Processes and Memory:

attack vectors
:Table of Contents
• Intro to computer memory
• How memory works
• What is stack and what is heap.
• Overflow attacks
• Memory protections
• Assembly 101

• Process:
• What is a process
• Process in memory
• What is the difference between a process, a service, DLL and executable.
• Common process attacks
• Process injection vs process hollowing
• Detection and mitigation
• Crowd-Strike visibility
• conclusion
Computer memory 101
So, how a computer memory works?
Whenever a program is executed, the CPU allocate a “space” in memory to the instruction of the program.
The CPU can access all the data stored in the memory in any order it required hence the name Random Accessed Memory (RAM)
but how the computer store data in the ram?
The ram is a series of logic gates that allow us to store a bit in it as long as 2 condition apply.
The first condition is the output of the write gate, which allow us to write to the memory
The second is the output of the logic gate itself that store either 1 or 0 in it
.the following diagram show the gates

in order to abstract a bit more we can consider the entire diagram as a box with 2 possible inputs and 1 output. For the sake of
simplicity the gate is called latch
Computer memory 101
In case both the data input is equal to 0 and the write enable is 0 the output will be 0
first we need to set the write enable to 1,
once the gate was set to 1 we can write our value (in our case the only possible value
is either 1 or 0 as it already set)
then we can close the write enable
so basically we successfully stored a bit in memory
.now we can change the data input but it will not effect the data output
Now that we know how a value is saved to the latch we can go a bit higher and simplify a bit more
a group of latches that works like that is called a register, which holds a single number.
And the number of bits in a register called width.

In order to write to our register we need to enable write mode, we can do it with a wire that connect to all the enable input and set it
all to 1 simultaneously then we can send data to each and every latch however this created a mess of wires.
So an idea to set them in a matrix was propose
in order to activate one latch we need to enable the row and the column
then the latch with both column AND row will be activated
however the other latches will be deactivated
the component that help us select a specific latch called multiplexer
simply putting this component assigns number to both the columns and rows
so its can coordinate the specific latch
Computer memory 101
Another level of abstraction, we can think of the 265 bits of memory as a bank of addresses that have 8 bits of data
for the address, a write enable wire, a read enable wire and data modification wire.
Just like the registers we can put them in a row of 8, this will allow us to store 8 bytes of data
We can think of each row as 2 parts, the first 4 digits (aka opcode) specify the operation we want to preform
.And the 4 last digits that describe the location of the data

In our example address 0 opcode was set to 0010 which translate to load_A and the data is 1110
(14 in binary) so basically we are storing the value 14 to register A.

Now that we have a basic understanding of how a computer save data to RAM and perform simple
operations we can move forward
in the next chapter we will talk about how computers know where the next instruction in the ram is located
and what is heap and stack and the differences between them
we will also dive into an overflow attacks (buffer/integer)
Computer memory 101
Well now that we know how a data is saved and how we run operation on that data we can talk about the heap and stack.

So what is the heap and what is the stack?

Both are concept in memory that allow us to save an use data while our program run

then what is the difference?

The stack is a concept we already familiar with, as we saw before the stack is a collection of primitive data types in
memory, just like in the picture.
the stack works very fast compare to the heap due to the fact that the stack is design to deal with a primitive
data types
the heap however, store the more complex data structures such as objects, classes and arrays.

Well then how does the stack and heap communicates?

Once a program needs to get data from the heap it uses a primitive data structure that called a pointer,
as the name suggest the pointer, points on the objects that located in the heap.
However, as mention before the heap is slower and sorting through the heap takes longer than sorting through the stack.
The stack and heap both “grows” toward one another when new data is stored in them.
once a program is loaded to memory the CPU assign a “virtual memory address” to it. however in reality,
.the program might be divided across the memory
:Low level memory attacks
Buffer overflow:
what is a buffer?
Buffers are a terms for block of memory reserved to a program for storing data.
What the attacker do?
For example lets assume we have a program that store user name and password,
and the program expect up to 10 charters in each field.
An adversary will try to write more then the expected amount and therefore the adversary
will write over an adjacent memory block, this might crash the program or the system.
And it also might allow the attacker to specify a return address to a previously loaded
malicious code

integer underflow:
integer underflow accrues when a programmer expect an int type of data (number) and received an unexpected number such as
negative number. Lets say as part of a game I am developing I have a currency system that can count until 4294967295$ (or 32 bit)
however if in the game I have 0$, and using a program that can provide me with -1$ (unexpected ammount)
the value of money will change to 4294967295$. This happed because the programmed “looped over” because there is no
representation of -1.
on the other hand we can have 4294967295$ and if we get 1$ more dollar we will have 0 (an integer overflow)
the dangerous part of the attack is that the data that appears is not a representation of the real amount
famous instance that accrued was when the singer PSY released a song to YouTube that at the time used a sign 32 bit (or roughly up to
2 billion) to mark the view count however, the song passed the threshold and the count was resets to 0
Low level memory attacks -
:mitigation
So there are several ways to defend buffer overflows. 2 of the most used methods are ASLR and DEP
Aslr - Address Space Layout Randomization (ASLR) is a computer security technique which involves randomly positioning the base
address of an executable and the position of libraries, heap, and stack, in a process's address space. The random mixing of memory
addresses performed by ASLR means that an attack no longer knows where to point the return functions to. That way, rather
than removing vulnerabilities from the system, ASLR attempts to make it more challenging to exploit existing vulnerabilities

dep - Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with
Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking
memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the
exploitation of buffer overflows

both of these security systems are great to have but they cannot prevent all the attacks and every now and then a new way to bypass
ASLR is found, the best way to prevent exploitation of a Buffer is to sanitize the data the user provided. And to use only a safe
.commands while programming
:Assembly 101
The aim of the following slides is to get you familiar with assembly
Q: what is assembly?
A: assembly is a low level language, this language is closest to binary, we actually encountered assembly code in our memory intro
the opcode that we intrude before was assembly command (LOAD_A 14).

Here are a couple of assembly commands and the co-responding actions

MOV – move data from one register to another

PUSH – push data to the stack
POP – remove data from the stack
LEA - Load effective address
SUB - subtract two values
ADD - add two values
JMP - Transfers program control flow to the instruction at the memory location indicated by the operand.

There are a lot more commands for assembly

you can fine a link to a summery of the commands in the last slide
:Assembly 101
Registers types

Processor Registers
EAX - AX is the primary accumulator, it is used in input/output and most arithmetic instructions.
EBX - BX is known as the base register, as it could be used in indexed addressing.
ECX - CX is known as the count register, as the ECX, CX registers store the loop count in iterative operations
EDX - DX is known as the data register. It is also used in input/output operations. It is also used with AX register along with DX for multiply and
divide operations involving large values

Pointers:
EIP - The 16-bit IP register stores the offset address of the next instruction to be executed. IP in association with the CS register (as S:IP) gives the
complete address of the current instruction in the code segment.
ESP - The 16-bit SP register provides the offset value within the program stack. SP in association with the SS register (SS:SP) refers to be current
position of data or address within the program stack.
EBP - The 16-bit BP register mainly helps in referencing the parameter variables passed to a subroutine. The address in SS register is combined
with the offset in BP to get the location of the parameter. BP can also be combined with DI and SI as base register for special addressing.

Index registers:
ESI - It is used as source index for string operations.
EDI - It is used as destination index for string operations.

.there are also control registers but we wont get in to it in this presentation, if you want you can read more about them in the external links
Process vs service vs DLL vs
:executable
Process – A process is a program in execution, you may have several processes for the same program running (for example, chrome uses a process
for each tab open) generally speaking the process have 2 main modes to run in, kernel (which provide system level privileges) and user (which
provide user level privileges). Once a process is running in user mode it have less access to the share resources and to other processes that may
run on the system. In case a user process want to interact with the kernel, an interrupt request is raised.
Then a system call is raised to the OS to do the task on its behalf. Each process run in a virtual memory segment allocated specifically to the use of
.the process. To put it simply, each process have its own virtual stack and heap

Service - service is software that performs automated tasks, responds to hardware events, or listens for data requests from other software. In a
user's operating system, these services are often loaded automatically at startup, and run in the background, without user interaction

DLL - A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows
operating systems, the Comdlg32 DLL performs common dialog box related functions. Therefore, each program can use the functionality that is
contained in this DLL to implement an Open dialog box. This helps promote code reuse and efficient memory usage

exe – a static file that contain a collection of instruction, the file was compiled to an executable format.
However, when the file run in memory the object created called process. Most executable files in windows have “magic numbers” (aka mime
”types) that identify the file as an executable. When opening the file in hex editor we can see the mime type at the very beginning set to “MZ
: Process Genealogy
As we know windows have a process hierarchy that can help us find some suspicious activity
on the very top of the process tree we can usually find the system process
the system process – this process have no file in disk (no system.exe) and it start at boot
the number of expected instances is 1

under system usually we can find smss.exe (session manager service), the path of this file is
in c:\windows\system32\smss.exe and the number of expected instances is 1 for the master
instance and one for each session on the host. Once a session established (run any child
process) the child process exit.

Underneath smss.exe we can find csrss.exe/wininit.exe/winlogon.exe

csrss.exe - client server runtime sub-system can be found in c:\windows\system32\csrss.exe
the number of expected instance is 2 or more and the associated use is local system.
Wininit.exe – this process is responsible of starting background process for session 0. it can be found in c:\windows\system32\ Wininit.exe
the expected number of instances are 1 and the associated user is local system. This process start services.exe (1 instance) and it load svchost.exe
(can have multiple instances) and taskhost.exe (can have multiple instances)
lsass.exe (1 instance) is run under wininit.exe
winlogon.exe – the path of this file is c:\windows\system32\winlogon.exe can have 1 or more instances of it, associated with local system user
winlogon.exe run userinit.exe and userinit.exe run by default explorer.exe (the only process we talked about so far that run from c:\explorer.exe
and not from c:\windows\system32)

note: when smss.exe run a process, another process of smss is created as a “client” and when the process run the client is closed.
.That’s why we don’t see smss as the first process in our detections systems
:Process memory
What a process looks like in memory?
When an application is stared in a Win32 environment, a process is created and virtual memory is assigned to either the user space or kernel
space.
Kernel space – can be accessed by the user only via a system call.
User space - The user space is a computational resource allocated to a user, and it is a resource that the executing program can directly access.
This space can be categorized into some segments.
When a program loads in the virtual memory the process create its own stack, heap, bss, data, and text segments in the memory.
The stack – a segment in memory that store primitive data types, the method of data sorting is LIFO (last in first out).
The heap – a segment in memory to store complex data type, usually referred with a pointer from the stack
BSS – a segment in memory that contains uninitialized data.
Data – The data segment contains initialized global and static variables
Text – A segment in which a machine language instruction is stored. This segment is a read-only space.

When a sub process run another block of memory is being allocated to the process and all the segments
.of the process is recreated in the new process
:Process injection
What is process injection?
Process injection is an attack that uses a legit process to run a malicious code
the adversary load a malicious shellcode or a pointer to the code in memory into a legit PE (portable executable). Once the PE is being
loaded to the memory a small buffer (space in memory) is created to store EWM. When the code is executed so is the shellcode that
attached to the PE is also executed (or the pointer call the shellcode to be executed from the stack) in the background. Most of the time
the shellcode will initiate a connection to a remote server.

Detection:
the best way to detect these types of activates is to monitor for API calls related to enumerating and manipulating EWM such as
GetWindowLong, and SetWindowLong, Malware associated with this technique have also used SendNotifyMessage to trigger the
associated window procedure and eventual malicious injection.

mitigation: Some endpoint security solutions can be configured to block some types of process injection based on common sequences
.of behavior that occur during the injection process
:Process hollowing
What is process hollowing?
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which
can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess,
which includes a flag to suspend the processes primary thread. At this point the process can be unmapped
using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to,
realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext,
then ResumeThread respectively.
Something worth noting, due to the fact that the process was unmapped all the security privilege of the
process was unmapped as well. Therefore this attack most likely wont results in privilege escalation.

Detection:
the detection of this attack is tricky because the attacker use windows API calls to a legit functions, monitoring all the API call may
results in a clutter and may make us miss something, the best way to detect is to analyze the activity of the process and to see if the
process does anything out of the ordinary

mitigation: Some endpoint security solutions can be configured to block some types of process injection based on common sequences
.of behavior that occur during the injection process
: Process doppelganger
What is process doppelganger?
Similarly to process hollowing, process doppelganger utilize an API call to NTFS transaction.
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF
enables only one transacted handle to write to a file at a given time. Adversary may create a process in a context of a transaction
the process will look as if it’s a legitimate process because it will be mapped to the correct location in memory and

Detection:
Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of
TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via
calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as
WriteProcessMemory.

mitigation:
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior
.that occur during the injection process
External
:ow
H links
a memory works: https://www.youtube.com/watch?v=fpnE6UAfbtU
how a program instruction works: https://www.youtube.com/watch?v=zltgXvg6r3k
heap vs stack: https://www.youtube.com/watch?v=IX3fDYz0WyM
Buffer overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo
process doppelganger: https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/
ASLR:
https://blog.morphisec.com/aslr-what-it-is-and-what-it-isnt/#:~:text=Address%20Space%20Layout%20Randomization%20(ASLR,in%20a%20proce
ss's%20address%20space
.
DEP: https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
common assembly command: http://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html
Registers: https://www.tutorialspoint.com/assembly_programming/assembly_registers.htm
Process in memory: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
in depth playlist of how OS works: https://www.youtube.com/watch?v=KkUT7yHp-qE&list=PLWl7jvxH18r1RSNrS7VF3Rfm557nzpi0M
sans know normal find evil: https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf
windows process Genealogy: https://www.youtube.com/watch?v=s98_p3bheL0
diagram of windows 10 process hierarchy: https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
diagram of windows 7 process hierarchy: https://www.13cubed.com/downloads/windows_process_genealogy.pdf
Process injection: https://attack.mitre.org/techniques/T1055/011/
process hollowing: https://attack.mitre.org/techniques/T1055/012/
OS course (Hebrew): https://www.youtube.com/watch?v=9lKFOS0JmAA&list=PLM96W_EHEqh53Dj5aM5uzzwWiHYb2Imwr
process activity in memory:https://medium.com/@shoheiyokoyama/understanding-memory-layout-4ef452c2e709