Few tricks used by malwares – H2HC University 2016
By Alexandre Borges
Alexandre Borges – It is not allowed to copy neither reproduce this slide.

Profile and TOC

TOC:
• Introduction
• DKOM
• Process Hollowing
• SSDT
• Code Injection
• Hooking
• Finding Registries

Profile:
• Malware and Security Researcher.
• Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board in EC-Council.
• Reviewer member of The Journal of Digital Forensics, Security and Law.
• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the book "Oracle Solaris Advanced Administration".

Introduction

• Tools are important, but they are not everything.
• Keep your tools updated (licensed tools).
• Strong knowledge about kernels (Windows, Linux and Mac OS X) and programming (using the APIs) is a must.
• Sandboxes such as Cuckoo are useful, but they are not efficient for most complex malware.
• Classical approach: static vs. dynamic analysis.
• Emulation: an interesting method (IDAEmu and Unicorn).
• Do you use Radare2 and/or Capstone / Keystone (disassembly / assembly engine)?
• Suggested lab: Windows XP SP3 + Windows 7/8 + Linux (Remnux and Kali).

Introduction
[Three image-only slides; no text is recoverable from them.]

Tricks

Tricks - DKOM

[Diagram: KPRCB (*Current Thread, *Next Thread, *Idle Thread) -> ETHREAD / KTHREAD (APC State) -> EPROCESS / KPROCESS -> List Entry { FLINK, BLINK }]

• KPRCB (Kernel Processor Control Region Block): it contains information about the processor, and it is not at a fixed address anymore (since Windows Vista).

Tricks - DKOM

[Diagram: two copies of a doubly linked list of three entries (101, 102, 103) connected by flink / blink pointers.]

Tricks - DKOM

C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64> windbg.exe -k com:pipe,port=\\.\pipe\com_1

kd> dt _KPRCB
nt!_KPRCB
   +0x000 MxCsr            : Uint4B
   .....
   +0x007 IdleHalt         : UChar
   +0x008 CurrentThread    : Ptr64 _KTHREAD
   +0x010 NextThread       : Ptr64 _KTHREAD
   +0x018 IdleThread       : Ptr64 _KTHREAD
   +0x020 NestingLevel     : UChar
   +0x021 PrcbPad00        : [3] UChar

kd> !prcb
PRCB for Processor 0 at fffff80002bf8e80:
Current IRQL -- 13
Threads--  Current fffff80002c06cc0 Next 0000000000000000 Idle fffff80002c06cc0
Processor Index 0 Number (0, 0) GroupSetMember 1
......

Tricks - DKOM

kd> dt nt!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x368 CreateTime       : _LARGE_INTEGER
   +0x370 ExitTime         : _LARGE_INTEGER
   +0x370 KeyedWaitChain   : _LIST_ENTRY
   +0x380 ExitStatus       : Int4B
   ....

kd> dt _KTHREAD
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : Uint8B
   ......
   +0x04c MiscFlags        : Int4B
   +0x050 ApcState         : _KAPC_STATE
   +0x050 ApcStateFill     : [43] UChar
   +0x07b Priority         : Char
   +0x07c NextProcessor    : Uint4B

Tricks - DKOM

kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x160 ProcessLock      : _EX_PUSH_LOCK
   +0x168 CreateTime       : _LARGE_INTEGER
   +0x170 ExitTime         : _LARGE_INTEGER
   +0x178 RundownProtect   : _EX_RUNDOWN_REF
   +0x180 UniqueProcessId  : Ptr64 Void
   +0x188 ActiveProcessLinks : _LIST_ENTRY
   +0x198 ProcessQuotaUsage : [2] Uint8B
   +0x1a8 ProcessQuotaPeak : [2] Uint8B
   ...

kd> dt nt!_LIST_ENTRY
   +0x000 Flink            : Ptr64 _LIST_ENTRY
   +0x008 Blink            : Ptr64 _LIST_ENTRY

Tricks - DKOM

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 89e43830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00334000  ObjectTable: e1000c98  HandleCount: 253.
    Image: System

PROCESS 89b92340  SessionId: none  Cid: 0178    Peb: 7ffde000  ParentCid: 0004
    DirBase: 10980020  ObjectTable: e15227a8  HandleCount:  19.
    Image: smss.exe

PROCESS 89957020  SessionId: 0  Cid: 025c    Peb: 7ffdf000  ParentCid: 0178
    DirBase: 10980040  ObjectTable: e15f6858  HandleCount: 356.
    Image: csrss.exe

PROCESS 898e0020  SessionId: 0  Cid: 0280    Peb: 7ffd6000  ParentCid: 0178
    DirBase: 10980060  ObjectTable: e143a500  HandleCount: 525.
    Image: winlogon.exe

PROCESS 89ae6020  SessionId: 0  Cid: 02e4    Peb: 7ffdd000  ParentCid: 0280
    DirBase: 10980080  ObjectTable: e197c8e8  HandleCount: 262.
    Image: services.exe
.....

Tricks - DKOM

kd> dt nt!_EPROCESS 89ae6020   // (base of this _EPROCESS)
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER 0x01d22032`83696cc6
   +0x078 ExitTime         : _LARGE_INTEGER 0x0
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : 0x000002e4 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x89afee28 - 0x898e00a8 ]
   +0x090 QuotaUsage       : [3] 0x17d0
   +0x09c QuotaPeak        : [3] 0x1c88

kd> x nt!psact*
8055a158 nt!PsActiveProcessHead = <no type information>

Tricks - DKOM

kd> dt nt!_LIST_ENTRY 8055a158
 [ 0x89e438b8 - 0x897d7b78 ]
   +0x000 Flink            : 0x89e438b8 _LIST_ENTRY [ 0x89b923c8 - 0x8055a158 ]
   +0x004 Blink            : 0x897d7b78 _LIST_ENTRY [ 0x8055a158 - 0x899415e0 ]

kd> dt nt!_EPROCESS 0x89e438b8 - 0x088 -l ActiveProcessLinks.Flink -y ImageFileName
ActiveProcessLinks.Flink at 0x89e438b8
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x0 - 0x0 ]
   +0x174 ImageFileName    : [16] ""

kd> dt nt!_EPROCESS 0x89e438b8-0x088 -l ActiveProcessLinks.Flink -y ImageFileName
ActiveProcessLinks.Flink at 0x89e43830
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x89b923c8 - 0x8055a158 ]
   +0x174 ImageFileName    : [16] "System"

ActiveProcessLinks.Flink at 0x89b92340
---------------------------------------------
   +0x088 ActiveProcessLinks : [ 0x899570a8 - 0x89e438b8 ]
   +0x174 ImageFileName    : [16] "smss.exe"

Tricks - DKOM

• It is possible to perform DKOM from kernel drivers, but it is also feasible to execute it from userland:
• The malware enables SeDebugPrivilege by using:
  RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &oldpriv);
• NtQuerySystemInformation( ) locates the base address of the kernel module (ntoskrnl.exe):
  NtQuerySystemInformation(SystemModuleInformation, &infomod, sizeof(infomod), NULL);
• It extracts the base address of the kernel executable module (ntoskrnl.exe):
  kernelbase = (ULONG)infomod.Modules[0].ImageBase

Tricks - DKOM

• The PsInitialSystemProcess variable points to the _EPROCESS of the System process. Therefore, we have to get the PsInitialSystemProcess address:
  kernelhandle = LoadLibraryA(kernelfilename);   // ntoskrnl.exe
  psinitialsys_addr = (ULONG)GetProcAddress(kernelhandle, "PsInitialSystemProcess") – (ULONG)kernelhandle + kernelbase;
• Walk the linked list searching for the target process to hide (remember offset 0x88 – ActiveProcessLinks).
• NtSystemDebugControl( ) reads and writes (DebugSysReadVirtual / DebugSysWriteVirtual) 4 bytes at a specific address in kernel memory. Thus, it is possible to overwrite the Flink and Blink pointers.

Tricks - DKOM

• NtSystemDebugControl(
      IN SYSDBG_COMMAND Command,
      IN PVOID InputBuffer OPTIONAL,
      IN ULONG InputBufferLength,
      OUT PVOID OutputBuffer OPTIONAL,
      IN ULONG OutputBufferLength,
      OUT PULONG ReturnLength OPTIONAL
  );

• NtSystemDebugControl(SysDbgReadVirtual, &dbgmembuff, sizeof(dbgmembuff), NULL, 0, NULL);

Tricks - DKOM

root@kali:~/volatility25# python vol.py --profile=WinXPSP2x86 -f /malwares/malware2.vmem psxview
Volatility Foundation Volatility Framework 2.5
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x06499b80 svchost.exe             711 True   True   True     True   True  True    True
0x04b5a980 VMwareUser.exe          109 True   True   True     True   True  True    True
0x05f027e0 explorer.exe            216 True   True   True     True   True  True
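The psxview output above is the defender's counterpart to the list-unlinking described on the DKOM slides: a process whose Flink/Blink were overwritten vanishes from a walk of ActiveProcessLinks (the "pslist" column) while its _EPROCESS still sits in memory and is found by a pool scan (the "psscan" column). The following Python is an added example, not code from the slides or from Volatility. It builds a small constructed 32-bit kernel image using the XP x86 _EPROCESS offsets shown in the deck (0x84 UniqueProcessId, 0x88 ActiveProcessLinks, 0x174 ImageFileName), walks the list from a stand-in PsActiveProcessHead, carves objects by a simplified pool tag, and reports the mismatch. The tag b"Proc", the object size 0x260, the addresses and the process names are all constructed assumptions.

```python
"""Cross-reference an _EPROCESS list walk with a pool scan (toy psxview).

Added, constructed example. Offsets are the Windows XP x86 ones shown in
the deck; everything else (pool tag, sizes, addresses, names) is made up.
"""
import struct

OFF_PID = 0x84            # _EPROCESS.UniqueProcessId (XP x86)
OFF_LINKS = 0x88          # _EPROCESS.ActiveProcessLinks: { Flink, Blink }
OFF_NAME = 0x174          # _EPROCESS.ImageFileName: char[16]
EPROCESS_SIZE = 0x260     # assumption: big enough to hold the fields above
POOL_TAG = b"Proc"        # assumption: simplified stand-in for the real XP tag
POOL_HDR = 8              # assumption: 4 bytes size/flags + 4-byte tag before the object
KERNEL_BASE = 0x80000000  # virtual address of byte 0 of the fake image


class FakeKernelMemory:
    """A bytearray addressed by 32-bit virtual addresses."""

    def __init__(self, size, base=KERNEL_BASE):
        self.base, self.mem = base, bytearray(size)

    def off(self, va):
        o = va - self.base
        if not 0 <= o < len(self.mem):
            raise ValueError(f"address {va:#x} is outside the image")
        return o

    def read_u32(self, va):
        return struct.unpack_from("<I", self.mem, self.off(va))[0]

    def write_u32(self, va, value):
        struct.pack_into("<I", self.mem, self.off(va), value)

    def read_name(self, va):
        o = self.off(va)
        return bytes(self.mem[o:o + 16]).split(b"\0", 1)[0].decode()


def build_image(processes, hidden):
    """Lay out a list head plus one _EPROCESS per (pid, name).

    Names in `hidden` are left out of the doubly linked list, which is the
    state DKOM leaves behind: the hidden entry still points at its former
    neighbours, but no visible entry points back to it.
    """
    mem = FakeKernelMemory(0x10000)
    head_va = KERNEL_BASE + 0x100               # stand-in for nt!PsActiveProcessHead
    cursor, entries = KERNEL_BASE + 0x1000, []  # entries: (eprocess_va, pid, name, hidden)
    for pid, name in processes:
        mem.mem[mem.off(cursor) + 4:mem.off(cursor) + 8] = POOL_TAG
        ep = cursor + POOL_HDR
        mem.write_u32(ep + OFF_PID, pid)
        mem.mem[mem.off(ep + OFF_NAME):mem.off(ep + OFF_NAME) + 16] = name.encode().ljust(16, b"\0")
        entries.append((ep, pid, name, name in hidden))
        cursor += POOL_HDR + EPROCESS_SIZE
    visible = [head_va] + [ep + OFF_LINKS for ep, _, _, h in entries if not h]
    for i, node in enumerate(visible):             # circular list of visible entries
        mem.write_u32(node, visible[(i + 1) % len(visible)])       # Flink
        mem.write_u32(node + 4, visible[(i - 1) % len(visible)])   # Blink
    for idx, (ep, _, _, h) in enumerate(entries):  # stale pointers for hidden entries
        if h:
            prev_link = entries[idx - 1][0] + OFF_LINKS if idx else head_va
            mem.write_u32(ep + OFF_LINKS, mem.read_u32(prev_link))   # Flink = old next
            mem.write_u32(ep + OFF_LINKS + 4, prev_link)             # Blink = old prev
    return mem, head_va


def pslist(mem, head_va, max_entries=1024):
    """Walk ActiveProcessLinks from the head, like the pslist column."""
    found, link = [], mem.read_u32(head_va)
    while link != head_va and len(found) < max_entries:
        ep = link - OFF_LINKS                      # CONTAINING_RECORD
        found.append((ep, mem.read_u32(ep + OFF_PID), mem.read_name(ep + OFF_NAME)))
        link = mem.read_u32(link)
    return found


def psscan(mem):
    """Carve _EPROCESS objects by pool tag, like the psscan column."""
    found, pos = [], mem.mem.find(POOL_TAG)
    while pos != -1:
        ep = mem.base + pos + 4                    # tag at hdr+4, object at hdr+8
        found.append((ep, mem.read_u32(ep + OFF_PID), mem.read_name(ep + OFF_NAME)))
        pos = mem.mem.find(POOL_TAG, pos + 1)
    return found


def psxview(mem, head_va):
    """One row per scanned object; pslist=False with psscan=True is the DKOM signature."""
    listed = {ep for ep, _, _ in pslist(mem, head_va)}
    return [{"offset": ep, "name": name, "pid": pid, "pslist": ep in listed, "psscan": True}
            for ep, pid, name in psscan(mem)]


def hidden_processes(mem, head_va):
    return [r["name"] for r in psxview(mem, head_va) if not r["pslist"]]


SAMPLE = [(4, "System"), (376, "smss.exe"), (604, "csrss.exe"),
          (1234, "evil.exe"), (1500, "explorer.exe")]   # constructed sample

if __name__ == "__main__":
    image, head = build_image(SAMPLE, hidden={"evil.exe"})
    print(f"{'Offset(V)':>10} {'Name':<14} {'PID':>5} pslist psscan")
    for r in psxview(image, head):
        print(f"{r['offset']:#10x} {r['name']:<14} {r['pid']:>5} {str(r['pslist']):<6} {r['psscan']}")
```

Running it prints a psxview-style table in which evil.exe is the only row with pslist False and psscan True. The same cross-view idea is why the real plugin also consults the thread list, the PspCid table, csrss handles and session/desktop structures: each extra view is another place an unlinked object must also be scrubbed from to stay hidden.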