Scribd
Upload
20 views36 pages

Hunting in memory

The document discusses the importance of memory hunting in cybersecurity, highlighting various memory-based attacker techniques and existing tools. It introduces a new PowerShell tool designed for large-scale hunting, detailing methods such as reflective DLL injection, process hollowing, and PEB unlinking. Additionally, it presents a case study on the 9002 Trojan and outlines response strategies for dealing with such threats.

Uploaded by

xsplitfirex
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
20 views36 pages

Hunting in memory

The document discusses the importance of memory hunting in cybersecurity, highlighting various memory-based attacker techniques and existing tools. It introduces a new PowerShell tool designed for large-scale hunting, detailing methods such as reflective DLL injection, process hollowing, and PEB unlinking. Additionally, it presents a case study on the 9002 Trojan and outlines response strategies for dealing with such threats.

Uploaded by

xsplitfirex
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 36

Hunting In Memory

April 19, 2017 Jared Atkinson, Joe Desimone


Who are we

▪ Jared Atkinson

• Defensive Service Technical Director - Specter Ops

• Microsoft Cloud and Datacenter Management MVP (PowerShell)

• Lead Developer PowerForensics

▪ Joe Desimone

• Senior Malware Researcher - Endgame

• Developer, Hunter, Reverse Engineer


Overview

▪ Why hunting in memory is important

▪ Memory based attacker techniques

▪ Existing tools and approaches

▪ New powershell tool for hunting at scale


Importance of Memory Hunting

▪ Memory resident malware has been in use for over a decade, and is now ubiquitous

▪ Once a staple of ‘APT’; now commonplace for crimeware

▪ Designed to evade PSPs and YOU

▪ Great signal to noise ratio; easy button hunting


Attacker Techniques

▪ Classic memory/shellcode injection

▪ Reflective DLLs

▪ Memory Module

▪ Process and Module Hollowing

▪ PEB Unlinking

▪ Gargoyle (ROP/APCs)
Classic Injection

▪ OpenProcess - Grab handle to target process

▪ VirtualAllocEx - Allocate a new chunk of memory in targe

▪ WriteProcessMemory - Write the shellcode/payload into target

▪ CreateRemoteThread - Start a new thread to execute the payload


Classic Injection - Poison Ivy
Poison Ivy
Poison Ivy
Poison Ivy Thread
Reflective DLL Injection

▪ DLL that maps itself into memory - original design and code by Steven Fewer [1]

▪ Handy from attacker perspective - makes for a ‘dumb’ injector

▪ No longer have to code in assembly (like PI)

▪ Very common technique (ex: meterpreter, powershell empire)

▪ Allocate memory, map sections, resolve imports, fixup relocations, call entry

[1] https://github.com/stephenfewer/ReflectiveDLLInjection
Meterpreter

▪ Classic DLL Reflection, such as meterpreter, is easy to find


Meterpreter
Memory Module

▪ Similar to Reflective technique, except loader does all the work [1]

▪ Payload DLL doesn’t need any special modifications

▪ Loader re-implements LoadLibrary(), but works on a buffer in memory

▪ Can map into local or remote process [2]

▪ Typical implementations avoid RWX

[1] Memory Module - https://github.com/fancycode/MemoryModule


[2] Manual Map - https://github.com/DarthTon/Blackbone
NetTraveler - Memory Layout

▪ Uses legitimate looking permissions


NetTraveler - Active Thread
Winnti - Memory Layout
Winnti - Header Wipe
Process Hollowing

▪ Create new, suspended process

▪ Allocate new memory, unmap (hollow) existing code

▪ Write payload

▪ Redirect execution - SetThreadContext() and ResumeThread()

▪ Stealthy variants
• Create/Map sections to avoid WriteProcessMemory
• Modify entry point instead of SetThreadContext
DarkComet - Process Hollowing
DarkComet
Module Overwriting

▪ Up until now, all examples have lead to non-image backed code executing

▪ Module Overwriting avoids this, making it more difficult to detect

▪ Flame and Careto are examples

▪ Map an unused module into target process

▪ Overwrite legitimate module with payload

▪ Odinaff had a similar trick but overwrote its own executable

Image Credit: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf


Odinaff

In Memory On Disk
PEB Unlinking

▪ Not an in memory technique, but rather an evasion

▪ Hide loaded DLL from security products, admins, hunters

▪ HackingTeam used this technique in their RAT

▪ Flame also unlinked shell32.dll

▪ To find peb unlinking, you could compare what the Win32 API reports as ‘loaded’
versus what you find is actually loaded with VirtualQuery/GetSectionName
Gargoyle

▪ Technique developed by Josh Lospinoso to


hide injected code from security products

▪ Payload lies dormant, with read only


permissions

▪ Periodically ‘wakes up.’ Sets payload


executable with an asynchronous procedure
call and ROP. Permissions reverted, cycle
repeats.

▪ https://jlospinoso.github.io/security/assembly/c/cpp/developing/sof
tware/2017/03/04/gargoyle-memory-analysis-evasion.html
Available Tools

▪ Volatility / malfind

▪ GRR

▪ Rekall

▪ inVtero
Detecting Injection
w/ PowerShell
PSReflect
▪ PowerShell module written by Matt Graeber (@mattifestation)
• https://github.com/mattifestation/PSReflect

▪ Avoids the compilation artifacts associated with P/Invoke


• IMO the cleanest way to deal with Win32 API from PowerShell

▪ Library to abstract the complexities of calling Win32 functions via Reflection

▪ Intuitive “domain specific language” for defining enums, structs, and P/Invoke function
signatures

▪ Must include PSReflect code in your scripts/modules


Get-InjectedThread
▪ Built on PSReflect

▪ PowerShell function to identify injected threads via detection methodology:


• Use Windows Toolhelp API to get all threads
• Iterate through each thread
• Identify the thread’s Base (Memory) Address
• Query the memory page for which the Base Address belongs to
• Check if the memory page’s state is MEM_COMMIT
• Check if the memory page’s type is not MEM_IMAGE

▪ Returns details regarding offending process and thread


• Check memory page permissions
• Look for unnecessary privileges or integrity level
• Identify abnormal user tokens
Get-InjectedThread Output
▪ Injected Process Information ▪ Memory Segment
• Process Id • Base Address
• Name • Size
• File Path (PEB and EPROCESS) • Protection
• Command Line • State
• Type
▪ Thread Information • First 100 Bytes
• Thread Id
• Unique Thread Token ▪ Token (Thread or Process)
• Base Priority • Integrity Level
• Does thread have unique token? • Enabled Privileges
• SID / UserName
• Logon Session Start Time
• Logon Type
• Authentication Package
Our Threat - 9002 Trojan
▪ Delivered as .zip file via Google Drive

▪ Zip archive contains one file


• 2nd Myanmar Industrial Resource Development Symposium.exe
• File has PowerPoint icon to trick users into opening

▪ Drops files upon execution


• %USERPROFILE%\<random>\RealNetwork.exe (Legitimate Application)
• %USERPROFILE%\<random>\main.dll (Loaded by MPAMedia.dll)
• %USERPROFILE%\<ramdom>\mpaplugins\MPAMedia.dll (DLL Side Loading)
• Ppt
∙ Opened in PowerPoint to keep up the ruse

http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/
Response
▪ Kill Thread
• Stop-Thread
• Built on Window’s TerminateThread API

▪ Process Minidump
• Out-Minidump (PowerSploit)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1

▪ Thread Dump
• Dump-Thread
Questions?

You might also like