
So, good afternoon everybody. I'm iDigitalFlame, and this is In Your MEMS: Windows AV evasion using memory techniques, or in-memory techniques. So who am I? I'm iDigitalFlame, a penetration tester and digital forensics analyst for a company called Essex Tech. I'm a programmer and a security researcher in my part time, and a Raspberry Pi enthusiast, and I love popping boxes, hacking video games and sending phishing emails, especially those, they're really, really, really fun to do. And Python is life, best programming language ever.

So, a feel for what we're going to cover today: the current state of the need to bypass antivirus, why we want to do it, the ways antivirus does catch malware. We're just going to go over how antivirus does what it does so we get an understanding of how we actually bypass antivirus. We're going to go into current bypass processes and Windows memory injection, also some of the API methods Windows uses for that, AV trust, and then finally the AV bypass, how I detected it, how you remediate it, and I'm going to release the source code to this exploit once I finish this talk.

So, antivirus. You might have seen it, you might have used it a lot of times on many of the three operating system platforms, such as Windows. And if you're a Windows user you kind of grunt, you're like, oh, it's, you know, a necessity of life, I need antivirus or else, you know, I'm screwed. Not always. But then if you use Linux you're like, uh, what's antivirus? I don't need this. What's even better is if you're on a Mac you're like, antivirus? My operating system is super secure. But then this happens, and you see, a secure operating system doesn't need antivirus. So, and also, with antivirus being so effective, how come this happens? You know, we have ransomware, it's on the rise, and we have computers getting infected by many different types of malware, not just zero-days but different types of ransomware. We have ransomware that encrypts hard drives themselves, and people still get infected by the little things that antivirus apparently does not catch.

So why do we need to bypass antivirus? Well, penetration testers need it, red teamers need it, and the bad guys need it. Now if you ask Google Images what a bad hacker is, apparently he looks like that. I mean, I was going to dress like that, but then I realized I could just cover my webcam, I don't need the face mask, but I might need gloves, that's a good point, I should have brought those. So why do we want to bypass antivirus? Well, one, it saves us frustration. You know, if we're running, you know, Mimikatz, which is a very popular penetration testing app, you know, it's detected by antivirus. So, you know, I mean I personally myself on an engagement turned off antivirus on a client's computer just so I can run Mimikatz. So, you know, to be able to evade that completely and not to worry about, like, editing something on a client's environment, you know, I don't do that anymore. It also allows successful delivery of payloads. You know, the last thing I need is an IDS, or even just an HIDS, a host intrusion detection system, to be blocking anything I'm trying to run, or I'm trying to compile code that, you know, for some reason is flagged, you know, because it's shellcode or, you know, it's a little bit, I don't know, like a process hijack or anything like that. And like I said before, it's better than turning off antivirus. Now granted, you can easily do these three simple steps: click the taskbar, just click the little Symantec icon, or whatever AV, I didn't say Symantec, whatever AV, and click "disable antivirus protection". But as you can see, you know, that causes a lot of problems, and I myself personally have been getting kicked out of boxes because it has created a log event that an admin has seen, and they're like, that's not right, and I've gotten shut out of boxes before. That's something I don't want to do, and that a lot of penetration testers don't want to do either.

So, getting caught by antivirus. So how does antivirus really catch viruses? So it works on signature detection, and if you think about a signature, it's like a fingerprint of any virus. Just as people have fingerprints that identify who they are, antivirus, or malware really, has signatures of each individual variant, and that's cool and all. It's based on the file content, or can be based on the hash of the file, and how it works is very simple. So say we have a file here and we want to determine if it's malicious or not. Our antivirus engine will compute a signature of it, and it will compare it against the current internal virus signature database, and if it matches a signature, all right, it's malicious, let's get rid of it. However, if it doesn't, it's not malicious, or at least we think so. And one of the, one of the issues I had, I expected this with this PowerPoint really, but it also proves the file content power, the power of antivirus, is I'm going to put this PowerPoint up on my website to download. Try to send it in an email to anybody: the reason you cannot send this, and I've actually tried to do this, is it gets blocked because of the string right here, and if anybody doesn't know, it's on the board really, but this is the EICAR standard antivirus test file.
Basically, if you put this in right now in Notepad, I mean it's kind of like impossible to type, but if you put this in Notepad and saved it, it would actually come up as a virus. It's not really, like, a malicious virus, but this is what vendors use as a test to make sure their AV system is working. Well, like I said, because this is in this PowerPoint you can't send it; it thinks it's that virus. So other ways antivirus will catch you: it does scheduled scanning for malware and it also does real-time scanning. And real-time scanning is basically when you try to access a file, you try to open up a Word document, whatever, or you're trying to run a process, it says, hey, before you get that process access, let me look at this first. And it goes, it scans it, and then if it's bad it says, no, you can't open this. As you've probably seen before, trying to open up, like, any malware, you know, for testing, or something that you might not think is malicious, and it blocks it and it's like, hey, you can't do that. But if it's not malicious it just lets you open it; you don't even notice it happening. It's not as reliable as you think it is. The problem is, if there's not a signature for that antivirus, or that malware, I'm sorry, then it won't get detected. So basically if there's a new piece of malware that just came out yesterday and your AV vendor has not updated your signatures, or you just didn't update your signatures because you didn't feel like it, you're going to get infected really quickly.

There's also a feature that's very old in antivirus but it's really had not much use until now. It's called heuristic detection. Basically it detects the actions of processes, so depending on, like, what it opens, what it does, it tries to see if the process is acting malicious. And it's kind of useful because you don't need a signature to detect if that's a malicious process. If this process is, you know, opening like 30 files at once, all right, that seems kind of weird, when does a process ever do that normally? There are some cases, but it's a better method of detection and it is a fast response to emerging threats. So if a new variant of malware comes out today and it does something that's commonly known as malicious, heuristic detection will at least say, hey, you know, that's malicious, let's stop that, even though I don't have a signature for it. And, you know, like I said, it also detects non-signature-based malware, or malware that's not listed, as well. And this can be seen in a couple of products that have been out recently. Malwarebytes has a new anti-ransomware program, and this is kind of what I was getting to with the 30 files open, is that this program doesn't have any signatures for ransomware. All it does is say, hey, is process A opening a buttload of files? If it is, it's got to be ransomware, let's at least stop it or kill it. And the same thing, Patrick Wardle, an OS X security researcher, also released a program called RansomWhere, and it really does the same thing. It doesn't look at the signature of each process and say, hey, is this malware, is it not; just, hey, is this process acting fishy, is there something weird about it, and in the case of ransomware, is it opening a buttload of files?

So now we kind of know how antivirus works. There are some ways currently, right now, to bypass antivirus. One is encoding and encryption. And if you've ever used Metasploit, one of the options when you generate a payload in Metasploit is you can say, hey, what encoder should I use? There's a couple ones like XOR, polymorphic, and basically what they do is they change the underlying machine code, what it looks like, but your code that you want to run is exactly the same. So if you have, I don't know, shellcode that shuts down the system, really simple shellcode, it will look different if you use a different encoder, which is the same thing always. And it used to work really, really well. The problem is signatures have caught up with them, so any piece of shellcode, really, even, you know, the basic bind shell, if you upload it to VirusTotal it'll come back with like 30 hits automatically. You also have loaders. They're commonly used in ransomware: a non-malicious, or a non-detected, file that, when downloaded to your system and you run it, it'll download the malware, basically, so it avoids being detected by real-time scanning, because you're not opening the file yourself, a program is downloading it for you and running it. Now it can get picked up, so it's not super successful, but in cases of new malware like ransomware, you know, it's a little bit easier for them. Yes, thank you. Also custom-written malware, so your zero-days, you know, from, like, any other country, or even the United States, the NSA for example. Anything that's not mainstream falls into this category. It's not a real protection, but it's one way to get around it, by coding your own malware and then sending it out as quick as possible. Lastly, the other popular one, the Veil framework. The Veil framework actually has a lot of payloads, including ones in Python, C, Go and PowerShell, and actually you can do memory injection with it as well, which we'll get into soon. What it does is allow you to create undetectable executables, so if you do have a piece of malware that's detectable, you can use the Veil framework to encode it in a payload that will at least render it somewhat undetectable.

So, what is memory injection? So like I said, the Veil framework does use memory injection. So memory injection is the procedure of adding your own code to a currently running process. It's not always malicious as you might think; it's actually used in a lot of PC modding programs, debuggers, Windows system processes do use it, and other extensions to Windows programs do use this as well. It also allows your custom code to run in the same context as the process that it's injected into, meaning if a process is PID 1000 and you inject code into PID 1000, you are now PID 1000. So you are now that process even though you're not that process's code, you're your own custom code. And basically this is how memory injection works. So I chose calc.exe because BSides Las Vegas this year, their motto was actually "popping calc.exe since 2008", so I thought it was, you know, kind of good to choose calc.exe. So we have our process, proc.exe, and we have calc.exe. Now you'll notice that, including the instruction code, you have a block of free space, and every Windows process, at least on 32-bit systems, is given at least four gigs of virtually allocated space. Not, not to have that much space in RAM, but it can virtually allocate that much. So what'll first happen is our process will call the Windows API call OpenProcess to attempt to get a handle to that process, and if we have access rights we will get one back, and we will get a handle to calc, and it's basically a pointer into memory where calc.exe is. Next we're going to call VirtualAllocEx. What this does is it allows us to allocate a space in memory of whatever size we decide. So if we were like, we want, you know, a thousand bytes in memory, if we have a handle, we have access rights, we can do that. So we call VirtualAllocEx and we create some space in the process. So now we've got this new free space and we've got the handle to the memory block given to us, and then we call WriteProcessMemory, and like the method's name says, it allows us to write our own code into this free space of the process. So now our own code's residing in somebody else's process, and then we call CreateRemoteThread. Now here is really where it all happens. CreateRemoteThread now allows us to trigger our own code at the instruction pointer of our new code, in a new thread under that process. Basically what it means is now we can start our own code under whatever the process calc.exe is running as. So once it happens, calc.exe is now pwned. We now are running our own code under calc.exe, and unless you're looking at it really closely you're not going to notice that calc.exe is now doing something malicious.

Now one important thing in memory injection is that you need to have rights to that process. I can't just go and inject into svchost.exe because I feel like I'm really cool; it doesn't work that way. If I don't have access rights, I can't do it. Also, since it's used by malware, antivirus does pick this up. It's called a process hijacker, and a lot of common antivirus products will immediately red-flag this, like, hey, that's not possible. The one benefit of it is it does evade real-time and file scanning, as there's nothing written to the disk. All this is happening in memory, so we're not making any changes to anything physically on disk that can be accessed forensically, except for memory, and we'll get to that.

So one of the ways you can practice memory injection is with Python. These two great books, Black Hat Python and Gray Hat Python, cover this in detail, and it's really awesome. The only downside to this is Python has to be installed on the computer you're targeting, and Python 3 has a lot of issues with it. I've tried Python 3 personally and it does not work. Python 2.7 is the best one that works with this. You can compile it for compatibility; however, one of my favorite Twitter statuses is "the worst part about compiling Python into Windows binaries is the part when you get repeatedly punched in the throat", and I feel like that is really true. And compiling a Python executable is kind of difficult. I mean it works, but it doesn't really work super well. You don't get just a single EXE and you're like, okay, cool, I'm just going to email this and pop somebody's box. Doesn't work. You get like nine files in a zip file, so you have to email nine files to your target, like, hey, can you download these, put them in the same directory for me, and then just execute that one that's right there, thanks. But, like, you can do it in a self-extracting archive, so if you have, like, a 7-Zip SFX, or use AutoIt, which is another program that allows you to do something like this, it does look a little bit suspicious when you download, extract a bunch of files to temp, and then, you know, start executing a bunch of stuff from there.

So one way to kind of combat this is called process-local memory injection. What this does is inject malicious code into our own running process, so we're not targeting somebody else, we're targeting ourselves. And it sounds kind of weird at first. It's not detected as a process hijacker due to the context, meaning that since we're affecting our own process, antivirus is like, hey, you're not messing with anybody else, I'll just leave you alone. And it's also a payload type in the Veil framework, and actually this is one of the main shellcode injection vectors in the Veil framework itself. So this is kind of a little representation of how local memory injection works. So you have your own stack here of your own process, and you basically call the same functions that we called in our previous example, you know, OpenProcess, VirtualAllocEx, WriteProcessMemory, and, you know, we can write our own code here, and then, bang, our process is now running malicious code. And you think, well, wait a minute, why would I want to run malicious code in my own process? Well, one thing it does is it does evade AV, and I'll show you. So this, for example, is just me running it with a server. I created a box that had a bunch of antivirus programs on it, as many as I could possibly put on there without them failing or crashing the box. So first of all, I try to do Meterpreter, which is highly picked up by antivirus, on every single antivirus program there is. So this is just an encoded Meterpreter shell, and as you can see, as soon as I run it, it's picked up immediately; I don't get the ability to run it. So now, oh, and this is the VirusTotal scan of that file that I just ran, just for kind of context, and this is how bad it is being detected. So this is local injection. So this code I'm going to upload to GitHub as well. This is a Python file that has shellcode for a Meterpreter shell inside of it, and it's the same box running the same antivirus programs. So I'm going to go ahead, and I ran it, so I'm injecting code into my own process, and I go over to my Kali box and I get a Meterpreter shell, and my antivirus did not pick that up at all. So I'm now running a Meterpreter session freely. Now the one caveat to that is, I will say Symantec, which is one of the antivirus products that we did test, does have a very good firewall that does pick up Meterpreter no matter what. So even if you use HTTPS or you use a bind shell, reverse shell, anything, it will pick it up. That's the one caveat, the only one that was able to pick it up. But once we disable the Symantec firewall, we're going to get past that.

So why does local injection work? Well, like I said before, we're not touching any other process in memory at all, so antivirus is like, hey, cool, no matter what, you're messing with yourself. And also this does happen; processes do do this themselves, it does happen naturally. And also antivirus doesn't actually scan the memory of many processes at all. There's only a couple that do scan it, and a lot of this isn't picked up. Now, why local injection sucks. The reason it kind of sucks is you're still running your own process. So if you download a file, that's stupidfile.exe, and it does this, stupidfile is actually still running on your system, and might even be doing malicious stuff. So as soon as you do something malicious, like you migrate Meterpreter, or, I don't know, you try to do an LSA dump and dump, like, hashes from Windows or dump credentials or anything like that, it's going to pick it up and say, hey, wait a minute, that doesn't seem right, and your file is going to get deleted and your shell's gone. So basically it works really well, but the execution is not really there. So this is because of AV heuristic detection, and I kind of went over a little bit what it really looks at: what the process is doing. So, is there a known process? Is it a system process? Is it explorer.exe? Is it regedit.exe? Is it notepad.exe? Who's the user running it? Is SYSTEM running it? Is NT AUTHORITY\NETWORK SERVICE running it? Is Bob running it? You know, is Joe running it? Also the execute path, so, you know, where's Explorer running from, where's svchost running from, where is Notepad running from. And it also looks at network connections made. I mean, you know, if you have notepad.exe having a network connection out to, I don't know, China, that does kind of look suspicious. I mean, Notepad doesn't even connect to anything on the network, so that already does look suspicious. And it really leverages threat intelligence as well. So for example, I have a bunch of processes on this board. So there's a couple of processes on here that are completely not good, they're malicious. Just by looking at the information I gave you, can you think you could spot any process that is malicious?
So if you got these two, you got them right. Notepad never runs as SYSTEM, and the funny thing is a lot of pentesters will actually start Notepad from Meterpreter and migrate into it, and that's what you'll see this from as well. This one looks really suspicious. I mean, a lot of malware does do that, where it drops a file that looks like it has the same name as a common Windows process, such as svchost, and then when you go into Task Manager you don't see the exact executable path, like, oh, that's fine, you know, I've got svchost running, not a big deal, but it's running from the temp directory. So basically, going back over it, you know, as you can see, the process path: svchost is never located in temp, it's always in C:\Windows\System32, and you have Notepad running as SYSTEM, which never happens.

So Windows APIs are also checked by antivirus as well. So what antivirus does is look at API calls that you make, and it checks the context to see if that looks malicious, and what I mean by context is this. So if you have winword.exe, which is the process name for Microsoft Word, and it tries to open a handle to winword, Microsoft Word, so it's opening a handle to itself, do you think antivirus is going to let that happen? It is. This is opening a handle to itself; it's like, okay, whatever, you can do that. So now we have our process called proc.exe. It tries to open up a handle to winword. Again, do you think antivirus is going to let that happen? That would be nope, it's not going to happen. What, that's a process hijacker right there. They're saying, okay, you want to inject memory into winword? We're not going to let you do that. Now we have rundll32, and it wants to open up a handle to winword.exe. Do you think this will be allowed? If you said yes, you are right. The reason being is this is a system process. It's like, hey, this is system, it obviously does this, so why would I disallow it from doing what it's supposed to do?

So, going over really quickly, before we get into the exploit, the API calls. These are some of the API calls that are actually monitored by antivirus, and these are the ones that actually can do the most damage. So we have CreateRemoteThread, which I used in my earlier examples, and like I said, it allows you to create a thread in another process that is not yours, I mean, or it can be your process if you want it to be. NtCreateThreadEx, this is the beauty of Microsoft we're here, people. This method is not documented anywhere in any of Microsoft's documentation, it's not, and it's actually the most effective, the best working method for doing memory injection. And calling NtCreateThreadEx does the same thing as CreateRemoteThread, except for some reason NtCreateThreadEx works on 64-bit systems and CreateRemoteThread does not, but it's also undocumented, so I have no idea why Microsoft did that. WriteProcessMemory, I also used in my previous example; like I said, it allows you to write content to process memory. OpenProcess I've also used, for opening a handle. This one's a little bit of a new one; this is used in Meterpreter a little bit. It's LoadLibraryA, and you can also have LoadLibraryW. What I use is A in this example, and basically when you call that, you call it with a DLL path, and it allows you to load any DLL into your current process, and we're going to use that in one of our examples.

So back to our one example where we talked about context, is that we noticed that rundll32 was allowed to open a handle to winword, and that's because of AV trust. AV inherently trusts system files, and the reason being is, in 2008, I can't mention the vendor, but if you go to the link you can look it up, this vendor had a signature that detected a Windows native program as malware. And you're like, okay, what's the big deal in that? We detected it, deleted a critical system file, and everybody that was like, oh, I'm cleaning malware, my system could no longer boot their operating system anymore. So to prevent that, AV does permit system processes, and Windows data files, especially because it's got to save itself from being flagged as malware. So it's like, hey, if, you know, Explorer's trying to do something malicious, but it's just opening a handle or it's writing memory, okay, that's fine, whatever, I don't care, same if a Program Files program is doing it as well.

This summary leads us to our exploit. So, you know, right now, as you can see, we have a couple of things that in combination could kind of work together. So we have memory injection that could hide our code; currently we can only do it in our current process, and we're thinking, okay, whatever, that's cool. But also AV has an inherent trust in system processes, and actions by system processes are trusted, all right? So really all we need is a system process that can run our malicious code for us, all at the same time looking like a system process and acting like a system process. And our answer, as before, is rundll32.exe. So, and just to note, on our next exploit I had to use bind_tcp just because Meterpreter was having issues in my example. The one good thing is, I tried to generate a bind_tcp exe to show you how AV will pick it up; I couldn't even copy it over to my VM, that's how bad it picked it up. As soon as I copied it or even touched it, it was like, nope, you can't do that. So that's how easily the code we're about to run is being picked up by antivirus. So, and I have Sysinternals open in the background, you can't see it very well, but I have Sysinternals open in the background, that's going to show my connection. So right now, why does the quality look so bad? Let me fix it. Sorry about that guys, I don't know why it looks really crappy. It looks a little better.
So we've got our compiled exe over here. So now we notice, we clicked it and it ran, nothing happened, our process closed. So I'm sitting here waiting, I go over to my box, my Kali box, and look at that, I got a reverse shell open, completely, even though antivirus was on the system, it did not pick it up at all. So, and the greatest thing, I look at where I'm running as, and I don't know if you can see it, but I infected the antivirus process. So my code infected antivirus. So not only am I running a shell undetected on the system, I actually infected the antivirus product itself, and honestly I did not deliberately attack the antivirus process, but I thought it was kind of ironic that antivirus was now doing my bidding.
No, well, because of the fact, I'm, well, because I'm housed in the AV process, it wouldn't know. If I was housed in, like, I don't know, uh, the Java update scheduler, yeah, it would do that.

So that's my video, it comes up, so what happened... oh, there it goes. I think I infected the projector, I might have done that by accident. So what happened? So what did we do that allowed us to get to where we are now? So our main process takes itself and dumps a DLL into the temp directory, and that DLL contains our shellcode and instructions to do its next job, which, what it does is, it gets launched by rundll32. So my main process calls rundll32 with our dropped DLL, and now our process is running as rundll32. So our DLL now enumerates all running processes, and it's like, okay, I want that one. So we pick a process that's not going to make the system crash, which I have done, I blue-screened the box a couple of times testing this. But once we pick our process that meets our requirements, we're going to inject shellcode into it, and because we are running as rundll32, antivirus doesn't pick it up. It says, okay, you want to do that, go ahead, and then the shellcode runs. So in a little graph, because it's kind of step by step: we create a DLL file, we call rundll32 to execute that file, our file then enumerates all processes and it picks out a specific process, and then we inject code into it and then start our malicious thread, and then we now have malware on your machine without being detected.

And as a bonus video, I'm not, I don't, I'm not supposed to call out vendors for antivirus matters, but if any of you guys have heard of Microsoft EMET, the Enhanced Mitigation Experience Toolkit, it's supposed to protect from buffer overflows and injections and a lot of things for Windows, and it's constantly updated. The problem is I tested it this morning and we wrote a bypass for it. It's our little bonus video. So we have EMET here running and we have our code again, so let's run our code this time, again with EMET running in the background, all right, in the foreground really, and you'll notice it takes a couple of seconds to load.

There it goes. So you notice we infected PowerShell, the PowerShell process that was running, we now infected that, and now I have another reverse shell on the system, completely bypassing all technical controls put in place to prevent something like this from happening.
So, compatibility. I did test this on numerous versions of Windows. I kind of said screw Windows 8, because who really uses Windows 8. My main test bed was Windows 7, it works fine, and I also tested it on Windows 10, even though I don't know if anybody really likes Windows 10 either, and it worked on Windows 10 as well.

So now we get to detection and prevention. So how can we detect this? It's actually very hard. Has your AV caught it? Nope. So, detection. One of the ways we can detect it is, I use a program called Redline. Redline does analysis of memory currently running; it has to dump it first, and you can use it to analyze memory. Redline did see it in there, so if you do have Redline installed on your machines it will pick it up, not directly in real time, but you will be able to detect something like this going on. Volatility, Volatility is more of an after-the-fact, you know, process, so if I happened to be dumping memory of the host as I was doing this exploit, then Volatility would definitely work. I would have to run, I'd have to tell it to look for injects in Volatility, but I can definitely see that, and any memory forensics tool would be able to see this, because this is really a memory-only thing.

Prevention. How can we prevent something like this from happening? How can we prevent someone even getting infected like this? One thing we can do, we can flag the DLL itself or the loader as infected. Now this isn't a permanent solution, as one little code change, one little byte, immediately will change the signature of these two files, and, you know, we're just doing it all over again. It's like cat and mouse. One thing we could do with Windows to bolster security in itself, we could force DLLs to be signed in order to run. So I couldn't run a DLL or inject a DLL into a process unless it was signed by an appropriate signing vendor, and this would prevent, you know, a lot of these attacks from happening. Now, state-sponsored, you know, would maybe have the money to buy a CA to do this, but, you know, Joe Blow that wants to infect you with ransomware won't have the money to do that. We can also disable loading DLLs from non-program directories. I think that's the most important one. I loaded this DLL from temp. I don't see a real reason to load DLLs from temp ever; there's no real reason to do that, and if you do, it's kind of a bad program. DLLs should only be loaded from C:\Windows\System32, or C:\SysWOW64, or Windows\SysWOW64, or the Program Files directories, that's it. It shouldn't be loading from your temp folder, from your AppData\Roaming; it should just be loaded from those directories, and that would prevent something like this. Because also, we don't need admin access to run this exploit; in order for us to be able to drop a DLL into Windows\System32 we need admin rights, so at least we would, you know, control our surface area just a little bit that way, unless we happen to find administrator, not granted, that's even worse, but it would lower the normal users from being able to be exploited by it. The second, or the last one really, is a big one as well: have rundll32 specify the DLL it's running as the application. This one is kind of big. If you ever open up Windows 7 and you open up a photo in Windows Photo Viewer, it says rundll32. It doesn't actually say Windows Photo Viewer, because Windows Photo Viewer is a DLL, it's not an actual program, and that's kind of one of the problems, is that when you run a DLL you only see rundll32, you don't see the program that's behind it, or the DLL that's behind it, really controlling the show. So if we had it so rundll32 says, I don't know, temp.dll or dll1579.dll is running, you'd be like, okay, that's kind of weird, that's a weird name for a DLL, that shouldn't be running. Or if you have, like, shell32.dll is running, then maybe, you know, you can see kind of what's running on your computer instead of just five processes of rundll32 running and you not knowing what's actually there.

Lastly, once I finish this, I'm going to post the code to GitHub. It's, it says "currently", but I don't have the chance right this moment to post it, but once I do, I'll post the Python code; I won't post the C code. I'm removing the shellcode from it just to prevent myself from liability, but feel free to put your own shellcode in it, I don't care. You can also get more information, and my links, at the link right there, iDigitalFlame/iym. It'll take you to a page that has a link to GitHub and the links that I put in previously on the other slides. And actually I've gone a little bit fast, so does anybody have any questions? I know it's kind of a lot. Good.
Now I'm using py2exe. I mean, I don't know what that person was using. I mean, I thought it was really fun, it's, uh, but yeah. Oh, you can't do that? That's a good idea, okay, I didn't know that, thank you. Off the, off the, I'll talk to you after, write that down. Any other questions? Good. Yeah, I mean I could, but I don't want to, you know. Yeah, I mean, basically a great number of AV products that I've tested have not picked this up. So, you know, I mean there's antivirus products I don't even know, there's probably ones, like, not even in English, just like there's like fifty thousand browsers. So there, I mean, there may be one that picks it up, but everything I've tested, the answer is nothing. So, any other questions?

Yeah, it's a Windows-only tool. It's, I think it's made by FireEye. Yeah. Any questions? Cool. Appreciate you guys for listening, thank you very much. [Applause]
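A defender's version of the process-context heuristics the talk walks through (known binary in the wrong directory or running as the wrong user, and rundll32 pointed at a DLL in Temp or AppData), as an added example that is not the speaker's code: it runs those checks over a constructed process listing. The dataclass, the function names, the directory lists and the sample records are assumptions of this example, not anything from the talk's tool.

```python
"""Process-context heuristics of the kind the talk describes: a known Windows
binary running from the wrong directory or as the wrong user, and rundll32.exe
loading a DLL from a user-writable location such as Temp or AppData.

Added example, not the speaker's tool. The records at the bottom are constructed
sample data shaped like a Task Manager / Sysinternals listing (pid, image name,
image path, user, command line).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath

SYSTEM_USER = r"nt authority\system"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directories the talk names as the only legitimate places to load DLLs from.
PROGRAM_DIRS = SYSTEM_DIRS + (r"c:\program files", r"c:\program files (x86)")
# Path fragments that mark a user-writable location (assumed list).
USER_WRITABLE = ("\\temp\\", "\\appdata\\")

# Per image name: expected directories, and whether running as SYSTEM is normal.
# The talk's two board examples: svchost only lives in System32, Notepad never runs as SYSTEM.
KNOWN_BINARIES = {
    "svchost.exe": (SYSTEM_DIRS, True),
    "notepad.exe": (SYSTEM_DIRS, False),
    "explorer.exe": ((r"c:\windows",), False),
}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    user: str
    cmdline: str


def _dir_of(path: str) -> str:
    return ntpath.dirname(path).lower()


def _under(path: str, roots) -> bool:
    """True if the file's directory is one of roots or a subdirectory of one."""
    d = _dir_of(path)
    return any(d == r or d.startswith(r + "\\") for r in roots)


def rundll32_target(cmdline: str) -> Optional[str]:
    """Return the DLL path from a rundll32 command line ('<dll>,<Entry> args'), or None."""
    rest = cmdline.strip()
    # Drop the rundll32.exe token itself, whether or not it is quoted.
    if rest.startswith('"'):
        rest = rest[rest.index('"', 1) + 1:]
    else:
        rest = rest.split(None, 1)[1] if " " in rest else ""
    rest = rest.strip()
    if not rest:
        return None
    if rest.startswith('"'):
        dll = rest[1:rest.index('"', 1)]
    else:
        dll = rest.split(None, 1)[0]
    return dll.split(",", 1)[0]


def check_process(p: Proc) -> List[str]:
    """Apply the talk's context checks; returns the reasons a process looks wrong (empty = clean)."""
    reasons = []
    name = p.name.lower()
    if name in KNOWN_BINARIES:
        dirs, system_ok = KNOWN_BINARIES[name]
        if _dir_of(p.path) not in dirs:
            reasons.append(f"{p.name} running from unexpected path {p.path}")
        if not system_ok and p.user.lower() == SYSTEM_USER:
            reasons.append(f"{p.name} running as SYSTEM")
    if name == "rundll32.exe":
        dll = rundll32_target(p.cmdline)
        if dll is not None:
            low = dll.lower()
            if any(m in low for m in USER_WRITABLE) or not _under(dll, PROGRAM_DIRS):
                reasons.append(f"rundll32 loading DLL outside program directories: {dll}")
    return reasons


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that trips at least one check."""
    findings = {}
    for p in procs:
        reasons = check_process(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample listing: three clean entries, three that the talk's checks should catch.
SAMPLE_PROCESSES = [
    Proc(800, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM", "svchost.exe -k netsvcs"),
    Proc(1337, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", r"CORP\bob", "svchost.exe"),
    Proc(2200, "notepad.exe", r"C:\Windows\System32\notepad.exe", r"NT AUTHORITY\SYSTEM", "notepad.exe"),
    Proc(2300, "notepad.exe", r"C:\Windows\System32\notepad.exe", r"CORP\joe", "notepad.exe"),
    Proc(3100, "rundll32.exe", r"C:\Windows\System32\rundll32.exe", r"CORP\bob",
         r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL'),
    Proc(3200, "rundll32.exe", r"C:\Windows\System32\rundll32.exe", r"CORP\bob",
         r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\dll1579.dll,Run'),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print(pid, "; ".join(reasons))
```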