Professional Documents
Culture Documents
ENSILO.COM
ABOUT US
• Omri Misgav
– Security Research Team Leader @ enSilo
– Reverse Engineering, OS internals
• Udi Yavo
– CTO & Co-Founder @ enSilo
– Former CTO, Rafael Cyber Security Division
– Past speaker in Blackhat and RSA
2 // ENSILO.COM
AGENDA
3 // ENSILO.COM
INTRO
• Hooking is used to intercept function calls in order to alter or augment their behavior
• User-mode hooks are used in many security products and tools
– AVs\NGAVs
– EDRs
– Sandboxes
– DLPs
– And more…
• Why?
– Stable, simple (nevertheless, not without faults)
– Lack of Patch Protection
– Full context
• Bypasses exist for a very long time
• Last ~1.5 years there’s an increasing number of reports (malware and pentesters)
4 // ENSILO.COM
HOOKING BACKGROUND
Kernel32!ReadProcessMemory
kernel32!CreateProcessA
KernelBase!ReadProcessMemory
kernel32!CreateProcessInternalA
ntdll!NtReadVirtualMemory
kernel32!CreateProcessInternalW User wow64cpu!X86SwitchTo64BitMode
WOW64
ntdll!NtCreateUserProcess wow64!Wow64SystemServiceEx
Kernel
ntdll!NtReadVirtualMemory
ntoskrnl!...
Kernel ntoskrnl!...
ntoskrnl!NtCreateUserProcess
ntoskrnl!NtCreateUserProcess
ntoskrnl!... ntoskrnl!...
5 // ENSILO.COM
HOOKING BACKGROUND
Inline Hooks
function_B: function_B:
0x403000: 55 push ebp 0x403000: cc int 3
0x403001: 89 e5 mov ebp, esp 0x403001: 89 e5 mov ebp, esp
0x403003: 83 ec 50 sub esp, 0x50 0x403003: 83 ec 50 sub esp, 0x50
0x403006: … 0x403006: …
6 // ENSILO.COM
BYPASS TECHNIQUES ANALYSIS
Secondary DLL mapping
7 // ENSILO.COM
BYPASS TECHNIQUES
Manually Load DLL From Disk
8 // ENSILO.COM
BYPASS TECHNIQUES
Manually Load DLL From Disk
9 // ENSILO.COM
BYPASS TECHNIQUES
Manually Load DLL From Disk
10 // ENSILO.COM
BYPASS TECHNIQUES
Clone DLL
• CopyFile() + LoadLibrary()
11 // ENSILO.COM
BYPASS TECHNIQUES
Clone DLL
12 // ENSILO.COM
BYPASS TECHNIQUES
Clone DLL
13 // ENSILO.COM
BYPASS TECHNIQUES
Section Remapping
14 // ENSILO.COM
BYPASS TECHNIQUES
Section Remapping
15 // ENSILO.COM
BYPASS TECHNIQUES ANALYSIS
Direct system call invocation
16 // ENSILO.COM
BYPASS TECHNIQUES
NTDLL Parsing
17 // ENSILO.COM
BYPASS TECHNIQUES
NTDLL Parsing
18 // ENSILO.COM
BYPASS TECHNIQUES
NTDLL Parsing
Kernel32!ReadProcessMemory
kernel32!CreateProcessA
KernelBase!ReadProcessMemory
kernel32!CreateProcessInternalA
ntdll!NtReadVirtualMemory
kernel32!CreateProcessInternalW User wow64cpu!X86SwitchTo64BitMode
WOW64
ntdll!NtCreateUserProcess wow64!Wow64SystemServiceEx
Kernel
ntdll!NtReadVirtualMemory
ntoskrnl!...
Kernel ntoskrnl!...
ntoskrnl!NtCreateUserProcess
ntoskrnl!NtCreateUserProcess
ntoskrnl!... ntoskrnl!...
19 // ENSILO.COM
BYPASS TECHNIQUES
Heaven’s Gate
20 // ENSILO.COM
BYPASS TECHNIQUES
Heaven’s Gate
21 // ENSILO.COM
BYPASS TECHNIQUES
Heaven’s Gate
Kernel32!ReadProcessMemory
kernel32!CreateProcessA
KernelBase!ReadProcessMemory
kernel32!CreateProcessInternalA
ntdll!NtReadVirtualMemory
kernel32!CreateProcessInternalW User wow64cpu!X86SwitchTo64BitMode
WOW64
ntdll!NtCreateUserProcess wow64!Wow64SystemServiceEx
Kernel
ntdll!NtReadVirtualMemory
ntoskrnl!...
Kernel ntoskrnl!...
ntoskrnl!NtCreateUserProcess
ntoskrnl!NtCreateUserProcess
ntoskrnl!... ntoskrnl!...
22 // ENSILO.COM
BYPASS TECHNIQUES ANALYSIS
Code splicing
23 // ENSILO.COM
BYPASS TECHNIQUES
Code Splicing (a.k.a. Byte Stealing)
24 // ENSILO.COM
BYPASS TECHNIQUES
Code Splicing (a.k.a. Byte Stealing)
25 // ENSILO.COM
BYPASS TECHNIQUES
Code Splicing (a.k.a. Byte Stealing)
26 // ENSILO.COM
BYPASS TECHNIQUES
Comparison
27 // ENSILO.COM
BYPASS TECHNIQUES
Summary
28 // ENSILO.COM
ANALYSIS AND DETECTION TACTICS
29 // ENSILO.COM
CLOSING REMARKS
30 // ENSILO.COM
QUESTIONS?
www.breakingmalware.com
omri@ensilo.com in/omri-misgav
31 // ENSILO.COM
THANK YOU
www.breakingmalware.com
omri@ensilo.com in/omri-misgav