1. MSOffice Malware in Memory
    1. Macros
      1. Useful Win32 APIs
        1. 3 from Kernel32.dll
          1. VirtualAlloc
          2. RtlMoveMemory
          3. CreateThread
          4. Check MSDN Function Prototypes
      2. Good To Know
        1. LPDWORD
          1. (C) Pointer or Ref to a DWORD
        2. LPSTR
          1. (C) Pointer to a String
      3. Download Cradle + IEX
        1. Powershell
          1. Win32 APIs
          2. (C#) DllImportAttribute
          3. C data types to C# data types translation
          4. P/Invoke APIs
          5. System namespace
          6. System.Runtime.InteropServices namespace
          7. www.pinvoke.net might help
          8. Add-Type
          9. RtlMoveMemory
          10. System.Runtime.InteropServices.Marshal
          11. .NET Copy
          12. Allows data to be copied from a managed array to an unmanaged memory pointer
          13. WaitForSingleObject
          14. Artifacts
          15. CSC: C# Command Line Compiler
          16. List loaded assemblies
          17. Add-Type
          18. [appdomain]::currentdomain.getassemblies()
          19. In this case, could be flagged by antivirus
          20. Dynamic Lookup
          21. Add-Type
          22. System.dll
          23. Microsoft.Win32.UnsafeNativeMethods class
          24. GetModuleHandle
          25. GetProcAddress
          26. Create the .NET assembly in memory instead of writing code to disk and compiling it. These methods are only meant to be used internally by the .NET code. Therefore it's impossible to call them directly from Powershell or C#. - Check UnsafeNativeMethods branch -
          27. Create New Assemblies
          28. GetAssemblies
          29. ForEach-Object
          30. GetTypes
          31. Get-Member
          32. Static Flag
          33. Where-Object
          34. Unsafe Keyword in TypeName
          35. Search for preloaded assemblies that could match our criteria
          36. UnsafeNativeMethods
          37. Assembly filtering
          38. GlobalAssemblyCache
          39. Location
          40. List of all native and registered assemblies on Windows: this is what we want
          41. Last part of the file path must be “System.dll”
          42. Reference to System.dll
          43. GetType
          44. $dllvar.GetType('Microsoft.Win32.UnsafeNativeMethods')
          45. GetMethod
          46. Invoke
          47. GetMethod function to obtain a reference to the internal GetModuleHandle method
          48. Use the internal Invoke method to call GetModuleHandle and obtain the base address of an unmanaged DLL
          49. .NET Reflection
          50. GetMethods vs GetMethod
          51. GetProcAddress
          52. Locate GetProcAddress to resolve arbitrary APIs
          53. Delegate Type Reflection
          54. (C#) delegate
          55. Creation using Reflection
          56. Create New Assembly
          57. AssemblyName Class
          58. Access mode
          59. DefineDynamicAssembly
          60. System.Reflection.Emit.AssemblyBuilderAccess namespace - Value set to RUN
          61. Access mode configuration: no disk access and executable
          62. Creating Content
          63. DefineDynamicModule
          64. DefineType
          65. Custom Name
          66. Attributes
          67. Class
          68. Public
          69. Sealed
          70. AnsiClass
          71. AutoClass
          72. Check MS Doc
          73. MulticastDelegate class
          74. Inside an assembly the main building block is a Module
          75. DefineType takes 3 args
          76. Construct our Custom Delegate Type
          77. DefineConstructor
          78. MethodAttributes Enum
          79. [System.Reflection.CallingConventions]::Standard
          80. Types of the Constructor
          81. Constructor Call
          82. SetImplementationFlags
          83. Runtime
          84. Managed
          85. Invoke
          86. DefineMethod
          87. Method Name
          88. Method Attributes
          89. Return Type
          90. Array of Arg Types
          91. Takes 4 args
          92. MethodImplAttributes Enum
          93. Delegate Type Instantiation
          94. CreateType
          95. 2004 Blog post
          96. Generate Shellcode
          97. ps1 format
          98. 32-bit architecture (cf. MS Office architecture)
          99. Use of msfvenom (shortcut)
          100. Copy it with .NET Copy method
          101. Use System Proxy (optional)
          102. Not natively accessible from PowerShell; reached through .NET (C#)
          103. Invoke functions in unmanaged dynamic link libraries
          104. Once the translation is done, the .NET framework compiles the Add-Type statement and creates objects containing the structures, values, functions, or code it declares
          105. Avoid PowerShell terminating before the shell has fully executed
      4. Be aware that closing MS Office kills the Shellcode - check the advanced attack with PowerShell
  2. Client Side Code Execution With Windows Script Host
    1. Must Read
      1. TrickBot
      2. Emotet
    2. Jscript
      1. DotNetToJscript
    3. C#
      1. Win32 APIs
        1. C data types to C# data types translation
          1. pinvoke
        2. dllImport
          1. System.Diagnostics namespace
          2. System.Runtime.InteropServices namespace
          3. Mandatory
      2. Shellcode
        1. dllImport
          1. VirtualAlloc
          2. CreateThread
          3. WaitForSingleObject
          4. Back Link To First Topic
          5. Back Link To First Topic
        2. Marshal.Copy
        3. Back Link To First Topic
  3. Process Injection and Migration
    1. Shellcode Home
      1. explorer.exe
      2. svchost.exe
      3. Or any other Process that is unlikely to Terminate
    2. Win32 APIs
      1. OpenProcess
        1. Security Descriptor
        2. Integrity level
      2. VirtualAllocEx
      3. WriteProcessMemory
      4. CreateRemoteThread
      5. Be aware of security permissions when calling OpenProcess
      6. Note the "Ex" suffix (stands for Expanded): mandatory to reach any process under our control outside the current process
    3. Build the Injection
      1. pinvoke
        1. Opening the Channel
          1. System.Runtime.InteropServices namespace
          2. OpenProcess Args
          3. dwDesiredAccess
          4. bInheritHandle
          5. dwProcessId
          6. Targeted Access Rights
          7. Created child process can inherit this handle (y/n)
          8. Process ID of the Shellcode Home
        2. Allocating Memory
          1. VirtualAllocEx Args
          2. hProcess
          3. lpAddress
          4. (dwSize, flAllocationType, flProtect)
          5. Handle to the process obtained from OpenProcess
          6. Address of the allocation in the remote process
          7. Mirror the VirtualAlloc API
        3. WriteProcessMemory
          1. hProcess
          2. lpBaseAddress
          3. lpBuffer
          4. nSize
          5. lpNumberOfBytesWritten
          6. Shellcode/Malicious Program
          7. Size of the Shellcode/Mal
          8. Pointer to a location in memory that receives how much data was copied - argument prefixed with the "out" keyword
        4. Executing the Shellcode
          1. CreateRemoteThread
          2. hProcess
          3. lpThreadAttributes
          4. dwStackSize
          5. lpStartAddress
          6. lpParameter
          7. dwCreationFlags
          8. lpThreadId
          9. = address of the buffer allocated for our Shellcode
          10. Parameters of our Shellcode if required
          11. Ignore this
          12. Allowed stack size: set it to 0 to accept default value
  4. DLL Injection
    1. Writing the DLL
      1. C
      2. C#
      3. Unmanaged
      4. Restrictions
    2. LoadLibrary API
      1. Remote Process
      2. lpLibFileName
      3. Recall CreateRemoteThread
        1. lpStartAddress
        2. lpParameter
        3. Address of LoadLibraryA given as the fourth argument to CreateRemoteThread
        4. Allocate a buffer inside the remote process and copy the name and path of the DLL into it. Address of this buffer is given as the fifth argument to CreateRemoteThread
      4. Call of DllMain
        1. fdwReason
        2. lpvReserved
        3. Put the Shellcode within the DLL_PROCESS_ATTACH switch case, where it will be executed when LoadLibrary calls DllMain - re-read the MSDN documentation
        4. Ignore this
      5. Only one parameter required
    3. Injecting the DLL
      1. new WebClient();
      2. Resolve Shellcode home address
      3. Allocate memory in the remote process
      4. Copy the path and name of the DLL into the allocated memory
      5. Resolve the memory address of LoadLibraryA inside the remote process
        1. GetModuleHandle
        2. GetProcAddress
        3. Recall GetModuleHandle from MSOffice deception topic
        4. Recall GetProcAddress from MSOffice deception topic
      6. Invoke CreateRemoteThread
        1. lpStartAddress
        2. lpParameter
        3. Return of VirtualAllocEx
        4. Return of GetProcAddress
      7. The DLL must be written to disk (once created, download it to the victim machine)
      8. Recall OpenProcess
      9. Recall VirtualAllocEx
      10. Recall WriteProcessMemory
    4. Reflective DLL Injection: avoid disk writing
      1. MUST READ - Parsing the fields: DLL's Portable Executable (PE)
      2. PowerShell reflective DLL injection code
  5. Process Hollowing
    1. Avoid Network Noise
      1. svchost.exe
        1. Migration
        2. SYSTEM integrity level restriction
        3. Launch and modify before it starts executing
    2. Important Step
      1. Process Creation
        1. CREATE_SUSPENDED flag
    3. Process.Start
    4. CreateProcess API
      1. Creates the virtual memory space for the new process
      2. Allocates the stack along with
        1. Thread Environment Block (TEB)
        2. Process Environment Block (PEB)
      3. Loads the required DLLs and the EXE into memory
      4. Thread Creation to execute code starting at the EntryPoint of the executable
        1. Supplying CREATE_SUSPENDED flag
          1. Thread execution halted before it runs the EXE’s first instruction
        2. Locating the EntryPoint
          1. Overwrite its content
          2. Continue execution with our Shellcode
    5. Locating the EntryPoint
      1. ASLR
      2. ZwQueryInformationProcess API
        1. Various info
        2. ProcessInformationClass
          1. ProcessBasicInformation
          2. PebBaseAddress (PEB)
          3. Points to a PEB structure
          4. Process Base Address
          5. Parsing the PE headers
          6. Locating the EntryPoint
      3. Read the EXE base address
        1. REMOTE: ZwQueryInformationProcess -> address of the PEB
        2. ReadProcessMemory API
      4. Analyzing the remote process PE header
        1. ReadProcessMemory
          1. e_lfanew field
          2. EntryPoint Relative Virtual Address (RVA)
          3. Offset from the beginning of the PE to the PE Header
          4. RVA is just an offset: it helps to obtain the absolute virtual memory address of the EntryPoint
    6. Overwriting the Content of the EntryPoint with our Malicious Code
      1. WriteProcessMemory
      2. Let the execution of the thread in the remote Process
    7. C# Code Building Steps
      1. DllImport
      2. CreateProcessW
        1. System.Threading namespace
        2. 10 arguments
          1. lpApplicationName
          2. lpCommandLine
          3. lpProcessAttributes
          4. lpThreadAttributes
          5. dwCreationFlags
          6. lpEnvironment
          7. lpCurrentDirectory
          8. lpStartupInfo
          9. lpProcessInformation
          10. Name of the application to be executed - can be set to NULL
          11. Full command line to be executed
          12. Security descriptor: go with the default
          13. Ignore this: false
          14. 0x4 for CREATE_SUSPENDED
          15. Ignore this: NULL
          16. Process window configuration
          17. Structure that is populated by CreateProcessW
      3. Invoke the Call to the API
        1. Object Instantiation
          1. STARTUPINFO
          2. PROCESS_INFORMATION
          3. Supplied to CreateProcessW
      4. Disclosing the PEB
        1. ZwQueryInformationProcess
          1. Nt
          2. Zw
          3. Low Level API in ntdll.dll
          4. Indicates that the API can be called by either a user-mode program or by a kernel driver
          5. Returns a hexadecimal value directly from the kernel
      5. Pointer to Image Base
      6. ReadProcessMemory
        1. hProcess
        2. lpBaseAddress
        3. lpBuffer
        4. nSize
        5. lpNumberOfBytesRead
        6. Process handle
        7. Address to read from
        8. Buffer to copy the content into
        9. Number of bytes to read
        10. Variable to contain the number of bytes actually read
      7. Pointer to svchost
        1. Bit Conversion Required
        2. Then IntPtr cast
        3. Code Sample
        4. Pointer
      8. Locating the EntryPoint
        1. PE Header Parsing
          1. ReadProcessMemory
          2. 0x200 bytes buffer size
          3. PE Start
          4. e_lfanew at Offset 0x3C
          5. PE Start + e_lfanew + 0x28
          6. PE header: offset from the image base to the PE header structure
          7. Code EntryPoint: offset from the image base to the EntryPoint
        2. EntryPoint Full Memory Address = Image Base + EntryPoint RVA
      9. Triggering the Malicious Code
        1. Overwriting the existing code at the EntryPoint
          1. WriteProcessMemory
      10. CreateRemoteThread
        1. ResumeThread API
        2. Let the suspended thread of a remote process continue its execution
          1. Recall PROCESS_INFORMATION
          2. hThread
      11. Variable that should contain a pointer to the image base of svchost.exe in the suspended process
    8. Avoid: do not allow us to create a suspended process