PE-sieve – Detecting Hooking and Code Implants

hasherezade
September 14, 2018

Transcript

  1. Hasherezade
    @hasherezade
    PE-SIEVE – DETECTING
    HOOKING AND CODE IMPLANTS

  2. Agenda
    1. Basics – how code implants are installed
    2. Searching and preventing malicious implants
    3. Introducing PE-sieve
    4. PE-sieve implementation details

  3. BASICS – HOW CODE IMPLANTS ARE INSTALLED
    (AND WHY?)

  4. Basics – a process

  5. Basics – how and why are code implants installed?
    Any code that was added to the original process. It can be a PE (DLL, EXE) or a shellcode.

  6. Basics – code implants and in-memory patches
    • Malicious and non-malicious purposes
    • Process impersonation (Process Hollowing, etc.) – full PE is replaced/implanted
    • Micro-patching applications without recompiling code
    • Packed executables, self-modifying code
    • Hooking: userland rootkits, data interception, sandboxes

  7. Basics – inline hooking

  8. Basics – process impersonation
    • Malware impersonates processes to run under their cover
    • Examples of the techniques:
    • Process Hollowing (RunPE)
    • Reflective DLL injection
    • Manual PE loading (various variants)
    • Process Doppelgänging
    • Combinations of multiple techniques (e.g. Transacted Hollowing)

  9. Basics – Process Hollowing

  10. Basics – Process Doppelgänging

  11. Basics – new combinations of known techniques
    https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/

  12. SEARCHING AND PREVENTING MALICIOUS
    IMPLANTS

  13. Searching and preventing malicious implants
    • Many AV products monitor called APIs to prevent installing malicious implants
    Blocked by AV

  14. Searching and preventing malicious implants
    • Malware authors/offensive researchers try to evade it by finding uncommon APIs that can be used to perform injection. Some newer examples:
    • AtomBombing technique
    • Process Doppelgänging
    • What if some unknown API was used for injection?

  15. Searching and preventing malicious implants
    • What if we want to scan a system post factum?
    • How to detect an implant without knowing how it was injected?

  16. Searching and preventing malicious implants
    • There are various applications that can detect some indicators, e.g. GMER (rootkits/hooking), RunPE detector
    • They don’t help in collecting material for analysis
    • Some of them detect only the most popular variants of the implants – not robust enough to analyze new types of malware

  17. Searching and preventing malicious implants
    • RunPE detector – detects typical RunPE, but not its modified versions
    https://www.youtube.com/watch?v=-8EJfvPo_yQ

  18. Searching and preventing malicious implants
    • Volatility + MalFind plugin
    • Works on Volatility dumps
    https://www.youtube.com/watch?v=lm4oESpAnmM

  19. INTRODUCING PE-SIEVE

  20. Introducing PE-sieve
    • PE-sieve – works on a live system
    • Focus: speed and simplicity of use
    • Passive scan, not hooking any APIs
    • Can be used post-infection
    • Generates material ready to be analyzed: not only detection, but precise details
    • Free & open source:
    https://github.com/hasherezade/pe-sieve
    https://github.com/hasherezade/hollows_hunter

  21. Introducing PE-sieve

  22. Introducing PE-sieve: Hollows Hunter
    Deploys the scan on all running processes

  23. What does PE-sieve detect?
    • Inline hooks
    • Packed and self-modifying PE files
    • Replaced processes: e.g. Process Hollowing, Process Doppelgänging
    • Manually loaded PE files (Reflective DLL Injection and others)
    • Shellcodes

  24. PE-sieve vs corrupt PE implants
    • Reconstructs erased imports
    • Detects (and possibly reconstructs) partially erased PE headers

  25. Inline hooking detection
    • Test case #1: a crackme with inline hooks
    • Report from GMER

  26. Inline hooking detection
    • Test case #1: a crackme with inline hooks
    • Report from PE-sieve
    The hooked/patched module is automatically dumped
    Report about hooks

  27. Inline hooking detection: tagging hooks
    • The TAG file, along with the dumped module, can be loaded into PE-bear or IDA and further analyzed

  28. Implanted PE files: Kronos case study
    Entry Point of svchost is patched to redirect to the implant

  29. PE-SIEVE – HOW DOES IT WORK?

  30. Simple ideas work...
    • It is very easy to detect code overwritten in memory by comparing it with the executable on disk
    • No impersonation technique is perfect: they all leave some suspicious artefacts

  31. Detection: inline hooking, self-modifying code
    • Code scan
    • Load the PE from the disk that corresponds to the module within the process
    • Detect all the sections containing code
    • Transform both sections into the same format (relocate to the same base, remove IAT, etc.)
    • Compare
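The code scan described on this slide, as an added Python example (this is not PE-sieve's code): a constructed 32-bit code section is compared between its on-disk and in-process forms after both are brought to the same format (relocated to the same base, IAT bytes masked out), and the differences that remain are reported as patches. The module bases, relocation offsets, IAT range, the instruction bytes and the hook written over the prologue are all assumptions constructed for the example; a real scanner takes the relocation entries from the `.reloc` section and the IAT range from the import directory.

```python
import struct

# All values below are constructed for this example; no real module is read.
DISK_BASE = 0x00400000          # ImageBase from the on-disk PE header
MEM_BASE = 0x10000000           # base at which the loader actually mapped the module
CODE_RVA = 0x1000               # RVA of the code section (.text) in both images
RELOC_OFFSETS = [0x12, 0x30]    # .text offsets holding absolute 32-bit addresses (from .reloc)
IAT_RANGE = (0x40, 0x48)        # .text offsets occupied by the import address table


def apply_relocations(code: bytes, from_base: int, to_base: int) -> bytearray:
    """Rebase every absolute address listed in the relocation table."""
    out = bytearray(code)
    delta = (to_base - from_base) & 0xFFFFFFFF
    for off in RELOC_OFFSETS:
        (val,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (val + delta) & 0xFFFFFFFF)
    return out


def build_disk_code() -> bytearray:
    """Simulated .text section as stored in the file on disk (unrelocated, IAT unbound)."""
    code = bytearray(b"\x90" * 0x60)                         # NOP filler
    code[0:5] = b"\x55\x8b\xec\x83\xec"                      # push ebp; mov ebp,esp; sub esp,..
    code[0x11] = 0xA1                                        # mov eax, [moffs32]
    code[0x12:0x16] = struct.pack("<I", DISK_BASE + 0x2000)  # absolute address, relocatable
    code[0x2F] = 0x68                                        # push imm32
    code[0x30:0x34] = struct.pack("<I", DISK_BASE + 0x1050)  # absolute address, relocatable
    code[0x40:0x48] = struct.pack("<II", 0x3010, 0x3020)     # unbound IAT: RVAs of import names
    return code


def build_memory_code(hooked: bool) -> bytearray:
    """Simulated .text as mapped in the process: relocated, IAT resolved, optionally hooked."""
    code = apply_relocations(build_disk_code(), DISK_BASE, MEM_BASE)
    code[0x40:0x48] = struct.pack("<II", 0x77001234, 0x77005678)  # IAT filled in by the loader
    if hooked:
        # Inline hook: a 5-byte relative JMP (E9 rel32) written over the function prologue.
        target = 0x20000000
        rel32 = (target - (MEM_BASE + CODE_RVA + 5)) & 0xFFFFFFFF
        code[0:5] = b"\xe9" + struct.pack("<I", rel32)
    return code


def normalize(code: bytes, from_base: int, to_base: int) -> bytearray:
    """Bring a code section to a common form: same base, IAT bytes masked out."""
    out = apply_relocations(code, from_base, to_base)
    lo, hi = IAT_RANGE
    out[lo:hi] = b"\x00" * (hi - lo)
    return out


def diff_code(disk: bytes, memory: bytes):
    """Compare the normalized sections; return (offset, original, patched) per modified run."""
    a = normalize(disk, DISK_BASE, MEM_BASE)
    b = normalize(memory, MEM_BASE, MEM_BASE)
    patches, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            patches.append((start, bytes(a[start:i]), bytes(b[start:i])))
            start = None
    if start is not None:
        patches.append((start, bytes(a[start:]), bytes(b[start:])))
    return patches


def tag_lines(patches):
    """Render patches as 'VA;original;patched' lines (a simple format of our own, not PE-sieve's)."""
    return [f"{MEM_BASE + CODE_RVA + off:08x};{orig.hex()};{new.hex()}" for off, orig, new in patches]


def scan(hooked: bool):
    return diff_code(build_disk_code(), build_memory_code(hooked))


if __name__ == "__main__":
    for line in tag_lines(scan(hooked=True)):
        print(line)
```

Without the normalization step the relocated addresses and the resolved IAT would show up as false differences on every module; with it, the only remaining difference is the five bytes at the function start, which is exactly the inline hook.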

  32. Detection: impersonated process
    • Headers scan
    • Load the PE from the disk that corresponds to the module within the process
    • Do their headers match?
    • When does it work?
    • For all the techniques that rely on connecting the implanted PE to the PEB, in order to have imports automatically resolved
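The headers scan, as an added Python example (not PE-sieve's own code): minimal PE32 headers are built in memory for the file on disk and for the module as found in the process, parsed, and the fields that identify an image (Machine, AddressOfEntryPoint, SizeOfImage and the section table) are compared. ImageBase is deliberately left out of the comparison because the loader may rewrite it when it relocates the module. All header values, section names and sizes below are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# All header values here are constructed; no file or process memory is read.
# Section tuple: (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
Section = Tuple[bytes, int, int, int, int, int]


def build_pe_header(entry_point: int, image_base: int, size_of_image: int, sections: List[Section]) -> bytes:
    """Build a minimal PE32 header: DOS header, NT signature, file header, optional header, section table."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                                    # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)     # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rsize, raw, 0, 0, 0, 0, chars)
        for name, va, vsize, rsize, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


def parse_pe_header(buf: bytes) -> Dict:
    """Parse just the fields the headers scan compares."""
    if buf[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing NT signature")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20
    (entry,) = struct.unpack_from("<I", buf, opt + 16)
    (base,) = struct.unpack_from("<I", buf, opt + 28)
    (size,) = struct.unpack_from("<I", buf, opt + 56)
    sections = []
    pos = opt + opt_size
    for _ in range(nsec):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", buf, pos)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, chars))
        pos += 40
    return {"machine": machine, "entry_point": entry, "image_base": base,
            "size_of_image": size, "sections": sections}


def compare_headers(disk: Dict, memory: Dict) -> List[str]:
    """Headers scan: fields where the module in the process disagrees with the file on disk."""
    mismatches = [f for f in ("machine", "entry_point", "size_of_image") if disk[f] != memory[f]]
    # ImageBase is skipped on purpose: the loader may rewrite it when the module is relocated.
    if disk["sections"] != memory["sections"]:
        mismatches.append("sections")
    return mismatches


# Constructed headers: the file on disk, and what a hollowed process exposes under the same name.
DISK_SECTIONS = [(b".text", 0x1000, 0x2000, 0x2000, 0x400, 0x60000020),
                 (b".rdata", 0x3000, 0x1000, 0x1000, 0x2400, 0x40000040),
                 (b".data", 0x4000, 0x1000, 0x200, 0x3400, 0xC0000040)]
IMPLANT_SECTIONS = [(b".text", 0x1000, 0x5000, 0x5000, 0x400, 0x60000020),
                    (b".data", 0x6000, 0x2000, 0x800, 0x5400, 0xC0000040)]
DISK_HEADER = build_pe_header(0x1200, 0x400000, 0x6000, DISK_SECTIONS)
GENUINE_IN_MEMORY = build_pe_header(0x1200, 0x400000, 0x6000, DISK_SECTIONS)
HOLLOWED_IN_MEMORY = build_pe_header(0x3A00, 0x400000, 0x9000, IMPLANT_SECTIONS)


def scan_genuine() -> List[str]:
    return compare_headers(parse_pe_header(DISK_HEADER), parse_pe_header(GENUINE_IN_MEMORY))


def scan_hollowed() -> List[str]:
    return compare_headers(parse_pe_header(DISK_HEADER), parse_pe_header(HOLLOWED_IN_MEMORY))


if __name__ == "__main__":
    print("genuine :", scan_genuine())
    print("hollowed:", scan_hollowed())
```

The check only works when the implant is connected to the PEB under the original module's name, which is what the slide says: that is the case for every technique that wants the loader to resolve imports for it, and it is why the hollowed image's entry point, size and section table are visible for comparison at all.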

  33. Headers scan detected Process Hollowing

  34. Detection: manually mapped PE / shellcode
    • Working set scan
    • Search for executable memory pages that are not part of any module
    • Suspicious mapping type? Other indicators?
    • Are they part of a PE file? Detection of PE headers/artefacts

  35. This is not a normally mapped PE... #1

  36. This is not a normally mapped PE... #1
    https://github.com/stephenfewer/ReflectiveDLLInjection
    [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
    [-] RWX – very unusual protection

  37. This is not a normally mapped PE... #1
    Reflective DLL injection

  38. This is not a normally mapped PE... #2

  39. This is not a normally mapped PE... #2
    [-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
    Process Hollowing or manually mapped PE

  40. This is not a normally mapped PE... #3

  41. This is not a normally mapped PE... #3
    [-] PE implanted into MEM_MAPPED (vs typical: MEM_IMAGE)
    From Kronos loader

  42. This is not a normally mapped PE... #4

  43. This is not a normally mapped PE... #4
    [+] MEM_IMAGE -> OK
    [-] PE Image has no path!
    Process Doppelgänging
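The working set scan from slide 34 and the mapping-type checks illustrated on slides 36 to 43, as one added Python example (not PE-sieve's code). Memory regions are represented by a small dataclass standing in for what `VirtualQueryEx` reports; the `MEM_*` and `PAGE_*` constants are the real Win32 values, while the module list, the region addresses, the backing paths and the header bytes are constructed for the example. Executable regions that lie outside every listed module are checked for a PE header; a PE found there is flagged when its mapping type is not MEM_IMAGE, when it is MEM_IMAGE but has no backing path, and additionally when the region is RWX. An executable region with no PE header at all is reported as a shellcode candidate.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Win32 constants as found in MEMORY_BASIC_INFORMATION (returned by VirtualQueryEx).
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}      # the PAGE_EXECUTE* family
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}


@dataclass
class Region:
    """One memory region of the scanned process (a constructed stand-in for VirtualQueryEx output)."""
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_path: Optional[str]   # backing file of a MEM_IMAGE/MEM_MAPPED region, None if there is none
    head: bytes                  # first bytes of the region, as a scanner would read them


def fake_pe_header() -> bytes:
    """Constructed minimal MZ/PE header, just enough to satisfy the header check."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def looks_like_pe(head: bytes) -> bool:
    """PE artefact check: DOS magic plus NT signature at e_lfanew."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def in_listed_module(base: int, modules: List[Tuple[int, int]]) -> bool:
    """True if the region lies inside a module the loader knows about (the PEB module list)."""
    return any(mbase <= base < mbase + msize for mbase, msize in modules)


def scan_working_set(regions: List[Region], modules: List[Tuple[int, int]]) -> Dict[int, List[str]]:
    """Working set scan: flag executable memory that is not part of any listed module."""
    findings: Dict[int, List[str]] = {}
    for r in regions:
        if r.protect not in EXECUTABLE_PROTECTIONS or in_listed_module(r.base, modules):
            continue            # not executable, or normal module code (handled by the code/headers scans)
        notes = []
        if looks_like_pe(r.head):
            if r.mem_type != MEM_IMAGE:
                notes.append(f"[-] PE implanted into {TYPE_NAMES[r.mem_type]} (vs typical: MEM_IMAGE)")
            else:
                notes.append("[+] MEM_IMAGE -> OK")
                if r.mapped_path is None:
                    notes.append("[-] PE Image has no path!")
        else:
            notes.append("[-] executable region without PE header: shellcode candidate")
        if r.protect == PAGE_EXECUTE_READWRITE:
            notes.append("[-] RWX - very unusual protection")
        findings[r.base] = notes
    return findings


# Constructed sample: one legitimate module plus the kinds of implant shown on the slides.
MODULES = [(0x77000000, 0x100000)]                     # a system DLL listed in the PEB (constructed)
REGIONS = [
    Region(0x77001000, 0x80000, PAGE_EXECUTE_READ, MEM_IMAGE, "C:\\Windows\\System32\\sample.dll", fake_pe_header()),
    Region(0x00D00000, 0x20000, PAGE_READWRITE, MEM_PRIVATE, None, b"\x00" * 64),            # heap: not executable
    Region(0x02A00000, 0x30000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None, fake_pe_header()),  # reflectively loaded DLL
    Region(0x03100000, 0x20000, PAGE_EXECUTE_READ, MEM_MAPPED, None, fake_pe_header()),        # PE in a mapped section
    Region(0x00400000, 0x10000, PAGE_EXECUTE_READ, MEM_IMAGE, None, fake_pe_header()),         # image with no path
    Region(0x04500000, 0x1000, PAGE_EXECUTE_READ, MEM_PRIVATE, None, b"\x90" * 64),           # constructed stand-in for shellcode
]


def demo() -> Dict[int, List[str]]:
    return scan_working_set(REGIONS, MODULES)


if __name__ == "__main__":
    for base, notes in demo().items():
        print(f"{base:08x}: " + " | ".join(notes))
```

The legitimate module and the heap produce no findings; the other four regions reproduce the four cases on the slides: a PE in MEM_PRIVATE with RWX protection (reflective DLL injection), a PE in MEM_PRIVATE or MEM_MAPPED without RWX (hollowing, manual mapping, the Kronos loader), a MEM_IMAGE region that has no path behind it (Process Doppelgänging), and executable memory with no PE header at all.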

  44. Detecting partially erased headers
    Princess Locker overwrites headers of the implant with trash

  45. Detecting partially erased headers
    https://www.youtube.com/watch?v=dFJcGYUFB0s
    PE-sieve is still able to detect the remains of the header and reconstruct the full PE

  46. Implanted PE files: fixing erased imports
    https://www.youtube.com/watch?v=YJjm5yT1rdM
    PE-sieve with option /imp – recovering imports

  47. PE-sieve – TODO:
    • IAT/EAT hooking detection
    • Classic DLL injection detection
    • Whitelisting known hooks
    • Bugs? Ideas?
    • https://github.com/hasherezade/pe-sieve/issues

  48. PE-sieve - links
    • More info: https://hshrzd.wordpress.com/pe-sieve/
    • Tweets – updates:
    • https://twitter.com/i/moments/1024005197926936577
    • Code:
    • https://github.com/hasherezade/pe-sieve
    • https://github.com/hasherezade/hollows_hunter

  49. Hasherezade
    @hasherezade
    THANK YOU
