PE-sieve – Detecting Hooking and Code Implants

hasherezade
September 14, 2018


Transcript

  1. Hasherezade @hasherezade PE-SIEVE – DETECTING HOOKING AND CODE IMPLANTS

  2. Agenda
     1. Basics – how code implants are installed
     2. Searching and preventing malicious implants
     3. Introducing PE-sieve
     4. PE-sieve implementation details

  3. BASICS – HOW CODE IMPLANTS ARE INSTALLED (AND WHY?)

  4. Basics – a process

  5. Basics – how and why are code implants installed? Any code that was added to the original process. It can be a PE (DLL, EXE) or a shellcode.

  6. Basics – code implants and in-memory patches
     • Malicious and non-malicious purposes
     • Process impersonation (Process Hollowing etc.) – the full PE is replaced/implanted
     • Micro-patching applications without recompiling code
     • Packed executables, self-modifying code
     • Hooking: userland rootkits, data interception, sandboxes

  7. Basics – inline hooking

  8. Basics – process impersonation
     • Malware impersonates processes to run under their cover
     • Examples of the techniques:
       • Process Hollowing (RunPE)
       • Reflective DLL injection
       • Manual PE loading (various variants)
       • Process Doppelgänging
       • Combinations of multiple techniques (e.g. Transacted Hollowing)

  9. Basics – Process Hollowing

  10. Basics – Process Doppelgänging

  11. Basics – new combinations of known techniques https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/

  12. SEARCHING AND PREVENTING MALICIOUS IMPLANTS

  13. Searching and preventing malicious implants
     • Many AV products monitor the called APIs to prevent installing malicious implants
     Blocked by AV

  14. Searching and preventing malicious implants
     • Malware authors/offensive researchers try to evade it by finding uncommon APIs that can be used to make an injection. Some newer examples:
       • AtomBombing technique
       • Process Doppelgänging
     • What if some unknown API was used for injection?

  15. Searching and preventing malicious implants
     • What if we want to scan a system post factum?
     • How to detect an implant without knowing how it was injected?

  16. Searching and preventing malicious implants
     • There are various applications that allow detecting some indicators, e.g. GMER (rootkits/hooking), RunPE detector
     • They don’t help collecting material for analysis
     • Some of them detect only the most popular variants of the implants – not robust enough to analyze new types of malware

  17. Searching and preventing malicious implants
     • RunPE detector – detects typical RunPE, but not its modified versions https://www.youtube.com/watch?v=-8EJfvPo_yQ

  18. Searching and preventing malicious implants
     • Volatility + MalFind plugin
     • Works on Volatility dumps https://www.youtube.com/watch?v=lm4oESpAnmM

  19. INTRODUCING PE-SIEVE

  20. Introducing PE-sieve
     • PE-sieve – works on a live system
     • Focus: speed and simplicity of use
     • Passive scan, not hooking any APIs
     • Can be used post-infection
     • Generates material ready to be analyzed: not only detection, but precise details
     • Free & open source: https://github.com/hasherezade/pe-sieve https://github.com/hasherezade/hollows_hunter

  21. Introducing PE-sieve

  22. Introducing PE-sieve: Hollows Hunter – deploys the scan on all the running processes

  23. What does PE-sieve detect?
     • Inline hooks
     • Packed and self-modifying PE files
     • Replaced processes: e.g. Process Hollowing, Process Doppelgänging
     • Manually loaded PE files (Reflective DLL Injection and others)
     • Shellcodes

  24. PE-sieve vs corrupt PE implants
     • Reconstructs erased imports
     • Detects (and possibly reconstructs) partially erased PE headers

  25. Inline hooking detection
     • Test case #1: a crackme with inline hooks
     • Report from GMER

  26. Inline hooking detection
     • Test case #1: a crackme with inline hooks
     • Report from PE-sieve: the hooked/patched module is automatically dumped, together with a report about the hooks

  27. Inline hooking detection: tagging hooks
     • The TAG file, along with the dumped module, can be loaded into PE-bear or IDA and further analyzed

  28. Implanted PE files: Kronos case study – the Entry Point of svchost is patched to redirect to the implant

  29. PE-SIEVE – HOW DOES IT WORK?

  30. Simple ideas work...
     • It is very easy to detect code overwritten in memory by comparing it with the executable on disk
     • No impersonation technique is perfect: they all leave some suspicious artefacts

  31. Detection: inline hooking, self-modifying code
     • Code scan
     • Load the PE from the disk that corresponds to the module within the process
     • Detect all the sections containing code
     • Transform both sections into the same format (relocate to the same base, remove the IAT, etc.)
     • Compare
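An added worked example of the code scan from slide 31 (this is illustrative code, not PE-sieve's own implementation): the code section, the relocation table, the IAT slot and the hook bytes are all constructed here, and the functions relocate the on-disk copy to the in-memory base, blank the IAT in both copies, and report the spans that still differ, which is the information a hook report boils down to.

```python
import struct

IMAGE_REL_BASED_DIR64 = 10   # relocation type for 64-bit absolute pointers

def relocate(section, section_rva, relocs, delta):
    """Return a copy of `section` with `delta` added to every DIR64 pointer
    that the (constructed) relocation table places inside this section."""
    buf = bytearray(section)
    for rva, rel_type in relocs:
        off = rva - section_rva
        if rel_type == IMAGE_REL_BASED_DIR64 and 0 <= off <= len(buf) - 8:
            val = struct.unpack_from("<Q", buf, off)[0]
            struct.pack_into("<Q", buf, off, (val + delta) & 0xFFFFFFFFFFFFFFFF)
    return bytes(buf)

def mask(section, ranges):
    """Zero the given (offset, length) spans, e.g. IAT slots the loader fills."""
    buf = bytearray(section)
    for off, length in ranges:
        buf[off:off + length] = b"\x00" * length
    return bytes(buf)

def find_patches(disk_code, mem_code, section_rva, relocs, disk_base, mem_base, iat_ranges):
    """Normalize both copies to the in-memory base, drop the IAT, then
    return the differing spans as (offset, length) tuples."""
    a = mask(relocate(disk_code, section_rva, relocs, mem_base - disk_base), iat_ranges)
    b = mask(mem_code, iat_ranges)
    patches, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            patches.append((start, i - start))
            start = None
    if start is not None:
        patches.append((start, len(a) - start))
    return patches

def demo():
    """Constructed sample: a 64-byte .text with one relocated pointer, one IAT
    slot, and a 5-byte JMP written over a function entry at offset 0x10."""
    section_rva, disk_base, mem_base = 0x1000, 0x140000000, 0x7FF600000000
    disk = bytearray(b"\x90" * 0x40)
    struct.pack_into("<Q", disk, 0x20, disk_base + 0x3000)   # absolute pointer
    relocs, iat = [(section_rva + 0x20, IMAGE_REL_BASED_DIR64)], [(0x30, 8)]
    mem = bytearray(relocate(bytes(disk), section_rva, relocs, mem_base - disk_base))
    struct.pack_into("<Q", mem, 0x30, 0x7FFA12345678)        # loader resolved the import
    mem[0x10:0x15] = b"\xE9" + struct.pack("<i", 0x1234)    # inline hook: JMP rel32
    return find_patches(bytes(disk), bytes(mem), section_rva, relocs, disk_base, mem_base, iat)
```

Only the hooked entry is reported; the relocated pointer and the filled IAT slot are normalized away, which is why a naive byte-for-byte comparison against the file on disk would produce false positives.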
  32. Detection: impersonated process
     • Headers scan
     • Load the PE from the disk that corresponds to the module within the process
     • Are their headers matching?
     • When does it work? For all the techniques that rely on connecting the implanted PE to the PEB, in order to have imports automatically resolved

  33. Headers scan detected Process Hollowing

  34. Detection: manually mapped PE / shellcode
     • Workingset scan
     • Search executable memory pages that are not a part of any module
     • Suspicious mapping type? Other indicators?
     • Are they part of a PE file? Detection of PE headers / artefacts

  35. This is not a normally mapped PE... #1

  36. This is not a normally mapped PE... #1 https://github.com/stephenfewer/ReflectiveDLLInjection
     [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
     [-] RWX – very unusual protection

  37. This is not a normally mapped PE... #1 – Reflective DLL injection

  38. This is not a normally mapped PE... #2

  39. This is not a normally mapped PE... #2
     [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
     Process Hollowing or manually mapped PE

  40. This is not a normally mapped PE... #3

  41. This is not a normally mapped PE... #3
     [-] PE implanted into MEM_MAPPED (vs typical: MEM_IMAGE)
     From Kronos loader

  42. This is not a normally mapped PE... #4

  43. This is not a normally mapped PE... #4
     [+] MEM_IMAGE -> OK
     [-] PE Image has no path!
     Process Doppelgänging
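An added example, not PE-sieve's own code, that applies the working-set indicators from slides 34 to 43 to region records shaped after what VirtualQueryEx returns plus the mapped file name and the first bytes of the region; the region list and its contents are constructed for the demonstration, and the `head` field stands in for bytes a real scanner would read from the process.

```python
# Constants from winnt.h; the region records below are constructed, not read from a process
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0xF0  # every PAGE_EXECUTE* protection sets a bit in the high nibble

def region_indicators(region):
    """Apply the working-set heuristics to one region.
    `region` mimics VirtualQueryEx output plus the mapped file name and the
    first bytes of the region (constructed here, read from memory in practice)."""
    if not region["protect"] & EXEC_MASK:
        return []                                   # not executable: out of scope
    if region["type"] == MEM_IMAGE and region["path"]:
        return ["[+] MEM_IMAGE with path -> OK"]   # a normally mapped module
    has_pe = region["head"][:2] == b"MZ"            # PE header artefact at the base
    found = []
    if region["type"] == MEM_PRIVATE:
        found.append("[-] PE implanted into MEM_PRIVATE" if has_pe
                     else "[-] executable MEM_PRIVATE without PE header: shellcode?")
    elif region["type"] == MEM_MAPPED and has_pe:
        found.append("[-] PE implanted into MEM_MAPPED")
    elif region["type"] == MEM_IMAGE:               # image mapping with no backing path
        found += ["[+] MEM_IMAGE -> OK", "[-] PE Image has no path!"]
    if region["protect"] == PAGE_EXECUTE_READWRITE:
        found.append("[-] RWX - very unusual protection")
    return found

def scan(regions):
    """Return {base: indicators} for every region with at least one [-] finding."""
    report = {}
    for r in regions:
        hits = region_indicators(r)
        if any(h.startswith("[-]") for h in hits):
            report[r["base"]] = hits
    return report

MZ = b"MZ\x90\x00"
SAMPLE_REGIONS = [  # constructed sample, one region per slide case plus two benign ones
    {"base": 0x7FFE0000, "type": MEM_IMAGE,   "protect": 0x20, "path": r"C:\Windows\System32\ntdll.dll", "head": MZ},
    {"base": 0x1A0000,   "type": MEM_PRIVATE, "protect": 0x40, "path": "", "head": MZ},               # slide 36
    {"base": 0x2B0000,   "type": MEM_MAPPED,  "protect": 0x20, "path": "", "head": MZ},               # slide 41
    {"base": 0x3C0000,   "type": MEM_IMAGE,   "protect": 0x20, "path": "", "head": MZ},               # slide 43
    {"base": 0x4D0000,   "type": MEM_PRIVATE, "protect": 0x40, "path": "", "head": b"\xFC\x48\x83"},  # raw code
    {"base": 0x5E0000,   "type": MEM_PRIVATE, "protect": 0x04, "path": "", "head": b"\x00\x00"},      # RW heap
]
```

The benign ntdll mapping and the read-write heap page produce no finding, while each implanted region is reported with the same indicator strings the slides show.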
  44. Detecting partially erased headers – Princess Locker overwrites the headers of the implant with trash

  45. Detecting partially erased headers https://www.youtube.com/watch?v=dFJcGYUFB0s – PE-sieve is still able to detect the remains of the header and reconstruct the full PE

  46. Implanted PE files: fixing erased imports https://www.youtube.com/watch?v=YJjm5yT1rdM – PE-sieve with the option /imp – recovering imports

  47. PE-sieve – TODO:
     • IAT/EAT hooking detection
     • Classic DLL injection detection
     • Whitelisting known hooks
     • Bugs? Ideas? https://github.com/hasherezade/pe-sieve/issues

  48. PE-sieve – links
     • More info: https://hshrzd.wordpress.com/pe-sieve/
     • Tweets – updates: https://twitter.com/i/moments/1024005197926936577
     • Code: https://github.com/hasherezade/pe-sieve https://github.com/hasherezade/hollows_hunter

  49. Hasherezade @hasherezade THANK YOU