Final
Processes
Processes are the container for execution, but threads are what the Windows OS executes. A process contains one or more threads, which execute part of the code within a process
Services
Services also provide another way to maintain persistence on a system because they can be set to run automatically when the OS starts, and may not even show up in the Task Manager as a process
Malware usage of \Device\PhysicalMemory
-in order to access physical memory directly, which allows user-space programs to write to kernel space -This technique has been used by malware to modify the kernel and hide programs in user space
Value entry
A value entry is an ordered pair with a name and value
MapViewOfFile
After obtaining a map of the file, the malware can parse the PE header and make all necessary changes to the file in memory, thereby causing the PE file to be executed as if it had been loaded by the OS loader
Using SeDebugPrivilege
Allows local Administrator accounts to escalate to System privileges
APPINIT DLLS
AppInit_DLLs are loaded into every process that loads User32.dll
Networking APIs
Berkeley compatible sockets' network functionality in Windows is implemented in the Winsock libraries, primarily in ws2_32.dll.
Pwdump
Injects lsaext.dll into lsass.exe -Calls GetHash, an export of lsaext.dll -Hash extraction uses undocumented Windows function calls
CreateThread
Malware can use CreateThread to load a new malicious library into a process, with CreateThread called and the address of LoadLibrary specified as the start address
CreateProcess
Malware commonly uses CreateProcess to create a simple remote shell with just a single function call. One of the parameters to the CreateProcess function, the STARTUPINFO struct, includes a handle to the standard input, standard output, and standard error streams for a process.
CreateMutex
Malware will commonly create a mutex and attempt to open an existing mutex with the same name to ensure that only one version of the malware is running at a time
No User Account Control
Most users run Windows XP as Administrator all the time, so no privilege escalation is needed to become Administrator
Process replacement
* Create target process and suspend it. * Unmap from memory. * Allocate space. * Write headers and sections into the remote process. * Resume remote thread.
Hook injection
* Find/Create process. * Set hook ## Note: `InjectProc` uses [SetWindowsHookEx]
APC injection
* Open process. * Allocate space. * Write code into remote threads. * "Execute" threads using QueueUserAPC.
DLL injection
* Open target process. * Allocate space. * Write code into the remote process. * Execute the remote code.
DllMain is called to notify the DLL whenever
-A process loads or unloads the library, creates a new thread, or finishes an existing thread. -This notification allows the DLL to manage any per-process or per-thread resources.
RegSetValueEx
-Adds a new value to the registry and sets its data.
Kernel-Based Keyloggers
-Difficult to detect with user-mode applications-Frequently part of a rootkit -Act as keyboard drivers-Bypass user -space programs and protections
RegOpenKeyEx
-Opens a registry for editing and querying. -There are functions that allow you to query and edit a registry key without opening it first, but most programs use RegOpenKeyEx anyway.
CreateRemoteThread uses 3 parameters
-Process handle hProcess -Starting point lpStartAddress (LoadLibrary) -Argument lpParameter Malicious DLL name
RegGetValue
-Returns the data for a value entry in the registry.
Handles
-are like pointers in that they refer to an object or memory location somewhere else. -However, unlike pointers, handles cannot be used in arithmetic operations, and -they do not always represent the object's address. The only thing you can do with a handle is store it and use it in a later function call to refer to the same object
NT namespace
-as access to all devices, and -all other namespaces exist within the NT namespace
Namespaces
-can be thought of as a fixed number of folders, each storing different types of objects -the lowest level namespace is the NT namespace with the prefix \
CreateFile
-create and open files -The parameter dwCreationDisposition controls whether to create a new file or open an existing one.
Alternate Data Streams (ADS)
-feature allows additional data to be added to an existing file within NTFS, essentially adding one file to another -Alternate Data Streams (ADS) are a file attribute only found on the NTFS file system. -The extra data does not show up in a directory listing, and -it is not shown when displaying the contents of the file; -it's visible only when you access the stream
CreateWindowEx
-has a simple example of a handle -It returns an HWND, which is a handle to a window -Whenever you want to do anything with that window, such as call DestroyWindow, you'll need to use that handle
HKEY_USERS
Defines settings for the default user, new users, and current users
Example of one popular subkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, contains a series of values that are executables that are started automatically when a user logs in.
HKEY_LOCAL_MACHINE (HKLM)
Stores settings that are global to the local machine
WIN32_OWN_PROCESS
Stores the code in an .exe file and runs as an independent process.
WinINet API
The WinINet API functions are stored in Wininet.dll. -If a program imports functions from this DLL, it's using higher-level networking APIs.
Process Injection
The most popular covert launching process •Injects code into a running process •Conceals malicious behavior •May bypass firewalls and other process-specific security mechanisms
The one most commonly used by malware is the
The one most commonly used by malware is the WIN32_SHARE_PROCESS type Stores the code for the service in a DLL, and combines several different services in a single, shared process
resource section
The resource section of the PE file can store any file Malware will sometimes store another executable in the resource section
Asynchronous Procedure Call(APC)
These are processed when the thread is in an alterable state, such as when these functions are called -WaitForSingleObjectEx -WaitForMultipleObjectsEx -Sleep
T/F Compiler versions and settings can impact how a particular construct appears in disassembly
True
Basic DLL Structure
Under the hood, DLL files look almost exactly like .exe files. -DLLs use the PE file format, and only a single flag indicates that the file is a DLL and not an .exe. -DLLs often have more exports and generally fewer imports. -Other than that, there's no real difference between a DLL and an .exe.
Hooking
Uses SetWindowsHookEx function to notify malware each time a key is pressed
Pwdump Variant
Uses these libraries -samsrv.dll to access the SAM -advapi32.dll to access functions not already imported into lsass.exe -Several Sam functions -Hashes extracted by SamIGetPrivateData -Decrypted with SystemFunction025 and SystemFunction027
If a user-mode program executes an invalid instruction and crashes
Windows can reclaim all the resources and terminate the program.
Hash Dumping
Windows login passwords are stored as LM or NTLM hashes -Hashes can be used directly to authenticate (pass-the-hash attack) -Or cracked offline to find passwords
Witty worm
accessed \Device\PhysicalDisk1 via the NT namespace to corrupt its victim's file system
File mappings
are commonly used by malware writers because they allow a file to be loaded into memory and manipulated easily
Mutexes
are mainly used to control access to shared resources, and are often used by malware Only one thread can own a mutex at a time
Injectproc.exe
dll_inj hello-world.dll notepad.exe proc_rpl C:\Windows\System32\notepad.exe hook C:\Windows\System32\notepad.exe APC notepad.exe hello-world.dll
It's important for a malware analyst to be able to figure out
how malware could be inducing other code to run
Suspended State
in a suspended state, the process is loaded into memory but the primary thread is suspended -So malware can overwrite its code before it runs
code construct
is a code abstraction level that defines a functional property but not the details of its implementation
Scvhost
is a generic host process for services that run as DLLs
Malware authors like ADS because
it can be used to hide data
\\?\ prefix
tells the OS to disable all string parsing, and it allows access to longer filenames.
DLL Injection
•The most commonly used covert launching technique •Inject code into a remote process that calls LoadLibrary •Forces the DLL to load in the context of that process
