![Reflective DLL Injection
▪ DLL that maps itself into memory - original design and code by Steven Fewer [1]
▪ Handy from attacker perspective - makes for a ‘dumb’ injector
▪ No longer have to code in assembly (like PI)
▪ Very common technique (ex: meterpreter, powershell empire)
▪ Allocate memory, map sections, resolve imports, fixup relocations, call entry
[1] https://github.com/stephenfewer/ReflectiveDLLInjection](https://image.slidesharecdn.com/desimoneatkinson-170612214426/85/Taking-Hunting-to-the-Next-Level-Hunting-in-Memory-11-320.jpg)
![Memory Module
▪ Similar to Reflective technique, except loader does all the work [1]
▪ Payload DLL doesn’t need any special modifications
▪ Loader re-implements LoadLibrary(), but works on a buffer in memory
▪ Can map into local or remote process [2]
▪ Typical implementations avoid RWX
[1] Memory Module - https://github.com/fancycode/MemoryModule
[2] Manual Map - https://github.com/DarthTon/Blackbone](https://image.slidesharecdn.com/desimoneatkinson-170612214426/85/Taking-Hunting-to-the-Next-Level-Hunting-in-Memory-14-320.jpg)
Taking Hunting to the Next Level: Hunting in Memory
- 1. June 12, 2017 Hunting In Memory Jared Atkinson, Joe Desimone
- 2. Who are we ▪ Jared Atkinson • Defensive Service Technical Director - Specter Ops • Microsoft Cloud and Datacenter Management MVP (PowerShell) • Lead Developer PowerForensics ▪ Joe Desimone • Senior Malware Researcher - Endgame • Developer, Hunter, Reverse Engineer
- 3. Overview ▪ Why hunting in memory is important ▪ Memory based attacker techniques ▪ Existing tools and approaches ▪ New powershell tool for hunting at scale
- 4. Importance of Memory Hunting ▪ Memory resident malware has been in use for over a decade, and is now ubiquitous ▪ Once a staple of ‘APT’; now commonplace for crimeware ▪ Designed to evade PSPs and YOU ▪ Great signal to noise ratio; easy button hunting
- 5. Attacker Techniques ▪ Classic memory/shellcode injection ▪ Reflective DLLs ▪ Memory Module ▪ Process and Module Hollowing ▪ PEB Unlinking ▪ Gargoyle (ROP/APCs)
- 6. Classic Injection ▪ OpenProcess - Grab handle to target process ▪ VirtualAllocEx - Allocate a new chunk of memory in targe ▪ WriteProcessMemory - Write the shellcode/payload into target ▪ CreateRemoteThread - Start a new thread to execute the payload
- 7. Classic Injection - Poison Ivy
- 8. Poison Ivy
- 9. Poison Ivy
- 11. Reflective DLL Injection ▪ DLL that maps itself into memory - original design and code by Steven Fewer [1] ▪ Handy from attacker perspective - makes for a ‘dumb’ injector ▪ No longer have to code in assembly (like PI) ▪ Very common technique (ex: meterpreter, powershell empire) ▪ Allocate memory, map sections, resolve imports, fixup relocations, call entry [1] https://github.com/stephenfewer/ReflectiveDLLInjection
- 12. Meterpreter ▪ Classic DLL Reflection, such as meterpreter, is easy to find
- 13. Meterpreter
- 14. Memory Module ▪ Similar to Reflective technique, except loader does all the work [1] ▪ Payload DLL doesn’t need any special modifications ▪ Loader re-implements LoadLibrary(), but works on a buffer in memory ▪ Can map into local or remote process [2] ▪ Typical implementations avoid RWX [1] Memory Module - https://github.com/fancycode/MemoryModule [2] Manual Map - https://github.com/DarthTon/Blackbone
- 15. NetTraveler - Memory Layout ▪ Uses legitimate looking permissions
- 16. NetTraveler - Active Thread
- 17. Winnti - Memory Layout
- 18. Winnti - Header Wipe
- 19. Process Hollowing ▪ Create new, suspended process ▪ Allocate new memory, unmap (hollow) existing code ▪ Write payload ▪ Redirect execution - SetThreadContext() and ResumeThread() ▪ Stealthy variants • Create/Map sections to avoid WriteProcessMemory • Modify entry point instead of SetThreadContext
- 20. DarkComet - Process Hollowing
- 21. DarkComet
- 22. Module Overwriting ▪ Up until now, all examples have lead to non-image backed code executing ▪ Module Overwriting avoids this, making it more difficult to detect ▪ Flame and Careto are examples ▪ Map an unused module into target process ▪ Overwrite legitimate module with payload ▪ Odinaff had a similar trick but overwrote its own executable Image Credit: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- 23. Odinaff In Memory On Disk
- 24. PEB Unlinking ▪ Not an in memory technique, but rather an evasion ▪ Hide loaded DLL from security products, admins, hunters ▪ HackingTeam used this technique in their RAT ▪ Flame also unlinked shell32.dll ▪ To find peb unlinking, you could compare what the Win32 API reports as ‘loaded’ versus what you find is actually loaded with VirtualQuery/GetSectionName
- 25. Gargoyle ▪ Technique developed by Josh Lospinoso to hide injected code from security products ▪ Payload lies dormant, with read only permissions ▪ Periodically ‘wakes up.’ Sets payload executable with an asynchronous procedure call and ROP. Permissions reverted, cycle repeats. ▪ https://jlospinoso.github.io/security/assembly/c/cpp/developing/sof tware/2017/03/04/gargoyle-memory-analysis-evasion.html
- 26. Available Tools ▪ Volatility / malfind ▪ GRR ▪ Rekall ▪ inVtero
- 28. ▪ PowerShell module written by Matt Graeber (@mattifestation) • https://github.com/mattifestation/PSReflect ▪ Avoids the compilation artifacts associated with P/Invoke • IMO the cleanest way to deal with Win32 API from PowerShell ▪ Library to abstract the complexities of calling Win32 functions via Reflection ▪ Intuitive “domain specific language” for defining enums, structs, and P/Invoke function signatures ▪ Must include PSReflect code in your scripts/modules PSReflect
- 29. ▪ Built on PSReflect ▪ PowerShell function to identify injected threads via detection methodology: • Use Windows Toolhelp API to get all threads • Iterate through each thread • Identify the thread’s Base (Memory) Address • Query the memory page for which the Base Address belongs to • Check if the memory page’s state is MEM_COMMIT • Check if the memory page’s type is not MEM_IMAGE ▪ Returns details regarding offending process and thread • Check memory page permissions • Look for unnecessary privileges or integrity level • Identify abnormal user tokens Get-InjectedThread
- 30. ▪ Injected Process Information • Process Id • Name • File Path (PEB and EPROCESS) • Command Line ▪ Thread Information • Thread Id • Unique Thread Token • Base Priority • Does thread have unique token? ▪ Memory Segment • Base Address • Size • Protection • State • Type • First 100 Bytes ▪ Token (Thread or Process) • Integrity Level • Enabled Privileges • SID / UserName • Logon Session Start Time • Logon Type • Authentication Package Get-InjectedThread Output
- 31. ▪ Delivered as .zip file via Google Drive ▪ Zip archive contains one file • 2nd Myanmar Industrial Resource Development Symposium.exe • File has PowerPoint icon to trick users into opening ▪ Drops files upon execution • %USERPROFILE%<random>RealNetwork.exe (Legitimate Application) • %USERPROFILE%<random>main.dll (Loaded by MPAMedia.dll) • %USERPROFILE%<ramdom>mpapluginsMPAMedia.dll (DLL Side Loading) • Ppt ∙ Opened in PowerPoint to keep up the ruse Our Threat - 9002 Trojan http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/
- 32. Response ▪ Kill Thread • Stop-Thread • Built on Window’s TerminateThread API ▪ Process Minidump • Out-Minidump (PowerSploit) • https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1 ▪ Thread Dump • Dump-Thread
- 33. Questions?