PE-sieve – Detecting Hooking and Code Implants

Transcript

1. Hasherezade @hasherezade PE-SIEVE – DETECTING HOOKING AND CODE IMPLANTS

2. Agenda 1. Basics – how code implants are installed 2.

   Searching and preventing malicious implants 3. Introducing PE-sieve 4. PE-sieve implementation details

3. BASICS – HOW CODE IMPLANTS ARE INSTALLED (AND WHY?)

4. Basics – a process

5. Basics – how and why code implants are installed? Any

   code that was added to the original process. It can be a PE (DLL, EXE), or a shellcode

6. Basics – code implants and in-memory patches • Malicious and

   non-malicious purposes • Process impersonation (Process Hollowing etc) – full PE is replaced/implanted • Micro-patching applications without recompiling code • Packed executables, self-modifying code • Hooking: userland rootkits, data interception, sandboxes

7. Basics – inline hooking

8. Basics – process impersonation • Malware impersonates processes to run

   under their cover • Examples of the techniques: • Process Hollowing (RunPE) • Reflective DLL injection • Manual PE loading (various variants) • Process Doppelgänging • Combinations of multiple techniques (i.e. Transacted Hollowing)

9. Basics – Process Hollowing

10. Basics – Process Doppelgänging

11. Basics – new combinations of known techniques https://blog.malwarebytes.com/threat-analysis/2018/08/process- doppelganging-meets-process-hollowing_osiris/

12. SEARCHING AND PREVENTING MALICIOUS IMPLANTS

13. Searching and preventing malicious implants • Many AV products monitor

    called APIs to prevent installing malicious implants Blocked by AV

14. Searching and preventing malicious implants • Malware authors/offensive researchers try

    to evade it by finding uncommon APIs that can be used to make injection. Some newer examples: • AtomBombing technique • Process Doppelgänging • What if some unknown API was used for injection?

15. Searching and preventing malicious implants • What if we want

    to scan a system post- factum? • How to detect and implant without knowing how it was injected?

16. Searching and preventing malicious implants • There are various applications

    that allow to detect some indicators, i.e. GMER (rootkits/hooking), RunPE detector • They don’t help collecting material for analysis • Some of them detect only the most popular variants of the implants – not robust enough to analyze new types of malware

17. Searching and preventing malicious implants • RunPE detector – detects

    typical RunPE – but not its modified versions https://www.youtube.com/watch?v=-8EJfvPo_yQ

18. Searching and preventing malicious implants • Volatility + MalFind plugin

    • Works on Volatility dumps https://www.youtube.com/watch?v=lm4oESpAnmM

19. INTRODUCING PE-SIEVE

20. Introducing PE-sieve • PE-sieve – works on a live system

    • Focus: speed and simplicity of use • Passive scan, not hooking any APIs • Can be used post-infection • Generates a material ready to be analyzed: not only detection, but precise details • Free & open source: https://github.com/hasherezade/pe-sieve https://github.com/hasherezade/hollows_hunter

21. Introducing PE-sieve

22. Introducing PE-sieve: Hollows Hunter Deploys scan on all the running

    processes

23. What PE-sieve detects? • Inline hooks • Packed and self-modifying

    PE files • Replaced processes: i.e. Process Hollowing, Process Doppelganging • Manually loaded PE-files (Reflective DLL Injection and others) • Shellcodes

24. PE-sieve vs corrupt PE implants • Reconstructs erased imports •

    Detects (and possibly reconstructs) partially erased PE headers

25. Inline hooking detection • Test case #1: a crackme with

    inline hooks • Report from GMER

26. Inline hooking detection • Test case #1: a crackme with

    inline hooks • Report from PE-sieve The hooked/patched modue is automatically dumped Report about hooks

27. Inline hooking detection: tagging hooks • The TAG file, along

    with the dumped module, can be loaded to PE-bear or IDA and further analyzed

28. Implanted PE files: Kronos case study Entry Point of svchost

    is patched to redirect to the implant

29. PE-SIEVE – HOW IT WORKS?

30. Simples ideas work... • It is very easy to detect

    code overwritten in memory by comparing it with the executable on disk • No impersonation technique is perfect: they all leave some suspicious artefacts

31. Detection: inline hooking, self-modifying code • Code scan • Load

    the PE from the disk that corresponds to the module withing the process • Detect all the sections containing code • Transform both sections into the same format (relocate to the same base, remove IAT, etc) • Compare

32. Detection: impersonated process • Headers scan • Load the PE

    from the disk that corresponds to the module withing the process • Are their headers matching? • When it works? • For all the techniques that rely on connecting the implanted PE to the PEB, in order to have imports automatically resolved

33. Headers scan detected Process Hollowing

34. Detection: manually mapped PE / shellcode • Workingset scan •

    Search executable memory pages that are not a part of any module • Suspicious mapping type? Other indicators? • Are they part of a PE file? Detection of PE headers /artefacts

35. This is not a normally mapped PE... #1

36. This is not a normally mapped PE... #1 https://github.co m/stephenfewer/

    ReflectiveDLLInje ction [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE) [-] RWX – very unusual protection

37. This is not a normally mapped PE... #1 Reflective DLL

    injection

38. This is not a normally mapped PE... #2

39. This is not a normally mapped PE... #2 [-] PE

    implanted into MEM_PRIVATE (vs typical: MEM_IMAGE) Process Hollowing or manually mapped PE

40. This is not a normally mapped PE... #3

41. This is not a normally mapped PE... #3 [-] PE

    implanted into MEM_MAPPED (vs typical: MEM_IMAGE) From Kronos loader

42. This is not a normally mapped PE... #4

43. This is not a normally mapped PE... #4 [+] MEM_IMAGE

    -> OK [-] PE Image has no path! Process Doppelganging

44. Detecting partially erased headers Princess Locker overwrites headers of the

    implant with trash

45. Detecting partially erased headers https://www.youtube.com/watch?v=dFJcGYUFB0s PE-sieve is still able to

    detect the remainings of the header and reconstruct the full PE

46. Implanted PE files: fixing erased imports https://www.youtube.com/watch?v=YJjm5yT1rdM PE-sieve with option

    /imp – recovering imports

47. PE-sieve – TODO: • IAT/EAT hooking detection • Classic DLL

    injection detection • Whitelisting known hooks • Bugs? Ideas? • https://github.com/hasherezade/pe-sieve/issues

48. PE-sieve - links • More info: https://hshrzd.wordpress.com/pe-sieve/ • Tweets –

    updates: • https://twitter.com/i/moments/1024005197926936577 • Code: • https://github.com/hasherezade/pe-sieve • https://github.com/hasherezade/hollows_hunter

49. Hasherezade @hasherezade THANK YOU