Avoiding Memory Scanners
Kyle Avery
Introduction
• Offensive Security Lead at H-E-B
• Former BHIS
• Focus on Post-Exploitation
• Twitter: @kyleavery_
• GitHub: kyleavery
Introduction
• Goals for the talk:
  • Describe memory scanner capabilities
  • Demonstrate bypasses for each
  • Eliminate misconceptions
• Why Cobalt Strike?
  • Common denominator for many red teams
  • Highly targeted by scanning tools
https://github.com/kyleavery/AceLdr
Agenda
• Memory Scanner Background – Notable Capabilities
• Pattern Matching
• Memory Attributes
• Stack Tracing
• Memory Evasion – Bypassing Scanners
• Encrypting Data
• Heap Encryption
• Obfuscating Executable Code
• Avoiding Sleep
• Return Address Spoofing
• Introducing AceLdr – Ready-to-Use Evasion Tool
Memory Scanners – Pattern Matching
• YARA from VirusTotal
• Text and binary pattern matching with conditional logic
• BeaconEye by @_EthicalChaos_

Example YARA rule (hex string with a one-byte wildcard):
rule ExampleYARA
{
    strings:
        $a = {41 42 ?? 44}
    condition:
        $a
}
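An added example, not from the talk or AceLdr, that implements the hex-string matching a scanner like YARA performs (full `??` and nibble `4?` wildcards) over a constructed buffer, and shows why the "Encrypting Data" bypasses on the agenda defeat it: the same bytes, XOR-encrypted in memory, no longer match. Sample buffer and key are constructed for the demonstration.

```python
import re
from typing import List


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string body such as '{41 42 ?? 44}' into a
    bytes regex. '??' matches any byte; '4?' / '?4' match one nibble."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if len(tok) != 2:
            raise ValueError(f"unsupported token {tok!r}")
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif "?" in tok:
            hi, lo = tok[0].lower(), tok[1].lower()
            choices = [
                re.escape(bytes([v]))
                for v in range(256)
                if (hi == "?" or f"{v:02x}"[0] == hi)
                and (lo == "?" or f"{v:02x}"[1] == lo)
            ]
            parts.append(b"(?:" + b"|".join(choices) + b")")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def scan(buf: bytes, pattern: str) -> List[int]:
    """Return offsets of (non-overlapping) matches of the hex pattern in buf."""
    rx = re.compile(hex_pattern_to_regex(pattern), re.DOTALL)
    return [m.start() for m in rx.finditer(buf)]


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for a beacon that encrypts its own
    data while sleeping; the pattern is no longer visible in memory."""
    return bytes(b ^ key for b in buf)


# Constructed sample "memory": contains two hits for {41 42 ?? 44}
# (at offsets 1 and 10); the run at offset 6 has the wrong fourth byte.
SAMPLE = b"\x00\x41\x42\x99\x44\x00\x41\x42\x43\x45\x41\x42\x00\x44"

if __name__ == "__main__":
    print("plaintext:", scan(SAMPLE, "{41 42 ?? 44}"))        # [1, 10]
    print("encrypted:", scan(xor_bytes(SAMPLE, 0x5A), "{41 42 ?? 44}"))  # []
```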
Avoiding Sleep
• Tools like BeaconHunter and Hunt-Sleeping-Beacons flag any program waiting on NtDelayExecution
• This can be avoided with a variety of alternatives
  • Waitable Timers – Requires multiple API calls
  • WaitForSingleObject – Using the timeout parameter to delay execution

Timer-queue callback used in place of a sleep call:
    CreateTimerQueueTimer(
        &Timer,
        queue,
        NtContinue,              // Callback to NtContinue
        &CtxVp,                  // Parameter for callback
        100,                     // Delay used to offset actions
        0,
        WT_EXECUTEINTIMERTHREAD  // Queues the callback as an APC
    );
Fixup stub that restores state after the spoofed return:
    fixup:
        sub rsp, 16
        mov rcx, rbx          ; Restore address of param struct
        mov rbx, [rcx + 16]   ; Restore original value of RBX
        jmp QWORD [rcx + 8]   ; Jump to the original return address