BYPASSING USER MODE HOOKS ANALYZING MALWARE EVASION TREND FIRST Tel Aviv 2019 2 ENSILOCOM ABOUT US Omri Misgav Security Research Team Leader enSilo Reverse Engineering OS in ID: 840325
Download Pdf The PPT/PDF document "ENSILOCOM" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
1 ENSILO.COM BYPASSING USER - MODE HOOKS A
ENSILO.COM BYPASSING USER - MODE HOOKS ANALYZING MALWARE EVASION TREND FIRST Tel Aviv 2019 2 // ENSILO.COM ABOUT US ⢠Omri Misgav â Security Research Team Leader @ enSilo â Reverse Engineering, OS internals ⢠Udi Yavo â CTO & Co - Found
2 er @ enSilo â Former CTO, Rafael Cyber
er @ enSilo â Former CTO, Rafael Cyber Security Division â Past speaker in Blackhat and RSA ⢠Our technical blog: BreakingMalware.com 3 // ENSILO.COM AGENDA ⢠Intro and background ⢠Bypass techniques analysis â Secondary DLL mapping â
3 Direct system call invocation â Cod
Direct system call invocation â Code splicing ⢠Comparison and takeaways 4 // ENSILO.COM INTRO ⢠Hooking is used to intercept function calls in order to alter or augment their behavior ⢠User - mode hooks are used in many security produc
4 ts and tools â AVs \ NGAVs â EDRs â![ts and tools
â
AVs
\
NGAVs
â
EDRs
â](840325/ts-and-tools-avs-ngavs-edrs-sandboxes-dl.jpg "ts and tools
â
AVs
\
NGAVs
â
EDRs
â")
ts and tools â AVs \ NGAVs â EDRs â Sandboxes â DLPs â And more ⦠⢠Why? â Stable, simple ( nevertheless, not without faults ) â Lack of Patch Protection â Full context ⢠Bypasses exist for a very long time ⢠Last ~ 1.5 years th
5 ere â s an increasing number of report
ere â s an increasing number of reports (malware and pentesters ) 5 // ENSILO.COM HOOKING BACKGROUND Application kernel 32 ! CreateProcessA kernel 32 ! CreateProcessInternalA kernel 32 ! CreateProcessInternalW ntdll! NtCreateUserProcess ntoskrnl
6 !... ntoskrnl! NtCreateUserProcess ntos
!... ntoskrnl! NtCreateUserProcess ntoskrnl !... Kernel User Kernel User WOW 64 User Application Kernel 32 ! ReadProcessMemory KernelBase! ReadProcessMemory ntdll! NtReadVirtualMemory wow 64 cpu! X 86 SwitchTo 64 BitMode wow 64 ! Wow 64 SystemServiceEx
7 ntdll! NtReadVirtualMemory ntoskrnl !..
ntdll! NtReadVirtualMemory ntoskrnl !... ntoskrnl! NtCreateUserProcess ntoskrnl !... 6 // ENSILO.COM ⢠Control flow instructions ⢠Generating exceptions function_B : 0 x 403000 : cc 0 x 403001 : 89 e 5 0 x 403003 : 83 ec 50 0 x 403006 :
8 ⦠int 3 mov ebp , esp sub esp , 0 x
⦠int 3 mov ebp , esp sub esp , 0 x 50 function_A : 0 x 401000 : 55 0 x 401001 : 89 e 5 0 x 401003 : 83 ec 40 0 x 401006 : 50 0 x 401007 : 8 b 44 24 0 c 0 x 40100 a: ⦠push ebp mov ebp , esp sub esp , 0 x 40 push eax mov eax , [ esp
9 + 0 xc] HOOKING BACKGROUND Inline Hooks![+
0
xc]
HOOKING BACKGROUND
Inline Hooks](840325/0-xc-hooking-background-inline-hooks-hoo.jpg "+
0
xc]
HOOKING BACKGROUND
Inline Hooks")
+ 0 xc] HOOKING BACKGROUND Inline Hooks hook_A : 0 x 402000 : 55 0 x 402001 : 89 e 5 0 x 402003 : 83 ec 40 0 x 402006 : e 9 06 10 40 00 push ebp mov ebp , esp sub esp , 0 x 40 jmp function_A + 6 function_A : 0 x 401000 : e 9 00 20 40 00 0 x 4
10 01005 : 89 0 x 401006 : 50 0 x 401007
01005 : 89 0 x 401006 : 50 0 x 401007 : 8 b 44 24 0 c 0 x 40100 a: ⦠jmp hook_A nop push eax mov eax , [ esp + 0 xc] function_B : 0 x 403000 : 55 0 x 403001 : 89 e 5 0 x 403003 : 83 ec 50 0 x 403006 : ⦠push ebp mov ebp , esp sub esp
11 , 0 x 50 7 // ENSILO.COM BYPASS T
, 0 x 50 7 // ENSILO.COM BYPASS TECHNIQUES ANALYSIS Secondary DLL mapping 8 // ENSILO.COM BYPASS TECHNIQUES ⢠ReadFile () + Reflective Loading ⢠FormBook , reported by FireEye ⢠Infostealer ⢠Referred to as "Lagos Island method â
12 ⢠Loads ntdll.dll â Code injection a
⢠Loads ntdll.dll â Code injection and Process Hollowing â File system and registry access Manually Load DLL From Disk 9 // ENSILO.COM BYPASS TECHNIQUES Manually Load DLL From Disk 10 // ENSILO.COM BYPASS TECHNIQUES Manually Load DLL Fro
13 m Disk 11 // ENSILO.COM BYPASS TECH
m Disk 11 // ENSILO.COM BYPASS TECHNIQUES ⢠CopyFile () + LoadLibrary () ⢠Hancitor , reported by MalwareBytes ⢠Downloader ⢠Copies kernel 32 .dll â Call CreateProcess as part of Process Hollowing Clone DLL 12 // ENSILO.COM BYPAS
14 S TECHNIQUES Clone DLL 13 // ENSILO
S TECHNIQUES Clone DLL 13 // ENSILO.COM BYPASS TECHNIQUES Clone DLL 14 // ENSILO.COM BYPASS TECHNIQUES ⢠[ Nt ] CreateFile () + NtCreateSection ( ⦠, SEC_IMAGE, ⦠) + ZwMapViewOfSection () ⢠Osiris, reported by MalwareBytes ⢠Ban
15 king trojan ⢠Remaps ntdll.dll â Pro
king trojan ⢠Remaps ntdll.dll â Process Doppelgänging \ Hollowing hybrid ( â Transacted Hollowing â ) Section Remapping 15 // ENSILO.COM BYPASS TECHNIQUES Section Remapping 16 // ENSILO.COM BYPASS TECHNIQUES ANALYSIS Direct system ca
16 ll invocation 17 // ENSILO.COM BYPA
ll invocation 17 // ENSILO.COM BYPASS TECHNIQUES ⢠Calling system calls directly ⢠DarkGate , reported by enSilo ⢠Crypto miner and stealer ⢠Used for Process Hollowing and writing to the registry NTDLL Parsing 18 // ENSILO.COM BYPASS
17 TECHNIQUES NTDLL Parsing 19 // ENS
TECHNIQUES NTDLL Parsing 19 // ENSILO.COM BYPASS TECHNIQUES NTDLL Parsing Application kernel 32 ! CreateProcessA kernel 32 ! CreateProcessInternalA kernel 32 ! CreateProcessInternalW ntdll! NtCreateUserProcess ntoskrnl !... ntoskrnl! NtCreateUserP
18 rocess ntoskrnl !... Kernel User Kernel
rocess ntoskrnl !... Kernel User Kernel User WOW 64 User Application Kernel 32 ! ReadProcessMemory KernelBase! ReadProcessMemory ntdll! NtReadVirtualMemory wow 64 cpu! X 86 SwitchTo 64 BitMode wow 64 ! Wow 64 SystemServiceEx ntdll! NtReadVirtualMemory n
19 toskrnl !... ntoskrnl! NtCreateUserProce
toskrnl !... ntoskrnl! NtCreateUserProcess ntoskrnl !... 20 // ENSILO.COM BYPASS TECHNIQUES ⢠Make system calls from within WOW 64 emulation layer â 32 - bit application on 64 - bit Windows ⢠GlobeImposter , reported by enSilo ⢠Ransomwa
20 re ⢠Used for Process Hollowing Heaven
re ⢠Used for Process Hollowing Heaven â s Gate 21 // ENSILO.COM BYPASS TECHNIQUES Heaven â s Gate 22 // ENSILO.COM BYPASS TECHNIQUES Heaven â s Gate Application kernel 32 ! CreateProcessA kernel 32 ! CreateProcessInternalA kernel 32 !
21 CreateProcessInternalW ntdll! NtCreateU
CreateProcessInternalW ntdll! NtCreateUserProcess ntoskrnl !... ntoskrnl! NtCreateUserProcess ntoskrnl !... Kernel User Kernel User WOW 64 User Application Kernel 32 ! ReadProcessMemory KernelBase! ReadProcessMemory ntdll! NtReadVirtualMemory wow 64 cp
22 u! X 86 SwitchTo 64 BitMode wow 64 ! Wow
u! X 86 SwitchTo 64 BitMode wow 64 ! Wow 64 SystemServiceEx ntdll! NtReadVirtualMemory ntoskrnl !... ntoskrnl! NtCreateUserProcess ntoskrnl !... 23 // ENSILO.COM BYPASS TECHNIQUES ANALYSIS Code splicing 24 // ENSILO.COM BYPASS TECHNIQUES ⢠R
23 ebuild function stubs elsewhere ⢠Comm
ebuild function stubs elsewhere ⢠Commonly used by packers ⢠CodeFork â s Gamarue , reported by Radware ⢠Downloader for bots, spamming, miners ⦠⢠Copies the first instruction of library functions it uses Code Splicing (a.k.a. Byte Stealin
24 g) 25 // ENSILO.COM BYPASS TECHNIQU
g) 25 // ENSILO.COM BYPASS TECHNIQUES Code Splicing (a.k.a. Byte Stealing) 26 // ENSILO.COM BYPASS TECHNIQUES Code Splicing (a.k.a. Byte Stealing) 27 // ENSILO.COM BYPASS TECHNIQUES Comparison Technique Runtime Indicators Forensic Artifac
25 ts Drawbacks Manually Load DLL From Dis
ts Drawbacks Manually Load DLL From Disk Callstacks missing relevant DLLs Floating PE copy in memory Significantly different from the norm Clone DLL Callstacks with unexpected DLLs Identical PEs in memory Changes to file system Lower level \ depende
26 ncies can be hooked Section Remapping M
ncies can be hooked Section Remapping Multiple mappings of same PE Multiple mappings of same PE Canât be used for complex code NTDLL Parsing Callstacks missing ntdll.dll Limited functionality Heaven â s Gate Callstacks missing WOW 64 system DLLs L
27 imited functionality Code Splicing Inter
imited functionality Code Splicing Internal \ lower level \ dependencies can be hooked 28 // ENSILO.COM BYPASS TECHNIQUES ⢠Used by all sorts of malware families ⢠Sophisticated actors, though not necessarily APTs ⢠Usually to mask the initi
28 al steps and establishing foothold ⢠N
al steps and establishing foothold ⢠None of the techniques are actually new ⢠Some techniques are not as commonly used in the wild â Unhook Flashbang \ ReflectiveDLLRefresher : detectible and reversible â Bring Your Own Indexes (BYOI): version
29 dependent Summary 29 // ENSILO.COM
dependent Summary 29 // ENSILO.COM ANALYSIS AND DETECTION TACTICS ⢠Events regarding system DLLs can be used as indicators â Copy, multiple read \ load operations ⢠Check the callstacks ⢠Place hooks \ breakpoints at non - trivial locatio
30 ns ⢠Randomize as much as you can â¢
ns ⢠Randomize as much as you can ⢠Hook many different layers ( â mine â the path) ⢠Correlate user - mode and kernel - mode data ⢠Use information provided by the OS (ETW) 30 // ENSILO.COM CLOSING REMARKS ⢠These are only a handful
31 of examples ⢠Trivial to implement, s
of examples ⢠Trivial to implement, simple to use (most have source code available) ⢠Hardly any recent innovations, yet still very effective ⢠MITRE ATT&CK doesn â t reference hook bypassing as defense evasion ⢠Using user - mode hooks for s
32 ecurity is not enough 31 // ENSILO.
ecurity is not enough 31 // ENSILO.COM QUESTIONS? udi@ensilo.com in/ udiyavo @ UdiYavo omri@ensilo.com www.breakingmalware.com in/ omri - misgav THANK YOU udi@ensilo.com in/ udiyavo @ UdiYavo omri@ensilo.com www.breakingmalware.com in/ omri - misga