Slide 1

Hasherezade (@hasherezade)
PE-SIEVE – DETECTING HOOKING AND CODE IMPLANTS

Slide 2

Agenda
1. Basics – how code implants are installed
2. Searching and preventing malicious implants
3. Introducing PE-sieve
4. PE-sieve implementation details

Slide 3

BASICS – HOW CODE IMPLANTS ARE INSTALLED (AND WHY?)

Slide 4

Basics – a process

Slide 5

Basics – how and why are code implants installed?
A code implant is any code that was added to the original process. It can be a PE (DLL, EXE) or a shellcode.

Slide 6

Basics – code implants and in-memory patches
• Malicious and non-malicious purposes
• Process impersonation (Process Hollowing, etc.) – a full PE is replaced/implanted
• Micro-patching applications without recompiling code
• Packed executables, self-modifying code
• Hooking: userland rootkits, data interception, sandboxes

Slide 7

Basics – inline hooking

Slide 8

Basics – process impersonation
• Malware impersonates processes to run under their cover
• Examples of the techniques:
  • Process Hollowing (RunPE)
  • Reflective DLL injection
  • Manual PE loading (various variants)
  • Process Doppelgänging
  • Combinations of multiple techniques (e.g. Transacted Hollowing)

Slide 9

Basics – Process Hollowing

Slide 10

Basics – Process Doppelgänging

Slide 11

Basics – new combinations of known techniques
https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/

Slide 12

SEARCHING AND PREVENTING MALICIOUS IMPLANTS

Slide 13

Searching and preventing malicious implants
• Many AV products monitor the called APIs to prevent malicious implants from being installed
(Diagram: the injection attempt is blocked by AV)

Slide 14

Searching and preventing malicious implants
• Malware authors/offensive researchers try to evade it by finding uncommon APIs that can be used to perform the injection. Some newer examples:
  • AtomBombing technique
  • Process Doppelgänging
• What if some unknown API was used for the injection?

Slide 15

Searching and preventing malicious implants
• What if we want to scan a system post factum?
• How to detect an implant without knowing how it was injected?

Slide 16

Searching and preventing malicious implants
• There are various applications that allow detecting some indicators, e.g. GMER (rootkits/hooking), RunPE detector
• They don’t help in collecting material for analysis
• Some of them detect only the most popular variants of the implants – not robust enough to analyze new types of malware

Slide 17

Searching and preventing malicious implants
• RunPE detector – detects typical RunPE, but not its modified versions
https://www.youtube.com/watch?v=-8EJfvPo_yQ

Slide 18

Searching and preventing malicious implants
• Volatility + MalFind plugin
• Works on Volatility dumps
https://www.youtube.com/watch?v=lm4oESpAnmM

Slide 19

INTRODUCING PE-SIEVE

Slide 20

Introducing PE-sieve
• PE-sieve – works on a live system
• Focus: speed and simplicity of use
• Passive scan, not hooking any APIs
• Can be used post-infection
• Generates material ready to be analyzed: not only detection, but precise details
• Free & open source:
  https://github.com/hasherezade/pe-sieve
  https://github.com/hasherezade/hollows_hunter

Slide 21

Introducing PE-sieve

Slide 22

Introducing PE-sieve: Hollows Hunter
Deploys the scan on all the running processes

Slide 23

What does PE-sieve detect?
• Inline hooks
• Packed and self-modifying PE files
• Replaced processes: e.g. Process Hollowing, Process Doppelgänging
• Manually loaded PE files (Reflective DLL Injection and others)
• Shellcodes

Slide 24

PE-sieve vs corrupt PE implants
• Reconstructs erased imports
• Detects (and possibly reconstructs) partially erased PE headers

Slide 25

Inline hooking detection
• Test case #1: a crackme with inline hooks
• Report from GMER

Slide 26

Inline hooking detection
• Test case #1: a crackme with inline hooks
• Report from PE-sieve
(Screenshot: the hooked/patched module is automatically dumped; report about hooks)

Slide 27

Inline hooking detection: tagging hooks
• The TAG file, along with the dumped module, can be loaded into PE-bear or IDA and further analyzed

Slide 28

Implanted PE files: Kronos case study
(Screenshot: the Entry Point of svchost is patched to redirect to the implant)

Slide 29

PE-SIEVE – HOW DOES IT WORK?

Slide 30

Simple ideas work...
• It is very easy to detect code overwritten in memory by comparing it with the executable on disk
• No impersonation technique is perfect: they all leave some suspicious artefacts

Slide 31

Detection: inline hooking, self-modifying code
• Code scan
  • Load the PE from the disk that corresponds to the module within the process
  • Detect all the sections containing code
  • Transform both sections into the same format (relocate to the same base, remove IAT, etc.)
  • Compare
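The code scan described on this slide, as an added worked example (Python, not PE-sieve's own C++ code): the on-disk and in-memory copies of one code section are constructed inline, the disk copy is relocated to the memory base before comparing, every differing run is reported, and a run that starts with a JMP rel32 is tagged as an inline hook together with its target. The bases, section RVA, relocation entries and bytes are all constructed values.

```python
import struct

# Constructed sample (not PE-sieve code): a 32-byte code section as it lies on
# disk, with one 32-bit absolute address at offset 8 that the loader relocates.
DISK_BASE, MEM_BASE, SECTION_RVA = 0x00400000, 0x00D20000, 0x1000
RELOC_RVAS = [SECTION_RVA + 8]                  # HIGHLOW fixups inside the section
DISK_CODE = (bytes.fromhex("558bec83ec108b0d") + struct.pack("<I", 0x00402000)
             + bytes.fromhex("85c97405") + b"\x90" * 16)
# In-memory copy: the loader applied the relocation (0x00402000 -> 0x00D22000), then
# a 5-byte JMP rel32 hook to a constructed implant at 0x00F00000 overwrote the prologue.
MEM_CODE = (b"\xE9" + struct.pack("<i", 0x00F00000 - (MEM_BASE + SECTION_RVA + 5))
            + DISK_CODE[5:8] + struct.pack("<I", 0x00D22000) + DISK_CODE[12:])

def relocate(code, section_rva, reloc_rvas, delta):
    """HIGHLOW fixups: rebase the on-disk code to the memory base ('same format' step)."""
    buf = bytearray(code)
    for rva in reloc_rvas:
        off = rva - section_rva
        (val,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)

def find_patches(a, b):
    """Return (offset, length) for every run of bytes where the two copies differ."""
    patches, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            patches.append((start, i - start))
            start = None
    if start is not None:
        patches.append((start, len(a) - start))
    return patches

def describe(patch, mem_code, section_va):
    """Tag a patch: a leading JMP rel32 (E9) is the classic inline hook; record its target."""
    off, length = patch
    info = {"va": section_va + off, "len": length, "kind": "patch"}
    if length >= 5 and mem_code[off] == 0xE9:
        (rel,) = struct.unpack_from("<i", mem_code, off + 1)
        info.update(kind="jmp_hook", target=(section_va + off + 5 + rel) & 0xFFFFFFFF)
    return info

def scan_code(disk_code, mem_code, section_rva, reloc_rvas, disk_base, mem_base):
    """Code scan: relocate the disk copy to the memory base, then diff and tag."""
    normalised = relocate(disk_code, section_rva, reloc_rvas, mem_base - disk_base)
    section_va = mem_base + section_rva
    return [describe(p, mem_code, section_va) for p in find_patches(normalised, mem_code)]
```

Without the relocate() step the plain diff also flags the relocated address at offset 8, which is exactly the false positive the "same format" step removes.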

Slide 32

Detection: impersonated process
• Headers scan
  • Load the PE from the disk that corresponds to the module within the process
  • Do their headers match?
• When does it work?
  • For all the techniques that rely on connecting the implanted PE to the PEB, in order to have imports automatically resolved
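The headers scan from this slide, as an added example (Python, not from the PE-sieve project): minimal PE32 headers are built inline for the host as it is on disk, for the host loaded normally, and for a hollowed host, and the fields that disagree are listed. Which fields PE-sieve itself compares is not stated on the slides; the set used here (machine, magic, section count, timestamp, entry point, SizeOfImage) is an assumption, as are all the sample values.

```python
import struct

def build_pe(n_sections, timestamp, entry_rva, size_of_image):
    """Constructed minimal PE32 header: DOS header, PE signature, COFF header and the
    start of the optional header, carrying the fields a headers scan compares."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x1000, 0, 0, entry_rva, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, size_of_image, 0x400, 0)
    return dos + b"PE\0\0" + coff + opt

def parse_headers(blob):
    """Pull out the header fields compared between the file on disk and the module in memory."""
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE header")
    coff = e_lfanew + 4
    machine, n_sections, timestamp = struct.unpack_from("<HHI", blob, coff)
    opt = coff + 20                                      # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", blob, opt)
    (entry,) = struct.unpack_from("<I", blob, opt + 0x10)      # AddressOfEntryPoint
    (size_of_image,) = struct.unpack_from("<I", blob, opt + 0x38)
    return {"machine": machine, "magic": magic, "sections": n_sections,
            "timestamp": timestamp, "entry": entry, "size_of_image": size_of_image}

def headers_scan(disk_blob, mem_blob):
    """Headers scan: names of the fields that differ between the on-disk PE and
    the headers read at the module base inside the process."""
    on_disk, in_mem = parse_headers(disk_blob), parse_headers(mem_blob)
    return [k for k in on_disk if on_disk[k] != in_mem[k]]

# Constructed samples: the legitimate host as it is on disk, the same host loaded
# normally, and the host after a different PE was mapped over it (hollowing).
HOST_DISK = build_pe(n_sections=4, timestamp=0x5B0C1234, entry_rva=0x1200, size_of_image=0x9000)
HOST_MEM_CLEAN = build_pe(n_sections=4, timestamp=0x5B0C1234, entry_rva=0x1200, size_of_image=0x9000)
HOST_MEM_HOLLOWED = build_pe(n_sections=5, timestamp=0x5A991111, entry_rva=0x3F40, size_of_image=0x2A000)
```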

Slide 33

Headers scan detected Process Hollowing

Slide 34

Detection: manually mapped PE / shellcode
• Working set scan
  • Search executable memory pages that are not a part of any module
  • Suspicious mapping type? Other indicators?
  • Are they part of a PE file? Detection of PE headers / artefacts

Slide 35

This is not a normally mapped PE... #1

Slide 36

This is not a normally mapped PE... #1
https://github.com/stephenfewer/ReflectiveDLLInjection
[-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
[-] RWX – very unusual protection

Slide 37

This is not a normally mapped PE... #1 Reflective DLL injection

Slide 38

This is not a normally mapped PE... #2

Slide 39

This is not a normally mapped PE... #2
[-] PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)
Process Hollowing or manually mapped PE

Slide 40

This is not a normally mapped PE... #3

Slide 41

This is not a normally mapped PE... #3
[-] PE implanted into MEM_MAPPED (vs typical: MEM_IMAGE)
From Kronos loader

Slide 42

This is not a normally mapped PE... #4

Slide 43

This is not a normally mapped PE... #4
[+] MEM_IMAGE -> OK
[-] PE Image has no path!
Process Doppelgänging
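The working-set scan from slide 34 and the four "not a normally mapped PE" cases (slides 36 to 43), as one added example (Python, not PE-sieve's own code): constructed memory regions stand in for what VirtualQueryEx and GetMappedFileName would report, and each executable region is checked for the mapping-type, protection and missing-path indicators the slides show. The Region dataclass, the addresses and the sample bytes are assumptions; the constants carry their winnt.h values.

```python
import struct
from dataclasses import dataclass

MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000   # winnt.h values
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}      # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

@dataclass
class Region:
    base: int             # stand-in for MEMORY_BASIC_INFORMATION.AllocationBase
    protect: int
    mem_type: int
    mapped_path: str      # "" when the OS returns no file name for the region
    head: bytes           # first bytes at the allocation base (where a PE header would sit)

def looks_like_pe(head):
    if head[:2] != b"MZ" or len(head) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def indicators(r):
    """Working-set scan of one region: the indicators listed on the slides."""
    if r.protect not in EXECUTABLE:
        return []                           # not executable: out of scope for this scan
    found = []
    if r.protect == PAGE_EXECUTE_READWRITE:
        found.append("RWX - very unusual protection")
    if looks_like_pe(r.head):
        if r.mem_type == MEM_PRIVATE:
            found.append("PE implanted into MEM_PRIVATE (vs typical: MEM_IMAGE)")
        elif r.mem_type == MEM_MAPPED:
            found.append("PE implanted into MEM_MAPPED (vs typical: MEM_IMAGE)")
        elif not r.mapped_path:
            found.append("MEM_IMAGE -> OK, but PE image has no path!")
    elif r.mem_type != MEM_IMAGE:
        found.append("executable non-image memory without a PE header: shellcode or erased headers")
    return found

def scan(regions):
    return {r.base: hits for r in regions if (hits := indicators(r))}

PE_HEAD = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
REGIONS = [  # constructed: one clean module and four implant patterns from the slides
    Region(0x77000000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\Windows\System32\ntdll.dll", PE_HEAD),
    Region(0x00F00000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "", PE_HEAD),   # reflective DLL
    Region(0x02A00000, PAGE_EXECUTE_READ, MEM_MAPPED, "", PE_HEAD),         # Kronos-style
    Region(0x00400000, PAGE_EXECUTE_READ, MEM_IMAGE, "", PE_HEAD),          # doppelgänged image
    Region(0x03100000, PAGE_EXECUTE_READ, MEM_PRIVATE, "", b"\x90\x90\xE8\0\0\0\0"),  # shellcode
]
```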

Slide 44

Detecting partially erased headers
Princess Locker overwrites the headers of the implant with trash

Slide 45

Detecting partially erased headers
https://www.youtube.com/watch?v=dFJcGYUFB0s
PE-sieve is still able to detect the remains of the header and reconstruct the full PE

Slide 46

Implanted PE files: fixing erased imports
https://www.youtube.com/watch?v=YJjm5yT1rdM
PE-sieve with the option /imp – recovering imports

Slide 47

PE-sieve – TODO:
• IAT/EAT hooking detection
• Classic DLL injection detection
• Whitelisting known hooks
• Bugs? Ideas? https://github.com/hasherezade/pe-sieve/issues

Slide 48

PE-sieve – links
• More info: https://hshrzd.wordpress.com/pe-sieve/
• Tweets – updates: https://twitter.com/i/moments/1024005197926936577
• Code:
  • https://github.com/hasherezade/pe-sieve
  • https://github.com/hasherezade/hollows_hunter

Slide 49

Hasherezade (@hasherezade)
THANK YOU