SlideShare a Scribd company logo

Process Doppelgänging

K
KarlFrank99

The document discusses evasion techniques used by malware to avoid detection from antivirus scanners. It provides a brief history of techniques like process hollowing and code injection methods. It then summarizes how antivirus scanners work by intercepting processes like file opening and memory mapping. The document also discusses how NTFS transactions on Windows allow for file operations to occur transactionally.

Education
1 of 66
Download to read offline
Lost in Transaction: Process Doppelgänging Tal Liberman Eugene Kogan
About Us • @Tal_Liberman • Security Research Team Leader @ enSilo • Reverse Engineering, Research, Low Level Expert • Author on BreakingMalware • Eugene Kogan • Principal Development Lead @ enSilo • Former Tech Lead @ Imperva • Kernel Expert
Overview • Brief history of evasion techniques • AV scanners • Transacted NTFS (TxF) • Evolution of Windows process loader • Doppelgänging execution flow ( + live demo) • “Mitigation in Redstone” - The Story of a BSOD
Brief History of Evasion Techniques • Advanced Code Injections Overview • GhostWriting • AtomBombing • PowerLoader + PowerLoaderEx • PROPagate • … • Reflective Loading • Process Hollowing
GhostWritingA paradox: Writing to another process without opening it nor actually writing to it • Injection method from over 10 years ago • Has never received much attention • Inject arbitrary code into explorer.exe without: • OpenProcess • WriteProcessMemory • CreateRemoteThread Original post by c0de90e7: http://blog.txipinet.com/2007/04/05/69-a-paradox-writing-to-another-process-without-openning-it-nor-actually-writing-to-it/
GhostWritingA paradox: Writing to another process without opening it nor actually writing to it • Find 2 patterns in NTDLL • Move pattern • mov [REG1], REG2 ; mov [eax], ebx • ret • Jmp pattern • jmp 0x0 ;(eb fe) • Write-What-Where(What, Where) • SetThreadContext(…): • EIP=Move pattern • ESP=NewStack • REG1=Where • REG2=What Original post by c0de90e7: http://blog.txipinet.com/2007/04/05/69-a-paradox-writing-to-another-process-without-openning-it-nor-actually-writing-to-it/
GhostWritingA paradox: Writing to another process without opening it nor actually writing to it • Using write-what-where: • Write shellcode to stack • Write VirtualProtect parameters to stack • Using SetThreadContext: • Call VirtualProtect • Call shellcode
AtomBombing • Injection technique we published in October 2016 • Exploits the global atom table and APCs • Used in the wild by Dridex Original post: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows
AtomBombing – Write-What-Where • GlobalAddAtom • NtQueueApcThread(…, GlobalGetAtomNameW, …) • Copy code to RW memory in target process • Copy ROP chain to target process • ROP chain • ZwAllocateVirtualMemory(…, RWX, …); • memcpy(RWX, RW, …); • Shellcode() • Initiate ROP chain • NtQueueApcThread(…, NtSetContextThread, …) Original post: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…);
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX svchost.exe EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB hollowed EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB evil.exe EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW evil.exe EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
Process Hollowing - Issues • The most trivial implementations create an image that is entirely RWX • Easy to detect in numerous ways • Unmap and VirtualAllocEx/NtAllocateVirtualMemory() with correct protection • Unmapping of main module is highly suspicious • ETHREAD.Win32StartAddress  VadType != VadImageMap • Overwrite original executable without unmapping • _MMPFN.u4.PrototypePte == 0 (0 means private/not shared, should be 1 - shared) • If not paged – cause page in • In forensics PTE.u.Soft.PageFileHigh != 0 • Unmap and remap as non image • Vad.Flags.VadType != VadImageMap • Unmap and remap as image • ETHREAD.Win32StartAddress != Image.AddressOfEntryPoint • EPROCESS.ImageFilePointer != VAD(ETHREAD.Win32StartAddress).Subsection.ControlArea.FilePointer * • On Win < 10 – EPROCESS.SectionObject
Quick Recap • Process hollowing – not so great anymore • Rest of techniques • Missing file mapping • Suspicious • We need something new • Wouldn’t it be cool if we could create a fileless mapped file? • But AVs scan files • We need to understand how scanners work
Anti-Viruses - Real Time Scan
AV Scanners – Scan on execute • Where to intercept? 1. Minifilter File open/create 2. Minifilter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION 3. Process create notify routine (executables only) Open file Create section Mem map Execute 1 2 3 File execution timeline
AV Scanners – Challenges • How to open the file for scanning? • From User mode / Kernel • By File name/ FileId / using existing file object • Rescan on each change is not practical • Scan file before the execution • File content be altered before execution begins
AV Scanners – Examples Anti-Viruses - Examples
AV Scanners - Examples • Block during file open (partial stack) AV Blocks here FLTMGR!FltpPerformPostCallbacks+0x2a5 nt!ObOpenObjectByNameEx+0x1dd nt!IoCreateFileEx+0x115 nt!NtCreateUserProcess+0x431 -------------------- Kernel mode ---------------- ntdll!NtCreateUserProcess+0x14 Open file Create section Mem map Execute Intercept
AV Scanners - Examples • Scan intercepted file while blocked (partial stack) nt!ObpLookupObjectName+0x8b2 nt!ObOpenObjectByNameEx+0x1dd FLTMGR!FltCreateFile+0x8d AV minifilter code here FLTMGR!FltpDispatch+0xe9 nt!IopXxxControlFile+0xd9c nt!NtDeviceIoControlFile+0x56 nt!KiSystemServiceCopyEnd+0x13
AV Scanners - Examples • Block during ACQUIRE_FOR_SECTION_SYNC… AV Blocks here FLTMGR!FltpPerformPreCallbacks+0x2ea nt!FsRtlAcquireToCreateMappedSection+0x4e nt!FsRtlCreateSectionForDataScan+0xa6 FLTMGR!FltCreateSectionForDataScan+0xec WdFilter!MpCreateSection+0x138 Open file Create section Mem map Execute Intercept
AV Scanners - ACQUIRE_FOR_SECTION_SYNC • Flags are misleading – • SEC_IMAGE unavailable • Possible to pass PAGE_READONLY Data Or Executable?
AV Scanners - Examples • Block during process creation partial stack AV Blocks here nt!PspCallProcessNotifyRoutines+0x1cf nt!PspInsertThread+0x5ea nt!NtCreateUserProcess+0x8be -------------------- Kernel mode ---------------- ntdll!NtCreateUserProcess+0x14 KERNEL32!CreateProcessWStub+0x53 Open file Create section Mem map Execute Intercept
AV Scanners – Process Notification • PsSetCreateProcessNotifyRoutineEx available Windows Vista SP1+ • Can be achieved in other ways – SSDT (XP remember?) • Available only for main executable • Not useful for DLL loading • Blind to process hollowing
AV Scanners – Summary • It is not an easy job to create an AV • Performance vs coverage tradeoff • How often files are opened and sections are mapped • Variety of operating systems and file systems • From XP to Win 10 • Different CPUs 32 bit and 64 bit • FAT, NTFS, Network • Not complicated enough?
NTFS Transactions Transactional NTFS
NTFS Transactions - Facts • A.K.A. TxF • Introduced in Windows Vista • Implemented in NTFS driver (Kernel) • For local disks • Microsoft proposed use cases: Files update or DTC • Simplifies handling of a rollback after multiple file changes • For example during installation process
NTFS Transactions - Facts • Taken from Storage Developer conference – 2009: • TxF accounts for ~30% of NTFS driver size on AMD64 • MSDN lists 19 new Win32 *Transacted() APIs • 22 file I/O APIs whose behavior is affected by TxF • Deprecated on arrival • Still used today (almost 11 years later)
NTFS Transactions – API examples • Application explicitly uses transactions • CreateTransaction() • CommitTransaction() , RollbackTransaction() • CreateFileTransacted(), DeleteFileTransacted(), RemoveDirectoryTransacted(), MoveFileTransacted() • Most functions that work with handles should work with transactions
NTFS Transactions – Usage Example • hTransaction = CreateTransaction(NULL, NULL, 0, 0, 0, 0, NULL); • hFile = CreateFileTransacted(FILE_NAME, hTransaction); • WriteFile(hFile); • CloseHandle(hFile); • CommitTransaction(hTransaction); • CloseHandle(hTransaction);
Quick Recap What we have so far? TxF
Quick Recap • Naturally, transactions make life hard for AV vendors • We want to create a process from transacted file • However process creation does not support transacted files directly • We need dive into process creation on Windows to find a way to do it
Windows Process Loader Evolution • Comparing kernel32!CreateProcessW between XP and 10 gives the impression that MS completely changed how processes are created • A deeper examination shows that Microsoft simply moved most of the code from kernel32 to ntoskrnl (and somehow the function in kernel32 became longer) • Logically the steps remain mostly the same, at least for our purposes
Process Loader Evolution – XP
Process Loader Evolution – XP • CreateProcessW • CreateProcessInternalW • NtOpenFile – Open image file • NtCreateSection – Create section from opened image file • NtCreateProcessEx – Create process from section • PspCreateProcess – Actually create the process • ObCreateObject – Create the EPROCESS object • Add process to list of processes • BasePushProcessParameters – Copy process parameters • RtlCreateProcessParameters – Create process parameters • NtAllocateVirtualMemory – Allocate memory for process parameters • NtWriteVirtualMemory – Copy process parameters to allocated memory • NtWriteVirtualMemory – Write address to PEB.ProcessParameters • RtlDestroyProcessParameters – Destroy process parameters • BaseCreateStack – Create Stack for process • NtCreateThread – Create main thread • NtResumeThread – Resume main thread Kernel
Process Loader Evolution – 10
Process Loader Evolution – 10 • CreateProcessW • CreateProcessInternalW • BasepCreateProcessParameters - Create process parameters • RtlCreateProcessParametersEx - Create process parameters • NtCreateUserProcess - Create process from file • PspBuildCreateProcessContext – Build create process context • IoCreateFileEx – Open image file • MmCreateSpecialImageSection – Create section from image file • PspCaptureProcessParams – Copy process parameters from user mode • PspAllocateProcess - Create process from section • ObCreateObject – Create EPROCESS object • MmCreatePeb – Create PEB for process • PspSetupUserProcessAddressSpace – Allocate and copy process • KeStackAttachProcess – Attach to process memory • ZwAllocateVirtualMemory – Allocate memory for process parameters • PspCopyAndFixupParameters – Copy process parameters to process • Memcpy • Set PEB.ProcessParameters • KiUnstackDetachProcess – Detach from process memory • PspAllocateThread – Create thread • PspInsetProcess – Insert process to list of processes • PspInsertThread – Insert thread to list of threads • PspDeleteCreateProcessContext – Delete process create context • RtlDestroyProcessParameters – Delete process parameters • NtResumeThread – Start main thread Kernel
Windows Process Loader Evolution • NtCreateUserProcess used instead of NtCreateProcessEx • NtCreateProcessEx receives a handle to a section • NtCreateUserProcess receives a file path • NtCreateProcessEx still available – used in creation of minimal processes (nt!PsCreateMinimalProcess) • All the supporting user-mode code is not available post XP • We need to implement it ourselves
Doppelgänging - Motivation • Load and execute arbitrary code • In context of legitimate process • None of the suspicious process hollowing API calls • NtUnmapViewOfSection • VirtualProtectEx • SetThreadContext • AV will not scan at all / AV will scan “clean” files only • Will not be discovered by advanced forensics tools
Doppelgänging - Overview • We break Doppelgänging into 4 steps: • Transact – Overwrite legitimate executable with a malicious one • Load – Load malicious executable • Rollback – Rollback to original executable • Animate – Bring the Doppelgänger to life
Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …); File svchost.exe
Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …); File svchost.exe
Doppelgänging - Load • Create a section from the transacted file • NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile); • The created section will point to our malicious executable File svchost.exe
Doppelgänging - Load • Create a section from the transacted file • NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile); • The created section will point to our malicious executable Section svchost.exe File svchost.exe
Doppelgänging - Rollback • Rollback the transaction • RollbackTransaction(hTransaction); • Effectively removes our changes from the file system Section svchost.exe File svchost.exe
Doppelgänging - Rollback • Rollback the transaction • RollbackTransaction(hTransaction); • Effectively removes our changes from the file system Section svchost.exe File svchost.exe
Doppelgänging - Animate • Create process and thread objects • NtCreateProcessEx(&hProcess, …, hSection, …); • NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); Section svchost.exe File svchost.exe
Doppelgänging - Animate • Create process and thread objects • NtCreateProcessEx(&hProcess, …, hSection, …); • NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); Process Section svchost.exe File svchost.exe
Doppelgänging - Animate • Create process and thread objects • NtCreateProcessEx(&hProcess, …, hSection, …); • NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); • Create process parameters • RtlCreateProcessParametersEx(&ProcessParams, ...); • Copy parameters to the newly created process’s address space • VirtualAllocEx(hProcess, &RemoteProcessParams, …, PAGE_READWRITE); • WriteProcessMemory(hProcess, RemoteProcessParams, ProcessParams, …); • WriteProcessMemory(hProcess, RemotePeb.ProcessParameters, &RemoteProcessParams, …); • Start execution of the doppelgänged process • NtResumeThread(hThread, …);
Doppelgänging in Action DEMO
“Mitigation in Redstone” The story of a BSOD • Everything worked well on Windows 7 • First run on Windows 10 – BSOD • Reported by James Forshaw* • Null pointer dereference *https://bugs.chromium.org/p/project-zero/issues/detail?id=852
“Mitigation in Redstone” The story of a BSOD • How to get over it? • PsCreateMinimalProcess • MS was nice enough to fix it for this talk ;)
Affected Products Product Tested OS Result Windows Defender Windows 10 Bypass AVG Internet Security Windows 10 Bypass Bitdefender Windows 10 Bypass ESET NOD 32 Windows 10 Bypass Qihoo 360 Windows 10 Bypass Symantec Endpoint Protection Windows 7 SP1 Bypass McAfee VSE 8.8 Patch 6 Windows 7 SP1 Bypass Kaspersky Endpoint Security 10 Windows 7 SP1 Bypass Kaspersky Antivirus 18 Windows 7 SP1 Bypass Symantec Endpoint Protection 14 Windows 7 SP1 Bypass Panda Windows 8.1 Bypass Avast Windows 8.1 Bypass
Detection / Prevention • Realtime • Scan using file object available in create process notification routine (Vista+) • On error, block • What to do about DLLs? • Scan all sections, even data sections – performance issue to consider • Forensics • WriteAccess == TRUE for the FILE_OBJECT associated with process • EPROCESS. ImageFilePointer is NULL (Win 10)
Summary • Process will look legitimate • Uses Windows loader (no need for a custom one) • Mapped correctly to an image file on disk, just like any legit process • No “unmapped code” which is usually detected by modern solutions • Can also be leveraged to load DLLs • Fileless • Even advanced forensics tools such as Volatility will not detect it • Works on all Windows versions since Vista • Bypasses all tested security products
Special Thanks • Omri Misgav – Security Researcher @ enSilo • @UdiYavo – CTO @ enSilo • This research wouldn’t be possible without you
Questions? Thank you Tal Liberman Eugene Kogan http://breakingmalware.com

Recommended

Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...
Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...
Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...
David Piao Chiu
 
入門啟示錄Ch08簡報
入門啟示錄Ch08簡報入門啟示錄Ch08簡報
入門啟示錄Ch08簡報
Chiou WeiHao
 
Visualizing STEP Files
Visualizing STEP FilesVisualizing STEP Files
Visualizing STEP FilesRichard Haney
 
Chicken
ChickenChicken
Chicken
Dan Kaminsky
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
Daniel López Jiménez
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
Positive Hack Days
 
LiveOps-E-book
LiveOps-E-bookLiveOps-E-book
LiveOps-E-bookScott Willoughby
 
Thinking Outside The [Sand]Box
Thinking Outside The [Sand]BoxThinking Outside The [Sand]Box
Thinking Outside The [Sand]Box
Michael Genkin
 

Recommended

Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...
Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...
Kongregate - Maximizing Player Retention and Monetization in Free-to-Play Gam...
David Piao Chiu
 
入門啟示錄Ch08簡報
入門啟示錄Ch08簡報入門啟示錄Ch08簡報
入門啟示錄Ch08簡報
Chiou WeiHao
 
Visualizing STEP Files
Visualizing STEP FilesVisualizing STEP Files
Visualizing STEP FilesRichard Haney
 
Chicken
ChickenChicken
Chicken
Dan Kaminsky
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
Daniel López Jiménez
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
Positive Hack Days
 
LiveOps-E-book
LiveOps-E-bookLiveOps-E-book
LiveOps-E-bookScott Willoughby
 
Thinking Outside The [Sand]Box
Thinking Outside The [Sand]BoxThinking Outside The [Sand]Box
Thinking Outside The [Sand]Box
Michael Genkin
 
Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
 
JavaScript Event Loop
JavaScript Event LoopJavaScript Event Loop
JavaScript Event LoopThomas Hunter II
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesCharles Nutter
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
orkaplan
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
Building High Performance Android Applications in Java and C++
Building High Performance Android Applications in Java and C++Building High Performance Android Applications in Java and C++
Building High Performance Android Applications in Java and C++
Kenneth Geisshirt
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
Moabi.com
 
Anatomy of an action
Anatomy of an actionAnatomy of an action
Anatomy of an action
Gordon Chung
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
Yen-Chin Lee
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Javascript Everywhere
Javascript EverywhereJavascript Everywhere
Javascript Everywhere
Pascal Rettig
 
iOS 2 - The practical Stuff
iOS 2 - The practical StuffiOS 2 - The practical Stuff
iOS 2 - The practical StuffPetr Dvorak
 
Node azure
Node azureNode azure
Node azure
Emanuele DelBono
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
KarlFrank99
 
Comodo q1 2018
Comodo q1 2018Comodo q1 2018
Comodo q1 2018
KarlFrank99
 

More Related Content

Similar to Process Doppelgänging

Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesCharles Nutter
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
orkaplan
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
Building High Performance Android Applications in Java and C++
Building High Performance Android Applications in Java and C++Building High Performance Android Applications in Java and C++
Building High Performance Android Applications in Java and C++
Kenneth Geisshirt
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
Moabi.com
 
Anatomy of an action
Anatomy of an actionAnatomy of an action
Anatomy of an action
Gordon Chung
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
Yen-Chin Lee
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Javascript Everywhere
Javascript EverywhereJavascript Everywhere
Javascript Everywhere
Pascal Rettig
 
iOS 2 - The practical Stuff
iOS 2 - The practical StuffiOS 2 - The practical Stuff
iOS 2 - The practical StuffPetr Dvorak
 
Node azure
Node azureNode azure
Node azure
Emanuele DelBono
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 

Similar to Process Doppelgänging (20)

Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]
 
JavaScript Event Loop
JavaScript Event LoopJavaScript Event Loop
JavaScript Event Loop
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for Dummies
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Building High Performance Android Applications in Java and C++
Building High Performance Android Applications in Java and C++Building High Performance Android Applications in Java and C++
Building High Performance Android Applications in Java and C++
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Anatomy of an action
Anatomy of an actionAnatomy of an action
Anatomy of an action
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Javascript Everywhere
Javascript EverywhereJavascript Everywhere
Javascript Everywhere
 
iOS 2 - The practical Stuff
iOS 2 - The practical StuffiOS 2 - The practical Stuff
iOS 2 - The practical Stuff
 
Node azure
Node azureNode azure
Node azure
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 

More from KarlFrank99

Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
KarlFrank99
 
Comodo q1 2018
Comodo q1 2018Comodo q1 2018
Comodo q1 2018
KarlFrank99
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence technique
KarlFrank99
 
Osteoblast-Osteoclast Interactions
Osteoblast-Osteoclast InteractionsOsteoblast-Osteoclast Interactions
Osteoblast-Osteoclast Interactions
KarlFrank99
 
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
KarlFrank99
 
Osteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to EphrinOsteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to Ephrin
KarlFrank99
 
The Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune SystemThe Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune System
KarlFrank99
 
No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...
KarlFrank99
 
20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatement20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatement
KarlFrank99
 
20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreview20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreview
KarlFrank99
 
20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocus20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocus
KarlFrank99
 
20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_Update20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_Update
KarlFrank99
 
20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECB20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECB
KarlFrank99
 
NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423
KarlFrank99
 
20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicals20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicals
KarlFrank99
 
Hs P005 Reflective Dll Injection
Hs P005 Reflective Dll InjectionHs P005 Reflective Dll Injection
Hs P005 Reflective Dll InjectionKarlFrank99
 
Atomic Bomb Tutorial En
Atomic Bomb Tutorial EnAtomic Bomb Tutorial En
Atomic Bomb Tutorial EnKarlFrank99
 
Bh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallBh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallKarlFrank99
 

More from KarlFrank99 (20)

Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
 
Comodo q1 2018
Comodo q1 2018Comodo q1 2018
Comodo q1 2018
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence technique
 
Osteoblast-Osteoclast Interactions
Osteoblast-Osteoclast InteractionsOsteoblast-Osteoclast Interactions
Osteoblast-Osteoclast Interactions
 
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
 
Osteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to EphrinOsteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to Ephrin
 
The Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune SystemThe Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune System
 
No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...
 
20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatement20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatement
 
20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreview20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreview
 
20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocus20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocus
 
20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_Update20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_Update
 
20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECB20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECB
 
NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423
 
20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicals20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicals
 
Dsohowto
DsohowtoDsohowto
Dsohowto
 
Tesi Laurea
Tesi LaureaTesi Laurea
Tesi Laurea
 
Hs P005 Reflective Dll Injection
Hs P005 Reflective Dll InjectionHs P005 Reflective Dll Injection
Hs P005 Reflective Dll Injection
 
Atomic Bomb Tutorial En
Atomic Bomb Tutorial EnAtomic Bomb Tutorial En
Atomic Bomb Tutorial En
 
Bh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallBh Usa 07 Butler And Kendall
Bh Usa 07 Butler And Kendall
 

Recently uploaded

TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
Academy of Science of South Africa
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
Special education needs
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
camakaiclarkmusic
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
Krisztián Száraz
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
Pavel ( NSTU)
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
kimdan468
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 

Recently uploaded (20)

TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 

Process Doppelgänging

  • 1. Lost in Transaction: Process Doppelgänging Tal Liberman Eugene Kogan
  • 2. About Us • @Tal_Liberman • Security Research Team Leader @ enSilo • Reverse Engineering, Research, Low Level Expert • Author on BreakingMalware • Eugene Kogan • Principal Development Lead @ enSilo • Former Tech Lead @ Imperva • Kernel Expert
  • 3. Overview • Brief history of evasion techniques • AV scanners • Transacted NTFS (TxF) • Evolution of Windows process loader • Doppelgänging execution flow ( + live demo) • “Mitigation in Redstone” - The Story of a BSOD
  • 4. Brief History of Evasion Techniques • Advanced Code Injections Overview • GhostWriting • AtomBombing • PowerLoader + PowerLoaderEx • PROPagate • … • Reflective Loading • Process Hollowing
  • 5. GhostWritingA paradox: Writing to another process without opening it nor actually writing to it • Injection method from over 10 years ago • Has never received much attention • Inject arbitrary code into explorer.exe without: • OpenProcess • WriteProcessMemory • CreateRemoteThread Original post by c0de90e7: http://blog.txipinet.com/2007/04/05/69-a-paradox-writing-to-another-process-without-openning-it-nor-actually-writing-to-it/
  • 6. GhostWritingA paradox: Writing to another process without opening it nor actually writing to it • Find 2 patterns in NTDLL • Move pattern • mov [REG1], REG2 ; mov [eax], ebx • ret • Jmp pattern • jmp 0x0 ;(eb fe) • Write-What-Where(What, Where) • SetThreadContext(…): • EIP=Move pattern • ESP=NewStack • REG1=Where • REG2=What Original post by c0de90e7: http://blog.txipinet.com/2007/04/05/69-a-paradox-writing-to-another-process-without-openning-it-nor-actually-writing-to-it/
  • 7. GhostWritingA paradox: Writing to another process without opening it nor actually writing to it • Using write-what-where: • Write shellcode to stack • Write VirtualProtect parameters to stack • Using SetThreadContext: • Call VirtualProtect • Call shellcode
  • 8. AtomBombing • Injection technique we published in October 2016 • Exploits the global atom table and APCs • Used in the wild by Dridex Original post: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows
  • 9. AtomBombing – Write-What-Where • GlobalAddAtom • NtQueueApcThread(…, GlobalGetAtomNameW, …) • Copy code to RW memory in target process • Copy ROP chain to target process • ROP chain • ZwAllocateVirtualMemory(…, RWX, …); • memcpy(RWX, RW, …); • Shellcode() • Initiate ROP chain • NtQueueApcThread(…, NtSetContextThread, …) Original post: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows
  • 10. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…);
  • 11. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX svchost.exe EAX - Entry point
  • 12. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB hollowed EAX - Entry point
  • 13. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB evil.exe EAX - Entry point
  • 14. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW evil.exe EAX - Entry point
  • 15. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
  • 16. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
  • 17. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
  • 18. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
  • 19. Process Hollowing • CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …); • NtUnmapViewOfSection(…); • VirtualAllocEx(…); • For each section: • WriteProcessMemory(..., EVIL_EXE, …); • Relocate Image* • Set base address in PEB* • SetThreadContext(…); • ResumeThread(…); PEB .data RW .text RX evil.exe EAX - Entry point
  • 20. Process Hollowing - Issues • The most trivial implementations create an image that is entirely RWX • Easy to detect in numerous ways • Unmap and VirtualAllocEx/NtAllocateVirtualMemory() with correct protection • Unmapping of main module is highly suspicious • ETHREAD.Win32StartAddress  VadType != VadImageMap • Overwrite original executable without unmapping • _MMPFN.u4.PrototypePte == 0 (0 means private/not shared, should be 1 - shared) • If not paged – cause page in • In forensics PTE.u.Soft.PageFileHigh != 0 • Unmap and remap as non image • Vad.Flags.VadType != VadImageMap • Unmap and remap as image • ETHREAD.Win32StartAddress != Image.AddressOfEntryPoint • EPROCESS.ImageFilePointer != VAD(ETHREAD.Win32StartAddress).Subsection.ControlArea.FilePointer * • On Win < 10 – EPROCESS.SectionObject
  • 21. Quick Recap • Process hollowing – not so great anymore • Rest of techniques • Missing file mapping • Suspicious • We need something new • Wouldn’t it be cool if we could create a fileless mapped file? • But AVs scan files • We need to understand how scanners work
  • 22. Anti-Viruses - Real Time Scan
  • 23. AV Scanners – Scan on execute • Where to intercept? 1. Minifilter File open/create 2. Minifilter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION 3. Process create notify routine (executables only) Open file Create section Mem map Execute 1 2 3 File execution timeline
  • 24. AV Scanners – Challenges • How to open the file for scanning? • From User mode / Kernel • By File name/ FileId / using existing file object • Rescan on each change is not practical • Scan file before the execution • File content be altered before execution begins
  • 25. AV Scanners – Examples Anti-Viruses - Examples
  • 26. AV Scanners - Examples • Block during file open (partial stack) AV Blocks here FLTMGR!FltpPerformPostCallbacks+0x2a5 nt!ObOpenObjectByNameEx+0x1dd nt!IoCreateFileEx+0x115 nt!NtCreateUserProcess+0x431 -------------------- Kernel mode ---------------- ntdll!NtCreateUserProcess+0x14 Open file Create section Mem map Execute Intercept
  • 27. AV Scanners - Examples • Scan intercepted file while blocked (partial stack) nt!ObpLookupObjectName+0x8b2 nt!ObOpenObjectByNameEx+0x1dd FLTMGR!FltCreateFile+0x8d AV minifilter code here FLTMGR!FltpDispatch+0xe9 nt!IopXxxControlFile+0xd9c nt!NtDeviceIoControlFile+0x56 nt!KiSystemServiceCopyEnd+0x13
  • 28. AV Scanners - Examples • Block during ACQUIRE_FOR_SECTION_SYNC… AV Blocks here FLTMGR!FltpPerformPreCallbacks+0x2ea nt!FsRtlAcquireToCreateMappedSection+0x4e nt!FsRtlCreateSectionForDataScan+0xa6 FLTMGR!FltCreateSectionForDataScan+0xec WdFilter!MpCreateSection+0x138 Open file Create section Mem map Execute Intercept
  • 29. AV Scanners - ACQUIRE_FOR_SECTION_SYNC • Flags are misleading – • SEC_IMAGE unavailable • Possible to pass PAGE_READONLY Data Or Executable?
  • 30. AV Scanners - Examples • Block during process creation partial stack AV Blocks here nt!PspCallProcessNotifyRoutines+0x1cf nt!PspInsertThread+0x5ea nt!NtCreateUserProcess+0x8be -------------------- Kernel mode ---------------- ntdll!NtCreateUserProcess+0x14 KERNEL32!CreateProcessWStub+0x53 Open file Create section Mem map Execute Intercept
  • 31. AV Scanners – Process Notification • PsSetCreateProcessNotifyRoutineEx available Windows Vista SP1+ • Can be achieved in other ways – SSDT (XP remember?) • Available only for main executable • Not useful for DLL loading • Blind to process hollowing
  • 32. AV Scanners – Summary • It is not an easy job to create an AV • Performance vs coverage tradeoff • How often files are opened and sections are mapped • Variety of operating systems and file systems • From XP to Win 10 • Different CPUs 32 bit and 64 bit • FAT, NTFS, Network • Not complicated enough?
  • 34. NTFS Transactions - Facts • A.K.A. TxF • Introduced in Windows Vista • Implemented in NTFS driver (Kernel) • For local disks • Microsoft proposed use cases: Files update or DTC • Simplifies handling of a rollback after multiple file changes • For example during installation process
  • 35. NTFS Transactions - Facts • Taken from Storage Developer conference – 2009: • TxF accounts for ~30% of NTFS driver size on AMD64 • MSDN lists 19 new Win32 *Transacted() APIs • 22 file I/O APIs whose behavior is affected by TxF • Deprecated on arrival • Still used today (almost 11 years later)
  • 36. NTFS Transactions – API examples • Application explicitly uses transactions • CreateTransaction() • CommitTransaction() , RollbackTransaction() • CreateFileTransacted(), DeleteFileTransacted(), RemoveDirectoryTransacted(), MoveFileTransacted() • Most functions that work with handles should work with transactions
  • 37. NTFS Transactions – Usage Example • hTransaction = CreateTransaction(NULL, NULL, 0, 0, 0, 0, NULL); • hFile = CreateFileTransacted(FILE_NAME, hTransaction); • WriteFile(hFile); • CloseHandle(hFile); • CommitTransaction(hTransaction); • CloseHandle(hTransaction);
  • 38. Quick Recap What we have so far? TxF
  • 39. Quick Recap • Naturally, transactions make life hard for AV vendors • We want to create a process from transacted file • However process creation does not support transacted files directly • We need dive into process creation on Windows to find a way to do it
  • 40. Windows Process Loader Evolution • Comparing kernel32!CreateProcessW between XP and 10 gives the impression that MS completely changed how processes are created • A deeper examination shows that Microsoft simply moved most of the code from kernel32 to ntoskrnl (and somehow the function in kernel32 became longer) • Logically the steps remain mostly the same, at least for our purposes
  • 42. Process Loader Evolution – XP • CreateProcessW • CreateProcessInternalW • NtOpenFile – Open image file • NtCreateSection – Create section from opened image file • NtCreateProcessEx – Create process from section • PspCreateProcess – Actually create the process • ObCreateObject – Create the EPROCESS object • Add process to list of processes • BasePushProcessParameters – Copy process parameters • RtlCreateProcessParameters – Create process parameters • NtAllocateVirtualMemory – Allocate memory for process parameters • NtWriteVirtualMemory – Copy process parameters to allocated memory • NtWriteVirtualMemory – Write address to PEB.ProcessParameters • RtlDestroyProcessParameters – Destroy process parameters • BaseCreateStack – Create Stack for process • NtCreateThread – Create main thread • NtResumeThread – Resume main thread Kernel
  • 44. Process Loader Evolution – 10 • CreateProcessW • CreateProcessInternalW • BasepCreateProcessParameters - Create process parameters • RtlCreateProcessParametersEx - Create process parameters • NtCreateUserProcess - Create process from file • PspBuildCreateProcessContext – Build create process context • IoCreateFileEx – Open image file • MmCreateSpecialImageSection – Create section from image file • PspCaptureProcessParams – Copy process parameters from user mode • PspAllocateProcess - Create process from section • ObCreateObject – Create EPROCESS object • MmCreatePeb – Create PEB for process • PspSetupUserProcessAddressSpace – Allocate and copy process • KeStackAttachProcess – Attach to process memory • ZwAllocateVirtualMemory – Allocate memory for process parameters • PspCopyAndFixupParameters – Copy process parameters to process • Memcpy • Set PEB.ProcessParameters • KiUnstackDetachProcess – Detach from process memory • PspAllocateThread – Create thread • PspInsetProcess – Insert process to list of processes • PspInsertThread – Insert thread to list of threads • PspDeleteCreateProcessContext – Delete process create context • RtlDestroyProcessParameters – Delete process parameters • NtResumeThread – Start main thread Kernel
  • 45. Windows Process Loader Evolution • NtCreateUserProcess used instead of NtCreateProcessEx • NtCreateProcessEx receives a handle to a section • NtCreateUserProcess receives a file path • NtCreateProcessEx still available – used in creation of minimal processes (nt!PsCreateMinimalProcess) • All the supporting user-mode code is not available post XP • We need to implement it ourselves
  • 46. Doppelgänging - Motivation • Load and execute arbitrary code • In context of legitimate process • None of the suspicious process hollowing API calls • NtUnmapViewOfSection • VirtualProtectEx • SetThreadContext • AV will not scan at all / AV will scan “clean” files only • Will not be discovered by advanced forensics tools
  • 47. Doppelgänging - Overview • We break Doppelgänging into 4 steps: • Transact – Overwrite legitimate executable with a malicious one • Load – Load malicious executable • Rollback – Rollback to original executable • Animate – Bring the Doppelgänger to life
  • 48. Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
  • 49. Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
  • 50. Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …); File svchost.exe
  • 51. Doppelgänging - Transact • Create a transaction • hTransaction = CreateTransaction(…); • Open a “clean” file transacted • hTransactedFile = CreateFileTransacted(“svchost.exe”, GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) • Overwrite the file with malicious code • WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …); File svchost.exe
  • 52. Doppelgänging - Load • Create a section from the transacted file • NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile); • The created section will point to our malicious executable File svchost.exe
  • 53. Doppelgänging - Load • Create a section from the transacted file • NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile); • The created section will point to our malicious executable Section svchost.exe File svchost.exe
  • 54. Doppelgänging - Rollback • Rollback the transaction • RollbackTransaction(hTransaction); • Effectively removes our changes from the file system Section svchost.exe File svchost.exe
  • 55. Doppelgänging - Rollback • Rollback the transaction • RollbackTransaction(hTransaction); • Effectively removes our changes from the file system Section svchost.exe File svchost.exe
  • 56. Doppelgänging - Animate • Create process and thread objects • NtCreateProcessEx(&hProcess, …, hSection, …); • NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); Section svchost.exe File svchost.exe
  • 57. Doppelgänging - Animate • Create process and thread objects • NtCreateProcessEx(&hProcess, …, hSection, …); • NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); Process Section svchost.exe File svchost.exe
  • 58. Doppelgänging - Animate • Create process and thread objects • NtCreateProcessEx(&hProcess, …, hSection, …); • NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); • Create process parameters • RtlCreateProcessParametersEx(&ProcessParams, ...); • Copy parameters to the newly created process’s address space • VirtualAllocEx(hProcess, &RemoteProcessParams, …, PAGE_READWRITE); • WriteProcessMemory(hProcess, RemoteProcessParams, ProcessParams, …); • WriteProcessMemory(hProcess, RemotePeb.ProcessParameters, &RemoteProcessParams, …); • Start execution of the doppelgänged process • NtResumeThread(hThread, …);
  • 60. “Mitigation in Redstone” The story of a BSOD • Everything worked well on Windows 7 • First run on Windows 10 – BSOD • Reported by James Forshaw* • Null pointer dereference *https://bugs.chromium.org/p/project-zero/issues/detail?id=852
  • 61. “Mitigation in Redstone” The story of a BSOD • How to get over it? • PsCreateMinimalProcess • MS was nice enough to fix it for this talk ;)
  • 62. Affected Products Product Tested OS Result Windows Defender Windows 10 Bypass AVG Internet Security Windows 10 Bypass Bitdefender Windows 10 Bypass ESET NOD 32 Windows 10 Bypass Qihoo 360 Windows 10 Bypass Symantec Endpoint Protection Windows 7 SP1 Bypass McAfee VSE 8.8 Patch 6 Windows 7 SP1 Bypass Kaspersky Endpoint Security 10 Windows 7 SP1 Bypass Kaspersky Antivirus 18 Windows 7 SP1 Bypass Symantec Endpoint Protection 14 Windows 7 SP1 Bypass Panda Windows 8.1 Bypass Avast Windows 8.1 Bypass
  • 63. Detection / Prevention • Realtime • Scan using file object available in create process notification routine (Vista+) • On error, block • What to do about DLLs? • Scan all sections, even data sections – performance issue to consider • Forensics • WriteAccess == TRUE for the FILE_OBJECT associated with process • EPROCESS. ImageFilePointer is NULL (Win 10)
  • 64. Summary • Process will look legitimate • Uses Windows loader (no need for a custom one) • Mapped correctly to an image file on disk, just like any legit process • No “unmapped code” which is usually detected by modern solutions • Can also be leveraged to load DLLs • Fileless • Even advanced forensics tools such as Volatility will not detect it • Works on all Windows versions since Vista • Bypasses all tested security products
  • 65. Special Thanks • Omri Misgav – Security Researcher @ enSilo • @UdiYavo – CTO @ enSilo • This research wouldn’t be possible without you
  • 66. Questions? Thank you Tal Liberman Eugene Kogan http://breakingmalware.com