SlideShare a Scribd company logo
1 of 57
Download to read offline
Pirating AVS to Bypass Exploit Mitigations
Captain Hook:
WHO?
Udi Yavo
 CTO and Co-Founder, enSilo
 Former CTO, Rafael Cyber Security Division
 Researcher
 Author on BreakingMalware
Tomer Bitton
 VP Research and Co-Founder, enSilo
 Low Level Researcher, Rafael Advanced Defense Systems
 Malware Researcher
 Author on BreakingMalware
 Hooking In a Nutshell
 Scope of Research
 Inline Hooking – Under the hood
- 32-bit function hooking
- 64-bit function hooking
 Hooking Engine Injection Techniques
 The 6 Security Issues of Hooking
 Demo – Bypassing exploit mitigations
 3rd Party Hooking Engines
 Affected Products
 Research Tools
 Summary
AGENDA
 Hooking is used to intercept function calls in order to alter or
augment their behavior
 Used in most endpoint security products:
• Anti-Exploitation – EMET, Palo-Alto Traps, …
• Anti-Virus – Almost all of them
• Personal Firewalls – Comodo, Zone-Alarm,…
• …
 Also used in non-security products for various purposes:
• Application Performance Monitoring (APM)
• Application Virtualization (Microsoft App-V)
 Used in Malware:
• Man-In-The-Browser (MITB)
HOOKING IN A NUTSHELL
 Our research encompassed about a dozen security products
 Focused on user-mode inline hooks – The most common hooking
method in real-life products
 Hooks are commonly set by an injected DLL. We’ll refer to this DLL
as the “Hooking Engine”
 Kernel-To-User DLL injection techniques
• Used by most vendors to inject their hooking engine
• Complex and leads security issues
SCOPE OF RESEARCH
Inline Hooking
Disassemble
Prolog
Allocate
Code Stub
Copy Prolog
Instructions
Patch the
Prolog with a
JMP
Straight forward most of the time:
INLINE HOOKING – 32-BIT FUNCTION HOOKING
INLINE HOOKING – 32-BIT FUNCTION HOOKING
InternetConnectW before the hook is set:
InternetConnectW After the hook is set:
The hooking function (0x178940) The Copied Instructions
Original Function Code
INLINE HOOKING – 32-BIT FUNCTION HOOKING
 Other Techniques:
• One Byte Patching (Malware) - Patch with an illegal instruction and catch in
the exception handler
• Microsoft Hot Patching – Only 2 bytes function prolog overwrite
 Some Possible Complications:
• Relative jmp/call in the prolog
• Very short functions/short prolog
• jmp/jxx to the middle of the prolog’s instruction
• …
Hooking Function
INLINE HOOKING – 32-BIT FUNCTION HOOKING
Disassemble
Prolog
Allocate
Trampoline
Allocate
Code Stub
Write
Trampoline
Copy Prolog
Instructions
Patch the
Prolog with a
JMP
MOV RAX, <Hooking Function>
JMP RAX
• More complex
• 5 bytes jmp instruction might not be enough (limited to a 2GB range)
INLINE HOOKING – 64-BIT FUNCTION HOOKING
• InternetConnectA before the hook is set:
• InternetConnectA after the hook is set:
• Trampoline code:
INLINE HOOKING – 64-BIT FUNCTION HOOKING
If we follow the hooking function we get:
Original Function Code
INLINE HOOKING – 64-BIT FUNCTION HOOKING
 Other Techniques:
 6 Bytes patching (requires hooks’ code stub to be in 32-bit address)
 Double Push (Nikolay Igotti) – Preserves all registers
 …
 Possible Complications:
 Similar to 32-bit hooks
 More instruction pointer relative instructions:
MOV RAX, QWORD [RIP+0x15020]
Jumps to 0x7ffc00030000
INLINE HOOKING – 64-BIT FUNCTION HOOKING
 Inline hooking is the most common hooking technique in real-life products
 Rather intrusive – modifies the code of the of hooking function
 Used by most endpoint security products
 More on hooking:
• Binary Hooking Problems - By Gil Dabah
• Trampolines in X64 - By Gil Dabah
• Powerful x86/x64 Mini Hook-Engine - Daniel Pistelli
• Inline Hooking for Programmers - Malware Tech
• …
INLINE HOOKING – RECAP
Kernel-To-User Code Injections
INTRODUCTION - KERNEL-TO-USER CODE INJECTIONS
 Mainly used for:
• Injecting DLLs
• Sandbox escapes – After exploiting privilege
escalation vulnerability
• Injecting to protected processes
 Fewer techniques exist than user-mode
 Less documented than user-mode techniques
 Used by both Malware and Software/Security vendors
 The most common Kernel-To-User injection method
 Used by lots of malwares:
• TDL
• ZERO ACCESS
• Sandbox escape shellcodes
• …
 Also used by lots of security products:
• AVG
• Kaspersky Home Edition
• Avecto
• …
 Documented:
• Blackout: What Really Happened
• Much more in forums and leaked source codes
INJECTION METHODS – USER APC
Basic Steps (There are several variations):
1. Register load image callback using PsSetLoadImageNotifyRoutine
2. Write payload that injects a dll using LdrLoadDll
(Other variations use LoadLibrary)
3. Insert User APC using KeInsertQueueApc
INJECTION METHODS – USER APC
• Not really common but worth mentioning
• Used by Duqu
• Fully documented in:
http://binsec.gforge.inria.fr/pdf/Malware2013-Analysis-Diversion-Duqu-paper.pdf
INJECTION METHODS – ENTRY POINT PATCHING
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
Process Image
• Register load image callback using PsSetLoadImageNotifyRoutine
and wait for main module to load
INJECTION METHODS – ENTRY POINT PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
Process Image
• Write the payload to the process address space
INJECTION METHODS – ENTRY POINT PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
Payload
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
• Replace the image entry point with JMP to the new code
INJECTION METHODS – ENTRY POINT PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
Payload
JMP Payload
Process Image
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
• The payload executes, fixes the entry point and jumps to it
INJECTION METHODS – ENTRY POINT PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
Payload
JMP Payload
Process Image
Jump to entry point
• Internet Explorer patched entrypoint
INJECTION METHODS – ENTRY POINT PATCHING
 First published on Codeless-Code-Injections talk (to our knowledge)
 Never been used by malware (to our knowledge)
 Used by software and security vendors:
• Symantec
• Trusteer
• Microsoft App-V
 Similar method could probably use TLS data directory
INJECTION METHODS – IMPORT TABLE PATCHING
PE HeaderMZ Header
DOS Stub
File Header
Optional Header
Data Directories
Imports
…
Import Descriptor 1
Import Descriptor 2
Before
PE HeaderMZ Header
DOS Stub
File Header
Optional Header
Data Directories
Imports
…
Import Descriptor 1
Import Descriptor 2
After
Import Descriptor 1
Import Descriptor 2
Injected DLL Descriptor
…
1. Register load image callback using
PsSetLoadImageNotifyRoutine and wait for main
module to load
2. Allocate memory for the new import table and copy
old table with a new record for the injected DLL
INJECTION METHODS – IMPORT TABLE PATCHING
3. Point the import data directory to the new
table
4. When the DLL is loaded the original PE
header is restored
INJECTION METHODS – IMPORT TABLE PATCHING
Internet Explorer patched import table
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
LdrLoadDll
• Register load image callback using PsSetLoadImageNotifyRoutine
and wait for ntdll.dll module to load
INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
LdrLoadDll
• Write the payload to the process address space
INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
Payload
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
LdrLoadDll
• Replace the LdrLoadLibrary prolog with JMP (or equivalent) to the payload
INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
PayloadPayload
JMP Payload
Kernel Space
User Space
RtlUserThreadStart
KiStartUserThread Callback Routine
LdrLoadDll
• The payload loads a dll, fixes LdrLoadDll and jumps to it
INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING
Application
Ntoskrnl.exe EvilDriver.sys
PayloadPayload
JMP Payload
Jump to LdrLoadDll
• Kernel-To-User Injections are extensively used by both
malware and security/software products
• Kernel injections are mainly used to inject a DLL to
target processes
• In security products the injected DLL is commonly the
hooking engine
• Prone to mistakes – due to its relative complexity
INJECTION METHODS – QUICK SUMMARY
The 6 security issues of hooking
Severity: Very High
Affected Systems: All Windows Versions
Occurs due to bad DLL injection implementation
 We found 2 types of unsafe injections:
• LoadLibrary from a relative path – vulnerable
to DLL Hijacking
• Unprotected injected DLL file – placed in
%appdata%LocalVendor
Can easily be replaced by the attacker
#1 – UNSAFE INJECTION
RWX PermissionsFunctions pointers in constant addresses
Severity: Very High
Affected Systems: All Windows Versions
The Kernel-To-User DLL injection allocates RWX code in a
predictable location
• Implications:
• ASLR Bypass – The code stubs normally contains
addresses of critical OS functions
• Great for shellcode – Allows writing malicious code
to the allocated code-stub
#2 – PREDICTABLE RWX CODE STUBS
Severity: Very High
Affected Systems: All Windows Versions
The Kernel-To-User DLL injection or hooking engine
allocates R-X code in a predictable location
Implications:
• ASLR Bypass – The code stubs contain the addresses
of critical OS functions
• Hooks Bypass – Calling the hook code stub
effectively bypasses the hook
• Code Reuse – The code can also be useful for ROP
#3 – PREDICTABLE R-X CODE STUBS
Severity: High
Affected Systems: Windows 7 and Below
The Kernel-To-User DLL injection allocates RWX code
without specifying exact address
Implications:
• Similar to the first predictable RWX Code issue
#4 – PREDICTABLE RWX CODE STUBS 2
Severity: Medium
Affected Systems: All Windows Versions
The most common issue: most hooking engines leave their
hook code stubs as RWX
The implication - possible CFG bypass:
• Get arbitrary read/write in the target process
• Find the hook’s stub (R)
• Overwrite it (W)
• Trigger the execution of the hooked function (X)
#5 –RWX CODE STUBS
* Note: Attacker with arbitrary read/write will probably succeed anyway
LdrLoadDll Hook
RWX Permissions
Severity: Medium
Affected Systems: All Windows Versions
Some hooking engines leave the code of the hooked
modules as RWX
The implication - possible CFG bypass
#6 –RWX HOOKED MODULES
SECURITY ISSUES OF HOOKING - RECAP
Demo
Bypassing Exploit Mitigations
3rd Party Hooking Engines
 Developing a hooking engine is not an easy task
 Using open-source* or commercial hooking engines has many advantages:
• Easy API to work with
• Supports many platforms
• Saves development effort
• Saves testing effort
 3rd party hooking engines are also integrated into non-security products
 A security issue in a hooking engine results in many patches…
3RD PARTY HOOKING ENGINES
* We really like Gil Dabah’s distormx
 Used by many open-source projects
 Also used by a few security vendors. For example, Vera
Features:
 Kernel Hooking support
 Thread Deadlock Barrier
 RIP-relative address relocation for 64-bit
 …
Security Issues:
 RWX Hook Code Stubs
 RWX Hooked Modules
Bad Practice:
 Uses Non-Executable heap and changes parts of it to code
EASYHOOK – OPEN-SOURCE HOOKING ENGINE
“Several Fortune 500 companies are using Deviare technology for application
virtualization, packaging, and troubleshooting, and for computer security.”
 Dual License – Commercial or GPL for open-source
 Fixed the issues quickly
 From their web site:
Features:
 Defer Hook –Set a hook only when and if a module is loaded
 .NET Function hooking
 Interface for many languages: (C++, VB, Python, C#,…)
 …
Security Issues:
 RWX Hook Code Stubs
DEVIARE2 - OPEN-SOURCE HOOKING ENGINE
 Used by a lot for security vendors (75% of its users)
 Used by emsisoft
 Fixed the issues quickly
Features:
 Injection Driver – Used to perform kernel-injection into processes
 IPC API –Used to easily communicate with some main process
 IAT Hooking
 …
Security Issues:
 RWX Hook Code Stubs
MADCODEHOOK – POWERFUL COMMERCIAL HOOKING
 The most popular hooking engine in the world
 Microsoft’s App-V uses Detours which is integrated into Office
 We were surprised to find out that it has problems too…
Features:
 ARM support
 …
Security Issues:
• Predictable RX (Universal).
MICROSOFT DETOURS
* Details won’t be revealed until the patch is released (September)
“Under commercial release for over 10 years, Detours is licensed by over 100 ISVs and used
within nearly every product team at Microsoft.”
 Microsoft’s hooking engine Detours – via Microsoft.com:
 Could potentially affect millions of users
 Also used in security products
 Hard to patch - In most cases fixing this issue requires recompilation of
each product individually which makes patching cumbersome
MICROSOFT DETOURS VULNERABILITY - IMPLICATIONS
Affected Products
Products/Vendors
UnSafe
Injection
Predictable
RWX(Universal)
Predictable
RX(Universal)
Predictable
RWX
RWX Hook
code stubs
RWX Hooked
Modules
Time To Fix (Days)
Symantec X 90
McAfee X X 90
Trend Micro X X (Initial Fix) X 210
Kaspersky X X 90
AVG X 30
BitDefender X X 30
WebRoot X X 29
AVAST X X 30
Emsisoft X 90
Citrix - Xen Desktop X X 90
Microsoft Office* X 180
WebSense X X X 30
Vera X X ?
Invincea X(64-bit) X X ?
Anti-Exploitation* X ?
BeyondTrust X X Fixed Independently
T O T A L S 2 2 6 8 7 5 7 9 . 9
*Patchwasn’treleasedyet
AFFECTEDPRODUCTS
High
Research Tools
Memory Region
Affected Process IDsAffected Process
• Tool to detect predictable RWX code regions
• Can be found at https://github.com/BreakingMalware/AVulnerabilityChecker
• Compares memory maps of processes
RESEARCH TOOLS – AVULNERABILITY
• Tool for scanning hooks and checking their code permissions
• Compares code “On-Disk” with the code “In-Memory”
• Does best-effort to track hooks code stubs
RESEARCH TOOLS – HOOKS SCAN
• Code hooking is an important capability for security/software vendors
• Similar to other intrusive operations it has security implications
• Almost all the vendors we tested were vulnerable to at least one issue
• We worked closely with affected vendors to address all these issues –
most are already patched
SUMMARY
Contact Us:
Udi, udi@ensilo.com
Tomer, tomer@ensilo.com

More Related Content

What's hot

Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingSam Bowne
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Sam Bowne
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseTakahiro Haruyama
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)Sam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 

What's hot (20)

Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware Launching
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Packers
PackersPackers
Packers
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware Behavior
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows Programs
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 

Similar to Captain Hook: Pirating AVs to Bypass Exploit Mitigations

EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitDimitry Snezhkov
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Zhen Huang
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Software Protection Techniques
Software Protection TechniquesSoftware Protection Techniques
Software Protection TechniquesChaitanya Anpat
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingAsep Sopyan
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSoumitra Bhattacharyya
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 

Similar to Captain Hook: Pirating AVs to Bypass Exploit Mitigations (20)

Dll injection
Dll injectionDll injection
Dll injection
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Software Protection Techniques
Software Protection TechniquesSoftware Protection Techniques
Software Protection Techniques
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hacking
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devices
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

  • 1. Pirating AVS to Bypass Exploit Mitigations Captain Hook:
  • 2. WHO? Udi Yavo  CTO and Co-Founder, enSilo  Former CTO, Rafael Cyber Security Division  Researcher  Author on BreakingMalware Tomer Bitton  VP Research and Co-Founder, enSilo  Low Level Researcher, Rafael Advanced Defense Systems  Malware Researcher  Author on BreakingMalware
  • 3.  Hooking In a Nutshell  Scope of Research  Inline Hooking – Under the hood - 32-bit function hooking - 64-bit function hooking  Hooking Engine Injection Techniques  The 6 Security Issues of Hooking  Demo – Bypassing exploit mitigations  3rd Party Hooking Engines  Affected Products  Research Tools  Summary AGENDA
  • 4.  Hooking is used to intercept function calls in order to alter or augment their behavior  Used in most endpoint security products: • Anti-Exploitation – EMET, Palo-Alto Traps, … • Anti-Virus – Almost all of them • Personal Firewalls – Comodo, Zone-Alarm,… • …  Also used in non-security products for various purposes: • Application Performance Monitoring (APM) • Application Virtualization (Microsoft App-V)  Used in Malware: • Man-In-The-Browser (MITB) HOOKING IN A NUTSHELL
  • 5.  Our research encompassed about a dozen security products  Focused on user-mode inline hooks – The most common hooking method in real-life products  Hooks are commonly set by an injected DLL. We’ll refer to this DLL as the “Hooking Engine”  Kernel-To-User DLL injection techniques • Used by most vendors to inject their hooking engine • Complex and leads security issues SCOPE OF RESEARCH
  • 7. Disassemble Prolog Allocate Code Stub Copy Prolog Instructions Patch the Prolog with a JMP Straight forward most of the time: INLINE HOOKING – 32-BIT FUNCTION HOOKING
  • 8. INLINE HOOKING – 32-BIT FUNCTION HOOKING InternetConnectW before the hook is set: InternetConnectW After the hook is set:
  • 9. The hooking function (0x178940) The Copied Instructions Original Function Code INLINE HOOKING – 32-BIT FUNCTION HOOKING
  • 10.  Other Techniques: • One Byte Patching (Malware) - Patch with an illegal instruction and catch in the exception handler • Microsoft Hot Patching – Only 2 bytes function prolog overwrite  Some Possible Complications: • Relative jmp/call in the prolog • Very short functions/short prolog • jmp/jxx to the middle of the prolog’s instruction • … Hooking Function INLINE HOOKING – 32-BIT FUNCTION HOOKING
  • 11. Disassemble Prolog Allocate Trampoline Allocate Code Stub Write Trampoline Copy Prolog Instructions Patch the Prolog with a JMP MOV RAX, <Hooking Function> JMP RAX • More complex • 5 bytes jmp instruction might not be enough (limited to a 2GB range) INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 12. • InternetConnectA before the hook is set: • InternetConnectA after the hook is set: • Trampoline code: INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 13. If we follow the hooking function we get: Original Function Code INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 14.  Other Techniques:  6 Bytes patching (requires hooks’ code stub to be in 32-bit address)  Double Push (Nikolay Igotti) – Preserves all registers  …  Possible Complications:  Similar to 32-bit hooks  More instruction pointer relative instructions: MOV RAX, QWORD [RIP+0x15020] Jumps to 0x7ffc00030000 INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 15.  Inline hooking is the most common hooking technique in real-life products  Rather intrusive – modifies the code of the of hooking function  Used by most endpoint security products  More on hooking: • Binary Hooking Problems - By Gil Dabah • Trampolines in X64 - By Gil Dabah • Powerful x86/x64 Mini Hook-Engine - Daniel Pistelli • Inline Hooking for Programmers - Malware Tech • … INLINE HOOKING – RECAP
  • 17. INTRODUCTION - KERNEL-TO-USER CODE INJECTIONS  Mainly used for: • Injecting DLLs • Sandbox escapes – After exploiting privilege escalation vulnerability • Injecting to protected processes  Fewer techniques exist than user-mode  Less documented than user-mode techniques  Used by both Malware and Software/Security vendors
  • 18.  The most common Kernel-To-User injection method  Used by lots of malwares: • TDL • ZERO ACCESS • Sandbox escape shellcodes • …  Also used by lots of security products: • AVG • Kaspersky Home Edition • Avecto • …  Documented: • Blackout: What Really Happened • Much more in forums and leaked source codes INJECTION METHODS – USER APC
  • 19. Basic Steps (There are several variations): 1. Register load image callback using PsSetLoadImageNotifyRoutine 2. Write payload that injects a dll using LdrLoadDll (Other variations use LoadLibrary) 3. Insert User APC using KeInsertQueueApc INJECTION METHODS – USER APC
  • 20. • Not really common but worth mentioning • Used by Duqu • Fully documented in: http://binsec.gforge.inria.fr/pdf/Malware2013-Analysis-Diversion-Duqu-paper.pdf INJECTION METHODS – ENTRY POINT PATCHING
  • 21. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine Process Image • Register load image callback using PsSetLoadImageNotifyRoutine and wait for main module to load INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys
  • 22. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine Process Image • Write the payload to the process address space INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload
  • 23. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine • Replace the image entry point with JMP to the new code INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload JMP Payload Process Image
  • 24. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine • The payload executes, fixes the entry point and jumps to it INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload JMP Payload Process Image Jump to entry point
  • 25. • Internet Explorer patched entrypoint INJECTION METHODS – ENTRY POINT PATCHING
  • 26.  First published on Codeless-Code-Injections talk (to our knowledge)  Never been used by malware (to our knowledge)  Used by software and security vendors: • Symantec • Trusteer • Microsoft App-V  Similar method could probably use TLS data directory INJECTION METHODS – IMPORT TABLE PATCHING
  • 27. PE HeaderMZ Header DOS Stub File Header Optional Header Data Directories Imports … Import Descriptor 1 Import Descriptor 2 Before PE HeaderMZ Header DOS Stub File Header Optional Header Data Directories Imports … Import Descriptor 1 Import Descriptor 2 After Import Descriptor 1 Import Descriptor 2 Injected DLL Descriptor … 1. Register load image callback using PsSetLoadImageNotifyRoutine and wait for main module to load 2. Allocate memory for the new import table and copy old table with a new record for the injected DLL INJECTION METHODS – IMPORT TABLE PATCHING 3. Point the import data directory to the new table 4. When the DLL is loaded the original PE header is restored
  • 28. INJECTION METHODS – IMPORT TABLE PATCHING Internet Explorer patched import table
  • 29. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Register load image callback using PsSetLoadImageNotifyRoutine and wait for ntdll.dll module to load INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys
  • 30. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Write the payload to the process address space INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload
  • 31. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Replace the LdrLoadLibrary prolog with JMP (or equivalent) to the payload INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys PayloadPayload JMP Payload
  • 32. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • The payload loads a dll, fixes LdrLoadDll and jumps to it INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys PayloadPayload JMP Payload Jump to LdrLoadDll
  • 33. • Kernel-To-User Injections are extensively used by both malware and security/software products • Kernel injections are mainly used to inject a DLL to target processes • In security products the injected DLL is commonly the hooking engine • Prone to mistakes – due to its relative complexity INJECTION METHODS – QUICK SUMMARY
  • 34. The 6 security issues of hooking
  • 35. Severity: Very High Affected Systems: All Windows Versions Occurs due to bad DLL injection implementation  We found 2 types of unsafe injections: • LoadLibrary from a relative path – vulnerable to DLL Hijacking • Unprotected injected DLL file – placed in %appdata%LocalVendor Can easily be replaced by the attacker #1 – UNSAFE INJECTION
  • 36. RWX PermissionsFunctions pointers in constant addresses Severity: Very High Affected Systems: All Windows Versions The Kernel-To-User DLL injection allocates RWX code in a predictable location • Implications: • ASLR Bypass – The code stubs normally contains addresses of critical OS functions • Great for shellcode – Allows writing malicious code to the allocated code-stub #2 – PREDICTABLE RWX CODE STUBS
  • 37. Severity: Very High Affected Systems: All Windows Versions The Kernel-To-User DLL injection or hooking engine allocates R-X code in a predictable location Implications: • ASLR Bypass – The code stubs contain the addresses of critical OS functions • Hooks Bypass – Calling the hook code stub effectively bypasses the hook • Code Reuse – The code can also be useful for ROP #3 – PREDICTABLE R-X CODE STUBS
  • 38. Severity: High Affected Systems: Windows 7 and Below The Kernel-To-User DLL injection allocates RWX code without specifying exact address Implications: • Similar to the first predictable RWX Code issue #4 – PREDICTABLE RWX CODE STUBS 2
  • 39. Severity: Medium Affected Systems: All Windows Versions The most common issue: most hooking engines leave their hook code stubs as RWX The implication - possible CFG bypass: • Get arbitrary read/write in the target process • Find the hook’s stub (R) • Overwrite it (W) • Trigger the execution of the hooked function (X) #5 –RWX CODE STUBS * Note: Attacker with arbitrary read/write will probably succeed anyway
  • 40. LdrLoadDll Hook RWX Permissions Severity: Medium Affected Systems: All Windows Versions Some hooking engines leave the code of the hooked modules as RWX The implication - possible CFG bypass #6 –RWX HOOKED MODULES
  • 41. SECURITY ISSUES OF HOOKING - RECAP
  • 43. 3rd Party Hooking Engines
  • 44.  Developing a hooking engine is not an easy task  Using open-source* or commercial hooking engines has many advantages: • Easy API to work with • Supports many platforms • Saves development effort • Saves testing effort  3rd party hooking engines are also integrated into non-security products  A security issue in a hooking engine results in many patches… 3RD PARTY HOOKING ENGINES * We really like Gil Dabah’s distormx
  • 45.  Used by many open-source projects  Also used by a few security vendors. For example, Vera Features:  Kernel Hooking support  Thread Deadlock Barrier  RIP-relative address relocation for 64-bit  … Security Issues:  RWX Hook Code Stubs  RWX Hooked Modules Bad Practice:  Uses Non-Executable heap and changes parts of it to code EASYHOOK – OPEN-SOURCE HOOKING ENGINE
  • 46. “Several Fortune 500 companies are using Deviare technology for application virtualization, packaging, and troubleshooting, and for computer security.”  Dual License – Commercial or GPL for open-source  Fixed the issues quickly  From their web site: Features:  Defer Hook –Set a hook only when and if a module is loaded  .NET Function hooking  Interface for many languages: (C++, VB, Python, C#,…)  … Security Issues:  RWX Hook Code Stubs DEVIARE2 - OPEN-SOURCE HOOKING ENGINE
  • 47.  Used by a lot for security vendors (75% of its users)  Used by emsisoft  Fixed the issues quickly Features:  Injection Driver – Used to perform kernel-injection into processes  IPC API –Used to easily communicate with some main process  IAT Hooking  … Security Issues:  RWX Hook Code Stubs MADCODEHOOK – POWERFUL COMMERCIAL HOOKING
  • 48.  The most popular hooking engine in the world  Microsoft’s App-V uses Detours which is integrated into Office  We were surprised to find out that it has problems too… Features:  ARM support  … Security Issues: • Predictable RX (Universal). MICROSOFT DETOURS * Details won’t be revealed until the patch is released (September)
  • 49. “Under commercial release for over 10 years, Detours is licensed by over 100 ISVs and used within nearly every product team at Microsoft.”  Microsoft’s hooking engine Detours – via Microsoft.com:  Could potentially affect millions of users  Also used in security products  Hard to patch - In most cases fixing this issue requires recompilation of each product individually which makes patching cumbersome MICROSOFT DETOURS VULNERABILITY - IMPLICATIONS
  • 51. Products/Vendors UnSafe Injection Predictable RWX(Universal) Predictable RX(Universal) Predictable RWX RWX Hook code stubs RWX Hooked Modules Time To Fix (Days) Symantec X 90 McAfee X X 90 Trend Micro X X (Initial Fix) X 210 Kaspersky X X 90 AVG X 30 BitDefender X X 30 WebRoot X X 29 AVAST X X 30 Emsisoft X 90 Citrix - Xen Desktop X X 90 Microsoft Office* X 180 WebSense X X X 30 Vera X X ? Invincea X(64-bit) X X ? Anti-Exploitation* X ? BeyondTrust X X Fixed Independently T O T A L S 2 2 6 8 7 5 7 9 . 9 *Patchwasn’treleasedyet AFFECTEDPRODUCTS
  • 52. High
  • 54. Memory Region Affected Process IDsAffected Process • Tool to detect predictable RWX code regions • Can be found at https://github.com/BreakingMalware/AVulnerabilityChecker • Compares memory maps of processes RESEARCH TOOLS – AVULNERABILITY
  • 55. • Tool for scanning hooks and checking their code permissions • Compares code “On-Disk” with the code “In-Memory” • Does best-effort to track hooks code stubs RESEARCH TOOLS – HOOKS SCAN
  • 56. • Code hooking is an important capability for security/software vendors • Similar to other intrusive operations it has security implications • Almost all the vendors we tested were vulnerable to at least one issue • We worked closely with affected vendors to address all these issues – most are already patched SUMMARY