Final

Processes

Processes are the container for execution, but threads are what the Windows OS executes. A process contains one or more threads, which execute part of the code within a process

Services

Services also provide another way to maintain persistence on a system because they can be set to run automatically when the OS starts, and may not even show up in the Task Manager as a process

Malware usage of \Device\PhysicalMemory

-in order to access physical memory directly, which allows user-space programs to write to kernel space -This technique has been used by malware to modify the kernel and hide programs in user space

Value entry

A value entry is an ordered pair with a name and value

MapViewOfFile

After obtaining a map of the file, the malware can parse the PE header and make all necessary changes to the file in memory, thereby causing the PE file to be executed as if it had been loaded by the OS loader

Using SeDebugPrivilege

Allows local Administrator accounts to escalate to System privileges

APPINIT DLLS

AppInit_DLLs are loaded into every process that loads User32.dll

Networking APIs

Berkeley compatible sockets' network functionality in Windows is implemented in the Winsock libraries, primarily in ws2_32.dll.

Pwdump

Injects lsaext.dll into lsass.exe -Calls GetHash, an export of lsaext.dll -Hash extraction uses undocumented Windows function calls

CreateThread

Malware can use CreateThread to load a new malicious library into a process, with CreateThread called and the address of LoadLibrary specified as the start address

CreateProcess

Malware commonly uses CreateProcess to create a simple remote shell with just a single function call. One of the parameters to the CreateProcess function, the STARTUPINFO struct, includes a handle to the standard input, standard output, and standard error streams for a process.

CreateMutex

Malware will commonly create a mutex and attempt to open an existing mutex with the same name to ensure that only one version of the malware is running at a time

No User Account Control

Most users run Windows XP as Administrator all the time, so no privilege escalation is needed to become Administrator

Process replacement

* Create target process and suspend it. * Unmap from memory. * Allocate space. * Write headers and sections into the remote process. * Resume remote thread.

Hook injection

* Find/Create process. * Set hook ## Note: `InjectProc` uses [SetWindowsHookEx]

APC injection

* Open process. * Allocate space. * Write code into remote threads. * "Execute" threads using QueueUserAPC.

DLL injection

* Open target process. * Allocate space. * Write code into the remote process. * Execute the remote code.

DllMain is called to notify the DLL whenever

-A process loads or unloads the library, creates a new thread, or finishes an existing thread. -This notification allows the DLL to manage any per-process or per-thread resources.

RegSetValueEx

-Adds a new value to the registry and sets its data.

Kernel-Based Keyloggers

-Difficult to detect with user-mode applications-Frequently part of a rootkit -Act as keyboard drivers-Bypass user -space programs and protections

RegOpenKeyEx

-Opens a registry for editing and querying. -There are functions that allow you to query and edit a registry key without opening it first, but most programs use RegOpenKeyEx anyway.

CreateRemoteThread uses 3 parameters

-Process handle hProcess -Starting point lpStartAddress (LoadLibrary) -Argument lpParameter Malicious DLL name

RegGetValue

-Returns the data for a value entry in the registry.

Handles

-are like pointers in that they refer to an object or memory location somewhere else. -However, unlike pointers, handles cannot be used in arithmetic operations, and -they do not always represent the object's address. The only thing you can do with a handle is store it and use it in a later function call to refer to the same object

NT namespace

-as access to all devices, and -all other namespaces exist within the NT namespace

Namespaces

-can be thought of as a fixed number of folders, each storing different types of objects -the lowest level namespace is the NT namespace with the prefix \

CreateFile

-create and open files -The parameter dwCreationDisposition controls whether to create a new file or open an existing one.

Alternate Data Streams (ADS)

-feature allows additional data to be added to an existing file within NTFS, essentially adding one file to another -Alternate Data Streams (ADS) are a file attribute only found on the NTFS file system. -The extra data does not show up in a directory listing, and -it is not shown when displaying the contents of the file; -it's visible only when you access the stream

CreateWindowEx

-has a simple example of a handle -It returns an HWND, which is a handle to a window -Whenever you want to do anything with that window, such as call DestroyWindow, you'll need to use that handle

HKEY_USERS

Defines settings for the default user, new users, and current users

Example of one popular subkey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, contains a series of values that are executables that are started automatically when a user logs in.

HKEY_LOCAL_MACHINE (HKLM)

Stores settings that are global to the local machine

WIN32_OWN_PROCESS

Stores the code in an .exe file and runs as an independent process.

WinINet API

The WinINet API functions are stored in Wininet.dll. -If a program imports functions from this DLL, it's using higher-level networking APIs.

Process Injection

The most popular covert launching process •Injects code into a running process •Conceals malicious behavior •May bypass firewalls and other process-specific security mechanisms

The one most commonly used by malware is the

The one most commonly used by malware is the WIN32_SHARE_PROCESS type Stores the code for the service in a DLL, and combines several different services in a single, shared process

resource section

The resource section of the PE file can store any file Malware will sometimes store another executable in the resource section

Asynchronous Procedure Call(APC)

These are processed when the thread is in an alterable state, such as when these functions are called -WaitForSingleObjectEx -WaitForMultipleObjectsEx -Sleep

T/F Compiler versions and settings can impact how a particular construct appears in disassembly

True

Basic DLL Structure

Under the hood, DLL files look almost exactly like .exe files. -DLLs use the PE file format, and only a single flag indicates that the file is a DLL and not an .exe. -DLLs often have more exports and generally fewer imports. -Other than that, there's no real difference between a DLL and an .exe.

Hooking

Uses SetWindowsHookEx function to notify malware each time a key is pressed

Pwdump Variant

Uses these libraries -samsrv.dll to access the SAM -advapi32.dll to access functions not already imported into lsass.exe -Several Sam functions -Hashes extracted by SamIGetPrivateData -Decrypted with SystemFunction025 and SystemFunction027

If a user-mode program executes an invalid instruction and crashes

Windows can reclaim all the resources and terminate the program.

Hash Dumping

Windows login passwords are stored as LM or NTLM hashes -Hashes can be used directly to authenticate (pass-the-hash attack) -Or cracked offline to find passwords

Witty worm

accessed \Device\PhysicalDisk1 via the NT namespace to corrupt its victim's file system

File mappings

are commonly used by malware writers because they allow a file to be loaded into memory and manipulated easily

Mutexes

are mainly used to control access to shared resources, and are often used by malware Only one thread can own a mutex at a time

Injectproc.exe

dll_inj hello-world.dll notepad.exe proc_rpl C:\Windows\System32\notepad.exe hook C:\Windows\System32\notepad.exe APC notepad.exe hello-world.dll

It's important for a malware analyst to be able to figure out

how malware could be inducing other code to run

Suspended State

in a suspended state, the process is loaded into memory but the primary thread is suspended -So malware can overwrite its code before it runs

code construct

is a code abstraction level that defines a functional property but not the details of its implementation

Scvhost

is a generic host process for services that run as DLLs

Malware authors like ADS because

it can be used to hide data

\\?\ prefix

tells the OS to disable all string parsing, and it allows access to longer filenames.

DLL Injection

•The most commonly used covert launching technique •Inject code into a remote process that calls LoadLibrary •Forces the DLL to load in the context of that process