
Skrull Like A King: Breaking Out of the Heavily Guarded Skynet Defense Line

adr
November 29, 2021


The king is dead, long live the king! Now that cloud-based detection has become standard, the monitoring perimeter of modern antivirus products is as powerful as an all-seeing eye: besides locating potentially threatening program files through multi-layered monitoring, it watches the flow of program files from a god's-eye view and sends samples back to researchers and analysis models, effectively stopping malicious files from spreading to more victim devices in real time. For malware authors, the main challenge in this cat-and-mouse game is therefore how long they can survive in the post-exploitation stage.
Many well-known in-the-wild techniques have emerged, such as poisoning startup items, hijacking COM objects, or using system-level rootkits to hide backdoors; yet no backdoor protection technique has so far been developed that makes a program impossible to analyze even when "the entire program file is sent back to researchers".
Imagine a scenario: what if malware were armored with "digital anti-copy protection", so that once installed on a victim's machine, it would automatically self-destruct the moment it was uploaded to a security vendor and could no longer be executed or analyzed at all ;)?
This talk starts from the Process Doppelgänging technique and its variants, and releases a brand-new Unlink attack technique that lets malware achieve fileless execution, forge its own digital signature, and even armor itself so that researchers cannot copy or analyze it.


Transcript

  1. Skrull Like A King! Breaking Out of the Heavily Guarded Skynet Defense Line (2021) aaaddress1@chroot.org

  2. April 21, 2021 Sheng-Hao Ma, Threat Researcher at TXOne Networks
     • Core member of CHROOT Security Group
     • Over 10 years' experience in reverse engineering, Windows vulnerabilities, and Intel 8086
     • Spoke at S&P, BlackHat, DEFCON, HITB, HITCON, VXCON, ROOTCON, CYBERSEC, SITCON, etc.
     • Instructor for the Ministry of National Defense, Ministry of Education, HITCON, etc.
     • Publication: Windows APT Warfare 惡意程式前線戰術指南 (Malware Frontline Tactics Guide)
  3. Background

  4–7. Background (image-only slides)

  8. AntiVirus Design
     • Malware Detection
       • Signature-Patterns Scanning, e.g. YARA
       • ML: Heuristic Detection, e.g. SVM
       • Virtual Machine (VM)
     • When To Scan?
       • Regular Schedule Service
       • Minifilter & PsSetCreateProcessNotifyRoutine
       • Automatic Sample Submission

  9. Challenge (same AntiVirus Design list as slide 8): inject malware into trusted system processes, without triggering AV/EDR?

  10. Challenge (same list): our payload shouldn't be scanned

  11. Challenge (same list): can we protect our malware against reversing, even if the binary got captured in hand?

  12. Skynet by AV/EDR (same list): and here's the only way we know about BAD GUYS ...

  13. Outline
     A. AV/EDR Real-Time Scan
     B. The Treasure left since XP: CreateProcessEx
     C. Force Unlink: Abuse NTFS Streams to Unlink()
     D. Skrull DRM: Man-of-a-Thousand-Faces Virus & Anti-Copy Malware
     E. Conclusion
  14. The Treasure left since XP

  15. Explorer → EXE File: C:\fishfish.exe got clicked!

  16. Explorer → kernel32!CreateProcessW → kernel32!CreateProcessInternalW → EXE File (C:\fishfish.exe got clicked!)

  17. ... → ntdll!ZwCreateProcessEx( section ), with filePtr = fopen( "C:\fishfish.exe" ); the PE Header, .text, .data, .idata and .reloc are mapped into the Process via a file mapping (fishfish.exe). Using ZwCreateSection to create the file as a section that's used for mapping into the process. Note: in practice, fopen() should be replaced by CreateFile.

  18. ... → ntdll!RtlCreateProcessParametersEx: create a PEB struct (.ImageBase) & write the info manually, so we can make the process path & cmdline in disguise :)
      path: "C:\fishfish.exe"
      cmdline: "fishfish.exe http://30cm.tw"
      workDir: "C:\Windows\System32"

  19. ... → ntdll!ZwCreateThreadEx (full chain: kernel32!CreateProcessW → kernel32!CreateProcessInternalW → ntdll!ZwCreateProcessEx( section ) → ntdll!RtlCreateProcessParametersEx → ntdll!ZwCreateThreadEx)

  20. miniCreateProcessEx https://github.com/aaaddress1/PR0CESS

  21. miniCreateProcessEx https://github.com/aaaddress1/PR0CESS: yeah, got signed by M$
  22. It's All About The Time :) Hey... Wait a minute. So where's the Antivirus?

  23. Scan in "Real-Time"?
     • Microsoft provides a set of APIs for security vendors, to monitor:
       • PsSetCreateProcessNotifyRoutineEx
       • PsSetCreateThreadNotifyRoutineEx
     • It's in Kernel, hard to unhook
     • Sure, bad for attackers :(

  24. Ok, so what have they got in hand?
     • PsSetCreateProcessNotifyRoutineEx:
       • Receives a PS_CREATE_NOTIFY_INFO struct
       • It's a record about our child process
       • FILE_OBJECT corresponds to the file on disk ...yes, it's the object obtained by fopen()
       • ImageFileName & CommandLine: we can fake them, not a problem ;)

      typedef struct _PS_CREATE_NOTIFY_INFO {
          SIZE_T Size;
          union {
              ULONG Flags;
              struct {
                  ULONG FileOpenNameAvailable : 1;
                  ULONG IsSubsystemProcess : 1;
                  ULONG Reserved : 30;
              };
          };
          HANDLE ParentProcessId;
          CLIENT_ID CreatingThreadId;
          struct _FILE_OBJECT *FileObject;
          PCUNICODE_STRING ImageFileName;
          PCUNICODE_STRING CommandLine;
          NTSTATUS CreationStatus;
      } PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

  25. Process Notify? When? Explorer → kernel32!CreateProcessW → kernel32!CreateProcessInternalW → ntdll!ZwCreateProcessEx( section ) → ntdll!RtlCreateProcessParametersEx → ntdll!ZwCreateThreadEx (--- ntdll!ZwCreateUserProcess on Win7+ ---), with filePtr = fopen( "C:\fishfish.exe" ). You'll say: hey, it's easy, it should be here, right?

  26. Process Notify? When? ... but actually here :) at the creation of the first thread (ntdll!ZwCreateThreadEx)

  27. It's not the worst... scan the fopened file & the files listed in the PEB (same PS_CREATE_NOTIFY_INFO struct as slide 24) ... but actually at the creation of the first thread :)

  28. Attacker: filePtr = fopen( "dummy.txt" , "wb" ) → dummy.txt. Create a controllable file for attackers. Note: in practice, fopen() should be replaced by CreateFile.

  29. Attacker: WriteFile( filePtr, mimikatz, ... ) # write malware into it; ntdll!ZwCreateProcessEx( section ) # create the file as a new process → Process (dummy.txt) with PE Header, .text, .data, .idata, .reloc 🥝 (🥝 marks the malware payload in the diagrams). Yeah! So mimikatz landed in the process.

  30. Attacker: WriteFile( filePtr, "AAAAAA..." ) → dummy.txt on disk now reads "AAAAAAAAAAAAA". # remember that the file is still controlled? # this makes it look innocent :)

  31. ... → ntdll!RtlCreateProcessParametersEx (PEB) → ntdll!ZwCreateThreadEx; Process (dummy.txt) 🥝 while dummy.txt on disk is "AAAAAAAAAAAAA"

  32. By this trick, AV/EDR always scans the wrong file (not the file run as the process).

  33. miniHerpaderping https://github.com/aaaddress1/PR0CESS

  34. miniHerpaderping https://github.com/aaaddress1/PR0CESS: we're mspaint.exe now

  35. Process Doppelganging
     • The issue was first introduced at BlackHat Europe 2017, "Lost in Transaction: Process Doppelgänging" by @Tal_Liberman
     • More variants followed this attack vector
       • Osiris banking Trojan
       • Herpaderping by @jxy__s
       • Process Ghosting by @GabrielLandau
     • Not sneaky enough in 2021, got blocked by Defender
       • the well-known Minifilter
       • provides Defender with the ability to scan written files on NTFS
     → Find a method to control file data, but not actually write it?
     (diagram: filePtr = fopen( "dummy.txt" , "wb" ); WriteFile( filePtr, mimikatz, ... ) → dummy.txt 🥝)
  36. Fileless: Do we really need a file to run the process?

  37. Attacker: filePtr = fopen( "dummy.txt" , "wb" ); FileDispositionInfo.DeleteFile = TRUE → dummy.txt. # using SetFileInformationByHandle, # mark it as a temporary (delete-on-close) file. Note: in practice, fopen() should be replaced by CreateFile.

  38. Attacker: WriteFile( filePtr, mimikatz, ... ) → dummy.txt 🥝. As a result, we're indeed writing the malware payload into a file on NTFS, but Defender cannot access or scan it until we close it :)

  39. Attacker: ntdll!ZwCreateProcessEx( section ) → Process (dummy.txt) with PE Header, .text, .data, .idata, .reloc 🥝 (PEB)

  40. Attacker: ntdll!ZwClose( filePtr ) → dummy.txt: bye :) vanishes from NTFS. # it's temporary, right? # the file vanishes once it gets closed

  41. Attacker: ... → ntdll!RtlCreateProcessParametersEx (PEB) → ntdll!ZwCreateThreadEx; Process (dummy.txt) 🥝 while dummy.txt is gone from NTFS

  42. By this trick AV/EDR *ALWAYS* scans a non-existent file?

  43. miniGhosting https://github.com/aaaddress1/PR0CESS: name? no, it's fileless :)

  44. Process Ghosting
     • Abuse a temporary file to run a Ghost Process: "What you need to know about Process Ghosting, a new executable image tampering attack" by @GabrielLandau
     • Totally bypasses Defender & the others based on Minifilter
     → New idea: run ourselves like a ghost, without a custom launcher?
  45. Arbitrary Unlink: Yes, unlink all the files. Even a running process.

  46. NTFS Streams - Mark of the Web

  47. NTFS Streams - Malware

  48. NTFS Streams - Malware: Write malware to an arbitrary stream of an innocent file & run it as a single process. Even while the process is still running, we can delete it anyway :)

  49. Force Unlink
     • Windows does not allow the deletion of files of a running process
     • Amazing trick to force-unlock files found by @jonasLyk
       1. open the file with the DELETE flag
       2. relocate the EXE data from the main stream to another one
       3. yes, we can delete it now :)

  50. Attacker: Malware Dropping & Run → Malware.exe ::$DATA 1337 bytes 🥝

  51. Attacker: filePtr = CreateFile( "malware.exe" , DELETE ); FILE_RENAME_INFORMATION.FileName = ":dummy"; ntdll!ZwClose( filePtr ) → Malware.exe ::$DATA 0 bytes, :dummy:$DATA 1337 bytes 🥝. # using SetFileInformationByHandle, relocate the data to the dummy stream

  52. ... then kernel32!DeleteFile( "malware.exe" ) 🥝

  53. Malware.exe ::$DATA = Signed Benignware, :dummy:$DATA = Malware Running 🥝. Fill in the payload of a signed EXE: during AV/EDR scheduled scanning, does it always fetch the EXE data from the main stream?

  54. DEMO: File Unlink & Forged Sign https://github.com/aaaddress1/Skrull

  55. Skrull: Anti-Copy Launcher. Fileless Malware Launcher: to armor malware and deploy it on the victim

  56. Automatic Sample Submission
     • Most AV/EDR embed the feature by default, e.g. Windows Defender
     • Invoked when attackers carelessly perform suspicious behaviors
     • AV/EDR keep eyes on attackers by collecting those dropped files & analyzing them
     • Fileless is cool, but attackers need to deploy a persistent trojan for long-term monitoring
     → Find a method to let the files be naturally broken when submitted?

  57. 🚀 Skrull DRM: Anti-Copy Malware Launcher
     • Anti-Copy Malware Launcher
       • Runs malware by the Process-Ghosting method
       • DRM: the launcher couldn't be copied to another environment
       • Easy for attackers to run malware persistently & evade AV/EDR
     • Anti-Copy DRM for Malware
       • Obtain unique features of the victim's environment: user name, system version, CPU count, etc.
       • Should not be reproducible on a different environment
       • Use those features to reassemble our EXE file
       • EXE files will be naturally broken when copied

  58. Skrull: Attacker runs the launcher Skrull.exe (*contains malware payload*) → Collect unique features on the victim → Reassemble & armor itself (Persistence & Anti-Copy)

  59. Skrull: ... → Decrypt malware payload → Launch Malware.exe 🥝 by the Ghosting trick (Fileless)

  60. Skrull: the AV/EDR Lab (Auto Sample Submit) always captures broken files

  61. DEMO: Skrull Malware DRM https://github.com/aaaddress1/Skrull

  62. Conclusion

  63. Conclusion
     • Process Ghosting: Attackers can abuse temporary files to create processes that will not be scanned by AV/EDR Real-Time Scan
     • File Unlink: Delete running programs by migrating data between NTFS streams
     • DRM: Malware rebuilds itself before being submitted by AV/EDR, so it can perfectly resist follow-up analysis by researchers
     • Malware Scheduled & Real-Time Scan
       A. shouldn't assume all running processes must have an EXE file on NTFS
       B. shouldn't only scan files on NTFS, but also running processes, to prevent fileless & DRM attacks

  64. © 2021
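A defender-side check that follows from the Force Unlink slides (49 to 53) and from conclusion points A and B, added here as an example that is not part of the deck or of the Skrull/PR0CESS projects: it lists running processes whose backing image no longer exists on NTFS (the Ghosting / Unlink symptom) and executables whose main ::$DATA stream is empty or that carry an alternate data stream other than Zone.Identifier. The scan root C:\Users is an assumed example path.

```powershell
# Added example (not from the deck): hunt, from the defender's side, for the two
# on-disk artefacts the talk describes.

# 1. Running processes whose image file is gone from NTFS (Ghosting / Unlink).
#    Conclusion point A: do not assume every running process has an EXE on disk.
function Get-OrphanedProcess {
    Get-Process | ForEach-Object {
        $p = $_
        $path = $null
        try { $path = $p.Path } catch { }   # protected processes may deny access
        if ($null -eq $path) {
            # Path unreadable: report as unknown rather than claiming it is missing
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = '<unreadable>'; State = 'Unknown' }
        } elseif (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $path; State = 'ImageMissing' }
        }
    }
}

# 2. Executables whose primary stream is empty or that carry extra $DATA streams.
#    The unlink trick leaves "::$DATA 0 bytes" beside ":dummy:$DATA 1337 bytes",
#    and a scheduled scan that only reads the main stream sees nothing (slide 53).
function Get-SuspiciousExeStream {
    param([string]$Root = 'C:\Users')   # assumed scan root; adjust for your estate
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA' -and $s.Length -eq 0) {
                [pscustomobject]@{ File = $file.FullName; Stream = $s.Stream; Length = $s.Length; Reason = 'EmptyMainStream' }
            } elseif ($s.Stream -ne ':$DATA' -and $s.Stream -ne 'Zone.Identifier') {
                # Zone.Identifier is the Mark-of-the-Web stream (slide 46); anything else is worth a look
                [pscustomobject]@{ File = $file.FullName; Stream = $s.Stream; Length = $s.Length; Reason = 'AlternateStream' }
            }
        }
      }
}

Get-OrphanedProcess | Format-Table -AutoSize
Get-SuspiciousExeStream | Format-Table -AutoSize
```

Run it elevated so that Get-Process can read the image path of more processes; an 'Unknown' row is an access limit, not a finding, and should be re-checked with a kernel-side tool.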