blackout what really happened
play

Blackout: What Really Happened Jamie Butler and Kris Kendall - PDF document

Mar 16, 2024 •296 likes •901 views

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics User Mode Injection Techniques Example Malware Implementations Kernel Mode Injection Techniques Advanced Code Injection Detection via

  1. Blackout: What Really Happened Jamie Butler and Kris Kendall

  2. Outline � Code Injection Basics � User Mode Injection Techniques � Example Malware Implementations � Kernel Mode Injection Techniques � Advanced Code Injection Detection via Raw Memory Analysis 1-2

  3. Code Injection Basics � “Code Injection” refers to techniques used to run code in the context of an existing process � Motivation: • Evasion: Hiding from automated or human detection of malicious code � IR personnel hunt for malicious processes • Impersonation: Bypassing restrictions enforced on a process level � Windows Firewall, etc � Pwdump, Sam Juicer 1-3

  4. User Mode Injection Techniques � Techniques • Windows API • AppInit_Dll • Detours 1-4

  5. Injecting code via the Windows API � Somewhat surprisingly, the Windows API provides everything you need for process injection � Functions: • VirtualAllocEx() • WriteProcessMemory() • CreateRemoteThread() / • GetThreadContext() SetThreadContext() • SetWindowsHookEx() 1-5

  6. 1. OpenProcess evil.exe (pid = 2222) iexplore.exe (pid = 3333) payload = 0xCC hProc = 400 3 Handle = 400 1 2 OpenProcess(3333) Kernel (via kernel32) 1-6

  7. 2. VirtualAllocEx evil.exe (pid = 2222) iexplore.exe (pid = 3333) New section payload = 0xCC 3 Base address = 0x4000 Size = 256 bytes hProc = 400 5 base = 0x4000 2 VirtualAllocEx( hProc, base = 0x4000 0x4000, 1 4 256, . . .) Kernel (via kernel32) 1-7

  8. 3. WriteProcessMemory evil.exe (pid = 2222) iexplore.exe (pid = 3333) New section payload = 0xCC Base address = 0x4000 Size = 256 bytes hProc = 400 3 0xCC base = 0x4000 2 WriteProcessMemory( hProc, base, 1 payload, 1, …) Kernel (via kernel32) 1-8

  9. 4. CreateRemoteThread evil.exe (pid = 2222) iexplore.exe (pid = 3333) New section payload = 0xCC Base address = 0x4000 Size = 256 bytes hProc = 400 0xCC base = 0x4000 5 ThreadId = 11 New Thread 3 Id = 11 Start Address = 0x4000 CreateRemoteThread( hProc, ThreadId = 11 SecAttribs = NULL, 2 1 4 StackSize = 1024, 0x4000 …) Kernel (via kernel32) 1-9

  10. #Inject an infinite loop into a running process import pydbg k32 = pydbg.kernel32 payload = ‘\xEB\xFE’ pid = int(args[0]) ... h = k32.OpenProcess(PROCESS_ALL_ACCESS,\ False, pid) m = k32.VirtualAllocEx(h, None, 1024,\ MEM_COMMIT,\ PAGE_EXECUTE_READWRITE) k32.WriteProcessMemory(h, m, payload,\ len(payload), None) k32.CreateRemoteThread(h, None, 1024000, m, None, 0, None) 10

  11. Better Payloads � Breakpoints and Loops are fun, but what about real payloads? � If we directly inject code it must be “position independent” � Any addresses that were pre-calculated at compile time would be wrong in the context of a new process 1-11

  12. Better Payloads � Building large position independent payloads is possible, but not trivial � However, DLL injection is much simpler � DLLs are designed to be loaded in a variety of processes, addresses are automatically fixed up when the DLL is loaded 1-12

  13. DLL Injection � Use the basic process we just described � DLLs are loaded using kernel32!LoadLibrary � kernel32 is at the same address in every process � we know its address in the remote process (ignoring ASLR) � Allocate space for the name of the DLL to be loaded, then create a thread with a start address that points to LoadLibrary 1-13

  14. #DLL Injection Excerpt import pydbg k32 = pydbg.kernel32 pid = int(args[0]) dllname = args[1] ... h = k32.OpenProcess(PROCESS_ALL_ACCESS,\ False, pid) m = k32.VirtualAllocEx(h, None, 1024,\ MEM_COMMIT,\ PAGE_EXECUTE_READWRITE) k32.WriteProcessMemory(h, m, dllname,\ len(dllname), None) k32.CreateRemoteThread(h, None, 1024, k32.LoadLibrary, m, 0, None) 14

  15. User Mode API Variants � Rather than create a new remote thread, we can hijack an existing thread using GetThreadContext , SetThreadContext � SetWindowsHookEx can also be used to inject a DLL into a single remote process, or every process running on the current Desktop 1-15

  16. SetWindowsHookEx � SetWindowsHookEx defines a hook procedure within a DLL that will be called in response to specific events � Example events: WH_KEYBOARD, WH_MOUSE, WH_CALLWNDPROC, WH_CBT � Whenever the hooked event is first fired in a hooked thread, the specified DLL is be loaded 1-16

  17. Permissions and Security � To open a process opened by another user (including SYSTEM), you must hold the SE_DEBUG privilege � Normally SE_DEBUG is only granted to member of the Administrator group � However, even if you are running as a normal user, malware can still inject into another process that you own 1-17

  18. Injecting code via AppInit_DLLs � The AppInit_DLLs registry value provides another convenient method of DLL injection 1-18

  19. Injecting code via Detours � Detours is a library developed by Microsoft Research in 1999 � The library uses the same techniques already described, wrapped up in slick package 1-19

  20. Detours Features � Function hooking in running processes � Import table modification � Attaching a DLL to an existing program file � Detours comes with great sample programs: • Withdll • Injdll • Setdll • Traceapi 1-20

  21. Setdll � Detours can add a new DLL to an existing binary on disk. How? � Detours creates a section named “.detours” between the export table and debug symbols � The .detours section contains the original PE header, and a new IAT � Detours modifies the PE header to point at the new IAT (reversible) 1-21

  22. 1-22 Setdll Demo

  23. 1-23 Setdll Demo

  24. Avoiding the Disk � When we perform DLL injection, LoadLibrary expects the DLL to be on the disk (or at least an SMB share) � The Metasploit project eliminates this requirement using a clever hooking strategy � By hooking functions that are involved in reading the file from disk, they fool Windows into thinking the DLL is on disk 1-24

  25. Meterpreter � Hook � Call LoadLibrary � Unhook � Hooked functions: • NtMapViewOfSection • NtQueryAttributesFile • NtOpenFile • NtCreateSection • NtOpenSection � See remote_dispatch.c and libloader.c in MSF 3.0 1-25

  26. 1-26 Meterpreter Demo

  27. Poison Ivy RAT � Tons of malware uses Code Injection � We’ll quickly dig into the details of one example 1-27

  28. 1-28 Poison Ivy Capabilities

  29. Step 1: Inject to Explorer � Poison Ivy client immediately injects to Explorer and then exits � Output from WinApiOverride32 for pi.exe 1-29

  30. Step 2: Inject again to msnmsgr.exe � Explorer.exe injected code then injects again… � Interestingly, PI does not grab the SE_DEBUG privilege, so we can’t inject in many existing processes � Output from WinApiOverride32 for explorer.exe 1-30

  31. 1-31 Did it Work?

  32. 1-32 Where is the evil?

  33. 1-33 Kernel Process Injection

  34. Two Halves of the Process � User land processes are comprised of two parts • Kernel Portion � EPROCESS and KPROCESS � ETHREAD and KTHREAD � Token � Handle Table � Page Tables � Etc. 1-34

  35. Two Halves of the Process � User land Portion • Process Environment Block (PEB) • Thread Environment Block (TEB) • Windows subsystem (CSRSS.EXE) • Etc. 1-35

  36. Kernel Process Injection Steps � Must find suitable target • Has a user land portion • Has kernel32.dll and/or ntdll.dll loaded in its address space • Has an alterable thread (unless hijacking an existing thread) � Allocate memory in target process � Write the equivalent of “shellcode” that calls LoadLibrary � Cause a thread in the parent to execute newly allocated code • Hijack an existing thread • Create an APC 1-36

  37. Allocate memory in parent process � Change virtual memory context to that of the target • KeAttachProcess/KeStackAttachProcess • ZwAllocateVirtualMemory � (HANDLE) -1 means current process � MEM_COMMIT � PAGE_EXECUTE_READWRITE 1-37

  38. Creating the Shellcode � “shellcode” that calls LoadLibrary • Copy function parameters into address space • Pass the address of function parameters to calls • Can use the FS register � FS contains the address of the TEB � TEB has a pointer to the PEB � PEB has a pointer to the PEB_LDR_DATA � PEB_LDR_DATA contains all the loaded DLLs 1-38

  39. Creating the Shellcode � As an alternative to using the FS register • Find the address of ntdll.dll from the driver • Parse its exports section • Does not work with all DLLs � Only address of ntdll.dll returned by ZwQuerySystemInformation 1-39

  40. Thread Hijacking � Cause a thread in the parent to execute newly allocated code - Hijack an existing thread • Locate a thread within the parent process • Change its Context record • Change Context record back when done � Problems: • Low priority threads • Blocked threads • Changing Context back 1-40

Recommend

I mpacts and Actions Resulting from the August 14, 2003 Blackout David W. Hilt P.E. July 29,

I mpacts and Actions Resulting from the August 14, 2003 Blackout David W. Hilt P.E. July 29,

I mpacts and Actions Resulting from the August 14, 2003 Blackout David W. Hilt P.E. July 29, 2006 Illinois Society of Professional Engineers August 14, 2003 What Happened? O ttawa Montreal Toronto Buffalo Detroit Toledo Cleveland

724 views • 59 slides
Station Blackout and Advanced Accident Mitigation (B.5.b) Overview Pat Hiland, Director

Station Blackout and Advanced Accident Mitigation (B.5.b) Overview Pat Hiland, Director

Station Blackout and Advanced Accident Mitigation (B.5.b) Overview Pat Hiland, Director Division of Engineering Office of Nuclear Reactor Regulation April 28, 2011 Station Blackout Background WASH-1400, Reactor Safety Study, issued

250 views • 24 slides
KRISTA BOAN WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT,

KRISTA BOAN WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT,

KRISTA BOAN WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? WAIT, WHAT JUST HAPPENED? 1 in 5 children have mental health problems 43% increase in ADHD 37% increase in teen

552 views • 19 slides
Outline What is a blackout? and how do we deal with them? What is Resource Adequacy?

Outline What is a blackout? and how do we deal with them? What is Resource Adequacy?

Power Plant Investment and Electricity Restructuring James Bushnell University of California Energy Institute www.ucei.berkeley.edu Outline What is a blackout? and how do we deal with them? What is Resource Adequacy? whos

357 views • 6 slides
What- -Really Really- -Happened Happened What according to most people, history is

What- -Really Really- -Happened Happened What according to most people, history is

What- -Really Really- -Happened Happened What according to most people, history is what really happened in the past but our understanding of history is often based on the testimony of witnesses and different people see

290 views • 18 slides
What Happened to me Neuromyelitis Optica happened to me that's what! Diagnosed Edinburgh

What Happened to me Neuromyelitis Optica happened to me that's what! Diagnosed Edinburgh

Irene Wilson - Group Leader UK Mastocytosis Charity What Happened to me Neuromyelitis Optica happened to me that's what! Diagnosed Edinburgh January 2013 Aguaporin 4 antibody positive 6 lots of Plasma Exchange now on Azathioprine

349 views • 5 slides
New Regulations Under Sarbanes-Oxley Retirement Plan Blackout Periods: Trading Prohibition and

New Regulations Under Sarbanes-Oxley Retirement Plan Blackout Periods: Trading Prohibition and

BUSINESS DEPARTMENT E-NEWS ALERT FEBRUARY 25, 2003 New Regulations Under Sarbanes-Oxley Retirement Plan Blackout Periods: Trading Prohibition and Notice Requirements On July 30, 2002, President Bush signed into law the Public Company

368 views • 4 slides
Equity Awards: Design Tips for Navigating Blackout Periods Presentation for: Presentation by:

Equity Awards: Design Tips for Navigating Blackout Periods Presentation for: Presentation by:

Equity Awards: Design Tips for Navigating Blackout Periods Presentation for: Presentation by: Executive Compensation Webinar Series Anthony J. Eppert February 14, 2019 AnthonyEppert@HuntonAK.com 713.220.4276 Housekeeping: Technical Issues

791 views • 24 slides
Blackout Poetry The act of redacting words from printed sources to purposely create new

Blackout Poetry The act of redacting words from printed sources to purposely create new

Blackout Poetry The act of redacting words from printed sources to purposely create new meaning. Requirements The words have to make sense together, or have been chosen for emphasis. If the page from the book is small, the

268 views • 8 slides
75 # What happened What went well What needs improvement To your questions Additional Q&A

75 # What happened What went well What needs improvement To your questions Additional Q&A

75 # What happened What went well What needs improvement To your questions Additional Q&A if time permits How might we Curated Q&A per the questions received from What happened IxDA Berlin delivered their fj rst virtual event

1.06k views • 68 slides
Area Marquee Hire Spring Conference 2009 Birmingham 10/03/2009 CC Hire Stock 3m Bay

Area Marquee Hire Spring Conference 2009 Birmingham 10/03/2009 CC Hire Stock 3m Bay

Area Marquee Hire Spring Conference 2009 Birmingham 10/03/2009 CC Hire Stock 3m Bay Blackout & Starlight 6m, 9m, 12m & 15m span 5m Bay Blackout & Starlight 5m Bay Blackout & Starlight 15m, 20m 25m & 30m

717 views • 30 slides
Joint U.S.-Canada Power System Outage Investigation Interim Report Causes of the August 14 th

Joint U.S.-Canada Power System Outage Investigation Interim Report Causes of the August 14 th

Joint U.S.-Canada Power System Outage Investigation Interim Report Causes of the August 14 th Blackout in the United States and Canada 1 Overview The report What caused the blackout? Reliability management What didnt cause

462 views • 28 slides
The Invest in Kids Act: Tax Credit Scholarships What happened on January 31 st ? What is the

The Invest in Kids Act: Tax Credit Scholarships What happened on January 31 st ? What is the

The Invest in Kids Act: Tax Credit Scholarships What happened on January 31 st ? What is the recovery plan? OCS Leadership Day University of St. Mary of the Lake February 16, 2018 Agenda Review what happened on January 31 st

761 views • 29 slides
2016 legislative update what happened? whats next? What happened? K12 F UNDING 2017 General

2016 legislative update what happened? whats next? What happened? K12 F UNDING 2017 General

B O A L R O D O S H A C S S S O A SCHOOL 2016 C N I A I W L T O I LA O R N A C H CONFERENCE 6 T U 1 0 O 2 S , 8 2 A - 7 U 2 G T U S 2016 legislative update what happened? whats next?

548 views • 15 slides
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer rosettaflash.com bitiodine.net Recap what happened last year Summary CSP is mostly used to

591 views • 47 slides
1 What happened Spring 2020? Moved to virtual visits some institutions having only a few

1 What happened Spring 2020? Moved to virtual visits some institutions having only a few

HLC Guidance in the COVID Era Information for the Michigan Community College Data and Evaluation Committee Conference Linnea A. Stenson, Ph.D. VP for Accreditation Relations Higher Learning Commission| August 4, 2020 1 What happened at HLC?

496 views • 7 slides
1. What happened? 2. What was the response? 3. What were the impacts? 4. What was learnt?

1. What happened? 2. What was the response? 3. What were the impacts? 4. What was learnt?

1. What happened? 2. What was the response? 3. What were the impacts? 4. What was learnt? Prepared by Gavin Fisher, EPA Victoria for NSW health workshop 4 th March2015 Here we will cover.

712 views • 50 slides
1 Suicides in old and new EU Member States: 2007=1 1.35 1.3 1.25 1.2 1.15 We estimate

1 Suicides in old and new EU Member States: 2007=1 1.35 1.3 1.25 1.2 1.15 We estimate

The health effects of a financial crisis: epidemiology on a large scale Martin McKee Hong Kong, August 2016 Twitter: @martinmckee What happened? GDP per capita (2007=1) 1.10 1.05 1.00 0.95 Germany What happened to health? United States

515 views • 12 slides
Fukushima Nuclear Disaster By Andrew Perryman, Caizhi Ming, Ruoheng Pan, William Mitchell, Zan

Fukushima Nuclear Disaster By Andrew Perryman, Caizhi Ming, Ruoheng Pan, William Mitchell, Zan

Fukushima Nuclear Disaster By Andrew Perryman, Caizhi Ming, Ruoheng Pan, William Mitchell, Zan Zhu September 16, 2013 1 Contents 1. What happened? 2. Why it happened? 3. How we prevent it in the future? 2 What happened? 3 Why it

491 views • 13 slides
What will What will we be covering we be covering Who set up the Society What happened

What will What will we be covering we be covering Who set up the Society What happened

What will What will we be covering we be covering Who set up the Society What happened after World War 2 The Society grows Publications The committee and its make up Website A gr A grou oup p of ent of enthu husias

720 views • 47 slides
Whatever Happened To The Indians Not Taxed? And When Did The Congress Say That State

Whatever Happened To The Indians Not Taxed? And When Did The Congress Say That State

Whatever Happened To The Indians Not Taxed? And When Did The Congress Say That State And Local Governments Can Collect Taxes In Our Territories? Tribal Self-Governance Conference Spokane, WA Henry Cagey Lummi Nation Council M +1

191 views • 7 slides
What Happened to D.A.R.E.? Kris Glunt, Prevention Coordinator,

What Happened to D.A.R.E.? Kris Glunt, Prevention Coordinator,

What Happened to D.A.R.E.? Kris Glunt, Prevention Coordinator, EPISCenter Dr. Michael Hecht, Penn State University, Distinguished Professor of Communication Arts

415 views • 18 slides
Washington Water Rights after the Hirst Fix: What Just Happened? And Where Do We Go from

Washington Water Rights after the Hirst Fix: What Just Happened? And Where Do We Go from

Washington Water Rights after the Hirst Fix: What Just Happened? And Where Do We Go from Here? Prepared by Anne Udaloy, LHG 46 th District Democrats Environment and Climate Caucus February 10, 2018 Where to Begin? Water is

275 views • 26 slides
What Do You Know? What do you know about the Roman empire? What happened during the Roman

What Do You Know? What do you know about the Roman empire? What happened during the Roman

What Do You Know? What do you know about the Roman empire? What happened during the Roman invasions? Can you name any key people from the Roman era? What Do You Know? In 55 BC, the Romans already ruled the country that we know today as

151 views • 14 slides

More recommend