Tuesday, October 15, 2019

Process Doppelganging Notes

This post consists of notes on the process doppelganging technique.

One of the limitations of the Process Hollowing technique is its use of API calls: NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. Process doppelganging eliminates the need to make these API calls nor unmap the main module of a process.

The process doppelganging technique was first presented at blackhat Europe 2017 by researches from enSilo. It is a method for PE injection. It leverages Windows Transactional NTFS (TxF), which was introduced as a way to perform safe file operations.

The main reasons to use process doppelganging is that it bypasses whitelisting policies, does not unmap code,  does not need manual mapping, can be used to load DLLs. For these reasons, process doppelganging appears highly promising as a first stage loader.

Transactional NTFS (TxF) Concepts

TxF is essentially an implementation that solves the readers-writer problem as applied to file systems. The possible parties involve are the transacted writer, non-transacted writers, transacted readers and non-transacted readers.

TxF binds a file handle to a transaction. TxF allows only one transacted writer at a time. All other attempts to open the file are blocked. Non-transacted writers are always blocked.

Non-transacted readers will not see changes until the transacted writer completes the transaction. They see the changes since the last transaction on the file. When the transacted writer commits the transaction, non-transacted readers will receive the updated file. Non-transacted readers are the AV processes.

In contrast, transacted readers see the last commit to the file even if the transacted writer has not completed the transaction. In contrast to the non-transacted readers, transacted readers see a consistent view of the file. They do not receive updates when the transacted-writer completes the transaction unless they close and reopen the handle.

Process doppelganging leverages the fact that nontransacted readers can only see the file since the last transaction. By rolling back changes, our changes to the transacted file will not be saved to disk.

Also CreateProccess creates sections with PAGE_EXECUTE. AV scans for sections with PAGE_EXECUTE. We create with PAGE_READ.

Process Doppelganging as presented at blackhat

High Level

  1. Open the legit executable and overwrite it with ours
  2. Load malicious executable by creating a section in the transacted file
  3. Rollback to get original executable
  4. Resume Thread

Details

  1. Use CreateTransaction to create a transaction
  2. Get the transacted file handle with CreateFileTransacted 
  3. Write our executable into the transacted file
  4. Use NtCreateSection to create section from the transacted file to point to our executable
  5. RollbackTransaction to remove our changes
  6. NtCreateProcessEx, NtCreateThreadEx (using our entry point - this is Windows XP CreateProcess)
  7. RtlCreateProcessParametersEx 
  8. VirtualAllocEx with PAGE_READWRITE
  9. Write parameters to remote process
  10. NtResumeThread
Windows XP uses NtCreateProcessEx to create a process. This function takes a handle to a section (as oppose to a handle to the file path of the executable). Also, the user is responsible for setting up process parameters. The Windows 10 loader uses NtCreateUserProcess, which takes a file path. However, NtCreateProcessEx is still available because Windows creates minimal processes with it.

Avoid AV Hooks

NTDLL is the usermode wrapper for syscalls. AV will often monitor functions exported by NTDLL. One solution is to load our own copy of NTDLL. The authors of the Osiris Banking Trojan loaded the ntdll.dll file from disk as a section. This maps the DLL as an image, which is good because manually loading DLLs makes them stand out from normally-loaded DLLs.
  1. NtCreateFile to open ntdll.dll
  2. NtCreateSection
  3. ZwMapViewOfSection to map the section to the our address space

Process Doppelganging and Process Hollowing loader

The Osiris Banking Trojan uses a combination of process doppelganging and process hollowing.

  1. Create the suspended process (use CreateProcessInternal from Kernel32)
  2. Map the image of the suspended process to our address space (using same ntdll technique)
  3. Create the transaction with ZwCreateTransaction from NTDLL
  4. Open the transacted file by calling RtlSetCurrentTransaction and ZwCreateFile
  5. Write our executable to the file with RtlSetCurrentTransaction and ZwWriteFile
  6. Create a section from the transacted file (ZwCreateSection)
  7. Rollback the file with ZwRollbackTransaction 
  8. ZwQuerySection
  9. NtClose, NtClose handles
  10. ZwMapViewOfSection to map the section from the transacted file to the suspended process
  11. ZwProtectVirtualMemory, ZwWriteVirtualMemory to patch PEB.ImageBase
  12. ZwProtectVirtualMemory, ZwWriteVirtualMemory to patch Entry Point
  13. If Entry Point patch does not work, then do ZwGetThreadContext, ZwSetThreadContext
  14. ZwResumeThread

Limitations

TxF is technically deprecated although it is still enabled as of Windows 10.

The CreateTransaction, CreateFileTransacted, RollbackTransaction calls are not commonly used. AV might detect this technique by monitoring these functions.

Original method requires the Windows XP NtCreateProcessEx and NtCreateThreadEx functions.

Other Notes

Sandboxing may be detected if the executable is not launched from its original directory.

Clear event logs with EvtOpenChannelEnum, EvtNextChannelPath, EvtClearLog from Wevtapi.dll.


Sources

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/

https://attack.mitre.org/techniques/T1186/

https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)