The document discusses evasion techniques used by malware to avoid detection from antivirus scanners. It provides a brief history of techniques like process hollowing and code injection methods. It then summarizes how antivirus scanners work by intercepting processes like file opening and memory mapping. The document also discusses how NTFS transactions on Windows allow for file operations to occur transactionally.
Operational Security (OPSEC) is one of the most important aspects to consider in Adversary Simulations (usually called "Red Teaming"). When talking about OPSEC, it is common to think around matters like AV/EDR evasion, avoiding "noises" or using builtin/legitimate tools whenever is possible. In fact, the scope of the term OPSEC is usually wider than that.
OPSEC usually refers to the identification and protection of data that could be useful for an adversary. In Adversary Simulations, the adversary is the organisation's security team (Blue Team) and the goal is to improve their detection capabilities. This is why the maturity of an organisation should dictate the complexity required to carry out these operations, so that the objectives are met with the minimum effort, as it would do an attacker in real life.
For example, for experienced Blue Teams, the mere fact of using legitimate tools such as net.exe (e.g. “net users /domain”) or powershell.exe could be a reason for the whole operation to be discovered, whereas in other organisations or situations these same actions could remain completely unnoticed.
In this presentation we will discuss how you should review and understand your own toolset and procedures in order to gain OPSEC. We will comprehend how to deal with trade-offs, and why understanding your adversary is key in that matter. In addition, sources of detection (disk, memory, network...) and resources commonly employed by defenders (events, hooks, callbacks...) will be explained visually and practically to help you building and improving your operations.
Understanding and Hiding your Operations’ goal is to be a resource for comprehending the meaning of OPSEC and creating awareness in your operations, so as you can successfully face – and improve – experienced security teams and their detection capabilities.
Язык докладаРусскийЗанимается «бумажной» и практической информационной безопасностью более 6 лет. Аналитик SOC в «Лаборатории Касперского». В прошлом руководитель подразделения ИБ на одном из промышленных предприятий. Закончил специалитет и магистратуру СибГАУ им. академика М. Ф. Решетнева (в котором в дальнейшем читал курсы по ИБ). Участник ряда CTF. Выступал на ZeroNights.Теймур Хеирхабаров Теймур Хеирхабаров Управление рисками: как перестать верить в иллюзииFast Track
Operational Security (OPSEC) is one of the most important aspects to consider in Adversary Simulations (usually called "Red Teaming"). When talking about OPSEC, it is common to think around matters like AV/EDR evasion, avoiding "noises" or using builtin/legitimate tools whenever is possible. In fact, the scope of the term OPSEC is usually wider than that.
OPSEC usually refers to the identification and protection of data that could be useful for an adversary. In Adversary Simulations, the adversary is the organisation's security team (Blue Team) and the goal is to improve their detection capabilities. This is why the maturity of an organisation should dictate the complexity required to carry out these operations, so that the objectives are met with the minimum effort, as it would do an attacker in real life.
For example, for experienced Blue Teams, the mere fact of using legitimate tools such as net.exe (e.g. “net users /domain”) or powershell.exe could be a reason for the whole operation to be discovered, whereas in other organisations or situations these same actions could remain completely unnoticed.
In this presentation we will discuss how you should review and understand your own toolset and procedures in order to gain OPSEC. We will comprehend how to deal with trade-offs, and why understanding your adversary is key in that matter. In addition, sources of detection (disk, memory, network...) and resources commonly employed by defenders (events, hooks, callbacks...) will be explained visually and practically to help you building and improving your operations.
Understanding and Hiding your Operations’ goal is to be a resource for comprehending the meaning of OPSEC and creating awareness in your operations, so as you can successfully face – and improve – experienced security teams and their detection capabilities.
Язык докладаРусскийЗанимается «бумажной» и практической информационной безопасностью более 6 лет. Аналитик SOC в «Лаборатории Касперского». В прошлом руководитель подразделения ИБ на одном из промышленных предприятий. Закончил специалитет и магистратуру СибГАУ им. академика М. Ф. Решетнева (в котором в дальнейшем читал курсы по ИБ). Участник ряда CTF. Выступал на ZeroNights.Теймур Хеирхабаров Теймур Хеирхабаров Управление рисками: как перестать верить в иллюзииFast Track
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
"In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike."
A key feature when monitoring and debugging any Cloud infrastructure is to provide the ability to trace, track, and collate all the individual, discrete steps that compose an event. A typical resource action in OpenStack is often a combination of smaller tasks -- which given the distributed nature of OpenStack -- can fail at unpredictable points in the workflow. By collecting the appropriate events, operators can view all events within Ceilometer, filter on a failed action and trace back the history of related events to spot anomalies or errors. In this talk, we provide an overview of the recent enhancements made in Ceilometer to support the collection of event notifications from OpenStack services. We will describe: how events are processed, transformed and stored in Ceilometer; how you can derive metrics from events; and how it’s possible to track the events of a resource and analyse where errors occur.
Presentation to the MIT IAP HTML5 Game Development Class on Debugging and Optimizing Javascript, Local storage, Offline Storage and Server side Javascript with Node.js
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
"In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike."
A key feature when monitoring and debugging any Cloud infrastructure is to provide the ability to trace, track, and collate all the individual, discrete steps that compose an event. A typical resource action in OpenStack is often a combination of smaller tasks -- which given the distributed nature of OpenStack -- can fail at unpredictable points in the workflow. By collecting the appropriate events, operators can view all events within Ceilometer, filter on a failed action and trace back the history of related events to spot anomalies or errors. In this talk, we provide an overview of the recent enhancements made in Ceilometer to support the collection of event notifications from OpenStack services. We will describe: how events are processed, transformed and stored in Ceilometer; how you can derive metrics from events; and how it’s possible to track the events of a resource and analyse where errors occur.
Presentation to the MIT IAP HTML5 Game Development Class on Debugging and Optimizing Javascript, Local storage, Offline Storage and Server side Javascript with Node.js
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
2. About Us
• @Tal_Liberman
• Security Research Team Leader @ enSilo
• Reverse Engineering, Research, Low Level Expert
• Author on BreakingMalware
• Eugene Kogan
• Principal Development Lead @ enSilo
• Former Tech Lead @ Imperva
• Kernel Expert
3. Overview
• Brief history of evasion techniques
• AV scanners
• Transacted NTFS (TxF)
• Evolution of Windows process loader
• Doppelgänging execution flow ( + live demo)
• “Mitigation in Redstone” - The Story of a BSOD
4. Brief History of Evasion Techniques
• Advanced Code Injections Overview
• GhostWriting
• AtomBombing
• PowerLoader + PowerLoaderEx
• PROPagate
• …
• Reflective Loading
• Process Hollowing
5. GhostWritingA paradox: Writing to another process without opening it nor actually writing to it
• Injection method from over 10 years ago
• Has never received much attention
• Inject arbitrary code into explorer.exe without:
• OpenProcess
• WriteProcessMemory
• CreateRemoteThread
Original post by c0de90e7: http://blog.txipinet.com/2007/04/05/69-a-paradox-writing-to-another-process-without-openning-it-nor-actually-writing-to-it/
6. GhostWritingA paradox: Writing to another process without opening it nor actually writing to it
• Find 2 patterns in NTDLL
• Move pattern
• mov [REG1], REG2 ; mov [eax], ebx
• ret
• Jmp pattern
• jmp 0x0 ;(eb fe)
• Write-What-Where(What, Where)
• SetThreadContext(…):
• EIP=Move pattern
• ESP=NewStack
• REG1=Where
• REG2=What
Original post by c0de90e7: http://blog.txipinet.com/2007/04/05/69-a-paradox-writing-to-another-process-without-openning-it-nor-actually-writing-to-it/
7. GhostWritingA paradox: Writing to another process without opening it nor actually writing to it
• Using write-what-where:
• Write shellcode to stack
• Write VirtualProtect parameters to stack
• Using SetThreadContext:
• Call VirtualProtect
• Call shellcode
8. AtomBombing
• Injection technique we published in October 2016
• Exploits the global atom table and APCs
• Used in the wild by Dridex
Original post: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows
9. AtomBombing – Write-What-Where
• GlobalAddAtom
• NtQueueApcThread(…, GlobalGetAtomNameW, …)
• Copy code to RW memory in target process
• Copy ROP chain to target process
• ROP chain
• ZwAllocateVirtualMemory(…, RWX, …);
• memcpy(RWX, RW, …);
• Shellcode()
• Initiate ROP chain
• NtQueueApcThread(…, NtSetContextThread, …)
Original post: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows
10. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
11. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
.data RW
.text RX
svchost.exe
EAX - Entry point
12. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
hollowed
EAX - Entry point
13. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
evil.exe
EAX - Entry point
14. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
.data RW
evil.exe
EAX - Entry point
15. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
.data RW
.text RX
evil.exe
EAX - Entry point
16. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
.data RW
.text RX
evil.exe
EAX - Entry point
17. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
.data RW
.text RX
evil.exe
EAX - Entry point
18. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
.data RW
.text RX
evil.exe
EAX - Entry point
19. Process Hollowing
• CreateProcess(“svchost.exe”, …, CREATE_SUSPENDED, …);
• NtUnmapViewOfSection(…);
• VirtualAllocEx(…);
• For each section:
• WriteProcessMemory(..., EVIL_EXE, …);
• Relocate Image*
• Set base address in PEB*
• SetThreadContext(…);
• ResumeThread(…);
PEB
.data RW
.text RX
evil.exe
EAX - Entry point
20. Process Hollowing - Issues
• The most trivial implementations create an image that is entirely RWX
• Easy to detect in numerous ways
• Unmap and VirtualAllocEx/NtAllocateVirtualMemory() with correct protection
• Unmapping of main module is highly suspicious
• ETHREAD.Win32StartAddress VadType != VadImageMap
• Overwrite original executable without unmapping
• _MMPFN.u4.PrototypePte == 0 (0 means private/not shared, should be 1 - shared)
• If not paged – cause page in
• In forensics PTE.u.Soft.PageFileHigh != 0
• Unmap and remap as non image
• Vad.Flags.VadType != VadImageMap
• Unmap and remap as image
• ETHREAD.Win32StartAddress != Image.AddressOfEntryPoint
• EPROCESS.ImageFilePointer != VAD(ETHREAD.Win32StartAddress).Subsection.ControlArea.FilePointer *
• On Win < 10 – EPROCESS.SectionObject
21. Quick Recap
• Process hollowing – not so great anymore
• Rest of techniques
• Missing file mapping
• Suspicious
• We need something new
• Wouldn’t it be cool if we could create a fileless mapped file?
• But AVs scan files
• We need to understand how scanners work
23. AV Scanners – Scan on execute
• Where to intercept?
1. Minifilter File open/create
2. Minifilter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
3. Process create notify routine (executables only)
Open file Create section Mem map Execute
1 2 3
File execution timeline
24. AV Scanners – Challenges
• How to open the file for scanning?
• From User mode / Kernel
• By File name/ FileId / using existing file object
• Rescan on each change is not practical
• Scan file before the execution
• File content be altered before execution begins
26. AV Scanners - Examples
• Block during file open (partial stack)
AV Blocks here
FLTMGR!FltpPerformPostCallbacks+0x2a5
nt!ObOpenObjectByNameEx+0x1dd
nt!IoCreateFileEx+0x115
nt!NtCreateUserProcess+0x431
-------------------- Kernel mode ----------------
ntdll!NtCreateUserProcess+0x14
Open file Create section Mem map Execute
Intercept
27. AV Scanners - Examples
• Scan intercepted file while blocked (partial stack)
nt!ObpLookupObjectName+0x8b2
nt!ObOpenObjectByNameEx+0x1dd
FLTMGR!FltCreateFile+0x8d
AV minifilter code here
FLTMGR!FltpDispatch+0xe9
nt!IopXxxControlFile+0xd9c
nt!NtDeviceIoControlFile+0x56
nt!KiSystemServiceCopyEnd+0x13
28. AV Scanners - Examples
• Block during ACQUIRE_FOR_SECTION_SYNC…
AV Blocks here
FLTMGR!FltpPerformPreCallbacks+0x2ea
nt!FsRtlAcquireToCreateMappedSection+0x4e
nt!FsRtlCreateSectionForDataScan+0xa6
FLTMGR!FltCreateSectionForDataScan+0xec
WdFilter!MpCreateSection+0x138
Open file Create section Mem map Execute
Intercept
30. AV Scanners - Examples
• Block during process creation partial stack
AV Blocks here
nt!PspCallProcessNotifyRoutines+0x1cf
nt!PspInsertThread+0x5ea
nt!NtCreateUserProcess+0x8be
-------------------- Kernel mode ----------------
ntdll!NtCreateUserProcess+0x14
KERNEL32!CreateProcessWStub+0x53
Open file Create section Mem map Execute
Intercept
31. AV Scanners – Process Notification
• PsSetCreateProcessNotifyRoutineEx available Windows Vista SP1+
• Can be achieved in other ways – SSDT (XP remember?)
• Available only for main executable
• Not useful for DLL loading
• Blind to process hollowing
32. AV Scanners – Summary
• It is not an easy job to create an AV
• Performance vs coverage tradeoff
• How often files are opened and sections are mapped
• Variety of operating systems and file systems
• From XP to Win 10
• Different CPUs 32 bit and 64 bit
• FAT, NTFS, Network
• Not complicated enough?
34. NTFS Transactions - Facts
• A.K.A. TxF
• Introduced in Windows Vista
• Implemented in NTFS driver (Kernel)
• For local disks
• Microsoft proposed use cases: Files update or DTC
• Simplifies handling of a rollback after multiple file changes
• For example during installation process
35. NTFS Transactions - Facts
• Taken from Storage Developer conference – 2009:
• TxF accounts for ~30% of NTFS driver size on AMD64
• MSDN lists 19 new Win32 *Transacted() APIs
• 22 file I/O APIs whose behavior is affected by TxF
• Deprecated on arrival
• Still used today (almost 11 years later)
36. NTFS Transactions – API examples
• Application explicitly uses transactions
• CreateTransaction()
• CommitTransaction() , RollbackTransaction()
• CreateFileTransacted(), DeleteFileTransacted(),
RemoveDirectoryTransacted(), MoveFileTransacted()
• Most functions that work with handles should work with transactions
39. Quick Recap
• Naturally, transactions make life hard for AV vendors
• We want to create a process from transacted file
• However process creation does not support transacted files directly
• We need dive into process creation on Windows to find a way to do it
40. Windows Process Loader Evolution
• Comparing kernel32!CreateProcessW between XP and 10 gives the
impression that MS completely changed how processes are created
• A deeper examination shows that Microsoft simply moved most of
the code from kernel32 to ntoskrnl (and somehow the function in
kernel32 became longer)
• Logically the steps remain mostly the same, at least for our purposes
42. Process Loader Evolution – XP
• CreateProcessW
• CreateProcessInternalW
• NtOpenFile – Open image file
• NtCreateSection – Create section from opened image file
• NtCreateProcessEx – Create process from section
• PspCreateProcess – Actually create the process
• ObCreateObject – Create the EPROCESS object
• Add process to list of processes
• BasePushProcessParameters – Copy process parameters
• RtlCreateProcessParameters – Create process parameters
• NtAllocateVirtualMemory – Allocate memory for process parameters
• NtWriteVirtualMemory – Copy process parameters to allocated memory
• NtWriteVirtualMemory – Write address to PEB.ProcessParameters
• RtlDestroyProcessParameters – Destroy process parameters
• BaseCreateStack – Create Stack for process
• NtCreateThread – Create main thread
• NtResumeThread – Resume main thread
Kernel
44. Process Loader Evolution – 10
• CreateProcessW
• CreateProcessInternalW
• BasepCreateProcessParameters - Create process parameters
• RtlCreateProcessParametersEx - Create process parameters
• NtCreateUserProcess - Create process from file
• PspBuildCreateProcessContext – Build create process context
• IoCreateFileEx – Open image file
• MmCreateSpecialImageSection – Create section from image file
• PspCaptureProcessParams – Copy process parameters from user mode
• PspAllocateProcess - Create process from section
• ObCreateObject – Create EPROCESS object
• MmCreatePeb – Create PEB for process
• PspSetupUserProcessAddressSpace – Allocate and copy process
• KeStackAttachProcess – Attach to process memory
• ZwAllocateVirtualMemory – Allocate memory for process parameters
• PspCopyAndFixupParameters – Copy process parameters to process
• Memcpy
• Set PEB.ProcessParameters
• KiUnstackDetachProcess – Detach from process memory
• PspAllocateThread – Create thread
• PspInsetProcess – Insert process to list of processes
• PspInsertThread – Insert thread to list of threads
• PspDeleteCreateProcessContext – Delete process create context
• RtlDestroyProcessParameters – Delete process parameters
• NtResumeThread – Start main thread
Kernel
45. Windows Process Loader Evolution
• NtCreateUserProcess used instead of NtCreateProcessEx
• NtCreateProcessEx receives a handle to a section
• NtCreateUserProcess receives a file path
• NtCreateProcessEx still available – used in creation of minimal
processes (nt!PsCreateMinimalProcess)
• All the supporting user-mode code is not available post XP
• We need to implement it ourselves
46. Doppelgänging - Motivation
• Load and execute arbitrary code
• In context of legitimate process
• None of the suspicious process hollowing API calls
• NtUnmapViewOfSection
• VirtualProtectEx
• SetThreadContext
• AV will not scan at all / AV will scan “clean” files only
• Will not be discovered by advanced forensics tools
47. Doppelgänging - Overview
• We break Doppelgänging into 4 steps:
• Transact – Overwrite legitimate executable with a malicious one
• Load – Load malicious executable
• Rollback – Rollback to original executable
• Animate – Bring the Doppelgänger to life
48. Doppelgänging - Transact
• Create a transaction
• hTransaction = CreateTransaction(…);
• Open a “clean” file transacted
• hTransactedFile = CreateFileTransacted(“svchost.exe”,
GENERIC_WRITE | GENERIC_READ, …, hTransaction, …)
• Overwrite the file with malicious code
• WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
49. Doppelgänging - Transact
• Create a transaction
• hTransaction = CreateTransaction(…);
• Open a “clean” file transacted
• hTransactedFile = CreateFileTransacted(“svchost.exe”,
GENERIC_WRITE | GENERIC_READ, …, hTransaction, …)
• Overwrite the file with malicious code
• WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
50. Doppelgänging - Transact
• Create a transaction
• hTransaction = CreateTransaction(…);
• Open a “clean” file transacted
• hTransactedFile = CreateFileTransacted(“svchost.exe”,
GENERIC_WRITE | GENERIC_READ, …, hTransaction, …)
• Overwrite the file with malicious code
• WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
File
svchost.exe
51. Doppelgänging - Transact
• Create a transaction
• hTransaction = CreateTransaction(…);
• Open a “clean” file transacted
• hTransactedFile = CreateFileTransacted(“svchost.exe”,
GENERIC_WRITE | GENERIC_READ, …, hTransaction, …)
• Overwrite the file with malicious code
• WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …);
File
svchost.exe
52. Doppelgänging - Load
• Create a section from the transacted file
• NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile);
• The created section will point to our malicious executable
File
svchost.exe
53. Doppelgänging - Load
• Create a section from the transacted file
• NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile);
• The created section will point to our malicious executable
Section
svchost.exe
File
svchost.exe
54. Doppelgänging - Rollback
• Rollback the transaction
• RollbackTransaction(hTransaction);
• Effectively removes our changes from the file system
Section
svchost.exe
File
svchost.exe
55. Doppelgänging - Rollback
• Rollback the transaction
• RollbackTransaction(hTransaction);
• Effectively removes our changes from the file system
Section
svchost.exe
File
svchost.exe
60. “Mitigation in Redstone”
The story of a BSOD
• Everything worked well on Windows 7
• First run on Windows 10 – BSOD
• Reported by James Forshaw*
• Null pointer dereference
*https://bugs.chromium.org/p/project-zero/issues/detail?id=852
61. “Mitigation in Redstone”
The story of a BSOD
• How to get over it?
• PsCreateMinimalProcess
• MS was nice enough to fix it for this talk ;)
62. Affected Products
Product Tested OS Result
Windows Defender Windows 10 Bypass
AVG Internet Security Windows 10 Bypass
Bitdefender Windows 10 Bypass
ESET NOD 32 Windows 10 Bypass
Qihoo 360 Windows 10 Bypass
Symantec Endpoint Protection Windows 7 SP1 Bypass
McAfee VSE 8.8 Patch 6 Windows 7 SP1 Bypass
Kaspersky Endpoint Security 10 Windows 7 SP1 Bypass
Kaspersky Antivirus 18 Windows 7 SP1 Bypass
Symantec Endpoint Protection 14 Windows 7 SP1 Bypass
Panda Windows 8.1 Bypass
Avast Windows 8.1 Bypass
63. Detection / Prevention
• Realtime
• Scan using file object available in create process notification routine (Vista+)
• On error, block
• What to do about DLLs?
• Scan all sections, even data sections – performance issue to consider
• Forensics
• WriteAccess == TRUE for the FILE_OBJECT associated with process
• EPROCESS. ImageFilePointer is NULL (Win 10)
64. Summary
• Process will look legitimate
• Uses Windows loader (no need for a custom one)
• Mapped correctly to an image file on disk, just like any legit process
• No “unmapped code” which is usually detected by modern solutions
• Can also be leveraged to load DLLs
• Fileless
• Even advanced forensics tools such as Volatility will not detect it
• Works on all Windows versions since Vista
• Bypasses all tested security products
65. Special Thanks
• Omri Misgav – Security Researcher @ enSilo
• @UdiYavo – CTO @ enSilo
• This research wouldn’t be possible without you