THE MALICIOUS INTELLIGENCE FROM BEHIND THE INSTRUCTION CODES AND THE ARTIFACTS IN MEMORY
Classical Windows attack vector
➡ Exploiting Registry keys, hijacking autorun properties of the system even
without user clicking on “autostart”.
➡ Exploiting DLL injection
➡ Exploiting services
➡ Exploiting .exe (lsass.exe, explorer.exe)
➡ Exploiting ATOMS TABLES
➡ Creating names using ASLR
Windows Graphical User Interface
➡ The Windows system has memory usage control features handled through a process. This methodological approach is called synchronization object.
➡ When a new process is created (threads and handles) the allocation of memory property of a mutant object is negotiated to give access to available memory.
➡ This is crucial for Windows to run and is also crucial so that malware can be persistent in the system without attracting attention. An example is the Advanced malware that use the ATOMS TABLE to persist in the Windows system.
ATOMS Table
➡ An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.
➡ Address region 0x0001 > 0xBFFF
➡ Malware manipulates ATOMS table with empty class name “ ”
Mutex and Atom Table
➡ Mutex (mutually exclusive) are objects that negotiate synchronization of memory between threads (resume).
➡ Atoms are strings that be shared between processes in the same session.
➡ Malware persistence can be done using mutex objects or Atoms.
The malware persistence
➡ Exploitation of system resources to obtain privileges and analyzing algorithms for data capture.
➡ Research for callbacks (and change callbacks).
➡ Exploring system subclasses to create new process.
➡ Injection code in DLLs to attack explorer.exe.
➡ Enumerating object types to create new objects.
Windows internals SDV/KMDF
Windows System routines
Windows works with kernel callbacks. A simple callback implements routines to call drivers. According to Microsoft [1] PsSetCreateProcessNotifyRoutine routine adds a driver-supplied callback routine to (or removes it from) a list of routines to be called whenever a process is created or deleted.
Windows callbacks
Windows has an array of callback objects PspCreateProcessNotifyRoutine. Malware can substitute the internal pointer PspCreateProcessNotifyRoutine to remove all registered callbacks and it is free to create and terminate processes. [2]
A normal callback
NTSTATUS PsSetCreateProcessNotifyRoutine(
_In_ PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
_In_ BOOLEAN Remove
);
A not normal callback
NTSTATUS PsSetCreateProcessNotifyRoutine(
_In_ PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
_In_ BOOLEAN(“ ”) Remove_equal_0
);
Malware can manipulate callbacks
A malware can intend to clean up the number of callbacks per function.
For example: in an array, callbacks starting in address PspCreateProcessNotifyRoutine in a clean WXPSP2 the maximum callbacks is 8 per function [2] AND thread pool has a maximum of 512 threads per process [7].
Numbers of callbacks (SDV)
Compromised Windows internals SDV/KMDF
Duplicate callback code
EVT_WDF_CHILD_LIST_IDENTIFICATION_DESCRIPTION_DUPLICATE
EvtChildListIdentificationDescriptionDuplicate;
NTSTATUS EvtChildListIdentificationDescriptionDuplicate(
_In_ WDFCHILDLIST ChildList,
_In_ PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER SourceIdentificationDescription,
_Out_ PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER DestinationIdentificationDescription
)
{ ... }
Cleanup callback function
EVT_WDF_OBJECT_CONTEXT_CLEANUP EvtCleanupCallback;
VOID EvtCleanupCallback(
_In_ WDFOBJECT Object
)
{ ... }
Destroy callback function
EVT_WDF_OBJECT_CONTEXT_DESTROY EvtDestroyCallback;
VOID EvtDestroyCallback(
_In_ WDFOBJECT Object
)
{ ... }
A Typical Hijacking
A typical browser hijacking uses the callback procedure even if your browser is clean and has no historical or internet entries. But the key point is that the browser hijacking changes the Registry exploring the GUI subsystems in the key Run process.
Windows GUI Interface
Windows GUI Interface
Malware infection (Run)
Malware infection (Run Once)
Research Callbacks (Stuxnet)
NTSTATUS IoRegisterFsRegistrationChange(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PDRIVER_FS_NOTIFICATION DriverNotificationRoutine
);
Callback infected Ntifs.h
➡ To define a DriverFSNotificationRoutine callback routine that is named MyDriverNotification, you must first provide a function declaration that the Static Driver Verify (SDV) and other verification tools require, as follows:
➡ DRIVER_FS_NOTIFICATION MyDriverFSNotification;
➡ And then implement your callback routine as follows:
➡ typedef VOID DRIVER_FS_NOTIFICATION
➡ ( __in struct _DEVICE_OBJECT *.*DeviceObject, __in BOOLEAN FsActive );
➡ typedef DRIVER_FS_NOTIFICATION *.*PDRIVER_FS_NOTIFICATION;
Stuxnet vector attack
➡ Stuxnet malware uses Windows GUI architecture to create crafted names.
➡ Stuxnet creates its own process (lsass.exe).
➡ Stuxnet manipulates Windows DLLs to gain privileges and create infected processes.
Analyzing Stuxnet behavior
Volatility dlllist | findstr ASLR
Stuxnet’s infection flux
Volatility ldrmodules process lsass.exe PID 868 output
Stuxnet bypassing behavior blocking and heuristic
Volatility plugins to analyze malware persistence
Magania Enumerating object types
Magania Ransomware known as Win32/Magania was classified as a severely dangerous malware [5]. The infection attacks explore.exe object starting with ATOMS Table.
See Magania Report Debugging for full table.
Magania control over the data structure of W7x32
Magania Ransomware takes control of data structures (create/delete/rename).
Sample output in hexadecimal
Magania can enumerate objects in W7x32
Magania tries to gain privileges in Windows (create/delete/edit)
Magania can import modules in W7x32
Debugging Magania
When we try to debug Magania, some files are created in the host.
Hierarchical reg calls
In this infection experiment in a W7x32 machine we see this dll (maybe a memory crash caused by Magania -- but not sure about it. need to research more).
Classical Windows attack vector
➡ Exploiting Registry keys, hijacking autorun properties of the system even
without user clicking on “autostart”.
➡ Exploiting DLL injection
➡ Exploiting services
➡ Exploiting .exe (lsass.exe, explorer.exe)
➡ Exploiting ATOMS TABLES
➡ Creating names using ASLR
Windows Graphical User Interface
➡ The Windows system has memory usage control features handled through a process. This methodological approach is called synchronization object.
➡ When a new process is created (threads and handles) the allocation of memory property of a mutant object is negotiated to give access to available memory.
➡ This is crucial for Windows to run and is also crucial so that malware can be persistent in the system without attracting attention. An example is the Advanced malware that use the ATOMS TABLE to persist in the Windows system.
ATOMS Table
➡ An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.
➡ Address region 0x0001 > 0xBFFF
➡ Malware manipulates ATOMS table with empty class name “ ”
Mutex and Atom Table
➡ Mutex (mutually exclusive) are objects that negotiate synchronization of memory between threads (resume).
➡ Atoms are strings that be shared between processes in the same session.
➡ Malware persistence can be done using mutex objects or Atoms.
The malware persistence
➡ Exploitation of system resources to obtain privileges and analyzing algorithms for data capture.
➡ Research for callbacks (and change callbacks).
➡ Exploring system subclasses to create new process.
➡ Injection code in DLLs to attack explorer.exe.
➡ Enumerating object types to create new objects.
Windows internals SDV/KMDF
Windows System routines
Windows works with kernel callbacks. A simple callback implements routines to call drivers. According to Microsoft [1] PsSetCreateProcessNotifyRoutine routine adds a driver-supplied callback routine to (or removes it from) a list of routines to be called whenever a process is created or deleted.
Windows callbacks
Windows has an array of callback objects PspCreateProcessNotifyRoutine. Malware can substitute the internal pointer PspCreateProcessNotifyRoutine to remove all registered callbacks and it is free to create and terminate processes. [2]
A normal callback
NTSTATUS PsSetCreateProcessNotifyRoutine(
_In_ PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
_In_ BOOLEAN Remove
);
A not normal callback
NTSTATUS PsSetCreateProcessNotifyRoutine(
_In_ PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
_In_ BOOLEAN(“ ”) Remove_equal_0
);
Malware can manipulate callbacks
A malware can intend to clean up the number of callbacks per function.
For example: in an array, callbacks starting in address PspCreateProcessNotifyRoutine in a clean WXPSP2 the maximum callbacks is 8 per function [2] AND thread pool has a maximum of 512 threads per process [7].
Numbers of callbacks (SDV)
Compromised Windows internals SDV/KMDF
Duplicate callback code
EVT_WDF_CHILD_LIST_IDENTIFICATION_DESCRIPTION_DUPLICATE
EvtChildListIdentificationDescriptionDuplicate;
NTSTATUS EvtChildListIdentificationDescriptionDuplicate(
_In_ WDFCHILDLIST ChildList,
_In_ PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER SourceIdentificationDescription,
_Out_ PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER DestinationIdentificationDescription
)
{ ... }
Cleanup callback function
EVT_WDF_OBJECT_CONTEXT_CLEANUP EvtCleanupCallback;
VOID EvtCleanupCallback(
_In_ WDFOBJECT Object
)
{ ... }
Destroy callback function
EVT_WDF_OBJECT_CONTEXT_DESTROY EvtDestroyCallback;
VOID EvtDestroyCallback(
_In_ WDFOBJECT Object
)
{ ... }
A Typical Hijacking
A typical browser hijacking uses the callback procedure even if your browser is clean and has no historical or internet entries. But the key point is that the browser hijacking changes the Registry exploring the GUI subsystems in the key Run process.
Windows GUI Interface
Windows GUI Interface
Malware infection (Run)
Malware infection (Run Once)
Research Callbacks (Stuxnet)
NTSTATUS IoRegisterFsRegistrationChange(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PDRIVER_FS_NOTIFICATION DriverNotificationRoutine
);
Callback infected Ntifs.h
➡ To define a DriverFSNotificationRoutine callback routine that is named MyDriverNotification, you must first provide a function declaration that the Static Driver Verify (SDV) and other verification tools require, as follows:
➡ DRIVER_FS_NOTIFICATION MyDriverFSNotification;
➡ And then implement your callback routine as follows:
➡ typedef VOID DRIVER_FS_NOTIFICATION
➡ ( __in struct _DEVICE_OBJECT *.*DeviceObject, __in BOOLEAN FsActive );
➡ typedef DRIVER_FS_NOTIFICATION *.*PDRIVER_FS_NOTIFICATION;
Stuxnet vector attack
➡ Stuxnet malware uses Windows GUI architecture to create crafted names.
➡ Stuxnet creates its own process (lsass.exe).
➡ Stuxnet manipulates Windows DLLs to gain privileges and create infected processes.
Analyzing Stuxnet behavior
Volatility dlllist | findstr ASLR
Stuxnet’s infection flux
Volatility ldrmodules process lsass.exe PID 868 output
Stuxnet bypassing behavior blocking and heuristic
Malware trying to replace _ETHREAD (this is not Stuxnet)
A vulnerable server code (Windows)
from threading import Thread
from socket import socket, AF_INET, SOCK_STREAM
def echo_client(sock, client_addr):
# #
sock sendall(msg)
print(‘Client closed connection’)
sock.close()
import time
def myfunc(i):
print "sleeping 5 sec from thread %d" % i
time.sleep(5)
print "finished sleeping from thread %d" % i
for i in range(10):
t = Thread(target=myfunc, args=(i,))
t.start()
while true
client_sock, client_addr = sock.accept()
t = Thread(target=echo_client, args=(client_sock, cleint_addr))
t.daemon
t.start
echo_server((‘’,15000))
This Python code is vulnerable because malware can manipulate the numbers of threads to an infinite number of threads. This causes a stack overflow in PsSetCreateThreadNotifyRoutine. This may cause BSOD.
Malware exploitation techniques
The exploitation of system resources to obtain privileges and analyze algorithms for data capture. In this case, we have gained privilege entropy:
H=(NPExAPI)/PE
PE=PORTABLE EXECUTABLE
API= affected APIs
H= entropy
Malware approach
Modern malware can search the memory address of routines in Windows system architecture. Since the memory addresses are identified the process overwriting is done by malicious code in
PsSetCreateProcessNotifyRoutine
or
PsSetCreateThreadNotifyRoutine.
Try manipulating W10 BuildNumber
}
else
{
if ((signed _int16)NtBuildeNumber != 10586 && (signed__int16)NtBuilderNumber != *.*)
return 0;
v= 0x295A
}
Try manipulating W7 BuildNumber
}
else
{
if ((signed _int16)NtBuildeNumber != 7601 && (signed__int16)NtBuilderNumber != *.* )
return 0;
v= 0x1DB1;
}
Try manipulating WXPSP2 BuildNumber
}
else
{
if ((signed _int16)NtBuildeNumber != 2600 && (signed__int16)NtBuilderNumber != 3790 )
return 0;
v4= 0xBFu;
v3= 0x57u;
}
Mutex
➡ Windows OS defines mutant objects as shared resource to multiple access threads [1]. Only one thread can
own a mutex object at the same time.
➡ HANDLE WINAPI CreateMutexEx( _In_opt_ LPSECURITY_ATTRIBUTES
lpMutexAttributes, _In_opt_ LPCTSTR lpName, _In_ DWORD
dwFlags, _In_ DWORD dwDesiredAccess );
Malware can change a DWORD size implementing an algorithm with arithmetic progression, for example, or a pattern of number, or still with a static number (+2)
➡ A security object attribute is created to control the size
typedef struct _SECURITY_ATTRIBUTES {
DWORD nLength;
LPVOID lpSecurityDescriptor;
BOOL bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;
The Null size does not permit a child process to inherit a mutex handle (or, in other words, shared section).
Synchronization Object (Windows Security Model [1])
Malware can overwrite pointers when leveraging MmGetSystemRoutineAddress and hooks address in GUI creating a new module.
Volatility plugins to analyze malware persistence
Magania Enumerating object types
Magania Ransomware known as Win32/Magania was classified as a severely dangerous malware [5]. The infection attacks explore.exe object starting with ATOMS Table.
See Magania Report Debugging for full table.
Magania control over the data structure of W7x32
Magania Ransomware takes control of data structures (create/delete/rename).
Sample output in hexadecimal
Magania can enumerate objects in W7x32
Magania tries to gain privileges in Windows (create/delete/edit)
Magania can import modules in W7x32
Debugging Magania
When we try to debug Magania, some files are created in the host.
Hierarchical reg calls
In this infection experiment in a W7x32 machine we see this dll (maybe a memory crash caused by Magania -- but not sure about it. need to research more).