Module 2 - Malware Overview

Threat Hunting - © Caendra Inc 2017 - All Rights Reserved

During our threat hunting missions on endpoint systems we will be hunting malware in various forms: EXEs, DLLs, PS1 scripts, etc.

In order to hunt malware successfully we need to understand what it is, how it infects an endpoint, the techniques it uses to hide on the endpoint, and so on.


What is malware?

Malware is short for malicious software.

It is software written to infiltrate or damage a computer system without the owner's consent. It can be intrusive, hostile, and/or annoying.

We will not focus on annoying malware such as adware and PUPs (Potentially Unwanted Programs).

We will be looking at intrusive and hostile forms of malware.
Viruses

A computer virus is a program that copies itself and spreads without the permission or knowledge of the owner.

Viruses do not spread by exploiting vulnerabilities (malware that does is called a worm).

The only way viruses are supposed to spread is with their host, at least in the strict classification. Say a virus has infected a file; if the owner moves that file to another system, the virus gets a chance to spread and survive.

Viruses can be classified into the following sub-types:


Resident: When the virus is executed it becomes memory resident. It waits for a trigger, such as the loading of another program, then infects that program, and so on.

Non-resident: When the virus is executed it searches for files it can infect, infects them, and exits. When an infected program is run again, it finds new targets to infect, and so on.

Boot sector: Spreads via boot sectors. For example, a user leaves an infected removable disk in the drive while turning off the system. On the next boot the boot-sector virus activates and spreads to the hard disk, from which it spreads to further removable drives; when those are moved to other machines, the cycle repeats.

Multipartite: These viruses combine several infection mechanisms, for example both boot-sector and resident infection, or more.


Worm

Worms are software that uses network or system vulnerabilities to spread from system to system without user interaction. They are often bundled with other components, such as rootkits, and are normally the entry point into the system: they compromise the system (locally or remotely) and then provide access for other malware.


Rootkits

A rootkit is malware designed to hide the fact that a compromise has already taken place, or to perform the compromise at a deeper level. A rootkit is usually a supplement to other malware.

Rootkits can be used to:
• Hide processes
• Hide files on the file system
• Implement backdoors
• Create loopholes

When a kernel-level rootkit is installed the entire operating system is compromised. Rootkits exist for all major operating systems; kernel-level ones are installed as drivers (or kernel modules).


They are known to exist at the following levels (even lower levels are possible):
• Application level
• Library level
• Kernel level
• Hypervisor level
• Firmware level

Application level: They replace programs with trojanized copies of those programs.

Library level: Say 10 applications share a library. Taking control of the library means taking control of all 10 applications.

Kernel level: This is the most common type. They are known for their resistance to removal since they run at the same privilege level as the antivirus (kernel-mode) components meant to find them.

Hypervisor level: Modern processors support hardware virtualization. Rootkits that use such processor features to run the original operating system as a guest beneath them are called hypervisor rootkits; Blue Pill and SubVirt are examples.

Firmware level: Rootkits for firmware such as the BIOS, ACPI tables, or device option ROMs are known to exist. They have the highest chance of survival because conventional endpoint security tools do not inspect firmware.


Bootkits

Bootkits differ from rootkits in how they are installed and in how/when they take control of the operating system.

A bootkit attacks before the operating system has even started (from the boot sector or boot loader), which lets it completely subvert the security of the target operating system.


Trojans

A trojan (or trojan horse) is malware that appears to the user to perform a useful function but in fact facilitates unauthorized access to the owner's machine.

An example of a trojan would be a game downloaded from the Internet that contains additional malicious code that is not part of the game. While you play the game, the secondary code executes to carry out its hidden purpose.


Backdoors

A backdoor is software (or a modification of software) that bypasses authentication mechanisms, keeping remote access open for later unauthorized use while trying to remain hidden.

For example, a backdoor in a login system might grant access when a specific username/password pair is entered, even though those credentials are not a valid account.

RATs (Remote Access Trojans) are similar to backdoors.


Remote Access Trojans

A Remote Access Trojan (RAT) is a malicious remote administration tool that an attacker uses to issue commands to the compromised host. A RAT uses a client-server model and usually has a graphical user interface for easy administration.


Spyware

Spyware is software that spies on user activity to collect information, such as which websites the user frequently visits, without the consent of the computer owner.

The information is sent to the author or operator of the spyware once a certain amount has been collected.

A system with spyware often also carries other kinds of malware, such as rootkits or trojans, to hide its tracks and keep control of the machine.


Botnets
A botnet is a collection of compromised computers that run commands automatically and autonomously with the help of a command and control (C2) server. Botnets are typically created when many hosts install the same malware, often via drive-by downloads.

The controller or owner of the botnet is called the bot master and is the one who issues commands to the bots.

Botnets are used for DDoS attacks, sending spam, and similar purposes.


Ransomware
This type of malware encrypts the victim's files and demands payment, usually in bitcoin, in exchange for the key that unlocks them.

The files are held hostage until the victim pays the ransom, hence the term ransomware.

It is also called extortive malware, since it demands money in exchange for restoring the victim's data.


Information Stealers

This type of malware steals data such as private encryption keys, login credentials, credit card data, competitor data (proprietary data, intellectual property, etc.), and other information that can be used for many malicious purposes.

Keyloggers: capture keystrokes as the victim types. The data is saved locally and later sent to the attacker.

Screen recorders: take screenshots of the active window on the victim's machine when a condition is met, such as a time interval. The images are saved locally and sent to the attacker as well.

RAM scrapers: attempt to steal information from memory while it is being processed, because data in memory is decrypted at that point. The technique is well known for stealing card numbers in several large point-of-sale breaches of recent years.


The point to note is that there is no clear line between one form of malware and another. Malware is normally found in combination, with multiple variants active on the target system at the same time.

There are other malware classifications, such as adware, greyware, scareware, fakeware, and PUPs (Potentially Unwanted Programs), but we will not cover them, as they are not what we primarily hunt in corporate environments.

Knowing which classification a piece of malware falls under helps you understand its purpose and, potentially, what actions it has taken or is going to take.

Next we will look at the methods by which malware reaches the target system.


There are various ways malware can reach its target. A few of them:
• Physical media
• Email (attachments)
• URL links
• Drive-by downloads
• Web advertising
• Social media
• File shares
• Software vulnerabilities


Physical Media

Malware that uses this medium to spread usually indicates that it has no other means of spreading.

Malware carried on a USB stick, for instance, could infect the boot sector or be configured to autorun once the stick is inserted into the victim machine.

Alternatively the malware is not configured that way at all: the attacker simply copies it onto the USB stick and hopes the intended target(s) will run it.

Another method worth mentioning is HID (Human Interface Device) attacks. The USB Rubber Ducky, USBdriveby, Teensy boards, and BadUSB are examples: the device presents itself to the host as a keyboard and types a scripted set of commands, such as downloading and running malware, into the target system.


Emails

This is one of the most common methods used to infiltrate an organization.

Due to poor security awareness, users are susceptible to social engineering via phishing, spear phishing, and whaling attacks.

Why would an attacker spend hours, days, or even weeks surveying the target's network perimeter in hopes of punching a hole through the firewall when a nicely crafted email with a malicious attachment will get them inside? This vector is far more fruitful than finding a vulnerability in the perimeter.

Also remember that the email does not necessarily need an attachment. It can be carefully crafted to lure the victim into clicking a link or visiting a website where the attacker hosts the malware.


URL Links

We have been reading about links thus far, and they deserve their own section, as they are an attack vector in their own right for delivering malware to the target.

A URL link can direct the victim to a website where the malware is hosted, or simply download the malware itself.

As we have seen, links can be placed anywhere:
• Emails
• Documents (Word, Excel, etc.)
• Instant messaging
• Social media feeds
• Etc.

URL shortening has also helped make this a successful attack vector: the victim cannot tell what they are clicking on simply by looking at the link.


Drive-by Downloads

A drive-by download site installs malware as soon as a victim visits it. The victim does not need to click on anything.

Client-side code in the web page fingerprints the victim's machine configuration (say, Windows 7 running an unpatched version of Flash) and serves an exploit matched to it. Typically this is achieved by exploit kits.

Attackers can purchase and build specific domains to spread malware via drive-by. They can piggyback on popular news and events and use SEO techniques to push their malware-hosting website to the top of the search rankings to increase the number of victims.

Another technique is the watering hole attack, where the attacker compromises a legitimate site that the intended targets are known to visit.
Web Advertising

This technique is known as malvertising: delivering malware through online ads.

It is achieved by buying ad space on popular, legitimate websites, but the ads have a malicious purpose.

The ads either redirect the victim to a website hosting the malware or deliver the malware directly to the victim's machine. This can happen when the victim clicks the ad, and even without clicking it.

Another way to abuse ad-serving code is through browser extensions. In recent news, a couple of Chrome extensions were hijacked and displayed malicious ads.


Social Media

Social media continues to grow in popularity; the number of users registered on the various platforms is in the hundreds of millions. Even companies have social media accounts to promote themselves and their products.

Many of these platforms offer features that aid an attacker: the ability to post links in feeds and/or send direct messages to users.

Within their campaign the attackers again use social engineering to convince unsuspecting victims to click on a link or download the malware.


Software Vulnerabilities

With software vulnerabilities we are referring to exploiting bugs in whitelisted applications running in the environment to inject executable code into the running application and take control of the process.

Attackers exploit these application bugs and flaws with memory corruption, typically buffer overflows:
• Stack overflows: exploited by overflowing buffers on the stack to take control of the application's flow of execution and make it run the malicious code.
• Heap overflows: exploited by overwriting pointers in the heap (dynamically allocated memory) so that they point to malicious code instead of their original target.


Other vectors were not discussed in these slides because the chances of encountering them in corporate environments are slim:
• Peer to peer (P2P)
• Instant messaging

Thus far we have discussed how malware is classified and how it reaches victim machines.

Next we need to discuss how malware attempts to remain undetected and dormant once it lands on the victim machine, as well as the techniques it uses to avoid analysis if found.


We will begin this section with techniques malware uses to run and evade defenses.

Malware is not only after a successful initial execution; it also uses techniques to escalate privileges, steal credentials, exfiltrate data, and maintain persistence, to name a few. Refer to the MITRE ATT&CK wiki for more information.

Note that new methods and techniques are constantly being discovered by researchers and, most importantly, by adversaries seeking to remain covert. As a hunter you must always keep up with the latest techniques being shared and discovered.


Alternate Data Streams

Alternate Data Streams, or streams, are a feature of the NTFS file system. They are not supported on FAT/FAT32/exFAT volumes, so copying a file to such a volume silently drops its streams.

As the TechNet article explains, the original data stream is the file data itself; it is the stream with no name. All other streams have a name.

Alternate Data Streams can be used to store file metadata and any other type of data.

To demonstrate, type the following at the command prompt:
echo "This is not ADS" > file.txt
echo "This is in ADS" > file.txt:stream1


Streams can also be created programmatically. With the CreateFile Windows API, just append ":stream_name" to the file name, where stream_name is the name of the data stream, then use the WriteFile Windows API function to write the data.


#include <windows.h>
#include <stdio.h>

int main(void) {
    HANDLE hStream;
    DWORD dwRet = 0;
    /* Appending ":stream2" to the name opens (or creates) the named stream
       of file.txt rather than its unnamed default stream. */
    hStream = CreateFile(TEXT("file.txt:stream2"),
                         GENERIC_WRITE,
                         FILE_SHARE_WRITE,
                         NULL,
                         OPEN_ALWAYS,
                         0,
                         NULL);
    if (hStream == INVALID_HANDLE_VALUE) {
        printf("Cannot open file.txt:stream2 (error %lu)\n", GetLastError());
        return 1;
    }
    const char msg[] = "This data is hidden in the stream. Can you read it???";
    /* sizeof(msg) - 1 writes the 53 characters without the NUL terminator */
    WriteFile(hStream, msg, sizeof(msg) - 1, &dwRet, NULL);
    CloseHandle(hStream);
    return 0;
}


Using the DIR command to list the directory shows file.txt with only the size of its unnamed stream; the ADS is not shown (on Vista and later, DIR /R lists the streams as well).

Similarly, TYPE and MORE show the contents of file.txt, but the data in file.txt:stream1 only appears when the stream is named explicitly.


Another tool for viewing alternate data streams is Streams from Sysinternals:
streams.exe c:\users\elshunter\desktop\file.txt

This tool was most useful before the PowerShell days. PowerShell's Get-Item cmdlet can retrieve alternate data stream information; we need the -Stream parameter to do so:
get-item -path .\file.txt -stream *


Note that Microsoft itself uses ADS for non-nefarious purposes. For instance, the Zone.Identifier stream, written by browsers and mail clients when they save a file, records the security zone the file came from, so a ZoneId of 3 tells us the file was downloaded from the Internet zone.

Value  Zone
0      My Computer
1      Local Intranet Zone
2      Trusted Sites Zone
3      Internet Zone
4      Restricted Sites Zone

Get-Item with -Stream * lists the streams of a downloaded installer; to read the ZoneId itself, use Get-Content with -Stream Zone.Identifier.
get-item -path .\putty-64bit-0.70-installer.msi -stream *
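The contents of the Zone.Identifier stream are an INI-style block that Get-Content shows verbatim. The following parser is an added example (not part of the course material) that turns that block into the zone name from the table above; the sample stream and its URLs are constructed for the example, the key names (ZoneTransfer, ZoneId, ReferrerUrl, HostUrl) are the ones Windows writes, and only read_zone_identifier() needs a real file on an NTFS volume.

```python
"""Parse a Zone.Identifier (Mark-of-the-Web) alternate data stream.

Added example, not from the original course material. The stream body is an
INI-style block with a [ZoneTransfer] section; ZoneId, ReferrerUrl and
HostUrl are the keys Windows writes. The sample below is constructed by hand
(placeholder URLs), so the parser runs on any OS; only read_zone_identifier()
needs a real NTFS file on Windows.
"""
import configparser

# URLZONE values, as listed in the slide table
ZONES = {
    0: "My Computer",
    1: "Local Intranet Zone",
    2: "Trusted Sites Zone",
    3: "Internet Zone",
    4: "Restricted Sites Zone",
}

# Constructed sample of what the stream of a downloaded installer contains
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads.html\r\n"
    "HostUrl=https://example.invalid/putty-64bit-0.70-installer.msi\r\n"
)


def parse_zone_identifier(stream_text):
    """Return {'zone_id', 'zone', 'referrer_url', 'host_url'} or raise ValueError."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl) instead of lowercasing
    try:
        cp.read_string(stream_text.replace("\r\n", "\n"))  # Windows writes CRLF
        section = cp["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError) as exc:
        raise ValueError("malformed Zone.Identifier stream: %s" % exc)
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown zone %d" % zone_id),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def read_zone_identifier(path):
    """Read and parse the stream of a file on an NTFS volume (Windows only).

    Returns None when the file carries no Zone.Identifier stream, which is
    exactly the state left behind by malware that deletes it."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no such file, no such stream, or not an NTFS volume
        return None


def downloaded_from_internet(info):
    """True for Internet (3) and Restricted Sites (4) zone files."""
    return info is not None and info["zone_id"] >= 3


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

A missing stream is not proof of a local origin: a file copied through a FAT-formatted USB stick, extracted by some archivers, or scrubbed by malware such as the CoinMiner sample discussed below will also return None, so treat "no Mark-of-the-Web on a recently created executable" as a hunting lead rather than a verdict.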


In PowerShell version 5 a lot more information is displayed when using Get-Item with the -Stream parameter.

An example of malware that removes clues that it was downloaded from the Internet by deleting the Zone.Identifier stream from its file is CoinMiner.

Credit: https://secrary.com/ReversingMalware/CoinMiner/


Injections

In the upcoming slides we will look at the various techniques malware uses to inject itself into other processes, threads, etc.

DLL Injection

DLL injection is the most common technique used to inject malware into another process or processes. The following steps illustrate how malware accomplishes it.


Locate process: The malware needs to find a target process to inject the malicious DLL into.
  Windows API: CreateToolhelp32Snapshot(), Process32First(), Process32Next()

Open process: Once the malware finds the process it opens a handle to it with the access rights needed for allocating, writing and creating a thread. GetModuleHandle() and GetProcAddress() are used to resolve the address of LoadLibraryA in kernel32.dll; that address is valid in the target too, because kernel32.dll is mapped at the same base in every process until the next reboot.
  Windows API: GetModuleHandle(), GetProcAddress(), OpenProcess()

Allocate memory: The malware needs a location in the target process to write the path of the malicious DLL.
  Windows API: VirtualAllocEx()

Copy: The malware writes the path of the malicious DLL into the allocated memory.
  Windows API: WriteProcessMemory()

Execute: The malware makes the target process load the DLL by starting a new thread in it whose start routine is LoadLibrary and whose argument is the written path.
  Windows API: CreateRemoteThread(), LoadLibrary()

It is important to note that the documented Windows API function CreateRemoteThread() is not the only way to start that thread. Undocumented functions can be used as well.


NtCreateThreadEx(): The steps to use this undocumented function are a bit more involved; it has to be resolved from ntdll.dll with GetProcAddress.

RtlCreateUserThread(): Both Mimikatz and Metasploit use this undocumented function. It also has to be resolved from ntdll.dll.

For this technique to work the malicious DLL itself must reside on disk, since the target process loads it by path through LoadLibrary; that leaves defenders a file to find.

Another, stealthier technique is Reflective DLL Injection, which loads the DLL from memory.


Injections
Reflective DLL Injection

This technique was developed and published by Stephen Fewer. As stated on the GitHub page:

"Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process."

In a nutshell, this technique loads the malicious DLL without going through the Windows loader the way DLL injection does.

The malicious DLL does not need the system loader: it maps itself into memory when run, resolves its import addresses, fixes its relocations, and calls its own DllMain (without using LoadLibrary).

Frameworks such as Metasploit and PowerShell Empire have this capability built in.

APTs and advanced malware authors will most likely not use these frameworks but instead create their own tools in C/C++.


Injections
Thread Hijacking

With this technique the malware does not need to create a new process or thread.

Instead it loops through the threads of a process on the target system and performs steps similar to DLL injection, with slight differences.

Locate thread: The malware needs to find a target thread to inject into.
  Windows API: CreateToolhelp32Snapshot(), Thread32First(), Thread32Next()

Open thread: The malware opens the thread.
  Windows API: OpenThread()

Suspend thread: The thread has to be suspended in order to inject.
  Windows API: SuspendThread()

Allocate memory: The malware needs a location to write the path of the malicious DLL, or shellcode.
  Windows API: VirtualAllocEx()

Copy: The malware writes the path of the malicious DLL, the shellcode, or the address of LoadLibrary into the allocated memory.
  Windows API: WriteProcessMemory()

Redirect: The thread's saved register context is read and its instruction pointer is changed to the injected code; without this step, resuming the thread would simply continue the original code.
  Windows API: GetThreadContext(), SetThreadContext()

Resume thread: Once the injection is done the thread resumes, now executing the injected code.
  Windows API: ResumeThread()


Injections
PE Injection

PE (Portable Executable) injection is similar to DLL injection, but one notable difference is that, just like reflective DLL injection, the injected image does not have to reside on disk.

WriteProcessMemory() is still used, but instead of writing the path to a DLL it writes the malicious code (the PE image itself) into the allocated memory. There is no need for LoadLibrary() with this technique.

Since the PE is injected into another process it gets a new base address (the starting address of the memory-mapped EXE or DLL). Absolute addresses inside the image were computed for the original base, so the malware has to loop through its base relocation descriptors (the .reloc section) and patch each one by the difference between the two bases. You can read more about PE headers in Matt Pietrek's "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format".
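The relocation walk is the part of PE injection that analysts most often see in the injected stub. The following is an added example (not part of the course material) of that walk over the real IMAGE_BASE_RELOCATION layout: each block is a page RVA and a block size followed by 16-bit entries whose high 4 bits are the type and low 12 bits the offset within the page. It goes beyond the slide in handling both 32-bit (HIGHLOW) and 64-bit (DIR64) pointers, padding entries, and a negative base delta. The image and .reloc bytes are constructed by hand, not taken from a real binary.

```python
"""Apply PE base relocations to an in-memory copy of an image.

Added example, not from the original course material. It performs the
relocation walk a PE-injection payload must do when it lands at a base
other than the one it was linked for. The tiny image below is constructed
by hand: a block of zeros holding two absolute pointers, plus a .reloc block
describing them in the real IMAGE_BASE_RELOCATION format.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address


def parse_reloc_blocks(reloc):
    """Yield (rva, type) for every non-padding entry in a .reloc byte string."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, off)
        if size < 8 or off + size > len(reloc):   # malformed block: stop, never spin
            break
        for i in range((size - 8) // 2):
            (entry,) = struct.unpack_from("<H", reloc, off + 8 + 2 * i)
            rtype, page_off = entry >> 12, entry & 0xFFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                yield page_rva + page_off, rtype
        off += size


def relocate(image, reloc, linked_base, new_base):
    """Return a copy of `image` (bytes indexed by RVA) rebased to new_base."""
    delta = new_base - linked_base
    out = bytearray(image)
    for rva, rtype in parse_reloc_blocks(reloc):
        if rtype == IMAGE_REL_BASED_DIR64:
            fmt, width = "<Q", 8
        elif rtype == IMAGE_REL_BASED_HIGHLOW:
            fmt, width = "<I", 4
        else:
            raise ValueError("unsupported relocation type %d" % rtype)
        if rva + width > len(out):
            raise ValueError("relocation at RVA 0x%x outside image" % rva)
        (value,) = struct.unpack_from(fmt, out, rva)
        mask = (1 << (8 * width)) - 1
        struct.pack_into(fmt, out, rva, (value + delta) & mask)  # mask handles negative delta
    return bytes(out)


def build_reloc_block(page_rva, entries):
    """Encode one IMAGE_BASE_RELOCATION block; entries are (offset, type)."""
    words = [(t << 12) | off for off, t in entries]
    if len(words) % 2:            # blocks are DWORD aligned: pad with an ABSOLUTE entry
        words.append(0)
    size = 8 + 2 * len(words)
    return struct.pack("<II", page_rva, size) + struct.pack("<%dH" % len(words), *words)


# Constructed sample: linked at 0x10000000, 0x100 bytes with a 64-bit pointer at
# RVA 0x10 and a 32-bit pointer at RVA 0x20, both pointing at RVA 0x40.
LINKED_BASE = 0x10000000
_img = bytearray(0x100)
struct.pack_into("<Q", _img, 0x10, LINKED_BASE + 0x40)
struct.pack_into("<I", _img, 0x20, LINKED_BASE + 0x40)
SAMPLE_IMAGE = bytes(_img)
SAMPLE_RELOC = build_reloc_block(0x0, [(0x10, IMAGE_REL_BASED_DIR64),
                                       (0x20, IMAGE_REL_BASED_HIGHLOW)])


def pointers_after_rebase(new_base):
    """Relocate the sample image and return its two pointers."""
    img = relocate(SAMPLE_IMAGE, SAMPLE_RELOC, LINKED_BASE, new_base)
    (p64,) = struct.unpack_from("<Q", img, 0x10)
    (p32,) = struct.unpack_from("<I", img, 0x20)
    return p64, p32


if __name__ == "__main__":
    print([hex(p) for p in pointers_after_rebase(0x00400000)])
```

For hunting purposes the useful inversion is that an injected image's pointers all point into the region it now occupies; memory-scanning tools that find a PE header in a private, executable region that no loaded module accounts for are looking at exactly the result of this routine.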


Injections
Process Hollowing

Process hollowing is the technique where malware un-maps the legitimate code from the memory of a process and overwrites that memory with a malicious binary.

Create process: The malware creates a new process of a legitimate executable in a suspended state to host the malicious code; its primary thread is suspended too.
  Windows API: CreateProcess() with the CREATE_SUSPENDED flag

Un-map memory: The malware un-maps the legitimate image from memory.
  Windows API: ZwUnmapViewOfSection(), NtUnmapViewOfSection()

Allocate & write: As in DLL injection, the malware allocates memory for the malicious code and writes each section of the malware into that space.
  Windows API: VirtualAllocEx(), WriteProcessMemory()

Set entry point: The malware reads the suspended thread's context and points it at the entry point of the new code.
  Windows API: GetThreadContext(), SetThreadContext()

Resume: The malware takes the process out of the suspended state, and the malicious code now runs under the legitimate process name.
  Windows API: ResumeThread()
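From the hunter's side, the three techniques above (DLL injection, thread hijacking and process hollowing) are distinguishable by the ordered API sequence one process performs against another. The following detector is an added example, not part of the course material: it runs over simplified per-call trace records of the kind an API monitor, sandbox or EDR sensor emits and flags a technique only when the full chain completes against the same target. The record layout (pid, target_pid, api, flags) and the sample trace are constructed for this example.

```python
"""Detect the API call chains behind DLL injection, thread hijacking and
process hollowing in a process trace.

Added example, not from the original course material. Records are simplified
API-monitor events (constructed below); the field names pid, target_pid, api
and flags are assumptions of this example, not a real sensor's schema.
"""
from collections import defaultdict

# Ordered chains from the slides; a tuple entry lists interchangeable calls.
SIGNATURES = {
    "dll_injection": (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
        ("CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"),
    ),
    "thread_hijacking": (
        "OpenThread", "SuspendThread", "VirtualAllocEx", "WriteProcessMemory",
        "SetThreadContext", "ResumeThread",
    ),
    "process_hollowing": (
        "CreateProcess:CREATE_SUSPENDED",
        ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"),
        "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread",
    ),
}


def _key(rec):
    """Normalise a record to the token used in SIGNATURES."""
    if rec["api"] == "CreateProcess" and "CREATE_SUSPENDED" in rec.get("flags", ()):
        return "CreateProcess:CREATE_SUSPENDED"
    return rec["api"]


def detect_injection(records):
    """Return [(technique, source_pid, target_pid)] for every completed chain.

    Progress is tracked per (technique, source, target); a chain only advances
    on the call it expects next, so a stray WriteProcessMemory against some
    other process does not count towards it."""
    progress = defaultdict(int)
    hits = []
    for rec in records:
        src, dst = rec["pid"], rec["target_pid"]
        if src == dst:
            continue                      # a process writing to itself is not injection
        token = _key(rec)
        for name, chain in SIGNATURES.items():
            state = (name, src, dst)
            i = progress[state]
            if i >= len(chain):
                continue                  # already reported
            expected = chain[i]
            alts = expected if isinstance(expected, tuple) else (expected,)
            if token in alts:
                progress[state] = i + 1
                if i + 1 == len(chain):
                    hits.append((name, src, dst))
    return hits


# Constructed trace: pid 4242 hollows a suspended child (5100), classic-injects
# into 1337 using the undocumented thread API, and pid 7000 hijacks a thread of
# 7001. pid 900 opens and writes 901 but never starts code there.
SAMPLE_TRACE = [
    {"pid": 4242, "target_pid": 5100, "api": "CreateProcess", "flags": ("CREATE_SUSPENDED",)},
    {"pid": 4242, "target_pid": 5100, "api": "NtUnmapViewOfSection"},
    {"pid": 4242, "target_pid": 5100, "api": "VirtualAllocEx"},
    {"pid": 4242, "target_pid": 5100, "api": "WriteProcessMemory"},
    {"pid": 4242, "target_pid": 1337, "api": "OpenProcess"},
    {"pid": 4242, "target_pid": 1337, "api": "VirtualAllocEx"},
    {"pid": 4242, "target_pid": 5100, "api": "SetThreadContext"},
    {"pid": 4242, "target_pid": 5100, "api": "ResumeThread"},
    {"pid": 4242, "target_pid": 1337, "api": "WriteProcessMemory"},
    {"pid": 4242, "target_pid": 1337, "api": "NtCreateThreadEx"},
    {"pid": 7000, "target_pid": 7001, "api": "OpenThread"},
    {"pid": 7000, "target_pid": 7001, "api": "SuspendThread"},
    {"pid": 7000, "target_pid": 7001, "api": "VirtualAllocEx"},
    {"pid": 7000, "target_pid": 7001, "api": "WriteProcessMemory"},
    {"pid": 7000, "target_pid": 7001, "api": "SetThreadContext"},
    {"pid": 7000, "target_pid": 7001, "api": "ResumeThread"},
    {"pid": 900, "target_pid": 901, "api": "OpenProcess"},
    {"pid": 900, "target_pid": 901, "api": "WriteProcessMemory"},
]

if __name__ == "__main__":
    for hit in detect_injection(SAMPLE_TRACE):
        print(hit)
```

Endpoint telemetry rarely gives the whole chain: Sysmon, for instance, reports CreateRemoteThread (event 8) and process access (event 10) but not VirtualAllocEx or WriteProcessMemory, so a production rule matches on the subset it can see, and reflective injection variants that start no new thread will need memory scanning rather than call-sequence logic.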


Injections
Hook Injection

Malware uses hooking to intercept events and, when a particular event fires, respond as instructed.

This is accomplished with the Windows API SetWindowsHookEx(), which can be used to monitor keyboard (WH_KEYBOARD) and mouse (WH_MOUSE) input. WH_KEYBOARD and WH_MOUSE are hook types; other hook types can be passed as the first argument to SetWindowsHookEx(). A global hook procedure must live in a DLL, and Windows loads that DLL into every process that receives the hooked event, which is what makes this an injection technique: malware can use it to get a malicious DLL loaded into other processes on a specific event.


Injections
KernelMode Rootkits: SSDT Hooks

SSDT stands for System Service Descriptor Table. The Windows kernel uses this table to look up system service functions; each entry points to the function's code, which lives either in the kernel itself (ntoskrnl.exe) or in the GUI subsystem driver (win32k.sys).

For each entry in the SSDT there is a kernel-mode function that carries out the task requested through the corresponding Native API call. The SSDT resides in the kernel and, on 32-bit Windows, is exported as KeServiceDescriptorTable.

With SSDT hooking the rootkit modifies the pointers in this table to point to a location it controls: a malicious function. The effects of this technique are global to the system. Note that on 64-bit Windows, Kernel Patch Protection (PatchGuard) detects modification of the SSDT and bug-checks the machine, so this technique is mainly seen on 32-bit systems.

Example, hiding a file from directory listings:

1. Hook SSDT: replace the SSDT entry corresponding to NtQueryDirectoryFile.
2. Call function: now whenever NtQueryDirectoryFile is called, the malicious function is called instead.
3. Pass control: the malicious function calls the original NtQueryDirectoryFile and gets its results, a directory listing in this case.
4. Alter & return results: modify the results (for example, remove the entries for a file or directory) and pass them back to the caller.
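The four steps above are the same hook/call-original/filter/return pattern whether the table being patched is the kernel's SSDT or a process's Import Address Table (covered under userland rootkits below). The following is an added example, not part of the course material and not kernel code: the service table, the file system and NtQueryDirectoryFile are simulated in plain Python so the pattern, and the cross-view check anti-rootkit tools use against it, can be run anywhere. The service index and file names are made up.

```python
"""Model of an SSDT (or IAT) hook that filters directory listings.

Added example, not from the original course material, and not kernel code:
the service table, file system and NtQueryDirectoryFile are simulated in
plain Python. Index 0x91 and the file names are invented for the example.
"""

# Simulated file system and the "original" system service
FILES = {
    r"C:\Windows\System32": ["kernel32.dll", "ntdll.dll", "r00tk1t.sys", "cmd.exe"],
    r"C:\Users\victim": ["notes.txt", "r00tk1t_config.dat"],
}


def nt_query_directory_file(path):
    """Stand-in for NtQueryDirectoryFile: return the entries of a directory."""
    return list(FILES.get(path, []))


# Simulated System Service Descriptor Table: service index -> function pointer
NT_QUERY_DIRECTORY_FILE_INDEX = 0x91
SSDT = {NT_QUERY_DIRECTORY_FILE_INDEX: nt_query_directory_file}

HIDDEN_PREFIX = "r00tk1t"   # the rootkit hides everything it owns by name


def syscall(index, *args):
    """What the kernel's system call dispatcher does: look the entry up and call it."""
    return SSDT[index](*args)


def install_hook(index, prefix):
    """Step 1: overwrite the table entry with a filtering wrapper.

    Returns the original pointer so the rootkit (or a cleanup routine) can
    restore it; a real rootkit keeps it in a global for the same reason."""
    original = SSDT[index]

    def hooked(*args):
        results = original(*args)                      # step 3: pass control to the real service
        return [e for e in results                     # step 4: alter the results
                if not e.lower().startswith(prefix)]   #         before returning them

    SSDT[index] = hooked                               # step 2: callers now hit `hooked`
    return original


def uninstall_hook(index, original):
    SSDT[index] = original


def listing_with_and_without_hook(path):
    """Return (clean listing, listing seen while the hook is installed)."""
    clean = syscall(NT_QUERY_DIRECTORY_FILE_INDEX, path)
    original = install_hook(NT_QUERY_DIRECTORY_FILE_INDEX, HIDDEN_PREFIX)
    try:
        hooked = syscall(NT_QUERY_DIRECTORY_FILE_INDEX, path)
    finally:
        uninstall_hook(NT_QUERY_DIRECTORY_FILE_INDEX, original)
    return clean, hooked


def detect_hook(index, known_good):
    """Cross-view check: an entry that no longer points at the known function
    is hooked. Anti-rootkit tools do the same by checking whether each SSDT
    entry lies inside the ntoskrnl/win32k image ranges."""
    return SSDT[index] is not known_good


if __name__ == "__main__":
    print(listing_with_and_without_hook(r"C:\Windows\System32"))
```

The same shape applies to the IAT: replace "service index" with "import slot of GetProcAddress-resolved function" and the hook lives in one process instead of the whole system, which is why the userland variant is both easier to install and narrower in effect.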


Injections
KernelMode Rootkits: IRP Hooks

Windows architecture in kernel mode introduced the


concepts of IRPs (I/O Request Packets) to transmit pieces of
data from one component to another.

The concept of IRPs is well explained in the Windows Driver


Development Kit.

Threat Hunting - © Caendra Inc 2017 - All Rights Reserved


Almost everything in the Windows kernel uses IRPs: the network stack (TCP, UDP, etc.), file systems, keyboard and mouse drivers, and almost every other driver in existence.


A snippet from the Microsoft WinDDK (not reproduced here) shows how critical IRPs are to the kernel.


Each driver object carries a table of IRP dispatch routines (the MajorFunction array, one entry per IRP_MJ_* code), and every device object that driver serves points back to it. Overwriting those function pointers in memory is a form of DKOM (Direct Kernel Object Manipulation), since a live kernel object is being patched rather than a file on disk.

The effects of this technique are global to the system: every caller that sends a request to the driver passes through the hooked routine.


A function pointer is hooked by saving the current value of the chosen MajorFunction entry (so that the original dispatch routine can still be called) and writing the address of the rootkit's routine in its place.


The basic IRP design is that once an IRP has been created it is passed down the device stack to every driver registered at a lower level. The design has a pre-processing phase and a post-processing phase.

Pre-processing happens when an IRP arrives at a level, and post-processing happens when the IRP has been completed by all the levels below the current one (the completion routine). A hook can therefore tamper with a request on the way down or with its results on the way back up, for example by filtering the data a file system driver returns.


Injections
Userland Rootkits: IAT Hooks

IAT stands for Import Address Table.

It is the structure through which an executable resolves its runtime dependencies: it lists which Windows API functions the module needs and which DLL exports each one, and at load time the loader fills each entry with the resolved function address. Compiled code calls imported functions indirectly through these entries.


IAT hooking modifies the IAT of a loaded module, replacing the resolved addresses of selected functions so that calls are redirected to the malicious function instead. Unlike an SSDT hook, the effect is limited to the process (and the module) whose table was patched.


Injections
Userland Rootkits: EAT Hooks

EAT stands for Export Address Table.

This table is maintained in DLLs, which contain support functions for other executables; the EAT lists the functions the DLL makes available and where they sit within the image.


The difference between IAT and EAT hooking is:

• Since EATs exist only in DLLs (under normal settings), EAT hooking is most of the time applied to DLLs, while IAT hooking can be done in both DLLs and EXEs.

• Patching an EAT entry affects every module that resolves the function afterwards (for example through GetProcAddress), but not modules whose IATs were already filled in when they loaded.


Injections
Userland Rootkits: Inline Hooks

Inline hooking is the most difficult of the three to implement.

Instead of changing a pointer in a table, the malware modifies the code of the API function itself.


The malware accomplishes this by overwriting the first few bytes of the target function (its prologue) with a jump that sends the instruction pointer (EIP on 32-bit, RIP on 64-bit) to code the malware controls. That code does its work, executes the displaced original bytes (a trampoline), and jumps back into the function, so the call appears to complete normally. Because the patch sits in the function body rather than in a table, it catches every caller regardless of how the address was obtained.
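An added example, not from the course material, of the byte-level mechanics: it rewrites a constructed x64 prologue with the 5-byte E9 rel32 jump an inline hook uses, saves the displaced instructions for the trampoline, and then applies the two checks a hunter would run against the same bytes (decode a leading jump, diff against the on-disk image). The function and hook addresses and the prologue bytes are hypothetical; nothing is executed, so it runs on any platform.

```c
/* Added example (not from the course slides): how an inline hook rewrites a
 * function prologue and how a scanner spots it. The "function" is a byte array
 * standing in for the first bytes of an API in memory; the addresses are
 * hypothetical and nothing is executed, so it runs on any platform. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 16
#define PATCH_SPAN    7   /* the 5-byte jmp cuts into the second instruction (3 + 4 bytes) */

/* Constructed bytes of a common MSVC x64 prologue:
 * mov rax,rsp / mov [rax+8],rbx / mov [rax+10h],rbp / mov [rax+18h],rsi / push rdi */
static const uint8_t CLEAN_PROLOGUE[PROLOGUE_LEN] = {
    0x48, 0x8B, 0xC4, 0x48, 0x89, 0x58, 0x08, 0x48,
    0x89, 0x68, 0x10, 0x48, 0x89, 0x70, 0x18, 0x57 };

typedef struct { uint64_t address; uint8_t code[PROLOGUE_LEN]; } Function;
typedef struct { uint8_t saved[PATCH_SPAN]; uint64_t return_to; } Trampoline;

/* Rootkit side: save the instructions the patch will destroy (the trampoline
 * replays them, then jumps to return_to) and write "E9 rel32" over the entry.
 * rel32 is relative to the end of the 5-byte jmp. Returns 0 if out of reach. */
static int install_inline_hook(Function *f, uint64_t hook_addr, Trampoline *t) {
    int64_t rel = (int64_t)hook_addr - (int64_t)(f->address + 5);
    if (rel > INT32_MAX || rel < INT32_MIN) return 0;
    memcpy(t->saved, f->code, PATCH_SPAN);
    t->return_to = f->address + PATCH_SPAN;
    uint32_t u = (uint32_t)(int32_t)rel;
    f->code[0] = 0xE9;
    for (int i = 0; i < 4; i++) f->code[1 + i] = (uint8_t)(u >> (8 * i));  /* little-endian */
    return 1;
}

/* Hunter side, part 1: does the prologue start with a jump? Returns 1 and the
 * decoded target for a rel32 jmp (E9); 1 with target 0 for an indirect
 * "jmp [rip+disp32]" (FF 25), whose target sits in memory; 0 otherwise. */
static int scan_prologue(const Function *f, uint64_t *target) {
    *target = 0;
    if (f->code[0] == 0xE9) {
        uint32_t u = 0;
        for (int i = 0; i < 4; i++) u |= (uint32_t)f->code[1 + i] << (8 * i);
        *target = f->address + 5 + (uint64_t)(int64_t)(int32_t)u;
        return 1;
    }
    return f->code[0] == 0xFF && f->code[1] == 0x25;
}

/* Hunter side, part 2: the in-memory bytes should match the image on disk
 * (CLEAN_PROLOGUE here). Returns the number of differing bytes. */
static int diff_against_disk(const Function *f) {
    int n = 0;
    for (int i = 0; i < PROLOGUE_LEN; i++) n += f->code[i] != CLEAN_PROLOGUE[i];
    return n;
}

/* Scenario: a hypothetical API at 0x7FFA1234C560 and a hook at 0x7FFA15000000. */
#define API_ADDR  0x7FFA1234C560ULL
#define HOOK_ADDR 0x7FFA15000000ULL

static Function clean_function(void) {
    Function f; f.address = API_ADDR;
    memcpy(f.code, CLEAN_PROLOGUE, PROLOGUE_LEN);
    return f;
}
static Function hooked_function(uint64_t hook_addr, int *ok) {
    Function f = clean_function(); Trampoline t;
    *ok = install_inline_hook(&f, hook_addr, &t);
    return f;
}
/* Results used below: decoded jump target, byte diff, clean-case noise, reachability. */
static uint64_t hooked_target(void) {
    int ok; Function f = hooked_function(HOOK_ADDR, &ok); uint64_t t; scan_prologue(&f, &t); return t;
}
static int hooked_diff(void)       { int ok; Function f = hooked_function(HOOK_ADDR, &ok); return diff_against_disk(&f); }
static int clean_flagged(void)     { Function f = clean_function(); uint64_t t; return scan_prologue(&f, &t) + diff_against_disk(&f); }
static int far_hook_accepted(void) { int ok; hooked_function(0x1000ULL, &ok); return ok; }

int main(void) {
    printf("clean prologue flagged: %d\n", clean_flagged());
    printf("hooked prologue: %d bytes differ, jmp target 0x%llX\n",
           hooked_diff(), (unsigned long long)hooked_target());
    printf("hook at 0x1000 reachable with rel32: %d\n", far_hook_accepted());
    return 0;
}
```

Two points the code makes that the text alone does not: the displaced span is 7 bytes, not 5, because the jump lands inside the second instruction and a trampoline must replay whole instructions (real hook engines use a length disassembler to find that boundary), and a rel32 jump can only reach code within 2 GiB, which is why 64-bit hooks often fall back to the FF 25 indirect form the scanner also recognises.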


Injections
Rootkits: Process Hiding

One characteristic all rootkits have in common is hiding their existence on the target system.

When a hunter or analyst looks for malware running on a system, rootkits will typically hide their running processes from view, making them difficult to detect with conventional methods.


To hide a process, the malware typically hooks NtOpenProcess (Native API) through the SSDT so that requests touching its PID are filtered out.

Table hooks alone are not enough, though: it also needs to hide the process from the EPROCESS list, which the operating system maintains for every active process.


Within the EPROCESS structure one of the important members is ActiveProcessLinks, a LIST_ENTRY that forms the doubly linked list of active processes, with Flink (forward link) and Blink (backward link) pointers to the neighbouring structures. Task Manager, tasklist and most APIs ultimately enumerate processes by walking this list.


To hide the process the malware unlinks its EPROCESS from this list: it points the previous entry's Flink at the next entry and the next entry's Blink at the previous one. The scheduler tracks threads rather than this list, so the hidden process keeps running.

If the rootkit's driver is loaded, it also has to unlink its entry from PsLoadedModuleList to disappear from driver listings.

The hunter's counter is cross-view detection: enumerate processes by walking the list and, independently, by scanning the PID handle table or memory for process objects, then compare the two views.
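The unlinking described above, as an added example that is not part of the course material: a simulated EPROCESS list with the same Flink/Blink layout, the DKOM unlink a rootkit performs, and the cross-view check (walk the list, then independently enumerate every process object and diff the two) that memory forensics tools use to expose it. PIDs and image names are constructed, and the "pool scan" is a plain array standing in for the PID handle table.

```c
/* Added example (not from the course slides): the ActiveProcessLinks unlink
 * described above, performed on a simulated EPROCESS list, followed by the
 * cross-view check a hunter uses to catch it. PIDs, image names and the
 * "pool" of process objects are constructed; the real structures live in the
 * kernel and are only reachable from a driver or a memory image. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Just the EPROCESS fields this example needs. */
typedef struct { unsigned UniqueProcessId; char ImageFileName[16]; LIST_ENTRY ActiveProcessLinks; } EPROCESS;

#define NPROC 5
static EPROCESS   g_procs[NPROC];          /* every EPROCESS the kernel allocated */
static LIST_ENTRY g_PsActiveProcessHead;   /* list head the walkers start from */

static EPROCESS *from_links(LIST_ENTRY *e) {
    return (EPROCESS *)((char *)e - offsetof(EPROCESS, ActiveProcessLinks));
}

/* Build the constructed list: System, smss, services, svchost and the rootkit's agent. */
static void build_list(void) {
    static const struct { unsigned pid; const char *name; } seed[NPROC] = {
        {4, "System"}, {312, "smss.exe"}, {628, "services.exe"},
        {904, "svchost.exe"}, {1337, "rk_agent.exe"} };
    g_PsActiveProcessHead.Flink = g_PsActiveProcessHead.Blink = &g_PsActiveProcessHead;
    for (int i = 0; i < NPROC; i++) {
        EPROCESS *p = &g_procs[i];
        p->UniqueProcessId = seed[i].pid;
        snprintf(p->ImageFileName, sizeof p->ImageFileName, "%s", seed[i].name);
        LIST_ENTRY *e = &p->ActiveProcessLinks, *tail = g_PsActiveProcessHead.Blink;
        e->Flink = &g_PsActiveProcessHead; e->Blink = tail;     /* append at the tail */
        tail->Flink = e; g_PsActiveProcessHead.Blink = e;
    }
}

/* Rootkit side: unlink the entry for pid. The neighbours are pointed at each
 * other and the hidden entry's links at itself, so a later RemoveEntryList on
 * process exit does not corrupt the list. Returns 1 if the pid was found. */
static int dkom_hide(unsigned pid) {
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink; e != &g_PsActiveProcessHead; e = e->Flink) {
        if (from_links(e)->UniqueProcessId != pid) continue;
        e->Blink->Flink = e->Flink;
        e->Flink->Blink = e->Blink;
        e->Flink = e->Blink = e;
        return 1;
    }
    return 0;
}

/* View 1: what tasklist and Task Manager ultimately see, by walking the list. */
static int walk_list(unsigned *pids, int max) {
    int n = 0;
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink; e != &g_PsActiveProcessHead && n < max; e = e->Flink)
        pids[n++] = from_links(e)->UniqueProcessId;
    return n;
}

/* View 2: every process object the kernel still holds (in practice a scan of
 * the PID handle table or of pool memory for process object headers). */
static int scan_pool(unsigned *pids, int max) {
    int n = 0;
    for (int i = 0; i < NPROC && n < max; i++) pids[n++] = g_procs[i].UniqueProcessId;
    return n;
}

/* Cross-view: anything the scan finds that the walk does not is hidden.
 * Writes those PIDs into hidden[] and returns how many there are. */
static int cross_view(unsigned *hidden, int max) {
    unsigned walked[NPROC], scanned[NPROC];
    int nw = walk_list(walked, NPROC), ns = scan_pool(scanned, NPROC), nh = 0;
    for (int i = 0; i < ns; i++) {
        int seen = 0;
        for (int j = 0; j < nw; j++) if (walked[j] == scanned[i]) seen = 1;
        if (!seen && nh < max) hidden[nh++] = scanned[i];
    }
    return nh;
}

/* Scenario helpers: rebuild the list, hide pid (0 = hide nothing), report. */
static int visible_after_hide(unsigned pid) {
    unsigned tmp[NPROC]; build_list(); if (pid) dkom_hide(pid); return walk_list(tmp, NPROC);
}
static int hidden_count_after_hide(unsigned pid) {
    unsigned h[NPROC]; build_list(); if (pid) dkom_hide(pid); return cross_view(h, NPROC);
}
static unsigned first_hidden_after_hide(unsigned pid) {
    unsigned h[NPROC]; build_list(); if (pid) dkom_hide(pid); return cross_view(h, NPROC) ? h[0] : 0;
}

int main(void) {
    printf("clean     : %d visible, %d hidden\n", visible_after_hide(0), hidden_count_after_hide(0));
    printf("after DKOM: %d visible, %d hidden (pid %u)\n", visible_after_hide(1337),
           hidden_count_after_hide(1337), first_hidden_after_hide(1337));
    return 0;
}
```

The list walk drops to four processes after the unlink, yet the object for PID 1337 is still allocated and the scan still finds it, which is exactly the discrepancy a cross-view comparison reports. Pointing the hidden entry's links at itself is what keeps the kernel from crashing when the process later exits and is removed from a list it is no longer on.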


Masquerading

Masquerading is defined as pretending to be someone one is not. This definition also applies to techniques malware uses to avoid detection.


At times, instead of going to great lengths with an advanced technique like the ones above, malware authors opt for a very simple one, such as giving the malware a name similar to something that is likely to go unnoticed.


They might call the malware svch0st.exe, scvhost.exe, svchost32.exe, etc.

You can find a list of different variations used to masquerade malware as svchost.exe, here.

Placing the malware in C:\Windows or C:\Windows\System32 is another way of masquerading as a legitimate executable or DLL, as is a look-alike extension such as .d11 in place of .dll.

A cheap check against both tricks: the genuine svchost.exe lives only in C:\Windows\System32 (and SysWOW64) and is started by services.exe, so a process with that image name running from any other path, or with a different parent, deserves a closer look.


Other locations in which malware will hide:

• Temp folders
• Temporary Internet Files
• Program Files

This does not exclude other locations, such as the Recycle Bin.


Packing/Compression

A packer is software that compresses (and often encrypts) an executable and prepends a small stub that unpacks it in memory at run time. Packers were initially designed to decrease the size of executable files.

Malware authors recognized very quickly that the packed body no longer contains the original code's byte patterns, so signature-based AV scanning the file on disk has far less to match on; the real payload only exists in memory after the stub has run.


Some malware authors have gone as far as creating their own packers (the slides name Yoda) while others use readily available packers (such as UPX).

A UPX-packed file is easy to spot (section names UPX0 and UPX1 and a packer signature in the header); a custom packer is not, so hunters look instead for high-entropy sections and a tiny import table.


Recompiling

Every executable can be identified by a file hash, such as its MD5 or SHA-256 digest, and hash blocklists are the simplest form of detection.

By recompiling the source, especially with a different compiler or different compiler options, malware authors produce a file with a different hash (and often different byte patterns), so hash-based and simple signature-based detection no longer match. Behavioural indicators survive recompilation far better than file hashes do.


The next two techniques (obfuscation and anti-reversing) address a different stage: once the malware has been found, how it tries to resist reverse engineering.


Obfuscation

Code obfuscation techniques transform a program to make it more difficult to analyze while preserving its functionality.

Code obfuscation is used both by malware and by legitimate software to protect itself.


The difference is that malware uses it either to prevent detection or to make reverse engineering harder.

Polymorphic and metamorphic malware goes further and re-obfuscates itself every time it infects a new host, so that no two copies share the same byte patterns and a static detector has nothing stable to match.


Anti-reversing Techniques

There are several methods malware uses to detect that its code is being analyzed, or simply to misdirect the analyst and send him around in circles, thus increasing the time required to analyze the code.


Some of these anti-reversing techniques are:

• Detecting that the malware is running in a virtual machine (for example from hypervisor-specific device names or MAC address prefixes)

• Detecting that a debugger is attached to the malware (for example with IsDebuggerPresent or timing checks)

• Inserting junk code into the malware as misdirection
Persistence

As mentioned earlier, malware has many goals once on a host machine, as catalogued in MITRE's ATT&CK wiki.

In this section we will:

• Look at the mechanisms malware uses to achieve persistence.


Autostart Locations

Malware uses autostart locations to survive reboots. By adding an entry to one of the many autostart locations, either in the registry or in specific folders (such as the Startup folder), the program is executed when the system boots or a user logs in.

The most common, and the most obvious, registry location is HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which runs for every user who logs in and requires administrative rights to write.


Here are a few other common locations:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The HKCU keys are writable without administrative rights, which is why low-privilege malware favours them.


Not so common locations:

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (normally holds only C:\Windows\system32\userinit.exe; malware appends its own path after a comma so that Winlogon launches both)

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (a Debugger value under a program's subkey makes Windows start the named "debugger" instead of that program every time it is launched)

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (the same key as seen by 32-bit processes on 64-bit Windows)


To get an idea of all the registry and folder locations that malware can use, look at the Autoruns tool from Sysinternals.

Also refer to ATT&CK's wiki page, here.
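An added example, not from the course material, that turns the masquerading and autostart points above into a check: it walks a set of constructed Run-key values (hive, value names and paths are all invented for the example) and flags look-alike names such as svch0st.exe, a genuine system binary name running from outside System32/SysWOW64, and autostarts from Public, Temp or Recycle Bin paths. The edit-distance threshold and the list of system binaries are assumptions to tune for a real environment, where the input would come from reg query or Autoruns output.

```c
/* Added example (not from the course slides): a check over Run-key values
 * that flags the masquerading tricks described above: look-alike names such
 * as svch0st.exe, a system binary name outside System32, and autostarts from
 * Temp/Public-style folders. The entries are constructed; on a real host they
 * would come from "reg query" or Autoruns output. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FLAG_LOOKALIKE 1   /* name is a near miss of a system binary name */
#define FLAG_WRONG_DIR 2   /* real system binary name, wrong directory */
#define FLAG_USER_DIR  4   /* runs from a user-writable staging folder */

typedef struct { const char *hive, *name, *data; } RunValue;

/* Constructed Run-key contents: two legitimate entries, three suspicious ones. */
static const RunValue SAMPLE[] = {
  {"HKLM", "SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"},
  {"HKCU", "OneDrive", "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
  {"HKCU", "svchost",  "C:\\Users\\Public\\svch0st.exe"},
  {"HKCU", "Updater",  "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe -s"},
  {"HKLM", "Host Process", "C:\\Windows\\svchost.exe"},
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

static const char *SYSTEM_BINS[] = { "svchost.exe", "lsass.exe", "csrss.exe",
                                     "explorer.exe", "winlogon.exe", "services.exe" };
#define NBINS ((int)(sizeof SYSTEM_BINS / sizeof SYSTEM_BINS[0]))

static char lower(char c) { return (char)tolower((unsigned char)c); }
static int ieq(const char *a, const char *b) {           /* case-insensitive equality */
    for (; *a && *b; a++, b++) if (lower(*a) != lower(*b)) return 0;
    return *a == *b;
}
static int istarts(const char *s, const char *prefix) {  /* case-insensitive prefix test */
    for (; *prefix; s++, prefix++) if (!*s || lower(*s) != lower(*prefix)) return 0;
    return 1;
}

/* Case-insensitive Levenshtein distance; names are short so O(n*m) is fine. */
static int edit_distance(const char *a, const char *b) {
    int la = (int)strlen(a), lb = (int)strlen(b), d[64][64];
    if (la >= 64 || lb >= 64) return 99;
    for (int i = 0; i <= la; i++) d[i][0] = i;
    for (int j = 0; j <= lb; j++) d[0][j] = j;
    for (int i = 1; i <= la; i++)
        for (int j = 1; j <= lb; j++) {
            int v = d[i-1][j-1] + (lower(a[i-1]) != lower(b[j-1]));
            if (d[i-1][j] + 1 < v) v = d[i-1][j] + 1;
            if (d[i][j-1] + 1 < v) v = d[i][j-1] + 1;
            d[i][j] = v;
        }
    return d[la][lb];
}

/* Pull the executable path out of a Run value: a quoted path ends at the
 * closing quote, an unquoted one at the first space (arguments follow). */
static void exe_path(const char *data, char *out, size_t n) {
    size_t i = 0;
    char stop = ' ';
    if (*data == '"') { stop = '"'; data++; }
    while (*data && *data != stop && i + 1 < n) out[i++] = *data++;
    out[i] = '\0';
}

/* Score one value and return a bitmask of the FLAG_* values (0 = nothing odd). */
static int check_value(const RunValue *v) {
    char path[260];
    exe_path(v->data, path, sizeof path);
    const char *slash = strrchr(path, '\\'), *base = slash ? slash + 1 : path;
    int flags = 0, exact = 0;
    int in_system_dir = istarts(path, "C:\\Windows\\System32\\") || istarts(path, "C:\\Windows\\SysWOW64\\");
    for (int i = 0; i < NBINS; i++) if (ieq(base, SYSTEM_BINS[i])) exact = 1;
    if (exact) {                      /* the real name: only the directory can be wrong */
        if (!in_system_dir) flags |= FLAG_WRONG_DIR;
    } else {                          /* not a system name: is it a near miss of one? */
        for (int i = 0; i < NBINS; i++) if (edit_distance(base, SYSTEM_BINS[i]) <= 2) flags |= FLAG_LOOKALIKE;
    }
    if (istarts(path, "C:\\Users\\Public\\") || strstr(path, "\\Temp\\") ||
        strstr(path, "\\Temporary Internet Files\\") || istarts(path, "C:\\$Recycle.Bin\\"))
        flags |= FLAG_USER_DIR;
    return flags;
}

/* Flags for the i-th constructed entry (used by main and by the checks). */
static int sample_flags(int i) { return check_value(&SAMPLE[i]); }

int main(void) {
    for (int i = 0; i < NSAMPLE; i++) {
        int f = sample_flags(i);
        printf("%s Run: %-14s %s\n   -> %s%s%s%s\n", SAMPLE[i].hive, SAMPLE[i].name, SAMPLE[i].data,
               f ? "SUSPICIOUS:" : "ok",
               f & FLAG_LOOKALIKE ? " lookalike-name" : "",
               f & FLAG_WRONG_DIR ? " system-name-wrong-dir" : "",
               f & FLAG_USER_DIR  ? " user-writable-dir" : "");
    }
    return 0;
}
```

The exact-match test runs before the distance test on purpose: legitimate names such as lsass.exe and csrss.exe are themselves within two edits of each other, so a naive "close to a system name" rule would flag the real binaries. A transposition such as scvhost.exe costs two edits in plain Levenshtein distance, which is why the threshold is 2 rather than 1.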


Scheduled Task

Utilities such as at.exe (deprecated on modern Windows) and schtasks.exe can be used to schedule execution of malware or scripts at a specific date/time or in response to an event such as logon or system start.

An adversary can use task scheduling to execute malware or scripts at startup or on a schedule, not only for persistence but for other purposes as well, such as privilege escalation, since an administrator can register a task that runs as SYSTEM.


An example from ATT&CK of a scheduled task created by APT3:

• schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"

This registers a task named mysc that runs C:\Users\Public\test.exe as SYSTEM at every logon. A binary in a world-writable directory such as C:\Users\Public running as SYSTEM is exactly the combination a hunter should flag when reviewing the output of schtasks /query /fo LIST /v.


COM Hijacking

“The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.” - Microsoft


In a nutshell, it lets software components interact through the Windows operating system: a caller asks for an object by its CLSID, and the registry (the InprocServer32 value under the CLSID key) tells the loader which DLL implements it.

Adversaries hijack these references so that their code is executed instead of the legitimate software. The usual method is to create a matching key under HKCU\Software\Classes\CLSID, which is consulted before the machine-wide HKLM entry and needs no administrative rights, so the attacker's DLL loads whenever the object is used. Read the ATT&CK document, here.


DLL Hijacking
Search Order

In this technique the malware abuses a feature of the Windows operating system. When an executable loads a DLL by name rather than by full path, the loader walks a fixed search order to find it.

With safe DLL search mode (the default) the first location checked is the application's own directory, followed by the system directories (C:\Windows\System32 among them), then the current directory and the directories on the PATH. A DLL that is not on the KnownDLLs list and is expected from System32 can therefore be pre-empted by a same-named DLL dropped into a writable application directory.


You can read more about:

• The technique on ATT&CK, here.
• The DLL library search order, here.


DLL Hijacking
Phantom DLL

This technique also abuses a feature of the Windows operating system. Some executables, including Windows' own services, still try to load DLLs that no longer exist on modern versions of Windows, so every load attempt fails silently.

An attacker who places a malicious DLL with the expected name in any directory on the search path gets it loaded by that executable, often with the executable's privileges.


Please reference a very resourceful blog on Hexacorn.com. It has a series titled Beyond Good Ol' Run Key, parts of which are dedicated to phantom DLLs.

You can read more about this technique in one of the postings on that blog, here.
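The search order and phantom DLL cases above, as an added example that is not part of the course material: a model of the default search order that reports, for each import of a constructed app.exe, whether it is a KnownDLL (safe), resolves before any user-writable directory (safe), can be pre-empted from a writable directory earlier in the order, or is a phantom that resolves nowhere. The directories, file lists, writable flags and import names (including legacyhelper.dll) are constructed; the second run assumes the application directory is writable, as with a per-user install.

```c
/* Added example (not from the course slides): a model of the default
 * (SafeDllSearchMode) search order described above, used to work out which
 * imports of an executable can be hijacked and which are phantom DLLs that
 * resolve nowhere. The directory contents, the import list and the writable
 * flags are constructed; on a real host they come from file system ACLs and
 * the PE import table. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *path; int user_writable; const char *files[6]; } Dir;

/* Search order with SafeDllSearchMode on: application directory, System32,
 * the 16-bit System directory, Windows, the current directory, then PATH. */
static const Dir SEARCH_PATH[] = {
  {"C:\\Program Files\\Vendor\\App", 0, {"app.exe", "version.dll", NULL}},
  {"C:\\Windows\\System32", 0, {"kernel32.dll", "user32.dll", "version.dll", "wlanapi.dll", NULL}},
  {"C:\\Windows\\System", 0, {NULL}},
  {"C:\\Windows", 0, {NULL}},
  {"C:\\Users\\alice\\Documents", 1, {"report.docx", NULL}},          /* current directory */
  {"C:\\Users\\alice\\AppData\\Local\\Tools", 1, {"tool.exe", NULL}}, /* a PATH entry */
};
#define NDIRS ((int)(sizeof SEARCH_PATH / sizeof SEARCH_PATH[0]))

/* KnownDLLs are mapped from System32 without any search, so they are safe. */
static const char *KNOWN_DLLS[] = { "kernel32.dll", "user32.dll", "ntdll.dll", NULL };

/* Constructed import list of app.exe; legacyhelper.dll exists nowhere (a phantom). */
static const char *IMPORTS[] = { "kernel32.dll", "version.dll", "wlanapi.dll", "legacyhelper.dll", NULL };

enum { RES_KNOWN, RES_SAFE, RES_PREEMPTABLE, RES_PHANTOM };
static const char *VERDICT[] = { "KnownDLL (System32, not hijackable)", "safe",
                                 "hijackable: writable directory earlier in the search order",
                                 "phantom: not found anywhere, attacker can supply it" };

static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
static int dir_has(const Dir *d, const char *dll) {
    for (int i = 0; d->files[i]; i++) if (ieq(d->files[i], dll)) return 1;
    return 0;
}

/* Resolve one import the way the loader would. app_writable overrides the
 * ACL of the application directory (index 0) so both cases can be compared.
 * *where receives the directory index the DLL loads from (SAFE), or the first
 * directory an attacker could drop a copy into (PREEMPTABLE, PHANTOM); -1 for
 * KnownDLLs. */
static int resolve(const char *dll, int app_writable, int *where) {
    *where = -1;
    for (int i = 0; KNOWN_DLLS[i]; i++) if (ieq(dll, KNOWN_DLLS[i])) return RES_KNOWN;
    int found = -1, first_writable = -1;
    for (int i = 0; i < NDIRS; i++) {
        int writable = (i == 0) ? app_writable : SEARCH_PATH[i].user_writable;
        if (writable && first_writable < 0) first_writable = i;
        if (dir_has(&SEARCH_PATH[i], dll)) { found = i; break; }
    }
    if (found < 0)           { *where = first_writable; return RES_PHANTOM; }
    if (first_writable >= 0) { *where = first_writable; return RES_PREEMPTABLE; }  /* writable dir at or before found */
    *where = found;
    return RES_SAFE;
}

/* Convenience wrappers for the report and the checks. */
static int verdict(const char *dll, int app_writable)  { int w; return resolve(dll, app_writable, &w); }
static int location(const char *dll, int app_writable) { int w; resolve(dll, app_writable, &w); return w; }

static void report(int app_writable) {
    printf("application directory %s:\n", app_writable ? "WRITABLE by the user" : "read-only");
    for (int i = 0; IMPORTS[i]; i++) {
        int w, r = resolve(IMPORTS[i], app_writable, &w);
        printf("  %-17s %s%s%s\n", IMPORTS[i], VERDICT[r],
               w >= 0 ? " -> " : "", w >= 0 ? SEARCH_PATH[w].path : "");
    }
}

int main(void) { report(0); report(1); return 0; }
```

With a read-only application directory only the phantom import is exposed, and the place to look for a planted copy is the first writable directory in the order (the current directory here). Once the application directory is writable every non-KnownDLL import becomes hijackable, including version.dll that the vendor ships alongside the executable, which is the case Process Monitor surfaces as a successful load from an unexpected path rather than as a NAME NOT FOUND.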


DLL Hijacking
Side Loading

This technique abuses the WinSxS (Windows side-by-side) folder and the manifest-based loading behind it. WinSxS lets applications carry the DLL versions they were built against, so that updated or duplicated versions of a DLL do not break them.

As you can imagine, a malicious DLL placed where a manifest-referenced assembly is expected is loaded by the trusting application.


Please reference the information on ATT&CK about this technique, here.

You can read more about this technique in the FireEye PDF titled DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry.


Windows Services
Service Creation

Service creation has long been a popular technique for achieving persistence. A malicious service can hide in plain sight among the many legitimate ones, and a service configured to start at boot often loads before AV does.

Services are created with the built-in Windows sc command (sc create), which requires administrative rights. Each creation is recorded in the System event log as event ID 7045 from Service Control Manager, one of the more useful records for hunting.


The following link, here, is an old post but still holds true on the fundamentals of using service creation for malicious purposes.


Windows Services
Service Replacement

With service replacement, attackers look for an existing service whose executable they can replace with their malware. If the service is not configured to auto-start, that setting can be tweaked.

Even from a low-privilege account, the attacker can look for services with weak ACLs (on the service object or on the binary's directory) and swap in the malware; Sysinternals accesschk shows which services a given user can reconfigure, and an unquoted service path containing spaces gives the same result without touching the ACLs at all.


Windows Services
Service Recovery

Another technique an attacker can use is the recovery actions a service takes when it fails. With sc failure a service can be configured to run a program, such as malware, upon failure, after which the attacker only needs to crash the service to get it executed.

You can read more about this feature, here.


This concludes the module on malware.

We have covered:

✓ Different classifications of malware.

✓ How malware infects the host system.

✓ Different techniques malware uses to evade detection and maintain persistence.


References

• Blue Pill
• SubVirt
• USB Rubber Ducky
• USBdriveby
• Teensy
• BadUSB
• URL Shortener
• Exploit Kits
• Watering Hole Attack
• Malvertising
• ATT&CK Technique Matrix
• Malvertising Example
• ATT&CK (Evading Defenses)
• ATT&CK (Execution)
• ATT&CK (Escalate Privileges)
• ATT&CK (Steal Credentials)
• ATT&CK (Exfiltration)
• ATT&CK (Persistence)
• Alternate Data Streams
• CreateFile
• WriteFile
• Streams (tool)
• Sysinternals Suite
• Get-Item
• Get-Content
• PowerShell v5
• CoinMiner
• CoinMiner Analysis
• DLL Injection
• CreateToolhelp32Snapshot
• Process32First
• Process32Next
• GetModuleHandle
• GetProcAddress
• OpenProcess
• VirtualAllocEx
• WriteProcessMemory
• CreateRemoteThread
• LoadLibrary
• NtCreateThreadEx
• Reflective DLL Injection
• RtlCreateUserThread
• Thread32First
• Thread32Next
• OpenThread
• SuspendThread
• ResumeThread
• Peering Inside the PE
• Process Hollowing
• CreateProcess
• ZwUnmapViewOfSection
• NtUnmapViewOfSection
• SetThreadContext
• SetWindowsHookEx
• Hook Types
• NtQueryDirectoryFile
• Windows Driver Development Kit
• Direct Kernel Object Manipulation
• NtOpenProcess
• EPROCESS List
• ActiveProcessLinks (Linked List)
• Svchost Abuse
• UPX Packer
• Autoruns (tool)
• APT3 (group)
• COM Hijacking
• DLL Search Order
• DLL Search Order Hijacking (MSDN)
• Phantom DLLs
• DLL Side Loading
• DLL Side-Loading (FireEye Report)
• Service Creation
• Service Recovery Actions