Scribd
Upload
2 views

Hunting in memory

The document discusses the importance of memory hunting in cybersecurity, highlighting various memory-based attacker techniques and existing tools. It introduces a new PowerShell tool designed for large-scale hunting, detailing methods such as reflective DLL injection, process hollowing, and PEB unlinking. Additionally, it presents a case study on the 9002 Trojan and outlines response strategies for dealing with such threats.

Uploaded by

xsplitfirex
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
2 views

Hunting in memory

The document discusses the importance of memory hunting in cybersecurity, highlighting various memory-based attacker techniques and existing tools. It introduces a new PowerShell tool designed for large-scale hunting, detailing methods such as reflective DLL injection, process hollowing, and PEB unlinking. Additionally, it presents a case study on the 9002 Trojan and outlines response strategies for dealing with such threats.

Uploaded by

xsplitfirex
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 36

Hunting In Memory

April 19, 2017 Jared Atkinson, Joe Desimone


Who are we

▪ Jared Atkinson

• Defensive Service Technical Director - Specter Ops

• Microsoft Cloud and Datacenter Management MVP (PowerShell)

• Lead Developer PowerForensics

▪ Joe Desimone

• Senior Malware Researcher - Endgame

• Developer, Hunter, Reverse Engineer


Overview

▪ Why hunting in memory is important

▪ Memory based attacker techniques

▪ Existing tools and approaches

▪ New powershell tool for hunting at scale


Importance of Memory Hunting

▪ Memory resident malware has been in use for over a decade, and is now ubiquitous

▪ Once a staple of ‘APT’; now commonplace for crimeware

▪ Designed to evade PSPs and YOU

▪ Great signal to noise ratio; easy button hunting


Attacker Techniques

▪ Classic memory/shellcode injection

▪ Reflective DLLs

▪ Memory Module

▪ Process and Module Hollowing

▪ PEB Unlinking

▪ Gargoyle (ROP/APCs)
Classic Injection

▪ OpenProcess - Grab handle to target process

▪ VirtualAllocEx - Allocate a new chunk of memory in targe

▪ WriteProcessMemory - Write the shellcode/payload into target

▪ CreateRemoteThread - Start a new thread to execute the payload


Classic Injection - Poison Ivy
Poison Ivy
Poison Ivy
Poison Ivy Thread
Reflective DLL Injection

▪ DLL that maps itself into memory - original design and code by Steven Fewer [1]

▪ Handy from attacker perspective - makes for a ‘dumb’ injector

▪ No longer have to code in assembly (like PI)

▪ Very common technique (ex: meterpreter, powershell empire)

▪ Allocate memory, map sections, resolve imports, fixup relocations, call entry

[1] https://github.com/stephenfewer/ReflectiveDLLInjection
Meterpreter

▪ Classic DLL Reflection, such as meterpreter, is easy to find


Meterpreter
Memory Module

▪ Similar to Reflective technique, except loader does all the work [1]

▪ Payload DLL doesn’t need any special modifications

▪ Loader re-implements LoadLibrary(), but works on a buffer in memory

▪ Can map into local or remote process [2]

▪ Typical implementations avoid RWX

[1] Memory Module - https://github.com/fancycode/MemoryModule


[2] Manual Map - https://github.com/DarthTon/Blackbone
NetTraveler - Memory Layout

▪ Uses legitimate looking permissions


NetTraveler - Active Thread
Winnti - Memory Layout
Winnti - Header Wipe
Process Hollowing

▪ Create new, suspended process

▪ Allocate new memory, unmap (hollow) existing code

▪ Write payload

▪ Redirect execution - SetThreadContext() and ResumeThread()

▪ Stealthy variants
• Create/Map sections to avoid WriteProcessMemory
• Modify entry point instead of SetThreadContext
DarkComet - Process Hollowing
DarkComet
Module Overwriting

▪ Up until now, all examples have lead to non-image backed code executing

▪ Module Overwriting avoids this, making it more difficult to detect

▪ Flame and Careto are examples

▪ Map an unused module into target process

▪ Overwrite legitimate module with payload

▪ Odinaff had a similar trick but overwrote its own executable

Image Credit: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf


Odinaff

In Memory On Disk
PEB Unlinking

▪ Not an in memory technique, but rather an evasion

▪ Hide loaded DLL from security products, admins, hunters

▪ HackingTeam used this technique in their RAT

▪ Flame also unlinked shell32.dll

▪ To find peb unlinking, you could compare what the Win32 API reports as ‘loaded’
versus what you find is actually loaded with VirtualQuery/GetSectionName
Gargoyle

▪ Technique developed by Josh Lospinoso to


hide injected code from security products

▪ Payload lies dormant, with read only


permissions

▪ Periodically ‘wakes up.’ Sets payload


executable with an asynchronous procedure
call and ROP. Permissions reverted, cycle
repeats.

▪ https://jlospinoso.github.io/security/assembly/c/cpp/developing/sof
tware/2017/03/04/gargoyle-memory-analysis-evasion.html
Available Tools

▪ Volatility / malfind

▪ GRR

▪ Rekall

▪ inVtero
Detecting Injection
w/ PowerShell
PSReflect
▪ PowerShell module written by Matt Graeber (@mattifestation)
• https://github.com/mattifestation/PSReflect

▪ Avoids the compilation artifacts associated with P/Invoke


• IMO the cleanest way to deal with Win32 API from PowerShell

▪ Library to abstract the complexities of calling Win32 functions via Reflection

▪ Intuitive “domain specific language” for defining enums, structs, and P/Invoke function
signatures

▪ Must include PSReflect code in your scripts/modules


Get-InjectedThread
▪ Built on PSReflect

▪ PowerShell function to identify injected threads via detection methodology:


• Use Windows Toolhelp API to get all threads
• Iterate through each thread
• Identify the thread’s Base (Memory) Address
• Query the memory page for which the Base Address belongs to
• Check if the memory page’s state is MEM_COMMIT
• Check if the memory page’s type is not MEM_IMAGE

▪ Returns details regarding offending process and thread


• Check memory page permissions
• Look for unnecessary privileges or integrity level
• Identify abnormal user tokens
Get-InjectedThread Output
▪ Injected Process Information ▪ Memory Segment
• Process Id • Base Address
• Name • Size
• File Path (PEB and EPROCESS) • Protection
• Command Line • State
• Type
▪ Thread Information • First 100 Bytes
• Thread Id
• Unique Thread Token ▪ Token (Thread or Process)
• Base Priority • Integrity Level
• Does thread have unique token? • Enabled Privileges
• SID / UserName
• Logon Session Start Time
• Logon Type
• Authentication Package
Our Threat - 9002 Trojan
▪ Delivered as .zip file via Google Drive

▪ Zip archive contains one file


• 2nd Myanmar Industrial Resource Development Symposium.exe
• File has PowerPoint icon to trick users into opening

▪ Drops files upon execution


• %USERPROFILE%\<random>\RealNetwork.exe (Legitimate Application)
• %USERPROFILE%\<random>\main.dll (Loaded by MPAMedia.dll)
• %USERPROFILE%\<ramdom>\mpaplugins\MPAMedia.dll (DLL Side Loading)
• Ppt
∙ Opened in PowerPoint to keep up the ruse

http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/
Response
▪ Kill Thread
• Stop-Thread
• Built on Window’s TerminateThread API

▪ Process Minidump
• Out-Minidump (PowerSploit)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1

▪ Thread Dump
• Dump-Thread
Questions?

You might also like