PE-sieve – Detecting Hooking and Code Implants

September 14, 2018

1. Agenda
   1. Basics – how code implants are installed
   2. Searching and preventing malicious implants
   3. Introducing PE-sieve
   4. PE-sieve implementation details

2. Basics – how and why are code implants installed?
   • A code implant is any code that was added to the original process. It can be a PE (DLL, EXE) or a shellcode.

3. Basics – code implants and in-memory patches
   • Malicious and non-malicious purposes
   • Process impersonation (Process Hollowing etc.) – the full PE is replaced/implanted
   • Micro-patching applications without recompiling code
   • Packed executables, self-modifying code
   • Hooking: userland rootkits, data interception, sandboxes

4. Basics – process impersonation
   • Malware impersonates processes to run under their cover
   • Examples of the techniques:
     • Process Hollowing (RunPE)
     • Reflective DLL injection
     • Manual PE loading (various variants)
     • Process Doppelgänging
     • Combinations of multiple techniques (e.g. Transacted Hollowing)

5. Searching and preventing malicious implants
   • Many AV products monitor the called APIs to prevent installing malicious implants
   (Figure: injection attempt blocked by AV)

6. Searching and preventing malicious implants
   • Malware authors/offensive researchers try to evade it by finding uncommon APIs that can be used to perform the injection. Some newer examples:
     • AtomBombing technique
     • Process Doppelgänging
   • What if some unknown API was used for the injection?

7. Searching and preventing malicious implants
   • What if we want to scan a system post factum?
   • How to detect an implant without knowing how it was injected?

8. Searching and preventing malicious implants
   • There are various applications that can detect some indicators, e.g. GMER (rootkits/hooking), RunPE detector
   • They don’t help in collecting material for analysis
   • Some of them detect only the most popular variants of the implants – not robust enough to analyze new types of malware

9. Searching and preventing malicious implants
   • RunPE detector – detects the typical RunPE, but not its modified versions
   • https://www.youtube.com/watch?v=-8EJfvPo_yQ

10. Searching and preventing malicious implants
   • Volatility + MalFind plugin
   • Works on Volatility dumps
   • https://www.youtube.com/watch?v=lm4oESpAnmM

11. Introducing PE-sieve
   • PE-sieve works on a live system
   • Focus: speed and simplicity of use
   • Passive scan, does not hook any APIs
   • Can be used post-infection
   • Generates material ready to be analyzed: not only detection, but precise details
   • Free & open source:
     • https://github.com/hasherezade/pe-sieve
     • https://github.com/hasherezade/hollows_hunter
12. What does PE-sieve detect?
   • Inline hooks
   • Packed and self-modifying PE files
   • Replaced processes: e.g. Process Hollowing, Process Doppelgänging
   • Manually loaded PE files (Reflective DLL Injection and others)
   • Shellcodes

13. PE-sieve vs corrupt PE implants
   • Reconstructs erased imports
   • Detects (and possibly reconstructs) partially erased PE headers

14. Inline hooking detection
   • Test case #1: a crackme with inline hooks
   • Report from PE-sieve
   (Figure: the hooked/patched module is automatically dumped; report about hooks)

15. Inline hooking detection: tagging hooks
   • The TAG file, along with the dumped module, can be loaded into PE-bear or IDA and analyzed further

16. Implanted PE files: Kronos case study
   • The Entry Point of svchost is patched to redirect to the implant

17. Simple ideas work...
   • It is very easy to detect code overwritten in memory by comparing it with the executable on disk
   • No impersonation technique is perfect: they all leave some suspicious artefacts

18. Detection: inline hooking, self-modifying code
   • Code scan
   • Load the PE from the disk that corresponds to the module within the process
   • Detect all the sections containing code
   • Transform both sections into the same format (relocate to the same base, remove the IAT, etc.)
   • Compare
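The code scan on slide 18, worked through as an added example that is not part of the deck or of PE-sieve's own code. It uses a constructed 64-byte code section of a hypothetical PE32 module (the addresses, relocation entries, IAT range and hook bytes are all made up for the illustration): the on-disk copy is re-based to the in-memory load address, the IAT is zeroed in both copies so that loader-resolved pointers do not show up as differences, and only then are the two compared. The one run of bytes that survives normalization is the inline hook (a JMP rel32 over the function prologue); the comparison without normalization reports four differences, which is the false-positive noise the "transform both sections into the same format" step exists to remove.

```python
import struct

# Constructed sample (not real module data): a 64-byte code section of a
# hypothetical PE32 module, linked at DISK_BASE and loaded at MEM_BASE.
DISK_BASE = 0x00400000
MEM_BASE = 0x00500000
SECTION_RVA = 0x1000

# Relocation targets (RVAs of 4-byte absolute addresses) as they would be read
# from the .reloc directory, and the IAT range from the data directory.
RELOC_RVAS = [0x1010, 0x1020]
IAT_RVA, IAT_SIZE = 0x1030, 8


def build_disk_section():
    """Code section as it is stored in the file on disk."""
    buf = bytearray(b"\x90" * 64)
    buf[0:5] = b"\x8b\xff\x55\x8b\xec"                        # original prologue
    buf[0x10:0x14] = struct.pack("<I", DISK_BASE + 0x2000)    # absolute pointer
    buf[0x20:0x24] = struct.pack("<I", DISK_BASE + 0x3000)    # absolute pointer
    buf[0x30:0x38] = b"\x00" * 8                              # IAT, unresolved on disk
    return bytes(buf)


def build_memory_section():
    """Same section read back from the process: loader changes plus one hook."""
    buf = bytearray(build_disk_section())
    buf[0x10:0x14] = struct.pack("<I", MEM_BASE + 0x2000)     # relocation applied
    buf[0x20:0x24] = struct.pack("<I", MEM_BASE + 0x3000)     # relocation applied
    buf[0x30:0x38] = struct.pack("<II", 0x76A01234, 0x76A05678)  # IAT filled in
    buf[0:5] = b"\xe9\x00\x10\x00\x00"                        # inline hook: JMP rel32
    return bytes(buf)


def normalize(section, section_rva, from_base, to_base, reloc_rvas, iat_rva, iat_size):
    """Copy of `section` re-based from from_base to to_base, with the IAT zeroed.

    Both loader effects (relocations, import resolution) are removed so that
    only real code changes survive the comparison.
    """
    buf = bytearray(section)
    delta = to_base - from_base
    for rva in reloc_rvas:
        off = rva - section_rva
        if 0 <= off <= len(buf) - 4:
            val, = struct.unpack_from("<I", buf, off)
            struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    start = iat_rva - section_rva
    if 0 <= start < len(buf):
        end = min(start + iat_size, len(buf))
        buf[start:end] = b"\x00" * (end - start)
    return bytes(buf)


def find_patches(disk, mem, section_rva):
    """Runs of differing bytes as (rva, disk_bytes, mem_bytes) tuples."""
    patches = []
    i, n = 0, min(len(disk), len(mem))
    while i < n:
        if disk[i] == mem[i]:
            i += 1
            continue
        j = i
        while j < n and disk[j] != mem[j]:
            j += 1
        patches.append((section_rva + i, disk[i:j], mem[i:j]))
        i = j
    return patches


def hook_target(rva, mem_bytes):
    """RVA that a JMP rel32 (E9) patch jumps to, or None if the patch is not a JMP."""
    if len(mem_bytes) < 5 or mem_bytes[0] != 0xE9:
        return None
    rel32, = struct.unpack("<i", mem_bytes[1:5])
    return rva + 5 + rel32


def scan_code_section():
    """The slide's procedure end to end: normalize both copies, then compare."""
    disk = normalize(build_disk_section(), SECTION_RVA, DISK_BASE, MEM_BASE,
                     RELOC_RVAS, IAT_RVA, IAT_SIZE)
    mem = normalize(build_memory_section(), SECTION_RVA, MEM_BASE, MEM_BASE,
                    RELOC_RVAS, IAT_RVA, IAT_SIZE)
    return find_patches(disk, mem, SECTION_RVA)


if __name__ == "__main__":
    for rva, before, after in scan_code_section():
        target = hook_target(rva, after)
        note = f", JMP to RVA {target:#x}" if target is not None else ""
        print(f"patch at RVA {rva:#x}: {before.hex()} -> {after.hex()}{note}")
```

In a real scan the relocation list, IAT range and section boundaries come from the on-disk PE's data directories and section table, and the in-memory copy is read with ReadProcessMemory; the comparison logic itself does not change.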
19. Detection: impersonated process
   • Headers scan
   • Load the PE from the disk that corresponds to the module within the process
   • Do their headers match?
   • When does it work?
     • For all the techniques that rely on connecting the implanted PE to the PEB in order to have the imports resolved automatically
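The headers scan on slide 19, as an added example that is not part of the deck or of PE-sieve's own code. A minimal parser pulls the fields that should be identical between the file on disk and the module in memory out of a raw header blob (DOS header, PE signature, IMAGE_FILE_HEADER and the start of the optional header, PE32 and PE32+ layouts both handled), and the comparison reports which of them differ. ImageBase is deliberately excluded, because the loader rewrites it in memory after relocation. The two header blobs are constructed here for the illustration (an svchost-like image on disk versus a foreign PE that replaced it in memory); the values are made up.

```python
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
# Header fields that must agree between the file on disk and the loaded module.
# ImageBase is left out on purpose: the loader updates it when the image is relocated.
STABLE_FIELDS = ("machine", "magic", "sections", "timestamp", "entry_point", "size_of_image")


def build_pe32_headers(entry_point, image_base, size_of_image, num_sections, timestamp):
    """Constructed minimal PE32 headers (DOS header + NT headers), no section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, num_sections, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)     # ImageBase (PE32 layout)
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    return dos + b"PE\x00\x00" + file_header + bytes(opt)


def parse_headers(blob):
    """Pull the fields the headers scan compares out of a raw PE header blob."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, sections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    oh = fh + 20                                   # IMAGE_FILE_HEADER is 20 bytes
    magic, = struct.unpack_from("<H", blob, oh)
    entry_point, = struct.unpack_from("<I", blob, oh + 16)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base, = struct.unpack_from("<I", blob, oh + 28)
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base, = struct.unpack_from("<Q", blob, oh + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image, = struct.unpack_from("<I", blob, oh + 56)  # same offset in PE32/PE32+
    return {"machine": machine, "sections": sections, "timestamp": timestamp,
            "magic": magic, "entry_point": entry_point, "image_base": image_base,
            "size_of_image": size_of_image}


def compare_headers(disk_blob, mem_blob):
    """Names of the stable fields that differ; an empty list means the headers match."""
    disk, mem = parse_headers(disk_blob), parse_headers(mem_blob)
    return [field for field in STABLE_FIELDS if disk[field] != mem[field]]


def demo_hollowed_process():
    """Constructed case: svchost-like headers on disk vs. a foreign PE in memory."""
    disk = build_pe32_headers(entry_point=0x1234, image_base=0x00400000,
                              size_of_image=0x9000, num_sections=5, timestamp=0x5B9B0000)
    mem = build_pe32_headers(entry_point=0x3000, image_base=0x00400000,
                             size_of_image=0x12000, num_sections=3, timestamp=0x5A000000)
    return compare_headers(disk, mem)


if __name__ == "__main__":
    print("mismatching header fields:", demo_hollowed_process())
```

A matching result is only meaningful when the in-memory headers are intact; an implant that erased or truncated its headers (slide 13) needs the reconstruction step before this comparison can be applied.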
20. Detection: manually mapped PE / shellcode
   • Working set scan
   • Search executable memory pages that are not a part of any module
   • Suspicious mapping type? Other indicators?
   • Are they part of a PE file? Detection of PE headers/artefacts

21. This is not a normally mapped PE... #1
   • Reflective DLL injection: https://github.com/stephenfewer/ReflectiveDLLInjection
   [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
   [-] RWX – very unusual protection

22. This is not a normally mapped PE... #2
   [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
   • Process Hollowing or manually mapped PE

23. This is not a normally mapped PE... #3
   [-] PE implanted into MEM_MAPPED (vs typical: MEM_IMAGE)
   • From Kronos loader

24. This is not a normally mapped PE... #4
   [+] MEM_IMAGE -> OK
   [-] PE Image has no path!
   • Process Doppelgänging
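The working set scan of slide 20 and the four cases on slides 21 to 24, turned into one triage routine as an added example that is not part of the deck or of PE-sieve's own code. Each committed, executable region is classified by its mapping type, protection, backing file path and whether it starts with a PE header, which yields exactly the indicators the slides list (MEM_PRIVATE or MEM_MAPPED instead of MEM_IMAGE, RWX protection, MEM_IMAGE without a path). The region list is constructed for the illustration and shaped like what VirtualQueryEx plus GetMappedFileName would return; the field names, addresses and first bytes are assumptions, and the cross-check against the PEB module list is left out.

```python
# Windows memory constants (values as in <winnt.h>)
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY


def region(base, mem_type, protect, path, head, size=0x1000):
    """One committed region, shaped like VirtualQueryEx + GetMappedFileName output (assumed layout)."""
    return {"base": base, "size": size, "state": MEM_COMMIT, "type": mem_type,
            "protect": protect, "path": path, "head": head}


PE_HEAD = b"MZ\x90\x00"          # first bytes of a PE image
CODE_HEAD = b"\x55\x8b\xec\x90"  # plain code, no PE header

# Constructed working set (not a capture from a real process).
SAMPLE_REGIONS = [
    region(0x77000000, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\Windows\System32\ntdll.dll", PE_HEAD),  # normal DLL
    region(0x00400000, MEM_IMAGE, PAGE_EXECUTE_READ, "", PE_HEAD),        # slide 24: image without a path
    region(0x02A10000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, "", PE_HEAD),  # slide 21: reflectively loaded DLL
    region(0x03000000, MEM_PRIVATE, PAGE_EXECUTE_READ, "", PE_HEAD),       # slide 22: manually mapped PE
    region(0x04000000, MEM_MAPPED, PAGE_EXECUTE_READ, "", PE_HEAD),        # slide 23: PE in a mapped section
    region(0x05000000, MEM_PRIVATE, PAGE_EXECUTE_READ, "", CODE_HEAD),     # executable, no PE header
    region(0x00600000, MEM_PRIVATE, PAGE_READWRITE, "", b"\x00" * 4),      # heap: not executable, ignored
]


def triage_region(reg):
    """Suspicious indicators for one region; an empty list means nothing to report.

    Only committed, executable regions are of interest. Normally mapped images
    (MEM_IMAGE with a backing file) are left to the headers/code scans.
    """
    findings = []
    if reg["state"] != MEM_COMMIT or reg["protect"] not in EXEC_PROTECTIONS:
        return findings
    if reg["type"] == MEM_IMAGE:
        if not reg["path"]:                      # slide 24: Process Doppelgänging artefact
            findings.append("MEM_IMAGE without a file path")
        return findings
    kind = "MEM_PRIVATE" if reg["type"] == MEM_PRIVATE else "MEM_MAPPED"
    findings.append(f"executable {kind} region (not a loaded module)")
    if reg["protect"] == PAGE_EXECUTE_READWRITE:  # slide 21: RWX is very unusual
        findings.append("RWX protection")
    if reg["head"][:2] == b"MZ":                  # PE header artefact inside the region
        findings.append("PE header present: implanted PE")
    else:
        findings.append("no PE header: shellcode candidate")
    return findings


def scan_working_set(regions):
    """Map base address -> indicators for every region that raised at least one."""
    report = {}
    for reg in regions:
        hits = triage_region(reg)
        if hits:
            report[reg["base"]] = hits
    return report


if __name__ == "__main__":
    for base, hits in scan_working_set(SAMPLE_REGIONS).items():
        print(f"{base:#010x}: " + "; ".join(hits))
```

Legitimate software does produce executable private memory (JIT compilers, some packers), so the "shellcode candidate" indicator is a prompt to dump and inspect the region rather than a verdict; the PE-header and MEM_IMAGE-without-path indicators are far more specific.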
25. PE-sieve – TODO:
   • IAT/EAT hooking detection
   • Classic DLL injection detection
   • Whitelisting known hooks
   • Bugs? Ideas? https://github.com/hasherezade/pe-sieve/issues

26. PE-sieve – links
   • More info: https://hshrzd.wordpress.com/pe-sieve/
   • Tweets – updates: https://twitter.com/i/moments/1024005197926936577
   • Code:
     • https://github.com/hasherezade/pe-sieve
     • https://github.com/hasherezade/hollows_hunter