This document contains a list of terms prefixed with "cyber". It includes over 300 terms related to cyber topics such as cybersecurity, cybercrime, cyberculture, cybertechnology, and more. Some examples included are cyberbullying, cyberterrorism, cyberpunk, cyberlaw, and cyberspace.
12. Why I’m Here
• -CON worthy? (…but people talk about it and use it already, so…)
• Generate more interest on the topic (next<buzz>
generation interest)
• Recognize other’s hard-work (…not really my presentation thereof)
13. Background Worth Noting
• Principal Base64 Cryptographer (Application Security)
• Reviewing of the computer codes
• Enhanced vulnerability assessments (corporate pen-testing)
• Nerf phishing exercises
• SAASSY: Strategic Advanced Application & Software SecuritY… Yackers? …Yuppies?
• Previously worked for a company known as eEye
• Never done a -CON talk
• Implicit Disclaimer
• Talk or content thereof does not reflect that of mycurrent employer in any way, shape, or
form (even though they aren’t a security company) nor does it reflect that of past employers
14. A Talk Mostly About Other’s Work
• In memory techniques not necessarily “new”
• There is more out there than you may think (TLDR; search for it)
• Credit and recognition past due
15. Talking Mostly About Other’s Work
viz. Mostly Others Work
This Talk
• Libraries and loading thereof on Windows (in a nutshell)
• Memory-based library loading using a specific technique (with a specific project)
• Compare/contrast memory-based techniques (fromother projects or concepts, similar or not)
• Real-world cases of/for real-world uses (of the topic technique)
Not This Talk
• Memory-Based Library Loadingon other platforms (Mac, Linux, UNIX, …)
• Usage of all memory-based techniques (or my use thereof)
• Guaranteed evasions (using any of the techniques)
16. Library Loading on Windows
• Portable Executable (PE) format
• EXE, DLL, …
• EXE and DLL are similar
• Code, Data, Resources
• Loader to load ;-]
17. Dynamic-Link Library (DLL)
• Module with things for another module (application or DLL)
• Functions and data (things) can be internal or exported
• Types of dynamic linking
• Load-time (module linked with import library)
• Run-time (LoadLibrary, LoadLibraryEx)
18. Other Dynamic-Link Library (DLL) points
• Entry point is optional
• Loader search order (and hijacking thereof)
• MSDN has all the information things
24. So, um…
Thankfully for you and me this is not a technical talk on PE
• See other innumerable resources, like Corkami, RE sites, MSDN, …
Take-Aways
• DLL and EXE are similar, as is the loading process
• High-level familiarity is okay (so long as you don’t ignore the low-level)
• Low-level familiarity is ideal (so long as you don’t forget the big-picture)
25. Fun Fact It looks like you need90’s eraarticles…
30. “MemoryModule”
Libraryto loada DLL from memory
Joachim Bauch
https://github.com/fancycode/
http://web.archive.org/web/20050202213757/http://www.joachim-bauch.de:80/
<blink>
</blink>
31. A comment from Joachim Bauch:
“My first use case for MemoryModule was to "protect" some
proprietary C-Python modules (which are .DLL files on Windows).
I had a "loader” Python module that was initialized with license files
and then decrypted and loaded the actual modules from memory using
MemoryModule.
That's how the project started and it was interesting to find out how
loading libraries worked internally in Windows. I liked the code (and
hoped others might, too), so I decided to open source it.”
32. Highlights on MemoryModule
• 10+ years senior to functionally equivalent techniques (ca. 2004)
• Pre-dates other security-related research (and isn’t security research)
• The code is documented and cleanly written (see for yourself)
33. So, let’s talk Memory-Based Library Loading
with Joachim’s MemoryModule
https://github.com/fancycode/MemoryModule/tree/master/doc
34. So, what does it do?
• Emulates standard Windows API functions
• LoadLibrary
• LoadLibraryEx
• GetProcAddress
• FreeLibrary
• FindResource
• FindResourceEx
• SizeofResource
• LoadResource
• LoadString
35. So, it’s kind of like Windows API.
• MemoryModule resembles the Windows API
• MemoryLoadLibrary
• MemoryLoadLibraryEx
• MemoryGetProcAddress
• MemoryFreeLibrary
• MemoryFindResource
• MemoryFindResourceEx
• MemorySizeofResource
• MemoryLoadResource
• MemoryLoadString
• MemoryLoadStringEx
36. So how is it like Windows PE loader?
• TLDR; Joachim’s documentation
37. Hear the docs: “Loading the library
To emulate the PE loader,we must first understand,which steps are neccessary to load the file to memory and prepare the structures
so theycan be called from other programs.
When issuingthe API call LoadLibrary,Windows basicallyperforms these tasks:
1. Open the given file and check the DOS and PE headers.
2. Try to allocate a memory block of PEHeader.OptionalHeader.SizeOfImage bytes at position PEHeader.OptionalHeader.ImageBase.
3. Parse section headers and copy sections to their addresses. The destination address for each section, relative to the base of the allocated
memory block, is stored in the VirtualAddress attribute of the IMAGE_SECTION_HEADER structure.
4. If the allocated memory block differs from ImageBase, various references in the code and/or data sections must be adjusted. This is called Base
relocation.
5. The required imports for the library must be resolved by loading the corresponding libraries.
6. The memory regions of the different sections must be protected depending on the section's characteristics. Some sections are marked as
discardable and therefore can be safely freed at this point. These sections normally contain temporary data that is only needed during the
import, like the informations for the base relocation.
7. Now the library is loaded completely. It must be notified about this by calling the entry point using the flag DLL_PROCESS_ATTACH.
In the followingparagraphs,each step is described.”
https://github.com/fancycode/MemoryModule/tree/c4074afd3e0eb01dfb36e89a8d10ae0fe94434a4/doc#loa
ding-the-library
38. Loading the library: Headers
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L507
39. Loading the library: Sections Table
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L556
40. Loading the library: ‘Mapping’
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L579
41. Loading the library: Imports
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L401
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L649
42. Loading the library: Execution
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L653
45. The How to Use in 1-slide Guide
• git clone https://github.com/fancycode/MemoryModule
MemoryModule-master
• Modify MemoryModule-master/CMakeList.txt PLATFORM variable for
target architecture (x86_64, i686, …)
• Use the example/DllLoader/DllLoader.cpp
• You can make modifications to Joachim’s example (remove test code, file name, perhaps add
a XOR decoder)
• Build
• Generate [commodity] payloads (perhaps XOR encode after)
• Configure endpoint security solution on target
• Copy the payload and payload loader to target
• Test
47. So, if you didn’t know by now why should we
use a memory-based library loader?
<marquee><blink><b><i><u>
Evasion
</u></i></b></blink></marquee>
48. So, remember...
• Requisite library loading API functions without Windows API
• Resource loading API functions without Windows API
• Payloads with files or without files; doesn’t matter
So many uses! Use your imagination…
49. So, let’s compare the techniques.
• Isn’t this just DLL injection?
Semantically this not an “injection”, even though the loading process
may be functionally equivalent at points.
MemoryModule is loading the file directly into the same executables
memory space; not “remotely” as-it-were, and independent of the
Windows API.
55. So, let’s compare the techniques.
• Isn’t this just process hollowing?
MemoryModule is loading the file directly into the same executables
memory space without spawning another process.
However, imaginably MemoryModule technique could take advantage
in some form to load itself differently (i.e. evasion), or vice versa.
56. Fun Fact It sounds like you meant “Nebbett’s Shuttle”fromcomp.os.ms-windows.programmer.win32…
https://groups.google.com/forum/#!msg/comp.os.ms-windows.programmer.win32/Md3GKPc279A/Ax3bYgXhpD8J
https://www.blackhat.com/presentations/bh-usa-07/Harbour/Presentation/bh-usa-07-harbour.pdf
https://attack.mitre.org/wiki/Technique/T1093
58. So, contrasting other memory techniques.
• MemoryModule-technique is not DLL injection
• MemoryModule-technique is not Process Hollowing
• Other techniques similar in loading but differ in how they get there
59. So, let’s see it in the real-world.
• Who is doing MemoryModule type of memory-based library loading?
• People on source code sites
• People all about the games -sites
• People porting it into different languages
• Legitimate software uses it (e.g. Py2Exe)
73. “How can I do stuff with MemoryModule?”
• Fork the source and build
• See the examples in Joachim’s source
• See Pitts’s and Morrow’s EBOWLA framework
• See legit uses like Py2exe
• See indirect uses via Py2exe like Veil
• See other research like Jung, Stevens, DarthTon
• See source repository forks on Github
• See my rudimentary examples and ideas
• Try it with existing frameworks like Cobalt Strike
• Experiment with delivery methods and payloads
• Experiment with obscuring MemoryModule
75. And, the obvious use case.
• Feigning the fudging of the fancy futuristic security solutions securing
of the digitals
76. So, someone should eventually research
• Computational expensiveness (hardware, ML models)
• Alternative MemoryModule loader implementations
• Other people, places, and things (malware, forks, sites, researchers)
• Dynamic detection (in-memory, computational expensiveness)
77. So, wrapping it all up.
• Emulating the Windows PE loader provides a unique method for employing memory-
based evasions
• MemoryModule by Joachim Bauch implements this technique, and has been around
since 2004 just for you, and for others too
• Other memory-based techniques exist and have been around longer than we may have
thought
• There’s a lot you can do either by contributing or tinkering
• There are a lot of smart and talented people, named or not, that I am honored to talk
about
78. Okay, that’s the talk.
(I’m done pushing buttons so it’s automatic slide advance from here on…)
79. Credits
• This entire talk was one built-in credit, thanks to everyone!
• Some images listed as public domain
• Unless otherwise noted by a URL or reference
• I can provide all references on request
80. Thanks (mostly for putting up with my nonsense)
God My wife - My family - My friends
“Ya’ll” “You’ns”
Those Not Named
Derbycon
(legacy…legacy…legacy…)
81. Okay, that’s the talk.
• Oh yeah, I have a Twitter.
• And a GitHub, too.