BYPASSING USER-MODE HOOKS
ANALYZING MALWARE EVASION TREND
FIRST Tel Aviv 2019
ENSILO.COM
ABOUT US
• Omri Misgav
– Security Research Team Leader @ enSilo
– Reverse Engineering, OS internals
• Udi Yavo
– CTO & Co-Founder @ enSilo
– Former CTO, Rafael Cyber Security Division
– Past speaker in Blackhat and RSA
• Our technical blog: BreakingMalware.com
2 // ENSILO.COM
AGENDA
• Intro and background
• Bypass techniques analysis
– Secondary DLL mapping
– Direct system call invocation
– Code splicing
• Comparison and takeaways
INTRO
• Hooking is used to intercept function calls in order to alter or augment their behavior
• User-mode hooks are used in many security products and tools
– AVs\NGAVs
– EDRs
– Sandboxes
– DLPs
– And more…
• Why?
– Stable, simple (nevertheless, not without faults)
– No patch protection in user mode (unlike the kernel, where PatchGuard blocks inline patching on 64-bit Windows)
– Full context
• Bypasses have existed for a very long time
• In the last ~1.5 years there has been an increasing number of reports (from malware analysis and from pentesters)
HOOKING BACKGROUND
[Call-path diagram, reconstructed from the slide: the user-mode layers a call passes through before reaching the kernel, i.e. where hooks can sit]

Native 64-bit process, ReadProcessMemory:
  kernel32!ReadProcessMemory -> KernelBase!ReadProcessMemory -> ntdll!NtReadVirtualMemory
  ---- user / kernel boundary ----
  ntoskrnl!... (kernel-side NtReadVirtualMemory handler)

WOW64 process (32-bit application on 64-bit Windows), CreateProcessA:
  kernel32!CreateProcessA -> kernel32!CreateProcessInternalA -> kernel32!CreateProcessInternalW
  -> ntdll!NtCreateUserProcess (32-bit stub) -> wow64cpu!X86SwitchTo64BitMode -> wow64!Wow64SystemServiceEx
  -> 64-bit ntdll system call
  ---- user / kernel boundary ----
  ntoskrnl!NtCreateUserProcess -> ntoskrnl!...
HOOKING BACKGROUND
Inline Hooks
• Control flow instructions: the first instructions of the function are overwritten with a jmp to the hook; the displaced instructions are re-executed in a trampoline that jumps back to the function just past the patch

  Before:
  function_A:
  0x401000: 55             push ebp
  0x401001: 89 e5          mov ebp, esp
  0x401003: 83 ec 40       sub esp, 0x40
  0x401006: 50             push eax
  0x401007: 8b 44 24 0c    mov eax, [esp + 0xc]
  0x40100a: …

  After (a 5-byte jmp rel32 plus one nop covers the 6 displaced bytes):
  function_A:
  0x401000: e9 fb 0f 00 00 jmp hook_A           ; rel32 = 0x402000 - 0x401005
  0x401005: 90             nop
  0x401006: 50             push eax
  0x401007: 8b 44 24 0c    mov eax, [esp + 0xc]
  0x40100a: …

  hook_A:
  0x402000: 55             push ebp             ; displaced instructions, copied verbatim
  0x402001: 89 e5          mov ebp, esp
  0x402003: 83 ec 40       sub esp, 0x40
  0x402006: e9 fb ef ff ff jmp function_A + 6   ; rel32 = 0x401006 - 0x40200b

• Generating exceptions: only the first byte is replaced, with int 3 (0xcc); the exception handler takes control and the original instruction is executed (or emulated) before resuming

  Before:
  function_B:
  0x403000: 55             push ebp
  0x403001: 89 e5          mov ebp, esp
  0x403003: 83 ec 50       sub esp, 0x50
  0x403006: …

  After:
  function_B:
  0x403000: cc             int 3
  0x403001: 89 e5          mov ebp, esp
  0x403003: 83 ec 50       sub esp, 0x50
  0x403006: …
BYPASS TECHNIQUES ANALYSIS
Secondary DLL mapping
BYPASS TECHNIQUES
Manually Load DLL From Disk
• ReadFile() + Reflective Loading
• FormBook, reported by FireEye
• Infostealer
• Referred to as the "Lagos Island method"
• Loads ntdll.dll
– Code injection and Process Hollowing
– File system and registry access
BYPASS TECHNIQUES
Clone DLL
• CopyFile() + LoadLibrary()
• Hancitor, reported by MalwareBytes
• Downloader
• Copies kernel32.dll
– Call CreateProcess as part of Process Hollowing
BYPASS TECHNIQUES
Section Remapping
• [Nt]CreateFile() + NtCreateSection(…, SEC_IMAGE, …) + ZwMapViewOfSection()
• Osiris, reported by MalwareBytes
• Banking trojan
• Remaps ntdll.dll
– Process Doppelgänging\Hollowing hybrid (“Transacted Hollowing”)
BYPASS TECHNIQUES ANALYSIS
Direct system call invocation
BYPASS TECHNIQUES
NTDLL Parsing
• Calling system calls directly
• DarkGate, reported by enSilo
• Crypto miner and stealer
• Used for Process Hollowing and writing to the registry
BYPASS TECHNIQUES
NTDLL Parsing
[Same call-path diagram as on the Hooking Background slide. With direct system call invocation the application issues the syscall itself, so the ntdll!Nt* stubs, and any hooks placed on them, are never executed; only the kernel-side ntoskrnl handlers remain on the path.]
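The "NTDLL Parsing" technique boils down to recovering the system service number (SSN) from each Nt* export and issuing the syscall without going through the stub. The routine below, added here as an example and not code from the deck or from DarkGate, does the parsing half: it reads the `mov eax, imm32` out of a stub, accepts both the x64 layout (`mov r10, rcx` first) and the 32-bit WOW64 layout that a Heaven's Gate user would start from, and refuses stubs whose first bytes are a jmp, int 3 or push/ret, i.e. stubs that are already hooked. All stub bytes are constructed test vectors modelled on Windows 10 layouts (the SSN 0x3f is illustrative); on a live system they would be read from the mapped ntdll.dll.

```c
/* ntdll_stub.c: read the system service number (SSN) out of an Nt* stub and
 * tell whether the stub still looks pristine or has an inline hook on it.
 * Added example, not code from the enSilo deck or from DarkGate. The stub
 * bytes below are constructed test vectors modelled on Windows 10 layouts;
 * on a live system the bytes would be read from the mapped ntdll.dll export. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { STUB_CLEAN = 0, STUB_HOOKED = 1, STUB_UNKNOWN = 2 } stub_status;

/* Redirects that inline-hooking engines commonly write over a stub's first bytes */
static int starts_with_hook(const uint8_t *p, size_t n) {
    if (n < 6) return 0;
    if (p[0] == 0xE9) return 1;                     /* jmp rel32 */
    if (p[0] == 0xCC) return 1;                     /* int 3 (exception-based hook) */
    if (p[0] == 0xFF && p[1] == 0x25) return 1;     /* jmp [rip+disp32] / jmp [abs32] */
    if (p[0] == 0x68 && p[5] == 0xC3) return 1;     /* push imm32 ; ret */
    return 0;
}

/* The instruction that actually enters the kernel (or the WOW64 transition). */
static int has_dispatch(const uint8_t *p, size_t n) {
    for (size_t i = 0; i + 1 < n; i++) {
        if (p[i] == 0x0F && p[i + 1] == 0x05) return 1;                 /* syscall (x64) */
        if (p[i] == 0xFF && p[i + 1] == 0xD2) return 1;                 /* call edx (x86 WOW64, Win10) */
        if (i + 2 < n && p[i] == 0x64 && p[i + 1] == 0xFF && p[i + 2] == 0x15)
            return 1;                                                  /* call fs:[..] (x86 WOW64, Win7/8) */
    }
    return 0;
}

/* Parse `mov eax, imm32` (optionally preceded by the x64 `mov r10, rcx`) and
   require a dispatch instruction afterwards, so arbitrary code is not mistaken
   for a stub. On success writes the SSN and returns STUB_CLEAN. */
stub_status parse_syscall_stub(const uint8_t *stub, size_t len, uint32_t *ssn_out) {
    if (len < 8) return STUB_UNKNOWN;
    if (starts_with_hook(stub, len)) return STUB_HOOKED;
    size_t i = 0;
    if (stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1) i = 3;  /* mov r10, rcx */
    if (i + 5 > len || stub[i] != 0xB8) return STUB_UNKNOWN;          /* mov eax, imm32 */
    uint32_t ssn = (uint32_t)stub[i + 1] | ((uint32_t)stub[i + 2] << 8)
                 | ((uint32_t)stub[i + 3] << 16) | ((uint32_t)stub[i + 4] << 24);
    if (ssn > 0xFFF) return STUB_UNKNOWN;   /* SSNs are small table indexes */
    if (!has_dispatch(stub + i + 5, len - i - 5)) return STUB_UNKNOWN;
    if (ssn_out) *ssn_out = ssn;
    return STUB_CLEAN;
}

/* Convenience: the SSN of a clean stub, or UINT32_MAX if it is hooked/unrecognised. */
uint32_t stub_ssn(const uint8_t *stub, size_t len) {
    uint32_t ssn = 0;
    return parse_syscall_stub(stub, len, &ssn) == STUB_CLEAN ? ssn : UINT32_MAX;
}

/* Constructed: x64 Win10-style stub for a service with SSN 0x3f, untouched */
static const uint8_t X64_CLEAN[] = {
    0x4C,0x8B,0xD1, 0xB8,0x3F,0x00,0x00,0x00,
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,  /* test byte ptr [SharedUserData+0x308], 1 */
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
/* Constructed: the same stub after a 5-byte jmp hook was written over its start */
static const uint8_t X64_HOOKED[] = {
    0xE9,0x10,0x20,0x30,0x40, 0x00,0x00,0x00,
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
/* Constructed: 32-bit stub as seen by a WOW64 process on Win10:
   mov eax, ssn ; mov edx, Wow64SystemServiceCall ; call edx ; ret 0x14 */
static const uint8_t X86_WOW64_CLEAN[] = {
    0xB8,0x3F,0x00,0x00,0x00, 0xBA,0x00,0x10,0x77,0x77, 0xFF,0xD2, 0xC2,0x14,0x00 };

int main(void) {
    static const char *names[] = { "clean", "hooked", "unknown" };
    printf("x64 clean : %s ssn=0x%x\n",
           names[parse_syscall_stub(X64_CLEAN, sizeof X64_CLEAN, NULL)],
           stub_ssn(X64_CLEAN, sizeof X64_CLEAN));
    printf("x64 hooked: %s\n", names[parse_syscall_stub(X64_HOOKED, sizeof X64_HOOKED, NULL)]);
    printf("x86 wow64 : %s ssn=0x%x\n",
           names[parse_syscall_stub(X86_WOW64_CLEAN, sizeof X86_WOW64_CLEAN, NULL)],
           stub_ssn(X86_WOW64_CLEAN, sizeof X86_WOW64_CLEAN));
    return 0;
}
```

Two things the parser makes visible: an SSN is only as portable as the ntdll build it was read from (hence the "version dependent" drawback of hardcoded indexes later on the Summary slide), and a hooked stub gives the malware no SSN at all, which is why samples read the bytes from a fresh copy of ntdll on disk or from another mapping rather than from the hooked image.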
BYPASS TECHNIQUES
Heaven’s Gate
• Make system calls from within WOW64 emulation layer
– 32-bit application on 64-bit Windows
• GlobeImposter, reported by enSilo
• Ransomware
• Used for Process Hollowing
BYPASS TECHNIQUES
Heaven’s Gate
[Same call-path diagram as on the Hooking Background slide. With Heaven's Gate the 32-bit code performs the switch to 64-bit mode itself and issues the syscall, skipping the 32-bit ntdll stub as well as wow64cpu and wow64, so hooks in any of those WOW64 layers are never reached.]
BYPASS TECHNIQUES ANALYSIS
Code splicing
BYPASS TECHNIQUES
Code Splicing (a.k.a. Byte Stealing)
• Rebuild function stubs elsewhere: copy the first instructions of the target to memory the malware controls, execute them there and jump back into the original function past the copied bytes, so the hook's jmp at the function entry is never executed
• Commonly used by packers
• CodeFork’s Gamarue, reported by Radware
• Downloader for bots, spamming, miners…
• Copies the first instruction of library functions it uses
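The Inline Hooks slide and the Code Splicing slide are two sides of the same byte arithmetic: the hooking engine steals whole instructions from the prologue, writes a jmp rel32 plus nop padding over them and re-executes the stolen bytes in a trampoline; a byte-stealing packer does exactly the trampoline half and then jumps past the hook. The routine below, added here as an example and not code from the deck, from Gamarue or from any hooking engine, computes both parts for the slide's function_A (0x401000) and hook_A (0x402000). It takes instruction lengths as a disassembler would report them (no length decoder is included) and refuses to steal a relative branch, since copying one verbatim would retarget it.

```c
/* inline_hook_plan.c: compute what an inline hook writes over a function
 * prologue and the trampoline that re-executes the displaced ("stolen")
 * instructions. Added example, not code from the enSilo deck. Addresses and
 * prologue bytes are the ones on the Inline Hooks slide; instruction lengths
 * are supplied as a disassembler would report them. Nothing is patched in
 * memory: the routine only computes the bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5

typedef struct {
    uint8_t patch[16];      size_t patch_len;  /* bytes written over the function start */
    uint8_t trampoline[32]; size_t tramp_len;  /* stolen bytes followed by jmp back */
    size_t  stolen;                            /* how many prologue bytes were displaced */
} hook_plan;

/* rel32 for a jmp located at `at` that should land at `to` (32-bit code).
   Unsigned wrap-around yields the right two's-complement value for backward jumps. */
uint32_t rel32_for(uint32_t at, uint32_t to) { return to - (at + JMP_REL32_LEN); }

static void emit_jmp_rel32(uint8_t *out, uint32_t at, uint32_t to) {
    uint32_t rel = rel32_for(at, to);
    out[0] = 0xE9;
    for (int k = 0; k < 4; k++) out[1 + k] = (uint8_t)(rel >> (8 * k));  /* little-endian imm32 */
}

/* A relative branch copied verbatim would point at the wrong place once moved,
   so refuse to steal one rather than silently corrupt control flow. */
static int is_relative_branch(const uint8_t *insn, size_t len) {
    if (len == 5 && (insn[0] == 0xE8 || insn[0] == 0xE9)) return 1;            /* call/jmp rel32 */
    if (len == 2 && (insn[0] == 0xEB || (insn[0] & 0xF0) == 0x70)) return 1;   /* jmp/jcc rel8 */
    if (len == 6 && insn[0] == 0x0F && (insn[1] & 0xF0) == 0x80) return 1;    /* jcc rel32 */
    return 0;
}

/* Steal whole instructions until at least 5 bytes are covered, pad the patch
   with nops, and build the trampoline. Returns 0 on success, -1 if unsafe. */
int build_inline_hook(const uint8_t *code, const uint8_t *insn_len, size_t ninsn,
                      uint32_t func, uint32_t hook, uint32_t tramp, hook_plan *plan) {
    size_t stolen = 0, i = 0;
    while (stolen < JMP_REL32_LEN && i < ninsn) {
        if (is_relative_branch(code + stolen, insn_len[i])) return -1;
        stolen += insn_len[i++];
    }
    if (stolen < JMP_REL32_LEN || stolen > sizeof plan->patch ||
        stolen + JMP_REL32_LEN > sizeof plan->trampoline) return -1;

    emit_jmp_rel32(plan->patch, func, hook);                            /* jmp hook */
    memset(plan->patch + JMP_REL32_LEN, 0x90, stolen - JMP_REL32_LEN);  /* nop padding */
    plan->patch_len = stolen;

    memcpy(plan->trampoline, code, stolen);                             /* displaced prologue */
    emit_jmp_rel32(plan->trampoline + stolen, tramp + (uint32_t)stolen, func + (uint32_t)stolen);
    plan->tramp_len = stolen + JMP_REL32_LEN;
    plan->stolen = stolen;
    return 0;
}

/* function_A from the slide: push ebp; mov ebp,esp; sub esp,0x40; push eax; mov eax,[esp+0xc] */
static const uint8_t FUNC_A[]     = {0x55, 0x89,0xE5, 0x83,0xEC,0x40, 0x50, 0x8B,0x44,0x24,0x0C};
static const uint8_t FUNC_A_LEN[] = {1, 2, 3, 1, 4};
/* Constructed counter-example: a function that opens with call rel32 cannot be spliced blindly */
static const uint8_t FUNC_CALL[]     = {0xE8,0x00,0x00,0x00,0x00, 0x55};
static const uint8_t FUNC_CALL_LEN[] = {5, 1};

/* The slide's layout: function_A at 0x401000, hook_A (holding the trampoline) at 0x402000. */
const hook_plan *slide_plan(void) {
    static hook_plan plan; static int done = 0, ok = 0;
    if (!done) {
        ok = build_inline_hook(FUNC_A, FUNC_A_LEN, 5, 0x401000u, 0x402000u, 0x402000u, &plan) == 0;
        done = 1;
    }
    return ok ? &plan : NULL;
}
int splice_call_first(void) {
    hook_plan p;
    return build_inline_hook(FUNC_CALL, FUNC_CALL_LEN, 2, 0x401000u, 0x402000u, 0x402000u, &p);
}

static void dump(const char *label, const uint8_t *b, size_t n) {
    printf("%-12s", label);
    for (size_t i = 0; i < n; i++) printf("%02x ", b[i]);
    putchar('\n');
}

int main(void) {
    const hook_plan *p = slide_plan();
    if (!p) return 1;
    dump("patch:", p->patch, p->patch_len);            /* e9 fb 0f 00 00 90 */
    dump("trampoline:", p->trampoline, p->tramp_len);  /* 55 89 e5 83 ec 40 e9 fb ef ff ff */
    printf("call-first prologue: %s\n", splice_call_first() == 0 ? "spliced" : "rejected");
    return 0;
}
```

The rejected case is the practical limit of byte stealing that the Comparison slide records as a drawback: a prologue that begins with a relative call or jump, or with an instruction that reads EIP-relative data, cannot be relocated without fixing it up, and a splicer that does not decode instructions will get it wrong.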
BYPASS TECHNIQUES
Comparison
Technique                   | Runtime indicators                   | Forensic artifacts                              | Drawbacks
Manually Load DLL From Disk | Callstacks missing relevant DLLs     | Floating PE copy in memory                      | Significantly different from the norm
Clone DLL                   | Callstacks with unexpected DLLs      | Changes to file system; identical PEs in memory | Lower level\dependencies can be hooked
Section Remapping           | Multiple mappings of same PE         | Multiple mappings of same PE                    | Can't be used for complex code
NTDLL Parsing               | Callstacks missing ntdll.dll         | -                                               | Limited functionality
Heaven's Gate               | Callstacks missing WOW64 system DLLs | -                                               | Limited functionality
Code Splicing               | -                                    | -                                               | Internal\lower level\dependencies can be hooked
BYPASS TECHNIQUES
Summary
• Used by all sorts of malware families
• Sophisticated actors, though not necessarily APTs
• Usually used to mask the initial steps of execution and the establishing of a foothold
• None of the techniques are actually new
• Some techniques are not as commonly used in the wild
– Unhooking (Flashbang\ReflectiveDLLRefresher): detectable and reversible
– Bring Your Own Indexes (BYOI): version dependent
ANALYSIS AND DETECTION TACTICS
• Events regarding system DLLs can be used as indicators
– Copy, multiple read\load operations
• Check the callstacks
• Place hooks\breakpoints at non-trivial locations
• Randomize as much as you can
• Hook many different layers (“mine” the path)
• Correlate user-mode and kernel-mode data
• Use information provided by the OS (ETW)
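"Check the callstacks" and the runtime-indicator column of the Comparison slide describe one concrete test: at syscall entry, the innermost user-mode return address should lie inside ntdll.dll, and every frame should lie inside some loaded module. The classifier below, added here as an example and not code from the deck or from any product, applies that test to constructed stacks for a hypothetical 64-bit process; the module map and the return addresses are made up for the example, and in practice both would come from the kernel callback or ETW event that captured the stack.

```c
/* stack_check.c: flag user-mode call stacks whose shape betrays a hook bypass.
 * Added example, not code from the enSilo deck. The module map and the return
 * addresses are constructed for a hypothetical 64-bit process; in practice they
 * would come from the kernel callback or ETW event that captured the stack. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { const char *name; uint64_t base, size; } module_t;

/* Constructed loaded-module list (name, base, size) */
static const module_t MODULES[] = {
    {"app.exe",        0x00007FF6A0000000ull, 0x00100000ull},
    {"ntdll.dll",      0x00007FFC12000000ull, 0x001F0000ull},
    {"kernelbase.dll", 0x00007FFC0F000000ull, 0x00300000ull},
    {"kernel32.dll",   0x00007FFC10000000ull, 0x000C0000ull},
};
#define NMODULES (sizeof MODULES / sizeof MODULES[0])
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Name of the module mapped at `addr`, or NULL for memory no image is mapped at
   (heap, a floating PE copy, injected code). */
const char *module_for(uint64_t addr) {
    for (size_t i = 0; i < NMODULES; i++)
        if (addr >= MODULES[i].base && addr < MODULES[i].base + MODULES[i].size)
            return MODULES[i].name;
    return NULL;
}

typedef enum { STACK_OK = 0, STACK_NO_NTDLL = 1, STACK_UNBACKED_FRAME = 2 } verdict_t;

/* frames[0] is the innermost user-mode return address captured at syscall entry.
   Normal: that frame is inside ntdll.dll, because the Nt* stub issued the syscall.
   Direct syscall (NTDLL parsing, Heaven's Gate): the innermost frame lies elsewhere.
   Manually loaded / floating DLL copy: some frame lies in memory backed by no module. */
verdict_t classify_stack(const uint64_t *frames, size_t n) {
    if (n == 0) return STACK_UNBACKED_FRAME;
    for (size_t i = 0; i < n; i++)
        if (module_for(frames[i]) == NULL) return STACK_UNBACKED_FRAME;
    return strcmp(module_for(frames[0]), "ntdll.dll") == 0 ? STACK_OK : STACK_NO_NTDLL;
}

/* Constructed stacks, innermost frame first */
static const uint64_t STACK_NORMAL[] = { 0x00007FFC120A1234ull, 0x00007FFC0F0B5678ull,
                                         0x00007FFC10012345ull, 0x00007FF6A0001000ull };
static const uint64_t STACK_DIRECT[] = { 0x00007FF6A0001234ull, 0x00007FF6A0001000ull }; /* app.exe issued the syscall itself */
static const uint64_t STACK_FLOAT[]  = { 0x0000020A1F001234ull, 0x00007FF6A0001000ull }; /* stub ran from a heap copy of ntdll */

int main(void) {
    static const char *verdict[] = { "ok", "innermost frame not in ntdll.dll", "frame in unbacked memory" };
    printf("normal : %s\n", verdict[classify_stack(STACK_NORMAL, COUNT(STACK_NORMAL))]);
    printf("direct : %s\n", verdict[classify_stack(STACK_DIRECT, COUNT(STACK_DIRECT))]);
    printf("float  : %s\n", verdict[classify_stack(STACK_FLOAT, COUNT(STACK_FLOAT))]);
    return 0;
}
```

Two caveats follow from the Comparison slide. The Clone DLL case is not caught by this check, because the copied kernel32.dll is a legitimately loaded module and its frames are backed; it needs the path of each module compared against the system directory, which is the "callstacks with unexpected DLLs" indicator. And a stack walked from kernel mode can be fed forged frames by the same code that issued the syscall, which is why the slide pairs this check with correlating user-mode and kernel-mode data rather than relying on either alone.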
CLOSING REMARKS
• These are only a handful of examples
• Trivial to implement, simple to use (most have source code available)
• Hardly any recent innovations, yet still very effective
• MITRE ATT&CK doesn’t reference hook bypassing as defense evasion
• Using user-mode hooks for security is not enough
QUESTIONS?
www.breakingmalware.com
LinkedIn: in/omri-misgav
THANK YOU