYSENTER
   Kernel:   KiSystemService( ) (from Ntoskrnl.exe) -> KeServiceDescriptorTable:
               SSDT 0 { Service Table, Counter Table, Service Limits, Arguments Table }
               SSDT 1
               Reserved
               Reserved
             -> Service Table entry for NtWriteFile( ), which the rootkit has redirected to its own function( ) instead of nt!NtWriteFile( )

Tricks – SSDT
• WinXPSP3 (32 bits): ServiceTableBase is an array of absolute function pointers.
• Win7SP1 (64 bits): ServiceTableBase (KiServiceTable) is an array of 32-bit values. Each is the offset of the function relative to KiServiceTable, shifted left by a nibble, with the number of stack arguments stored in the low nibble; the function pointer is KiServiceTable + (entry >> 4), using an arithmetic (sign-preserving) shift.

typedef struct _KSERVICE_DESCRIPTOR_TABLE
{
    PULONG ServiceTableBase;        // The table is exported as KiServiceTable
    PULONG ServiceCounterTableBase;
    ULONG  NumberOfServices;        // The number of entries in ServiceTableBase
    PUCHAR ParamTableBase;          // Points to an array of bytes (the SSPT, System Service Parameter Table,
                                    // exported as KiArgumentTable). Each byte holds the number of bytes of
                                    // function arguments to copy from the user stack.
} KSERVICE_DESCRIPTOR_TABLE, *PKSERVICE_DESCRIPTOR_TABLE;
Tricks – SSDT
kd> dps nt!KeServiceDescriptorTable
80552fa0  80501b8c nt!KiServiceTable
80552fa4  00000000
80552fa8  0000011c
80552fac  80502000 nt!KiArgumentTable
80552fb0  00000000
80552fb4  00000000
80552fb8  00000000
80552fbc  00000000
80552fc0  00000000
80552fc4  00000000
80552fc8  00000000
80552fcc  00000000
80552fd0  00000000
80552fd4  00000000
....
(The four dwords are the KSERVICE_DESCRIPTOR_TABLE fields: ServiceTableBase, ServiceCounterTableBase, NumberOfServices = 0x11c = 284, ParamTableBase.)

Tricks – SSDT
kd> dps KiServiceTable
80501b8c  80599948 nt!NtAcceptConnectPort
80501b90  805e6db6 nt!NtAccessCheck
80501b94  805ea5fc nt!NtAccessCheckAndAuditAlarm
80501b98  805e6de8 nt!NtAccessCheckByType
80501b9c  805ea636 nt!NtAccessCheckByTypeAndAuditAlarm
80501ba0  805e6e1e nt!NtAccessCheckByTypeResultList
80501ba4  805ea67a nt!NtAccessCheckByTypeResultListAndAuditAlarm
80501ba8  805ea6be nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
80501bac  8060bdfe nt!NtAddAtom
80501bb0  8060cb50 nt!NtSetBootEntryOrder
......
Tricks - SSDT
kd> dps nt!KeServiceDescriptorTableShadow
80552f60  80501b8c nt!KiServiceTable
80552f64  00000000
80552f68  0000011c
80552f6c  80502000 nt!KiArgumentTable
80552f70  bf999b80 win32k!W32pServiceTable
80552f74  00000000
80552f78  0000029b
80552f7c  bf99a890 win32k!W32pArgumentTable
80552f80  00000000
80552f84  00000000
80552f88  00000000
80552f8c  00000000
80552f90  00000000
80552f94  00000000
80552f98  00000000
80552f9c  00000000
80552fa0  80501b8c nt!KiServiceTable
80552fa4  00000000
80552fa8  0000011c
80552fac  80502000 nt!KiArgumentTable
80552fb0  00000000
80552fb4  00000000
Tricks - SSDT
kd> dps win32k!W32pServiceTable
bf999b80  bf935f7e win32k!NtGdiAbortDoc
bf999b84  bf947b29 win32k!NtGdiAbortPath
bf999b88  bf88ca52 win32k!NtGdiAddFontResourceW
bf999b8c  bf93f6f0 win32k!NtGdiAddRemoteFontToDC
bf999b90  bf949140 win32k!NtGdiAddFontMemResourceEx
bf999b94  bf936212 win32k!NtGdiRemoveMergeFont
bf999b98  bf9362b7 win32k!NtGdiAddRemoteMMInstanceToDC
bf999b9c  bf83b4cd win32k!NtGdiAlphaBlend
bf999ba0  bf948a67 win32k!NtGdiAngleArc
bf999ba4  bf934a17 win32k!NtGdiAnyLinkedFonts
bf999ba8  bf94905f win32k!NtGdiFontIsLinked
bf999bac  bf90f2f4 win32k!NtGdiArcInternal
bf999bb0  bf902318 win32k!NtGdiBeginPath
bf999bb4  bf809fdf win32k!NtGdiBitBlt
bf999bb8  bf948f31 win32k!NtGdiCancelDC
bf999bbc  bf94a72d win32k!NtGdiCheckBitmapBits
.....

Tricks - SSDT
win32k.sys lives in session space, so to read W32pServiceTable the debugger must be in the context of a GUI process of that session (winlogon.exe here):

kd> !process 0 0 winlogon.exe
PROCESS 898e0020  SessionId: 0  Cid: 0280    Peb: 7ffd6000  ParentCid: 0178
    DirBase: 10980060  ObjectTable: e143a500  HandleCount: 528.
    Image: winlogon.exe

kd> .process /p 898e0020
Implicit process is now 898e0020
.cache forcedecodeuser done

kd> .reload

Tricks - SSDT
The second descriptor of the shadow table (at +0x10) holds W32pServiceTable and, at +0x18, its entry count, so the GUI table can be dumped without naming the win32k symbol:

kd> dds poi(nt!KeServiceDescriptorTableShadow+10) L poi(nt!KeServiceDescriptorTableShadow+18)
....
bf999b80  bf935f7e win32k!NtGdiAbortDoc
bf999b84  bf947b29 win32k!NtGdiAbortPath
bf999b88  bf88ca52 win32k!NtGdiAddFontResourceW
bf999b8c  bf93f6f0 win32k!NtGdiAddRemoteFontToDC
bf999b90  bf949140 win32k!NtGdiAddFontMemResourceEx
bf999b94  bf936212 win32k!NtGdiRemoveMergeFont
bf999b98  bf9362b7 win32k!NtGdiAddRemoteMMInstanceToDC
bf999b9c  bf83b4cd win32k!NtGdiAlphaBlend
bf999ba0  bf948a67 win32k!NtGdiAngleArc
bf999ba4  bf934a17 win32k!NtGdiAnyLinkedFonts
bf999ba8  bf94905f win32k!NtGdiFontIsLinked
bf999bac  bf90f2f4 win32k!NtGdiArcInternal
...

Tricks – SSDT
On Windows 7 x64 the table holds encoded offsets instead of pointers:

kd> dd /c 1 KiServiceTable
fffff800`02ac0800  0418ff00
fffff800`02ac0804  02f86700
fffff800`02ac0808  fff6f400
fffff800`02ac080c  02ea4705
fffff800`02ac0810  031f6406
fffff800`02ac0814  0316a305
fffff800`02ac0818  02baf101
fffff800`02ac081c  02b34400
fffff800`02ac0820  03182140
fffff800`02ac0824  03f21b00
fffff800`02ac0828  02c85700
fffff800`02ac082c  02e99f80
......

Each value is the offset from KiServiceTable shifted left by 4 bits; the least significant nibble carries an additional piece of data, the number of arguments passed on the stack (the parameters beyond the four passed in registers). Entry 3, 02ea4705, is NtReadFile: offset 0x02ea470 and 5 stack arguments (NtReadFile takes 9 parameters). Negative offsets such as fff6f400 (NtCallbackReturn) point below the table, so the shift back must be arithmetic.

Tricks – SSDT
kd> .foreach /ps 1 /pS 1 ( aborges {dd /c 1 nt!KiServiceTable L poi(nt!KeServiceDescriptorTable+10)} ) { .printf "%y\n", ( aborges >>> 4) + nt!KiServiceTable }
nt!NtMapUserPhysicalPagesScatter (fffff800`02ed97f0)
nt!NtWaitForSingleObject (fffff800`02db8e70)
nt!NtCallbackReturn (fffff800`02ab7740)
nt!NtReadFile (fffff800`02daac70)
nt!NtDeviceIoControlFile (fffff800`02ddfe40)
nt!NtWriteFile (fffff800`02dd7230)
nt!NtRemoveIoCompletion (fffff800`02d7b710)
nt!NtReleaseSemaphore (fffff800`02d73c40)
nt!NtReplyWaitReceivePort (fffff800`02dd8a14)
nt!NtReplyPort (fffff800`02eb29b0)
....

(/ps 1 /pS 1 skips the address column that dd prints; >>> is the arithmetic shift, which keeps the sign of negative offsets; on x64, KeServiceDescriptorTable+10 holds NumberOfServices.)
Tricks - SSDT
The same listing with the DbgKit extension:

kd> !dbgkit.st
000: fffff80002ed97f0 nt!NtMapUserPhysicalPagesScatter
001: fffff80002db8e70 nt!NtWaitForSingleObject
002: fffff80002ab7740 nt!NtCallbackReturn
003: fffff80002daac70 nt!NtReadFile
004: fffff80002ddfe40 nt!NtDeviceIoControlFile
005: fffff80002dd7230 nt!NtWriteFile
006: fffff80002d7b710 nt!NtRemoveIoCompletion
007: fffff80002d73c40 nt!NtReleaseSemaphore
008: fffff80002dd8a14 nt!NtReplyWaitReceivePort
009: fffff80002eb29b0 nt!NtReplyPort
00a: fffff80002d88d70 nt!NtSetInformationThread
00b: fffff80002daa1f8 nt!NtSetEvent
00c: fffff80002dba230 nt!NtClose
00d: fffff80002da1990 nt!NtQueryObject
00e: fffff80002d9e120 nt!NtQueryInformationFile
.....(snip)....

Tricks - SSDT
Back on XP x86, dumping the service table itself (dwo returns the double-word value stored at the specified address, here ServiceTableBase):

kd> dd dwo(KeServiceDescriptorTable) L100
......
80501d5c  8056f39a 8056dd32 805cba0e 8061b658
80501d6c  8060d896 805ea704 805c1296 805e39fc
80501d7c  805e3660 8059f722 8060b254 805b977a
80501d8c  805c1522 805e3a1a 805e37d0 8060d1b0
80501d9c  8063bc78 805bf346 805eddce 805e9a16
80501dac  805e9c02 805ada08 806052dc 8056c0ce
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 baadc0de 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
80501dec  805cbee0 8059a6fc 805c2bfc 805c17c8
80501dfc  805e3afa 80607266 8060e060 8056ddda
80501e0c  8061b97e 806193d4 8060d93e 805bb04c
80501e1c  80619a80 8060e0ee 80570af2 805adbca

The slot at 80501dd0 holds baadc0de, which is not an address inside ntoskrnl: that entry has been overwritten. A hooked SSDT looks exactly like this, except that the entry points into the rootkit's own module rather than at a marker value.
Tricks - SSDT
The same dump with the slot intact, for comparison (80501dd0 now holds 8056f074):

kd> dd dwo(KeServiceDescriptorTable) L100
....
80501d5c  8056f39a 8056dd32 805cba0e 8061b658
80501d6c  8060d896 805ea704 805c1296 805e39fc
80501d7c  805e3660 8059f722 8060b254 805b977a
80501d8c  805c1522 805e3a1a 805e37d0 8060d1b0
80501d9c  8063bc78 805bf346 805eddce 805e9a16
80501dac  805e9c02 805ada08 806052dc 8056c0ce
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 8056f074 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
80501dec  805cbee0 8059a6fc 805c2bfc 805c17c8
80501dfc  805e3afa 80607266 8060e060 8056ddda
80501e0c  8061b97e 806193d4 8060d93e 805bb04c
.....
Tricks - SSDT
kd> uf 8056f074
nt!NtQueryDirectoryFile:
8056f074 8bff            mov     edi,edi
8056f076 55              push    ebp
8056f077 8bec            mov     ebp,esp
8056f079 8d452c          lea     eax,[ebp+2Ch]
8056f07c 50              push    eax
8056f07d 8d4528          lea     eax,[ebp+28h]
8056f080 50              push    eax
8056f081 8d4524          lea     eax,[ebp+24h]
8056f084 50              push    eax
8056f085 8d4520          lea     eax,[ebp+20h]
8056f088 50              push    eax

The original entry is NtQueryDirectoryFile, which enumerates the entries (files or directories) held in a file container object (a directory). The Win32 API uses it in the FindFirstFile / FindNextFile routines, which is why it is a favourite target of file-hiding rootkits: a hook can filter the returned entries before they reach the caller.
Tricks - SSDT
The !chkimg extension detects corruption in the image of an executable module by comparing the in-memory copy with the copy on the symbol store or another file repository:

kd> !chkimg nt -d
0 errors : nt

It is even possible to restore a hooked SSDT by writing the original bytes back with the following command:

kd> !chkimg nt -f
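The decoding and the hook check from the SSDT slides above, as an added example that is not code from the deck. It resolves Win7 x64 KiServiceTable entries the way the .foreach / !dbgkit.st listings do, reads the stack-argument nibble, and applies the test that a hook detector uses: an entry that resolves outside the module that should own the service is hooked. The x64 values and the KiServiceTable address are copied from the slides; the x86 excerpt is the row of the hooked dump containing baadc0de, and the nt range (804d7000-806cf580) is taken from the lm n listing on the code-injection slides further on. The function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the H2HC deck: decoding SSDT entries on both the
 * x86 (absolute pointers) and x64 (encoded offsets) layouts and flagging hooks
 * the way Volatility's ssdt plugin does: a service whose target lies outside
 * the owning kernel module is hooked. The table excerpts and the nt image
 * range below are copied from the slides; everything else is this example's. */

/* Win7 x64: entry = ((function - KiServiceTable) << 4) | stack_arg_count.
 * The shift back must be arithmetic, since functions can sit below the table
 * (NtCallbackReturn on the slides has a negative offset). */
static uint64_t decode_x64_entry(uint64_t ki_service_table, uint32_t entry) {
    int32_t offset = (int32_t)entry >> 4;   /* >>> in WinDbg's .foreach */
    return ki_service_table + (int64_t)offset;
}

/* Low nibble: arguments passed on the stack, i.e. parameters beyond the four
 * register arguments of the x64 calling convention. */
static unsigned x64_stack_args(uint32_t entry) { return entry & 0xF; }

/* XP x86: the table holds absolute function pointers, nothing to decode. */
static uint32_t decode_x86_entry(uint32_t entry) { return entry; }

/* The hook test: is the resolved target inside [mod_start, mod_end)? */
static int is_hooked(uint64_t target, uint64_t mod_start, uint64_t mod_end) {
    return !(target >= mod_start && target < mod_end);
}

/* Walk an x86 table and collect the indices of hooked entries. */
static int find_hooks_x86(const uint32_t *table, int n, uint32_t nt_start,
                          uint32_t nt_end, int *hooked, int max) {
    int k = 0;
    for (int i = 0; i < n; i++)
        if (is_hooked(decode_x86_entry(table[i]), nt_start, nt_end) && k < max)
            hooked[k++] = i;
    return k;
}

/* Sample data taken from the slides. */
#define KI_SERVICE_TABLE_X64 0xfffff80002ac0800ULL
static const uint32_t x64_entries[] = {
    0x0418ff00, 0x02f86700, 0xfff6f400, 0x02ea4705, 0x031f6406, 0x0316a305
};
/* The eight dwords starting at 80501dbc in the hooked x86 dump. */
#define X86_N 8
static const uint32_t x86_entries[X86_N] = {
    0x8060cb50, 0x8060cb50, 0x8053c02e, 0x80606e68,
    0x80607ac8, 0xbaadc0de, 0x805b3de0, 0x8056f3ca
};
/* nt (ntkrnlpa.exe) range from the "lm n" listing on the code-injection slides. */
#define NT_START_X86 0x804d7000u
#define NT_END_X86   0x806cf580u

int main(void) {
    for (size_t i = 0; i < sizeof x64_entries / sizeof *x64_entries; i++)
        printf("%03zu: %016llx  stack args=%u\n", i,
               (unsigned long long)decode_x64_entry(KI_SERVICE_TABLE_X64, x64_entries[i]),
               x64_stack_args(x64_entries[i]));
    int hooked[X86_N];
    int k = find_hooks_x86(x86_entries, X86_N, NT_START_X86, NT_END_X86, hooked, X86_N);
    for (int i = 0; i < k; i++)
        printf("x86 slot %d -> %08x lies outside nt: hooked\n",
               hooked[i], x86_entries[hooked[i]]);
    return 0;
}
```

The range test is deliberately coarse: it catches entries redirected into a rootkit driver or into pool memory, which is the common case, but not an inline patch of the first bytes of a function that still lives inside ntoskrnl; that is what !chkimg's byte comparison is for.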
Tricks - SSDT
The same check from a memory image with Volatility's ssdt plugin; entries owned by ntoskrnl or win32k are filtered out so that only the suspicious ones remain:

root@kali:~ # python /root/volatility25/vol.py -f ./malware5.vmem ssdt | egrep -v '(win32k|ntoskrnl)'
Volatility Foundation Volatility Framework 2.5
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at ff3aab90 with 284 entries
  Entry 0x0080: 0xff0d1f0b (NtOpenThread) owned by 00004A2A
  Entry 0x0089: 0xff0d2617 (NtProtectVirtualMemory) owned by 00004A2A
  Entry 0x00ad: 0xff0d1da0 (NtQuerySystemInformation) owned by 00004A2A
  Entry 0x00ba: 0xff0d256b (NtReadVirtualMemory) owned by 00004A2A
  Entry 0x00d5: 0xff0d2070 (NtSetContextThread) owned by 00004A2A
  Entry 0x00f7: 0xff0d2397 (NtSetValueKey) owned by 00004A2A
  Entry 0x00fe: 0xff0d201d (NtSuspendThread) owned by 00004A2A
  Entry 0x0102: 0xff0d1fca (NtTerminateThread) owned by 00004A2A
  Entry 0x0115: 0xff0d25c1 (NtWriteVirtualMemory) owned by 00004A2A
  Entry 0x0041: 0xff0d2487 (NtDeleteValueKey) owned by 00004A2A
  Entry 0x0047: 0xff0d216b (NtEnumerateKey) owned by 00004A2A
  Entry 0x0049: 0xff0d2267 (NtEnumerateValueKey) owned by 00004A2A
  Entry 0x0077: 0xff0d20c3 (NtOpenKey) owned by 00004A2A
  Entry 0x007a: 0xff0d1e93 (NtOpenProcess) owned by 00004A2A

Fourteen services are redirected into one module, reported as 00004A2A, that is neither the kernel nor win32k: process, thread, virtual-memory and registry services, which is the set a rootkit hooks to hide itself and to protect its persistence keys.

Code Injection
• What is code injection?
• Why does malware use code injection?
• What are the most common functions involved in code injection?
• Most usual types of code injection: DLL injection and direct injection.

Figure: the two variants, a Launcher / Trojan and a Target Process in each. In DLL injection the target process is made to load a malicious DLL; in direct injection the code is written straight into the target process.

Tricks - Code Injection
• Find the target process: CreateToolhelp32Snapshot( ), Process32First( ), Process32Next( ) and EnumProcessModules( );
• Get a handle to the target process: OpenProcess( );
• Allocate space in the remote process: VirtualAllocEx( );
• Write the malicious library name string (the DLL path) there: WriteProcessMemory( );
• Get the handle of kernel32.dll: GetModuleHandle("kernel32.dll");
• Get the address of LoadLibraryA inside kernel32.dll: GetProcAddress(...., "LoadLibraryA"). The local address is valid in the target because kernel32.dll is mapped at the same base in every process (ASLR randomizes it per boot, not per process);
• Create and execute a new thread in the remote process, with LoadLibraryA as its start routine and the DLL path as its parameter: CreateRemoteThread( );
• Wait until the remote thread (which runs DllMain( )) terminates: WaitForSingleObject( );
• Retrieve the exit code of the remote thread, i.e. the module handle returned by LoadLibraryA: GetExitCodeThread( );
• Free the allocated memory: VirtualFreeEx( );
• Unload the DLL from the remote process: CreateRemoteThread( ) + FreeLibrary( ).
Tricks – Code Injection
.text:00411260    call    ds:OpenProcess
.text:00411266    mov     [ebp+hProcess], eax
.text:0041126C    cmp     [ebp+hProcess], 0FFFFFFFFh
.text:00411273    jnz     short loc_41127D
.text:00411275    or      eax, 0FFFFFFFFh
.text:00411278    jmp     loc_411342
.......
.text:00411298    push    0               ; lpAddress
.text:0041129A    mov     edx, [ebp+hProcess]
.text:004112A0    push    edx             ; hProcess
.text:004112A1    call    ds:VirtualAllocEx
.text:004112A7    mov     [ebp+lpBaseAddress], eax
.text:004112AD    cmp     [ebp+lpBaseAddress], 0
.text:004112B4    jnz     short loc_4112BE
.......

Tricks – Code Injection
.....
.text:004112D2    push    ecx             ; lpBaseAddress
.text:004112D3    mov     edx, [ebp+hProcess]
.text:004112D9    push    edx             ; hProcess
.text:004112DA    call    ds:WriteProcessMemory
.text:004112E0    push    offset ModuleName ; "kernel32.dll"
.text:004112E5    call    ds:GetModuleHandleA
.text:004112EB    mov     [ebp+hModule], eax
.text:004112F1    push    offset aLoadlibrarya ; "LoadLibraryA"
.text:004112F6    mov     eax, [ebp+hModule]
.text:004112FC    push    eax             ; hModule
.text:004112FD    call    ds:GetProcAddress
.text:00411303    mov     [ebp+lpStartAddress], eax
.text:00411309    push    0               ; lpThreadId
.......
.text:0041131F    mov     eax, [ebp+hProcess]
.text:00411325    push    eax             ; hProcess
.text:00411326    call    ds:CreateRemoteThread
.text:0041132C    mov     [ebp+var_1180], eax
.....

The sequence OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> GetModuleHandleA("kernel32.dll") -> GetProcAddress("LoadLibraryA") -> CreateRemoteThread is the DLL-injection signature to look for in a disassembly. Note that the sample compares the OpenProcess result with 0FFFFFFFFh (INVALID_HANDLE_VALUE), while OpenProcess returns NULL on failure, so the check never fires and the code carries on with a NULL handle when the open fails.
Tricks – Code Injection
Useless for DLL injection: (figure)
Tricks – Code Injection
kd> lm n
start    end        module name
01000000 01062000   kd         kd.exe
01d00000 01d48000   symsrv     symsrv.dll
02000000 0239b000   dbgeng     dbgeng.dll
03000000 03141000   dbghelp    dbghelp.dll
77c00000 77c08000   VERSION    VERSION.dll
77c10000 77c68000   msvcrt     msvcrt.dll
77dd0000 77e6b000   ADVAPI32   ADVAPI32.dll
77e70000 77f02000   RPCRT4     RPCRT4.dll
77fe0000 77ff1000   Secur32    Secur32.dll
7c800000 7c8f6000   kernel32   kernel32.dll
7c900000 7c9af000   ntdll      ntdll.dll
804d7000 806cf580   nt         ntkrnlpa.exe
806d0000 806f0300   hal        halaacpi.dll
b1052000 b1075180   Fastfat    Fastfat.SYS
b13c1000 b1401a80   HTTP       HTTP.sys
b16fa000 b174bc00   srv        srv.sys
......

(This is a local kernel debugging session: kd.exe itself shows up as a user-mode module and LiveKdD.SYS appears in the lmf listing, so user-mode and kernel modules are listed together.)
Tricks – Code Injection
kd> lmf
start    end        module name
01000000 01062000   kd         C:\program files\Debugging Tools for Windows (x86)\kd.exe
01d00000 01d48000   symsrv     C:\program files\Debugging Tools for Windows (x86)\symsrv.dll
02000000 0239b000   dbgeng     C:\program files\Debugging Tools for Windows (x86)\dbgeng.dll
03000000 03141000   dbghelp    C:\program files\Debugging Tools for Windows (x86)\dbghelp.dll
77c00000 77c08000   VERSION    C:\WINDOWS\system32\VERSION.dll
77c10000 77c68000   msvcrt     C:\WINDOWS\system32\msvcrt.dll
77dd0000 77e6b000   ADVAPI32   C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000   RPCRT4     C:\WINDOWS\system32\RPCRT4.dll
77fe0000 77ff1000   Secur32    C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000   kernel32   C:\WINDOWS\system32\kernel32.dll
7c900000 7c9af000   ntdll      C:\WINDOWS\system32\ntdll.dll
804d7000 806cf580   nt         ntkrnlpa.exe
806d0000 806f0300   hal        halaacpi.dll
b1052000 b1075180   Fastfat    \SystemRoot\System32\Drivers\Fastfat.SYS
b13c1000 b1401a80   HTTP       \SystemRoot\System32\Drivers\HTTP.sys
b16fa000 b174bc00   srv        \SystemRoot\system32\DRIVERS\srv.sys
b179c000 b17a8000   LiveKdD    \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS
b183c000 b1868180   mrxdav     \SystemRoot\system32\DRIVERS\mrxdav.sys
......
Tricks – Code Injection
Searching the whole address space for the MZ signature (0x00905a4d as a little-endian dword: "MZ" followed by 0x90 0x00) finds every PE image, whether the loader knows about it or not:

kd> s -d 0x0 L?0xffffffff 0x00905a4d
0006e3a4  00905a4d 02338082 023380c2 00000000  MZ....3...3.....
008cc480  00905a4d 00000000 0006e5f8 00000000  MZ..............
01000000  00905a4d 00000003 00000004 0000ffff  MZ..............
010540a0  00905a4d 00000003 00000004 0000ffff  MZ..............
01d00000  00905a4d 00000003 00000004 0000ffff  MZ..............
02000000  00905a4d 00000003 00000004 0000ffff  MZ..............
0234fc98  00905a4d 00000000 008c9e98 00000000  MZ..............
02351918  00905a4d 00000000 02037788 00275e30  MZ......w..0^'.
03000000  00905a4d 00000003 00000004 0000ffff  MZ..............
77c00000  00905a4d 00000003 00000004 0000ffff  MZ..............
77c10000  00905a4d 00000003 00000004 0000ffff  MZ..............
77dd0000  00905a4d 00000003 00000004 0000ffff  MZ..............
77e70000  00905a4d 00000003 00000004 0000ffff  MZ..............
77fe0000  00905a4d 00000003 00000004 0000ffff  MZ..............
7c800000  00905a4d 00000003 00000004 0000ffff  MZ..............
7c900000  00905a4d 00000003 00000004 0000ffff  MZ..............
80172000  00905a4d 00000003 00000004 0000ffff  MZ..............
.......

Hits at module bases (01000000, 77c00000, ...) share the standard DOS-stub words that follow "MZ" (00000003 00000004 0000ffff); hits such as 0006e3a4 or 0234fc98 are stray "MZ" dwords in data, not image headers, so each candidate has to be validated by following e_lfanew to a "PE\0\0" signature.
Tricks – Code Injection
Feeding every hit to !lmi tells which ones the loader knows about (the -[1] flag makes s print only the matching addresses, which is what .foreach needs):

kd> .foreach ( aborges {s -[1]d 0x0 L?0xffffffff 0x00905a4d} ) {.echo "****H2HC UNIVERSITY****"; !lmi aborges}
****H2HC UNIVERSITY****
Loaded Module Info: [load]
         Module: ACPI
   Base Address: ba779000
     Image Name: ACPI.sys
   Machine Type: 332 (I386)
     Time Stamp: 480252b1 Sun Apr 13 15:36:33 2008
           Size: 2dd80
       CheckSum: 38955
Characteristics: 10e
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    21, 1bc78,  1bc78 RSDS - GUID: {3E23085E-EF9C-4EB5-AC40-C386278F6D7E}
               Age: 1, Pdb: acpi.pdb
     Image Type: MEMORY   - Image read successfully from loaded memory.
    Symbol Type: PDB      - Symbols loaded successfully from symbol server.
                 c:\symbols\acpi.pdb\3E23085EEF9C4EB5AC40C386278F6D7E1\acpi.pdb
    Load Report: public symbols , not source indexed
                 c:\symbols\acpi.pdb\3E23085EEF9C4EB5AC40C386278F6D7E1\acpi.pdb
...

An address that carries a valid PE header but that !lmi cannot resolve to a loaded module is an image that arrived outside the loader: injected or manually mapped.

Tricks – Code Injection
The same idea in a user-mode debugging session (notepad.exe):

0:000> lm
start    end        module name
01000000 01014000   notepad    (deferred)
73000000 73026000   WINSPOOL   (deferred)
763b0000 763f9000   comdlg32   (deferred)
773d0000 774d3000   COMCTL32   (deferred)
77c10000 77c68000   msvcrt     (deferred)
77dd0000 77e6b000   ADVAPI32   (deferred)
77e70000 77f02000   RPCRT4     (deferred)
77f10000 77f59000   GDI32      (deferred)
77f60000 77fd6000   SHLWAPI    (deferred)
77fe0000 77ff1000   Secur32    (deferred)
7c800000 7c8f6000   kernel32   (deferred)
7c900000 7c9af000   ntdll      (export symbols)       C:\WINDOWS\system32\ntdll.dll
7c9c0000 7d1d7000   SHELL32    (deferred)
7e410000 7e4a1000   USER32     (deferred)

Tricks – Code Injection
Simulating an injected image: allocate memory in the debuggee and read a PE file (calc.exe) into it, bypassing the loader entirely:

0:000> .dvalloc /b 42420000 1024
Allocated 2000 bytes starting at 42420000

0:000> .readmem "c:\\windows\\system32\\calc.exe" 42420000 42420000+1024

0:000> dc 42420000
42420000  00905a4d 00000003 00000004 0000ffff  MZ..............
42420010  000000b8 00000000 00000040 00000000  ........@.......
42420020  00000000 00000000 00000000 00000000  ................
42420030  00000000 00000000 00000000 000000f0  ................
42420040  0eba1f0e cd09b400 4c01b821 685421cd  ........!..L.!Th
42420050  70207369 72676f72 63206d61 6f6e6e61  is program canno
42420060  65622074 6e757220 206e6920 20534f44  t be run in DOS
42420070  65646f6d 0a0d0d2e 00000024 00000000  mode....$.......

(The dword at offset 0x3c, e_lfanew, is 0xf0: the PE header starts there. The sizes in these commands are hexadecimal, so 1024 means 0x1024 bytes, which .dvalloc rounds up to two pages, 0x2000.)
Tricks - Code Injection
0:000> s -d 0x0 L?0xffffffff 0x00905a4d
01000000  00905a4d 00000003 00000004 0000ffff  MZ......
42420000  00905a4d 00000003 00000004 0000ffff  MZ......
73000000  00905a4d 00000003 00000004 0000ffff  MZ......
763b0000  00905a4d 00000003 00000004 0000ffff  MZ......
773d0000  00905a4d 00000003 00000004 0000ffff  MZ......
77c10000  00905a4d 00000003 00000004 0000ffff  MZ......
77dd0000  00905a4d 00000003 00000004 0000ffff  MZ......
77e70000  00905a4d 00000003 00000004 0000ffff  MZ......
77f10000  00905a4d 00000003 00000004 0000ffff  MZ......
77f60000  00905a4d 00000003 00000004 0000ffff  MZ......
77fe0000  00905a4d 00000003 00000004 0000ffff  MZ......
7c800000  00905a4d 00000003 00000004 0000ffff  MZ......
7c900000  00905a4d 00000003 00000004 0000ffff  MZ......
7c9c0000  00905a4d 00000003 00000004 0000ffff  MZ......
7e410000  00905a4d 00000003 00000004 0000ffff  MZ......
Tricks – Code Injection

0:000> dc 42420000+140 L1   // IMAGE_OPTIONAL_HEADER dwSizeOfImage (size of the image loaded into memory; 0x140 bytes from the base of the PE file)
42420140  0001f000
0:000> .formats 0001f000
Evaluate expression:
  Hex:     0001f000
  Decimal: 126976
  Octal:   00000370000
  Binary:  00000000 00000001 11110000 00000000
  Chars:   ....
  Time:    Fri Jan 02 09:16:16 1970
  Float:   low 1.77931e-040 high 0
  Double:  6.27345e-319
0:000> .dvalloc /b 43430000 1f000
Allocated 1f000 bytes starting at 43430000
0:000> .readmem "c:\\windows\\system32\\calc.exe" 43430000 43430000+1f000
Reading 1f001 bytes......
Unable to read data for 4344c000, load is incomplete
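The two checks behind the lm, s -d and dc sessions above, as an added Python example that is not code from the talk: an 'MZ' search hit that no loaded-module entry covers exposes the manually mapped image at 42420000, and SizeOfImage is located by following e_lfanew instead of assuming the 0x140 offset. The module ranges and search hits are the ones printed on the slides; build_sample_header is a constructed stand-in for the first bytes of the mapped image, not real calc.exe data.

```python
import struct

# Loaded-module list as printed by "lm" on the slides: (start, end, name).
MODULES = [
    (0x01000000, 0x01014000, "notepad"),  (0x73000000, 0x73026000, "WINSPOOL"),
    (0x763b0000, 0x763f9000, "comdlg32"), (0x773d0000, 0x774d3000, "COMCTL32"),
    (0x77c10000, 0x77c68000, "msvcrt"),   (0x77dd0000, 0x77e6b000, "ADVAPI32"),
    (0x77e70000, 0x77f02000, "RPCRT4"),   (0x77f10000, 0x77f59000, "GDI32"),
    (0x77f60000, 0x77fd6000, "SHLWAPI"),  (0x77fe0000, 0x77ff1000, "Secur32"),
    (0x7c800000, 0x7c8f6000, "kernel32"), (0x7c900000, 0x7c9af000, "ntdll"),
    (0x7c9c0000, 0x7d1d7000, "SHELL32"),  (0x7e410000, 0x7e4a1000, "USER32"),
]

# Hits of "s -d 0x0 L?0xffffffff 0x00905a4d" (the 'MZ' dword) on the slides.
MZ_HITS = [0x01000000, 0x42420000, 0x73000000, 0x763b0000, 0x773d0000,
           0x77c10000, 0x77dd0000, 0x77e70000, 0x77f10000, 0x77f60000,
           0x77fe0000, 0x7c800000, 0x7c900000, 0x7c9c0000, 0x7e410000]


def unlisted_pe_images(mz_hits, modules):
    """PE headers that no entry of the loader's module list accounts for.
    A manually mapped image (the calc.exe copy at 42420000) shows up here;
    malfind applies the same idea to a memory dump."""
    return [hit for hit in mz_hits
            if not any(start <= hit < end for start, end, _ in modules)]


def size_of_image(image):
    """Read IMAGE_OPTIONAL_HEADER.SizeOfImage by walking e_lfanew instead of
    assuming offset 0x140, which holds only because calc.exe has e_lfanew 0xf0."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3c)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional = e_lfanew + 4 + 20          # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, optional)[0]
    if magic not in (0x10b, 0x20b):       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<I", image, optional + 0x38)[0]


def build_sample_header():
    """Constructed stand-in for the first 0x150 bytes of the mapped image, laid
    out like the dump on the slides (e_lfanew 0xf0, SizeOfImage 0x1f000)."""
    buf = bytearray(0x150)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3c, 0xf0)          # e_lfanew
    buf[0xf0:0xf4] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0xf4, 0x14c, 3)     # Machine i386, 3 sections
    struct.pack_into("<H", buf, 0xf4 + 16, 0xe0)     # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x108, 0x10b)        # PE32 magic
    struct.pack_into("<I", buf, 0x140, 0x1f000)      # SizeOfImage
    return bytes(buf)


if __name__ == "__main__":
    for addr in unlisted_pe_images(MZ_HITS, MODULES):
        print("PE header with no loaded module: %08x" % addr)
    print("SizeOfImage: %#x" % size_of_image(build_sample_header()))
```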
Tricks – Code Injection

kd> !dh 43430000

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       3 number of sections
3B7D8410 time date stamp Fri Aug 17 17:52:32 2001
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     10F characteristics
            Relocations stripped
            Executable
            Line numbers stripped
            Symbols stripped
            32 bit word machine
......
Tricks – Code Injection
0:000> dc 4344b800
4344b800  00410043 0043004c 00000000 002e0080  C.A.L.C......
4344b810  004c0001 00670065 006c0061 006f0043  ..L.e.g.a.l.C.o.
4344b820  00790070 00690072 00680067 00000074  p.y.r.i.g.h.t...
4344b830  002000a9 0069004d 00720063 0073006f  .. .M.i.c.r.o.s.
4344b840  0066006f 00200074 006f0043 00700072  o.f.t. .C.o.r.p.
4344b850  0072006f 00740061 006f0069 002e006e  o.r.a.t.i.o.n...
4344b860  00410020 006c006c 00720020 00670069  .A.l.l. .r.i.g.
4344b870  00740068 00200073 00650072 00650073  h.t.s. .r.e.s.e.
0:000> .writemem "c:\\windows\\system32\\calc_test.exe" 43430000 43430000+1f000
Writing 1f001 bytes......
Unable to read memory at 4344f000, file is incomplete
Tricks – Code Injection
root@kali:~/volatility25# python vol.py --profile=WinXPSP3x86 -f /malwares/"malware6.vmem" malfind
Process: notepad.exe Pid: 2060 Address: 0x43430000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 31, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x43430000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ......
0x43430010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ...... @......
0x43430020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ......
0x43430030  00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00   ......

0x43430000 4d               DEC EBP
0x43430001 5a               POP EDX
0x43430002 90               NOP
0x43430003 0003             ADD [EBX], AL
0x43430005 0000             ADD [EAX], AL
0x43430007 000400           ADD [EAX+EAX], AL
0x4343000a 0000             ADD [EAX], AL
0x4343000c ff               DB 0xff
0x4343000d ff00             INC DWORD [EAX]
0x4343000f 00b800000000     ADD [EAX+0x0], BH
0x43430015 0000             ADD [EAX], AL
0x43430017 004000           ADD [EAX+0x0], AL
0x4343001a 0000             ADD [EAX], AL
Tricks – Code Injection
0:000> s -[l8]sa 43430000 L1f000
4343004d  "!This program cannot be run in D"
4343006d  "OS mode."
434300a9  "$y7D$x79"
43430298  "SHELL32.dll"
434302a4  "msvcrt.dll"
434302af  "ADVAPI32.dll"
434302bc  "KERNEL32.dll"
434302c9  "GDI32.dll"
434302d3  "USER32.dll"
43430990  "hhctrl.ocx"
434309a0  "CLSID\{ADB880A6-D8FF-11CF-9377-0"
434309c0  "0AA003B7A11}\InprocServer32"
43430a1c  "calc.pdb"
43434609  "t

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 89e43830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00334000  ObjectTable: e1000c98  HandleCount: 266.
    Image: System

PROCESS 89c99a80  SessionId: 0  Cid: 06f4    Peb: 7ffd7000  ParentCid: 06cc
    DirBase: 10e80200  ObjectTable: e1d4f188  HandleCount: 693.
    Image: explorer.exe
....
PROCESS 897d1da0  SessionId: 0  Cid: 0cc4    Peb: 7ffdf000  ParentCid: 06f4
    DirBase: 10e80280  ObjectTable: e21972c0  HandleCount: 55.
    Image: cmd.exe

PROCESS 896d77a8  SessionId: 0  Cid: 09a0    Peb: 7ffdc000  ParentCid: 0cc4
    DirBase: 10e80240  ObjectTable: e1d465b8  HandleCount: 80.
    Image: windbg.exe

PROCESS 891a8690  SessionId: 0  Cid: 080c    Peb: 7ffdf000  ParentCid: 09a0
    DirBase: 10e802c0  ObjectTable: e5883c08  HandleCount: 6.
    Image: notepad.exe

Tricks – Code Injection

kd> !process 891a8690 1
PROCESS 891a8690  SessionId: 0  Cid: 080c    Peb: 7ffdf000  ParentCid: 09a0
    DirBase: 10e802c0  ObjectTable: e5883c08  HandleCount: 6.
    Image: notepad.exe
    VadRoot 891cb1b0 Vads 37 Clone 0 Private 199. Modified 0. Locked 0.
    DeviceMap e1c3e150
    Token                             e305a970
    ElapsedTime                       02:46:57.484
    UserTime                          00:00:00.015
    KernelTime                        00:00:12.140
    QuotaPoolUsage[PagedPool]         36940
    QuotaPoolUsage[NonPagedPool]      1480
    Working Set Sizes (now,min,max)  (4025, 50, 345) (16100KB, 200KB, 1380KB)
    PeakWorkingSetSize                4025
    VirtualSize                       18 Mb
    PeakVirtualSize                   18 Mb
    PageFaultCount                    4014
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      320
    DebugPort                         896f4ad8
Tricks – Code Injection

kd> .process /p 891a8690
Implicit process is now 891a8690
.cache forcedecodeuser done
kd> .reload
Connected to Windows XP 2600 x86 compatible target at (Fri Oct 14 01:41:27.977 2016 (UTC - 3:00)), ptr64 FALSE
Loading Kernel Symbols
.....
kd> dc 43430000
43430000  00905a4d 00000003 00000004 0000ffff  MZ......
43430010  000000b8 00000000 00000040 00000000  ...... @......
43430020  00000000 00000000 00000000 00000000  ......
43430030  00000000 00000000 00000000 000000f0  ......
43430040  0eba1f0e cd09b400 4c01b821 685421cd  ...... !..L.!Th
43430050  70207369 72676f72 63206d61 6f6e6e61  is program canno
43430060  65622074 6e757220 206e6920 20534f44  t be run in DOS
43430070  65646f6d 0a0d0d2e 00000024 00000000  mode....$......
kd> lm vt a 434300000
start    end        module name

Tricks – Code Injection

kd> lm vt a 7c800000
start    end        module name
7c800000 7c8f6000   kernel32
    Image path: C:\WINDOWS\system32\kernel32.dll
    Image name: kernel32.dll
    Timestamp:        Sun Apr 13 21:11:24 2008 (4802A12C)
    CheckSum:         000F44A2
    ImageSize:        000F6000
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel32
    OriginalFilename: kernel32
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2111)
    FileDescription:  Windows NT BASE API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

Tricks - Hooking

• What is hooking?
• Why do we use hooking?
• What are the types and targets of hooking?
  • SSDT
  • IDT
  • IAT
  • Inline
  • EAT
  • Detour
  • IRP
  • .....

Tricks - Hooking

Usual function call - no hooking

Caller:
    push param3
    push param2
    push param1
    call good_function
    mov ebx, eax
    ....

good_function:
    push ebp
    mov ebp, esp
    ...good things...
    ret

Tricks - Hooking

Caller:
    push param3
    push param2
    push param1
    call bad_function
    mov ebx, eax
    ....

bad_function:
    push ebp
    mov ebp, esp
    .....bad things......
    ret

good_function:
    push ebp
    mov ebp, esp
    ...good things...
    ret

The original function is never called.

Tricks - Hooking

Caller:
    push param3
    push param2
    push param1
    call bad_function
    mov ebx, eax
    ....

bad_function:
    push ebp
    mov ebp, esp
    .....bad things......
    call good_function
    ....
    ret

good_function:
    push ebp
    mov ebp, esp
    ...good things...
    ret

The original function is called.

Tricks - Hooking

Caller:
    push param3
    push param2
    push param1
    call good_function
    mov ebx, eax
    ....

good_function:
    push ebp
    mov ebp, esp
    ...good things......
    call bad_function
    ....
    ret

bad_function:
    push ebp
    mov ebp, esp
    ...bad things...
    ret

Tricks - Hooking

• Of course, it is impossible to explain how to code the hook during this presentation (tight time). However, take care while coding a hook:
  • function_1_addr: 0x42420090
  • function_2_addr: 0x42420490
• It is very common to hear the following wrong statement from professionals while programming hooks:
  • function_2_addr = function_1_addr + offset (0x400).
• However, it is wrong. Why?

Tricks - Hooking

• function_1_addr: 0x42420000
• function_2_addr: 0x42420500
• function_2_addr = function_1_addr + offset (0x400) + 5
• offset = function_2_addr - function_1_addr - 5
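An added Python example, not code from the talk, that applies the "+ 5" rule above: it decodes an E9 jmp's rel32 relative to the end of the instruction (so the two addresses just listed give a displacement of 0x500 - 5 = 0x4fb), flags a prologue whose jmp leaves its own module (the Inline/Trampoline case that Volatility's apihooks reports later in this section, whose ntdll range and listed bytes are reused here), and runs the EAT range check (VA = base + RVA must stay inside the DLL) that the Export Address Table slide describes. The kernel32 base and size come from the lm vt output above; its export RVAs are constructed.

```python
import struct

# Victim module range as reported by the apihooks output on the slides.
NTDLL = (0x7c900000, 0x7c9b0000)

# Bytes of ntdll!NtCreateThread from that listing: the first five are the
# injected jmp; the tail (mov edx, 7ffe0300h / call [edx] / ret 20h) is
# reused as a non-hooked byte sequence for comparison.
HOOKED_PROLOGUE = bytes.fromhex("e97063ed83ba0003fe7fff12")
CLEAN_PROLOGUE = bytes.fromhex("ba0003fe7fff12c22000")

# kernel32 base and size from "lm vt a 7c800000"; the export RVAs are
# constructed, the last one rewritten to land far outside the image.
KERNEL32 = (0x7c800000, 0xf6000)
KERNEL32_EXPORTS = {"CreateFileW": 0x0a2f8, "WriteFile": 0x1da2f,
                    "LoadLibraryA": 0x01a3b000}


def jmp_rel32_target(insn_addr, code):
    """Decode a 5-byte E9 near jmp and return its absolute target, or None.
    rel32 is relative to the END of the instruction (insn_addr + 5): that is
    the '+ 5' the slides insist on."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", code, 1)[0]      # signed displacement
    return (insn_addr + 5 + rel32) & 0xFFFFFFFF


def rel32_for_jmp(src, dst):
    """The slides' formula, offset = function_2_addr - function_1_addr - 5,
    i.e. the inverse of jmp_rel32_target, used to cross-check decodes."""
    return (dst - src - 5) & 0xFFFFFFFF


def inline_hook_target(func_addr, prologue, module):
    """Trampoline target if the function begins with a jmp that leaves its
    own module (what apihooks labels Inline/Trampoline); None otherwise."""
    base, end = module
    target = jmp_rel32_target(func_addr, prologue)
    if target is None or base <= target < end:
        return None
    return target


def eat_hooks(dll, exports):
    """EAT check from the slides: VA = base + RVA must fall inside the DLL.
    exports maps export name -> RVA; returns the entries pointing outside."""
    base, size = dll
    flagged = {}
    for name, rva in exports.items():
        va = (base + rva) & 0xFFFFFFFF
        if not base <= va < base + size:
            flagged[name] = va
    return flagged


if __name__ == "__main__":
    hooked = inline_hook_target(0x7c90d7d2, HOOKED_PROLOGUE, NTDLL)
    print("NtCreateThread trampolines to %#x" % hooked)
    print("EAT entries outside kernel32:", eat_hooks(KERNEL32, KERNEL32_EXPORTS))
```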
function_1 (original):
    0x42420090: push ebp
    0x42420091: mov ebp, esp
    0x42420093: sub esp, 0x20
    0x42420096: push ecx
    0x42420097: mov ecx, eax

function_1 (hooked):
    0x42420090: jmp function_2_addr
    0x42420095: nop
    0x42420096: push ecx
    0x42420097: mov ecx, eax

Tricks - Hooking

Example 1:
0x010f0000 bdbcd47705       MOV EBP, 0x577d4bc
0x010f0005 8bff             MOV EDI, EDI
0x010f0007 55               PUSH EBP
0x010f0008 8bec             MOV EBP, ESP
0x010f000a e9b3bcc576       JMP 0x77d4bcc2
0x010f000f 0000             ADD [EAX], AL
0x010f0011 0000             ADD [EAX], AL

Example 2:
0x010e0000 58               POP EAX
0x010e0001 6805000f01       PUSH DWORD 0x10f0005
0x010e0006 6800000000       PUSH DWORD 0x0
0x010e000b 680000807c       PUSH DWORD 0x7c800000
0x010e0010 6828180310       PUSH DWORD 0x10031828
0x010e0015 50               PUSH EAX
0x010e0016 68619f0210       PUSH DWORD 0x10029f61
0x010e001b c3               RET
0x010e001c 0000             ADD [EAX], AL

Tricks - Hooking

Example 3:
0x01410000 MOV EAX, 0x35
0x01410005 JMP 0x7c90d7d7
0x0141000a MOV EAX, 0x7c90df63
0x0141000f JMP EAX
0x01410014 MOV EDI, EDI
0x01410016 PUSH EBP
0x01410017 MOV EBP, ESP

Example 4:
0x7c900056 eb04             JMP 0x7c90005c
0x7c900058 b205             MOV DL, 0x5
0x7c90005a eb00             JMP 0x7c90005c
0x7c90005c 52               PUSH EDX
0x7c90005d e804000000       CALL 0x7c900066
0x7c900062 f20094005aff2269 ADD [EAX+EAX+0x6922ff5a], DL
0x7c90006a 6e               OUTS DX, BYTE [ESI]
0x7c900066 5a               POP EDX
0x7c900067 ff22             JMP DWORD [EDX]

Tricks - Hooking

• Import Address Table:
  • Remember that the import table of a PE file holds:
    • pointers to the names of the API functions that a process uses at run time.
    • the names of the DLLs that contain each function.
    • the addresses of the API functions used by the process.
• How can one hook an IAT entry?
  • Inject a DLL into the process address space.
  • The DLL examines the PE header to find where the pointer to the function is stored.
  • The DLL overwrites the pointer so that it points to a bad function.

Tricks - Hooking

[Figure: IAT hooking. Application 1 (DOS Header, PE Header, Section Table, .text section, .data section, Import Address Table) with entries function_1 .. function_4 resolving into good_dll.dll and bad_dll.dll.]

Tricks - Hooking

• Export Address Table:
  • It holds the names of the functions exported by a DLL.
  • Additionally, it holds the RVA (Relative Virtual Address) of each function, relative to the base address of the DLL loaded in memory.
  • Remember that an RVA is an address relative to the base address of a DLL (for example). Therefore, VA = Base Address + RVA.
• Detecting EAT hooks is easy:
  • Enumerate each active process (from the EPROCESS structures).
  • List all DLLs loaded by each process (this information comes from the PEB and/or the VAD).
  • For each DLL in the list, gather the DLL name, base address and its respective size.
  • Dump the .exe and rebuild the PE structure.
  • Locate the IAT.
  • For each function, add its RVA to the DLL base address. Check whether the resulting address falls outside the memory range of the DLL.

Tricks - Hooking

[Figure: EAT hooking. DLL 1 (DOS Header, PE Header, Section Table, .text section, .data section, Export Address Table) with exports function_1 .. function_4 and bad_dll.dll.]

Tricks - Hooking

[Figure: Inline hooking. DLL 1 (DOS Header, PE Header, Section Table, .text section, Export Address Table, function_1 .. function_4) and bad_dll.dll; the hooked function's prologue now reads:]
0x771d325f JMP 0x8e7415
0x771d3264 SUB ESP, 0x10
0x771d3267 PUSH EBX
0x771d3268 XOR EBX, EBX
0x771d326a CMP [0x77239850], EBX

Tricks - Hooking

root@kali:~ # python /root/volatility25/vol.py -f ./malware4.vmem apihooks
Volatility Foundation Volatility Framework 2.5
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 676 (services.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b0000)
Function: ntdll.dll!NtCreateThread at 0x7c90d7d2
Hook address: 0x7e3b47
Hooking module:

Disassembly(0):
0x7c90d7d2 e97063ed83       JMP 0x7e3b47
0x7c90d7d7 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90d7dc ff12             CALL DWORD [EDX]
0x7c90d7de c22000           RET 0x20
0x7c90d7e1 90               NOP
0x7c90d7e2 90               NOP
......

Tricks - Hooking

• If you want to try a brute-force check for any kind of hooking, it is possible to try:

kd> .sympath+ SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
kd> .reload
kd> !for_each_module "!chkimg @#ModuleName"

Finding Registries

Index 34d: 6271c075 kcb=e15bb508 cell=00137170 f=00200004 \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\HTTP
kd> !reg cellindex e1018370 00137170
Map = e101e000 Type = 0 Table = 0 Block = 137 Offset = 170
MapTable = e101f000
BlockAddress = d9638000
pcell: d9638174   KeyNodeAddress
kd> !reg valuelist e1018370 d9638174
Dumping ValueList of Key
[Idx] [ValAddr]  [ValueName]
[ 0]  d96381cc   DisplayName
[ 1]  d963820c   Description
[ 2]  d9638384   ErrorControl
[ 3]  d96383ac   ImagePath
[ 4]  d9638424   Start
[ 5]  d9638444   Type

Finding Registries

kd> !reg kvalue d96383ac
Signature: CM_KEY_VALUE_SIGNATURE (kv)
Name      : ImagePath {compressed}
DataLength: 34
Data      : 1373d0 [cell index]
Type      : 2
kd> !reg cellindex e1018370 1373d0
Map = e101e000 Type = 0 Table = 0 Block = 137 Offset = 3d0
MapTable = e101f000
BlockAddress = d9638000
pcell: d96383d4
kd> dc d96383d4
d96383d4  00790053 00740073 006d0065 00320033  S.y.s.t.e.m.3.2.
d96383e4  0044005c 00690072 00650076 00730072  \.D.r.i.v.e.r.s.
d96383f4  0048005c 00540054 002e0050 00790073  \.H.T.T.P...s.y.
d9638404  00000073 fffffff8 00137670 fffffff0  s...... pv......
d9638414  00300032 00000031 00000000 ffffffe0  2.0.1......
d9638424  00056b76 80000004 00000003 00000004  vk......
d9638434  00000001 72617453 00000074 ffffffe0  ....Start......
d9638444  00046b76 80000004 00000001 00000004  vk......

Thank you for attending my lecture!

LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Blog: http://alexandreborges.org
E-mail: [email protected]