
PE-sieve – Detecting Hooking and Code Implants

hasherezade
September 14, 2018

Transcript

  1. Hasherezade
    @hasherezade
    PE-SIEVE – DETECTING HOOKING AND CODE IMPLANTS

  2. Agenda
    1. Basics – how code implants are installed
    2. Searching and preventing malicious implants
    3. Introducing PE-sieve
    4. PE-sieve implementation details

  3. BASICS – HOW CODE IMPLANTS ARE INSTALLED (AND WHY?)

  4. Basics – a process

  5. Basics – how and why are code implants installed?
    Any code that was added to the original process. It can be a PE (DLL, EXE) or a shellcode.

  6. Basics – code implants and in-memory patches
    • Malicious and non-malicious purposes
    • Process impersonation (Process Hollowing, etc.) – the full PE is replaced/implanted
    • Micro-patching applications without recompiling the code
    • Packed executables, self-modifying code
    • Hooking: userland rootkits, data interception, sandboxes

  7. Basics – inline hooking

  8. Basics – process impersonation
    • Malware impersonates processes to run under their cover
    • Examples of the techniques:
    • Process Hollowing (RunPE)
    • Reflective DLL injection
    • Manual PE loading (various variants)
    • Process Doppelgänging
    • Combinations of multiple techniques (e.g. Transacted Hollowing)

  9. Basics – Process Hollowing

  10. Basics – Process Doppelgänging

  11. Basics – new combinations of known techniques
    https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/

  12. SEARCHING AND PREVENTING MALICIOUS IMPLANTS

  13. Searching and preventing malicious implants
    • Many AV products monitor the called APIs to prevent installing malicious implants
    Blocked by AV

  14. Searching and preventing malicious implants
    • Malware authors/offensive researchers try to evade it by finding uncommon APIs that can be used to perform the injection. Some newer examples:
    • AtomBombing technique
    • Process Doppelgänging
    • What if some unknown API was used for the injection?

  15. Searching and preventing malicious implants
    • What if we want to scan a system post factum?
    • How to detect an implant without knowing how it was injected?

  16. Searching and preventing malicious implants
    • There are various applications that allow detecting some indicators, e.g. GMER (rootkits/hooking), RunPE detector
    • They don’t help collect material for analysis
    • Some of them detect only the most popular variants of the implants – not robust enough to analyze new types of malware

  17. Searching and preventing malicious implants
    • RunPE detector – detects a typical RunPE, but not its modified versions
    https://www.youtube.com/watch?v=-8EJfvPo_yQ

  18. Searching and preventing malicious implants
    • Volatility + MalFind plugin
    • Works on Volatility dumps
    https://www.youtube.com/watch?v=lm4oESpAnmM

  19. INTRODUCING PE-SIEVE

  20. Introducing PE-sieve
    • PE-sieve – works on a live system
    • Focus: speed and simplicity of use
    • Passive scan, not hooking any APIs
    • Can be used post-infection
    • Generates material ready to be analyzed: not only detection, but precise details
    • Free & open source:
    https://github.com/hasherezade/pe-sieve
    https://github.com/hasherezade/hollows_hunter

  21. Introducing PE-sieve

  22. Introducing PE-sieve: Hollows Hunter
    Deploys the scan on all the running processes

  23. What does PE-sieve detect?
    • Inline hooks
    • Packed and self-modifying PE files
    • Replaced processes: e.g. Process Hollowing, Process Doppelganging
    • Manually loaded PE files (Reflective DLL Injection and others)
    • Shellcodes

  24. PE-sieve vs corrupt PE implants
    • Reconstructs erased imports
    • Detects (and possibly reconstructs) partially erased PE headers

  25. Inline hooking detection
    • Test case #1: a crackme with inline hooks
    • Report from GMER

  26. Inline hooking detection
    • Test case #1: a crackme with inline hooks
    • Report from PE-sieve
    The hooked/patched module is automatically dumped
    Report about hooks

  27. Inline hooking detection: tagging hooks
    • The TAG file, along with the dumped module, can be loaded to PE-bear or IDA and further analyzed

  28. Implanted PE files: Kronos case study
    The Entry Point of svchost is patched to redirect to the implant

  29. PE-SIEVE – HOW DOES IT WORK?

  30. Simple ideas work...
    • It is very easy to detect code overwritten in memory by comparing it with the executable on disk
    • No impersonation technique is perfect: they all leave some suspicious artefacts

  31. Detection: inline hooking, self-modifying code
    • Code scan
    • Load the PE from the disk that corresponds to the module within the process
    • Detect all the sections containing code
    • Transform both sections into the same format (relocate to the same base, remove IAT, etc.)
    • Compare
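
The code scan described in this slide, as an added Python example that is not PE-sieve's own code: a constructed on-disk .text section is relocated to the base at which the module is mapped, then diffed byte by byte against a constructed in-memory copy, so that an overwritten prologue is reported as a patch while the loader's own relocations are not. The bases, section bytes and relocation offsets are all constructed.

```python
import struct

DISK_BASE = 0x00400000  # ImageBase from the on-disk headers (constructed)
MEM_BASE = 0x7FF60000   # base at which the loader actually mapped the module (constructed)

def relocate(section, disk_base, mem_base, reloc_offsets):
    """Apply the relocation table to the on-disk copy: each 32-bit absolute
    address it lists is rebased, the same way the Windows loader does it."""
    buf = bytearray(section)
    delta = mem_base - disk_base
    for off in reloc_offsets:
        (val,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)

def find_patches(disk_code, mem_code):
    """Return [(offset, length, bytes_in_memory)] for every differing run."""
    patches, i, n = [], 0, min(len(disk_code), len(mem_code))
    while i < n:
        if disk_code[i] == mem_code[i]:
            i += 1
            continue
        start = i
        while i < n and disk_code[i] != mem_code[i]:
            i += 1
        patches.append((start, i - start, mem_code[start:i]))
    return patches

def scan_code_section(disk_section, reloc_offsets, mem_section):
    """Code scan: bring the disk copy to the in-memory base, then compare.
    (A complete scan would also blank the IAT in both copies before diffing.)"""
    normalised = relocate(disk_section, DISK_BASE, MEM_BASE, reloc_offsets)
    return find_patches(normalised, mem_section)

# Constructed .text: push ebp; mov ebp,esp; mov eax,[0x00403000]; pop ebp; ret; 6 x nop
DISK_TEXT = bytes.fromhex("55 8b ec a1 00 30 40 00 5d c3") + b"\x90" * 6
RELOCS = [4]  # the absolute operand of 'mov eax,[...]' starts at offset 4
# Honest in-memory copy: differs from disk only by the relocated address.
CLEAN_TEXT = relocate(DISK_TEXT, DISK_BASE, MEM_BASE, RELOCS)
# Hooked copy: the function prologue has been overwritten with a 'jmp rel32'.
HOOKED_TEXT = b"\xe9\xfb\xef\xff\xff" + CLEAN_TEXT[5:]

if __name__ == "__main__":
    for off, length, data in scan_code_section(DISK_TEXT, RELOCS, HOOKED_TEXT):
        print(f"patch at +0x{off:x}, {length} bytes: {data.hex()}")
```

Skipping the relocation step (pass an empty relocation list) flags the rebased address bytes as a bogus patch, which is why both copies are normalised before the compare.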

  32. Detection: impersonated process
    • Headers scan
    • Load the PE from the disk that corresponds to the module within the process
    • Do their headers match?
    • When does it work?
    • For all the techniques that rely on connecting the implanted PE to the PEB in order to have imports automatically resolved

  33. Headers scan detected Process Hollowing

  34. Detection: manually mapped PE / shellcode
    • Working set scan
    • Search for executable memory pages that are not a part of any module
    • Suspicious mapping type? Other indicators?
    • Are they part of a PE file? Detection of PE headers/artefacts

  35. This is not a normally mapped PE... #1

  36. This is not a normally mapped PE... #1
    https://github.com/stephenfewer/ReflectiveDLLInjection
    [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
    [-] RWX – very unusual protection

  37. This is not a normally mapped PE... #1
    Reflective DLL injection

  38. This is not a normally mapped PE... #2

  39. This is not a normally mapped PE... #2
    [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
    Process Hollowing or manually mapped PE

  40. This is not a normally mapped PE... #3

  41. This is not a normally mapped PE... #3
    [-] PE implanted into MEM_MAPPED (vs typical: MEM_IMAGE)
    From Kronos loader

  42. This is not a normally mapped PE... #4

  43. This is not a normally mapped PE... #4
    [+] MEM_IMAGE -> OK
    [-] PE Image has no path!
    Process Doppelganging
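
The working set scan from slides 34 to 43, as an added Python example that is not PE-sieve's own code: every constructed executable region is checked for the indicators the slides list (mapping type other than MEM_IMAGE, RWX protection, a PE header at the region start, an image region with no backing path). The constants mirror the Windows values; the region records and the minimal PE header are constructed, where a live scan would fill them from VirtualQueryEx and GetMappedFileName.

```python
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # the PAGE_EXECUTE* protection family
TYPE_NAME = {MEM_IMAGE: "MEM_IMAGE", MEM_MAPPED: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}

def looks_like_pe(data):
    """MZ header whose e_lfanew points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_region(region):
    """Indicators for one (base, type, protect, path, data) region; [] == nothing suspicious."""
    _base, mtype, protect, path, data = region
    if not protect & EXEC_MASK:
        return []  # the working set scan only looks at executable pages
    findings = []
    if mtype != MEM_IMAGE:
        what = "PE implanted into" if looks_like_pe(data) else "shellcode in"
        findings.append(f"[-] {what} {TYPE_NAME[mtype]} (vs typical: MEM_IMAGE)")
    elif not path:
        findings.append("[-] PE Image has no path!")
    if protect == PAGE_EXECUTE_READWRITE:
        findings.append("[-] RWX - very unusual protection")
    return findings

def scan_workingset(regions):
    """Map base address -> indicators, for every region that raised any."""
    return {r[0]: f for r in regions if (f := scan_region(r))}

def fake_pe():
    # constructed minimal PE header: 'MZ', e_lfanew = 0x40, 'PE\0\0' at offset 0x40
    hdr = bytearray(0x40)
    hdr[:2], hdr[0x3C:0x40] = b"MZ", (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + bytes(60)

# Constructed regions; a live scan fills them from VirtualQueryEx + GetMappedFileName.
REGIONS = [
    (0x7FF60000, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\Windows\System32\ntdll.dll", fake_pe()),
    (0x00420000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, None, fake_pe()),  # reflective DLL (#1)
    (0x00530000, MEM_MAPPED, PAGE_EXECUTE_READ, None, fake_pe()),        # Kronos loader (#3)
    (0x00640000, MEM_IMAGE, PAGE_EXECUTE_READ, None, fake_pe()),         # Doppelganging (#4)
    (0x00750000, MEM_PRIVATE, PAGE_EXECUTE_READ, None, bytes(64)),       # bare shellcode
    (0x00860000, MEM_PRIVATE, PAGE_READWRITE, None, bytes(64)),          # plain RW heap
]
if __name__ == "__main__":
    for base, findings in scan_workingset(REGIONS).items():
        print(f"{base:#010x}: " + "; ".join(findings))
```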

  44. Detecting partially erased headers
    Princess Locker overwrites the headers of the implant with trash

  45. Detecting partially erased headers
    https://www.youtube.com/watch?v=dFJcGYUFB0s
    PE-sieve is still able to detect the remains of the header and reconstruct the full PE

  46. Implanted PE files: fixing erased imports
    https://www.youtube.com/watch?v=YJjm5yT1rdM
    PE-sieve with option /imp – recovering imports

  47. PE-sieve – TODO:
    • IAT/EAT hooking detection
    • Classic DLL injection detection
    • Whitelisting known hooks
    • Bugs? Ideas?
    • https://github.com/hasherezade/pe-sieve/issues

  48. PE-sieve - links
    • More info: https://hshrzd.wordpress.com/pe-sieve/
    • Tweets – updates:
    • https://twitter.com/i/moments/1024005197926936577
    • Code:
    • https://github.com/hasherezade/pe-sieve
    • https://github.com/hasherezade/hollows_hunter

  49. Hasherezade
    @hasherezade
    THANK YOU
