blackout what really happened
play

Blackout: What Really Happened Jamie Butler and Kris Kendall - PDF document

Mar 16, 2024 •296 likes •901 views

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics User Mode Injection Techniques Example Malware Implementations Kernel Mode Injection Techniques Advanced Code Injection Detection via

  1. Blackout: What Really Happened Jamie Butler and Kris Kendall

  2. Outline � Code Injection Basics � User Mode Injection Techniques � Example Malware Implementations � Kernel Mode Injection Techniques � Advanced Code Injection Detection via Raw Memory Analysis 1-2

  3. Code Injection Basics � “Code Injection” refers to techniques used to run code in the context of an existing process � Motivation: • Evasion: Hiding from automated or human detection of malicious code � IR personnel hunt for malicious processes • Impersonation: Bypassing restrictions enforced on a process level � Windows Firewall, etc � Pwdump, Sam Juicer 1-3

  4. User Mode Injection Techniques � Techniques • Windows API • AppInit_Dll • Detours 1-4

  5. Injecting code via the Windows API � Somewhat surprisingly, the Windows API provides everything you need for process injection � Functions: • VirtualAllocEx() • WriteProcessMemory() • CreateRemoteThread() / • GetThreadContext() SetThreadContext() • SetWindowsHookEx() 1-5

  6. 1. OpenProcess evil.exe (pid = 2222) iexplore.exe (pid = 3333) payload = 0xCC hProc = 400 3 Handle = 400 1 2 OpenProcess(3333) Kernel (via kernel32) 1-6

  7. 2. VirtualAllocEx evil.exe (pid = 2222) iexplore.exe (pid = 3333) New section payload = 0xCC 3 Base address = 0x4000 Size = 256 bytes hProc = 400 5 base = 0x4000 2 VirtualAllocEx( hProc, base = 0x4000 0x4000, 1 4 256, . . .) Kernel (via kernel32) 1-7

  8. 3. WriteProcessMemory evil.exe (pid = 2222) iexplore.exe (pid = 3333) New section payload = 0xCC Base address = 0x4000 Size = 256 bytes hProc = 400 3 0xCC base = 0x4000 2 WriteProcessMemory( hProc, base, 1 payload, 1, …) Kernel (via kernel32) 1-8

  9. 4. CreateRemoteThread evil.exe (pid = 2222) iexplore.exe (pid = 3333) New section payload = 0xCC Base address = 0x4000 Size = 256 bytes hProc = 400 0xCC base = 0x4000 5 ThreadId = 11 New Thread 3 Id = 11 Start Address = 0x4000 CreateRemoteThread( hProc, ThreadId = 11 SecAttribs = NULL, 2 1 4 StackSize = 1024, 0x4000 …) Kernel (via kernel32) 1-9

  10. #Inject an infinite loop into a running process import pydbg k32 = pydbg.kernel32 payload = ‘\xEB\xFE’ pid = int(args[0]) ... h = k32.OpenProcess(PROCESS_ALL_ACCESS,\ False, pid) m = k32.VirtualAllocEx(h, None, 1024,\ MEM_COMMIT,\ PAGE_EXECUTE_READWRITE) k32.WriteProcessMemory(h, m, payload,\ len(payload), None) k32.CreateRemoteThread(h, None, 1024000, m, None, 0, None) 10

  11. Better Payloads � Breakpoints and Loops are fun, but what about real payloads? � If we directly inject code it must be “position independent” � Any addresses that were pre-calculated at compile time would be wrong in the context of a new process 1-11

  12. Better Payloads � Building large position independent payloads is possible, but not trivial � However, DLL injection is much simpler � DLLs are designed to be loaded in a variety of processes, addresses are automatically fixed up when the DLL is loaded 1-12

  13. DLL Injection � Use the basic process we just described � DLLs are loaded using kernel32!LoadLibrary � kernel32 is at the same address in every process � we know its address in the remote process (ignoring ASLR) � Allocate space for the name of the DLL to be loaded, then create a thread with a start address that points to LoadLibrary 1-13

  14. #DLL Injection Excerpt import pydbg k32 = pydbg.kernel32 pid = int(args[0]) dllname = args[1] ... h = k32.OpenProcess(PROCESS_ALL_ACCESS,\ False, pid) m = k32.VirtualAllocEx(h, None, 1024,\ MEM_COMMIT,\ PAGE_EXECUTE_READWRITE) k32.WriteProcessMemory(h, m, dllname,\ len(dllname), None) k32.CreateRemoteThread(h, None, 1024, k32.LoadLibrary, m, 0, None) 14

  15. User Mode API Variants � Rather than create a new remote thread, we can hijack an existing thread using GetThreadContext , SetThreadContext � SetWindowsHookEx can also be used to inject a DLL into a single remote process, or every process running on the current Desktop 1-15

  16. SetWindowsHookEx � SetWindowsHookEx defines a hook procedure within a DLL that will be called in response to specific events � Example events: WH_KEYBOARD, WH_MOUSE, WH_CALLWNDPROC, WH_CBT � Whenever the hooked event is first fired in a hooked thread, the specified DLL is be loaded 1-16

  17. Permissions and Security � To open a process opened by another user (including SYSTEM), you must hold the SE_DEBUG privilege � Normally SE_DEBUG is only granted to member of the Administrator group � However, even if you are running as a normal user, malware can still inject into another process that you own 1-17

  18. Injecting code via AppInit_DLLs � The AppInit_DLLs registry value provides another convenient method of DLL injection 1-18

  19. Injecting code via Detours � Detours is a library developed by Microsoft Research in 1999 � The library uses the same techniques already described, wrapped up in slick package 1-19

  20. Detours Features � Function hooking in running processes � Import table modification � Attaching a DLL to an existing program file � Detours comes with great sample programs: • Withdll • Injdll • Setdll • Traceapi 1-20

  21. Setdll � Detours can add a new DLL to an existing binary on disk. How? � Detours creates a section named “.detours” between the export table and debug symbols � The .detours section contains the original PE header, and a new IAT � Detours modifies the PE header to point at the new IAT (reversible) 1-21

  22. 1-22 Setdll Demo

  23. 1-23 Setdll Demo

  24. Avoiding the Disk � When we perform DLL injection, LoadLibrary expects the DLL to be on the disk (or at least an SMB share) � The Metasploit project eliminates this requirement using a clever hooking strategy � By hooking functions that are involved in reading the file from disk, they fool Windows into thinking the DLL is on disk 1-24

  25. Meterpreter � Hook � Call LoadLibrary � Unhook � Hooked functions: • NtMapViewOfSection • NtQueryAttributesFile • NtOpenFile • NtCreateSection • NtOpenSection � See remote_dispatch.c and libloader.c in MSF 3.0 1-25

  26. 1-26 Meterpreter Demo

  27. Poison Ivy RAT � Tons of malware uses Code Injection � We’ll quickly dig into the details of one example 1-27

  28. 1-28 Poison Ivy Capabilities

  29. Step 1: Inject to Explorer � Poison Ivy client immediately injects to Explorer and then exits � Output from WinApiOverride32 for pi.exe 1-29

  30. Step 2: Inject again to msnmsgr.exe � Explorer.exe injected code then injects again… � Interestingly, PI does not grab the SE_DEBUG privilege, so we can’t inject in many existing processes � Output from WinApiOverride32 for explorer.exe 1-30

  31. 1-31 Did it Work?

  32. 1-32 Where is the evil?

  33. 1-33 Kernel Process Injection

  34. Two Halves of the Process � User land processes are comprised of two parts • Kernel Portion � EPROCESS and KPROCESS � ETHREAD and KTHREAD � Token � Handle Table � Page Tables � Etc. 1-34

  35. Two Halves of the Process � User land Portion • Process Environment Block (PEB) • Thread Environment Block (TEB) • Windows subsystem (CSRSS.EXE) • Etc. 1-35

  36. Kernel Process Injection Steps � Must find suitable target • Has a user land portion • Has kernel32.dll and/or ntdll.dll loaded in its address space • Has an alterable thread (unless hijacking an existing thread) � Allocate memory in target process � Write the equivalent of “shellcode” that calls LoadLibrary � Cause a thread in the parent to execute newly allocated code • Hijack an existing thread • Create an APC 1-36

  37. Allocate memory in parent process � Change virtual memory context to that of the target • KeAttachProcess/KeStackAttachProcess • ZwAllocateVirtualMemory � (HANDLE) -1 means current process � MEM_COMMIT � PAGE_EXECUTE_READWRITE 1-37

  38. Creating the Shellcode � “shellcode” that calls LoadLibrary • Copy function parameters into address space • Pass the address of function parameters to calls • Can use the FS register � FS contains the address of the TEB � TEB has a pointer to the PEB � PEB has a pointer to the PEB_LDR_DATA � PEB_LDR_DATA contains all the loaded DLLs 1-38

  39. Creating the Shellcode � As an alternative to using the FS register • Find the address of ntdll.dll from the driver • Parse its exports section • Does not work with all DLLs � Only address of ntdll.dll returned by ZwQuerySystemInformation 1-39

  40. Thread Hijacking � Cause a thread in the parent to execute newly allocated code - Hijack an existing thread • Locate a thread within the parent process • Change its Context record • Change Context record back when done � Problems: • Low priority threads • Blocked threads • Changing Context back 1-40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

I mpacts and Actions Resulting from the August 14, 2003 Blackout David W. Hilt P.E. July 29,

I mpacts and Actions Resulting from the August 14, 2003 Blackout David W. Hilt P.E. July 29,

I mpacts and Actions Resulting from the August 14, 2003 Blackout David W. Hilt P.E. July 29, 2006 Illinois Society of Professional Engineers August 14, 2003 What Happened? O ttawa Montreal Toronto Buffalo Detroit Toledo Cleveland

724 views • 59 slides
Station Blackout and Advanced Accident Mitigation (B.5.b) Overview Pat Hiland, Director

Station Blackout and Advanced Accident Mitigation (B.5.b) Overview Pat Hiland, Director

Station Blackout and Advanced Accident Mitigation (B.5.b) Overview Pat Hiland, Director Division of Engineering Office of Nuclear Reactor Regulation April 28, 2011 Station Blackout Background WASH-1400, Reactor Safety Study, issued

250 views • 24 slides
KRISTA BOAN WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT,

KRISTA BOAN WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT,

KRISTA BOAN WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? 1 in 5 children have mental health problems 43% increase in ADHD 37% increase in teen

552 views • 19 slides
Outline What is a blackout? and how do we deal with them? What is Resource Adequacy?

Outline What is a blackout? and how do we deal with them? What is Resource Adequacy?

Power Plant Investment and Electricity Restructuring James Bushnell University of California Energy Institute www.ucei.berkeley.edu Outline What is a blackout? and how do we deal with them? What is Resource Adequacy? whos

357 views • 6 slides
What- -Really Really- -Happened Happened What according to most people, history is

What- -Really Really- -Happened Happened What according to most people, history is

What- -Really Really- -Happened Happened What according to most people, history is what really happened in the past but our understanding of history is often based on the testimony of witnesses and different people see

290 views • 18 slides
What Happened to me Neuromyelitis Optica happened to me that's what! Diagnosed Edinburgh

What Happened to me Neuromyelitis Optica happened to me that's what! Diagnosed Edinburgh

Irene Wilson - Group Leader UK Mastocytosis Charity What Happened to me Neuromyelitis Optica happened to me that's what! Diagnosed Edinburgh January 2013 Aguaporin 4 antibody positive 6 lots of Plasma Exchange now on Azathioprine

349 views • 5 slides
New Regulations Under Sarbanes-Oxley Retirement Plan Blackout Periods: Trading Prohibition and

New Regulations Under Sarbanes-Oxley Retirement Plan Blackout Periods: Trading Prohibition and

BUSINESS DEPARTMENT E-NEWS ALERT FEBRUARY 25, 2003 New Regulations Under Sarbanes-Oxley Retirement Plan Blackout Periods: Trading Prohibition and Notice Requirements On July 30, 2002, President Bush signed into law the Public Company

368 views • 4 slides
Equity Awards: Design Tips for Navigating Blackout Periods Presentation for: Presentation by:

Equity Awards: Design Tips for Navigating Blackout Periods Presentation for: Presentation by:

Equity Awards: Design Tips for Navigating Blackout Periods Presentation for: Presentation by: Executive Compensation Webinar Series Anthony J. Eppert February 14, 2019 AnthonyEppert@HuntonAK.com 713.220.4276 Housekeeping: Technical Issues

791 views • 24 slides
Blackout Poetry The act of redacting words from printed sources to purposely create new

Blackout Poetry The act of redacting words from printed sources to purposely create new

Blackout Poetry The act of redacting words from printed sources to purposely create new meaning. Requirements The words have to make sense together, or have been chosen for emphasis. If the page from the book is small, the

268 views • 8 slides
75 # What happened What went well What needs improvement To your questions Additional Q&A

75 # What happened What went well What needs improvement To your questions Additional Q&A

75 # What happened What went well What needs improvement To your questions Additional Q&A if time permits How might we Curated Q&A per the questions received from What happened IxDA Berlin delivered their fj rst virtual event

1.06k views • 68 slides
Area Marquee Hire Spring Conference 2009 Birmingham 10/03/2009 CC Hire Stock 3m Bay

Area Marquee Hire Spring Conference 2009 Birmingham 10/03/2009 CC Hire Stock 3m Bay

Area Marquee Hire Spring Conference 2009 Birmingham 10/03/2009 CC Hire Stock 3m Bay Blackout & Starlight 6m, 9m, 12m & 15m span 5m Bay Blackout & Starlight 5m Bay Blackout & Starlight 15m, 20m 25m & 30m

717 views • 30 slides
Joint U.S.-Canada Power System Outage Investigation Interim Report Causes of the August 14 th

Joint U.S.-Canada Power System Outage Investigation Interim Report Causes of the August 14 th

Joint U.S.-Canada Power System Outage Investigation Interim Report Causes of the August 14 th Blackout in the United States and Canada 1 Overview The report What caused the blackout? Reliability management What didnt cause

462 views • 28 slides
The Invest in Kids Act: Tax Credit Scholarships What happened on January 31 st ? What is the

The Invest in Kids Act: Tax Credit Scholarships What happened on January 31 st ? What is the

The Invest in Kids Act: Tax Credit Scholarships What happened on January 31 st ? What is the recovery plan? OCS Leadership Day University of St. Mary of the Lake February 16, 2018 Agenda Review what happened on January 31 st

761 views • 29 slides
2016 legislative update what happened? whats next? What happened? K12 F UNDING 2017 General

2016 legislative update what happened? whats next? What happened? K12 F UNDING 2017 General

B O A L R O D O S H A C S S S O A SCHOOL 2016 C N I A I W L T O I LA O R N A C H CONFERENCE 6 T U 1 0 O 2 S , 8 2 A - 7 U 2 G T U S 2016 legislative update what happened? whats next?

548 views • 15 slides
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer rosettaflash.com bitiodine.net Recap what happened last year Summary CSP is mostly used to

591 views • 47 slides
1 What happened Spring 2020? Moved to virtual visits some institutions having only a few

1 What happened Spring 2020? Moved to virtual visits some institutions having only a few

HLC Guidance in the COVID Era Information for the Michigan Community College Data and Evaluation Committee Conference Linnea A. Stenson, Ph.D. VP for Accreditation Relations Higher Learning Commission| August 4, 2020 1 What happened at HLC?

496 views • 7 slides
50 YEARS OF PTH RESEARCH AT MGH: John T. Potts, M.D. Massachusetts General Hospital Harvard

50 YEARS OF PTH RESEARCH AT MGH: John T. Potts, M.D. Massachusetts General Hospital Harvard

A PERSONAL PERSPECTIVE ON 50 YEARS OF PTH RESEARCH AT MGH: John T. Potts, M.D. Massachusetts General Hospital Harvard Medical School Lawrence Raisz Memorial New England Bone Club October 31 st , 2014 Historical Overview Hyperparathyroidism

620 views • 34 slides
Writing in plain English North West Medicines Information Centre Plain English? A singular

Writing in plain English North West Medicines Information Centre Plain English? A singular

Writing in plain English North West Medicines Information Centre Plain English? A singular specimen of the scientific class aves contained within the boundaries of the upper prehensile is equivalently valuable as a doubled inventory of that

1.63k views • 40 slides
Share Buybacks July 24, 2018 Agenda Stock repurchase alternatives and an overview Rule

Share Buybacks July 24, 2018 Agenda Stock repurchase alternatives and an overview Rule

Share Buybacks July 24, 2018 Agenda Stock repurchase alternatives and an overview Rule 10b-18 basics Accelerated share repurchases Securities law issues Accounting treatment Conclusion 2 Repurchase Options Overview

659 views • 52 slides
LABEL PRESENTATION Mexico Never Stop Music is a Mexico City-based independent electronic record

LABEL PRESENTATION Mexico Never Stop Music is a Mexico City-based independent electronic record

GENRE CONTACT Techno, Electro House, Indie Dance. Never Stop Music Dalias #21 04890 Mexico City LABEL PRESENTATION Mexico Never Stop Music is a Mexico City-based independent electronic record label focused princi- Phone: pally on genres

332 views • 5 slides
Cascading Failures in Power Grids - Analysis and Algorithms Saleh Soltan 1 , Dorian Mazaruic 2 ,

Cascading Failures in Power Grids - Analysis and Algorithms Saleh Soltan 1 , Dorian Mazaruic 2 ,

Cascading Failures in Power Grids - Analysis and Algorithms Saleh Soltan 1 , Dorian Mazaruic 2 , Gil Zussman 1 1 Electrical Engineering, Columbia University 2 INRIA Sophia Antipolis Cascading Failures in Power Grids Power grids rely on

866 views • 37 slides
Go-Live Kickoff Presentation Friday, January 22, 2010 Capitol Theatre January 22, 2010 MITS

Go-Live Kickoff Presentation Friday, January 22, 2010 Capitol Theatre January 22, 2010 MITS

Go-Live Kickoff Presentation Friday, January 22, 2010 Capitol Theatre January 22, 2010 MITS Go-Live Kickoff Presentation 1 Agenda 1. Welcome and Introductions ODJFS Director Doug Lumpkin OBM Director Pari Sabety State CIO

488 views • 30 slides
Voucher and Payment Processing State Expenditures Sam Blumenthal, Alexis Bolesky, Janel

Voucher and Payment Processing State Expenditures Sam Blumenthal, Alexis Bolesky, Janel

10/17/2019 Voucher and Payment Processing State Expenditures Sam Blumenthal, Alexis Bolesky, Janel Carey, Jenna Hanzel, Cullen Spang, Rachel Zendran 1 1 Voucher Audit Team Who are we? What do we do? voucherauditmailbox@osc.ny.gov 2

86 views • 8 slides
Virginia Housing Development Authority Our Mission is to help low and moderate-income Virginians

Virginia Housing Development Authority Our Mission is to help low and moderate-income Virginians

Virginia Housing Development Authority Our Mission is to help low and moderate-income Virginians attain quality, affordable housing. 877-VHDA-123 | vhda.com Virginia Housing Development Authority This PowerPoint presentation will be posted

788 views • 54 slides

More recommend