Tuesday, October 15, 2019

Process Hollowing Notes


This post consists of notes on implementing the process hollowing code injection technique.

The main reason to use the process hollowing technique is to bypass application whitelisting policies. Process hollowing disguises a malicious process as a legitimate one.

High Level Technique

  1. Create a suspended process
  2. Unmap the executable image of the process
  3. Write our executable into the remote process
  4. Overwrite the image base address in the remote process' PEB with that of our executable
  5. Change the entry point of the suspended thread
  6. Resume the thread


Detailed Technique

  1. Download the second stage executable and store it in a local buffer
  2. CreateProcess in SUSPENDED mode
  3. Retrieve the thread context of the suspended process with GetThreadContext
  4. Read PEB.ImageBaseAddress to get the address where the remote process is loaded
  5. Resolve the address of NtUnmapViewOfSection from ntdll.dll
  6. Hollow the suspended process using NtUnmapViewOfSection
  7. Allocate memory in the suspended process at the address where our executable wants to be loaded (its preferred image base)
  8. Decrypt our second stage executable (if it is encrypted)
  9. Write the PE header of our executable into the allocated process memory
  10. Write each section of the executable file (.text, .rdata, .data) into the allocated memory
  11. Overwrite PEB.ImageBaseAddress to point to our image base
  12. Use SetThreadContext to overwrite the entry point in the suspended thread's context with our executable's entry point
  13. ResumeThread

Limitations

The primary way process hollowing gets detected is the unmapping of the remote process' main module.

The other way to be detected is by allocating pages with PAGE_EXECUTE_READWRITE permissions. Mitigate this by allocating with PAGE_READWRITE permissions first, then changing to PAGE_EXECUTE_READ when finished copying.

If using svchost.exe, it looks suspicious for svchost.exe not to be started by services.exe.
Possible solution: change the parent process ID?

The size difference between our svchost and a normal svchost is suspicious.
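The detection side of the limitations above, as an added example that is not part of the original post: a Python sketch that scans a constructed, line-based API trace for the suspended-create / unmap / write / SetThreadContext / ResumeThread chain, for remote memory that was writable and then executable (catching both RWX and the RW-then-RX variant), and for svchost.exe not being started by services.exe. The trace format, the sample lines and the parent allow-list are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample API trace (not real telemetry): "pid caller api target_pid key=value ...".
SAMPLE_TRACE = """\
4312 loader.exe CreateProcessW 5120 image=svchost.exe flags=CREATE_SUSPENDED
4312 loader.exe NtUnmapViewOfSection 5120 base=0x00400000
4312 loader.exe VirtualAllocEx 5120 base=0x00400000 prot=PAGE_READWRITE
4312 loader.exe WriteProcessMemory 5120 base=0x00400000 size=0x1a000
4312 loader.exe VirtualProtectEx 5120 base=0x00400000 prot=PAGE_EXECUTE_READ
4312 loader.exe SetThreadContext 5120 eax=0x00401200
4312 loader.exe ResumeThread 5120 tid=5124
700 services.exe CreateProcessW 6000 image=svchost.exe flags=0
"""
LINE = re.compile(r"^(\d+) (\S+) (\w+) (\d+) ?(.*)$")
# Ordered call chain from the notes above: hollow, rewrite, redirect the entry point, resume.
HOLLOW_CHAIN = ["NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
EXPECTED_PARENT = {"svchost.exe": "services.exe"}  # hypothetical parent allow-list

def parse_trace(text):
    events = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        pid, caller, api, target, detail = m.groups()
        kv = dict(p.split("=", 1) for p in detail.split() if "=" in p)
        events.append({"pid": int(pid), "caller": caller, "api": api, "target": int(target), **kv})
    return events

def detect_hollowing(events):
    # Returns {target_pid: [reasons]} for each created process showing hollowing indicators.
    per_target = defaultdict(list)
    for e in events:
        per_target[e["target"]].append(e)
    findings = {}
    for target, evs in per_target.items():
        create = next((e for e in evs if e["api"] == "CreateProcessW"), None)
        if create is None:
            continue
        reasons = []
        calls = iter(e["api"] for e in evs)  # consumed in order: subsequence test below
        if "CREATE_SUSPENDED" in create.get("flags", "") and all(s in calls for s in HOLLOW_CHAIN):
            reasons.append("suspended child: image unmapped, rewritten, entry point changed, resumed")
        # RWX in one step, or RW then flipped to RX (the mitigation described in the notes)
        prots = [e.get("prot", "") for e in evs if e["api"] in ("VirtualAllocEx", "VirtualProtectEx")]
        if any("WRITE" in p for p in prots) and any("EXECUTE" in p for p in prots):
            reasons.append("remote memory was writable and then executable (RWX, or RW then RX)")
        want = EXPECTED_PARENT.get(create.get("image", ""))
        if want and create["caller"] != want:
            reasons.append(f"{create['image']} started by {create['caller']}, expected {want}")
        if reasons:
            findings[target] = reasons
    return findings
```

Running `detect_hollowing(parse_trace(SAMPLE_TRACE))` flags only PID 5120 with all three reasons; the services.exe-spawned svchost (PID 6000) produces no finding.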


Sources:


https://cysinfo.com/7th-meetup-reversing-and-investigating-malware-evasive-tactics-hollow-process-injection/

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
