Malware Development: System Calls

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
all right so picture this you're taking a hot shower one day and all of a sudden your schuma addicted friend calls you let's call him I don't know what's a really stupid name befitting a perilous Heathen um zedi so zi who's a terrible influence by the way calls you and says C def con zero traffic light protoc what the death conon zero traffic light protocol red I used your ntapi video to test my organization and it immediately got caught now we're under cyber lockdown uh okay so obviously one your parietal bone imploded or something you must have missed a 30 quadrillion disclaimers I put in my videos or descriptions or whatever and two listen this is just a borked engagement it happens sometimes you know just let them know oh about that you see they actually know that someone would be testing and we didn't really have an official engagement planned okay so right all right zti basically what you've done here is the whole threat emulation thing without the emulation part huh you fing convict you fing Bandit what no I said earlier that there's so much more to malware development and it only starts getting deeper and more interesting after we pass the realm of win API that isn't to say that win API in itself is boring there's a lot of stuff you can do still but we start getting really Advanced when we leave that road behind you know maybe it's my own fault for uploading once a decade oh [Applause] well I guess today is the day where we learned to peel back another layer on The Moldy onion that is Mal word development and really make something that's pretty cool and for the most part actually pretty capable now expanding on that last claim these techniques aren't zero days or some stupid [ __ ] like that these techniques have been around for a while and you won't find some sort of clandestine quote fully undetectable end quote techniques here especially not from a head ass like me there's also a claim to be made that the idea of fud in itself is somewhat paradoxic IAL but hey this is hacking time not Dr Phil philosophy time thank you I I won't be here all night there's just so much to consider When developing your malware too many things to list here attempting to do so would be like holding a grain of sand to the Stars showing just how much actually goes into all of this and how many compositions of techniques researching experimentation and more is required however these techniques are for the most part techniques that we can employ that will bring us up from that beginner skill level all the way up to the lower inter media is level of malware development you know maybe even really close to Advanced so congratulations you're officially not a beginner anymore C there's too much where the hell do I even begin man there's too many techniques I I need a structured approach to learn all of this hey man I get you and I come bearing gifts as well what what gifts well 10% off the sponsor of today's video of course malev Academy what better way to learn the ins and outs of malware than a platform made solely for that purpose and made with an efficient and structured learning method in mind where you can go from zti to mob boss you really can't go wrong here there are constant updates always happening so much content already on the site as well as so much more planned you remove the hassle of setting up a development machine because these gods have so graciously gifted Us One to begin developing code right away with no extra setup required you're given modules with extra objectives so that after you finish a module you can apply what you've learned practically or solidify your learning you can also download the code of the modules and see if you on the right track or expand upon what you've learned and if you need more of a challenge then the challenges tab is your best friend providing you with real practical scenarios that you can Implement in your code or help crystallize your skills one of the biggest draws about this entire platform is the Discord server where you can find gods of exploitation and beginners all in one place constantly helping each other out having a laugh and requesting features with the incredible Founders so eager to implement them you wish there was something on the site in ter terms of content or features or heal even in the server or request away that's how certain modules even came to be it's a very community-driven project and the community itself is very tightly knit I love you guys we love you too CR oh yes especially me I love you the most thanks Havoc author spider so please find the pin comment below or the first link in the description to get 10% off your order and start developing them out where you want to and you deserve to today let's get back to the video and so in this video we're going to cover what happens in the of Colonel land will Implement an ejector that uses direct CIS calls and finally make an injector that uses indirect CIS calls TC mandatory disclaimer for the two lead to care thugs watching this video like that blasted zti character let me remind you that doing any of what you may see here against anything you do not own is illegal like crazy illegal I'm not going to be held responsible if one day your prefrontal cortex misses a quick Time Event and you end up attacking someone or something without their explicit written permission that's on you we're doing this strictly to understand how certain samples of malware employ these techniques so it's solely for educational purposes with that out of the way let's do a little [Music] recap starting off in userland we know that most of our functions that we've been using up to this point come from a library called kernel32.dll functions we've been using like open process virtual outlock create remote thread X sequester your soul whatever it is we call those functions from our programs when we issue out that call within our program what happens next is the following the call gets forwarded down to an intermediary module called kernelbase.dll which we already know sort of just acts like a proxy after a stupid little function goes on with its belligerent ass Journey inside of Kel base it eventually finds itself jumping into antd if you will recall this is a library where the native API functions are exported from and the native API is the unobstrusive ndl the function moves in its dedicated CIS call number or system service number into the eax register it then does a quick check to see if the Legacy instruction is going to be used or the newer and hotter CIS call instruction is to be used which we already know is decided by what value is inside of the system call member in the K user shared data kernel structure finally it's entered into the threshold of the kernel by using the CIS call instruction where it's then actually ran at a little side note about step three we know that this instruction gets chosen over the CIS call instruction if we're on 32 bits systems but we also have to remember that there exists a CIS enter and CIS exit pair you know they're preferred but that's more on that later so yeah we know that it only happens if we're on 32-bit systems which is why we sometimes refer to it as a Legacy instruction but that's only part of the picture the hex 2E interrupt can actually be set on your machine for a couple of different reasons the most obvious or predominant reason for its invocation being that yeah your machine is on the 32-bit architecture another way this can be set though is if you have credential guard enabled we'll talk about credential guard in another video it's too beefy a subject to cover out a passing glance credential guard utilizes the hypervisor so it's virtualized which can actually handle the Legacy hex2 interrupt instruction a lot easier than it can a CIS call instruction even though the CIS call instruction is much faster like three times faster if I remember correctly the Legacy instruction for the hypervisor is just easier to process so that's just something to keep in the back pocket of your malev trousers which you should really really wash by the way now I'm not sure if you've ever tried reading about CIS calls or kernel internals for hours or days on end from various obscure resources but severe Insanity would probably be the best possible outcome honestly it kind of explains why some of you are the way that you are but now I've become one of you haven't I but worry not I'm nothing if not a vessel who depletes his own sanity for the masses thus I'll try my best to explain my [Music] findings the first thing that happens after CIS call instruction is issued is that the address directly after the CIS call instruction in this case the return instruction is placed into the rcx register this is done so that once we're in kernel mode we can return back to user line and continue our execution in the user space and we can also see this in real time with a debugger and we can see that this is also the expected behavior from the 5,000 page Behemoth that is the Intel manual so we're looking good here after this a really cool sounding register called The Long system Target address register or the I a32 lar places the value that it holds into the instruction pointer r IP now asides from sounding like something theing Avengers would have to fight it belongs to a group of certain registers which are called the model specific registers or MSR and there's a lot of them like hey let's just turn this into its own volume kind of a lot from the sections we see that there's two sort of subsections we have the architectural msrs and then from that downwards we have the actual specific msrs for each model you can think of the first section as the common msrs that you might find amongst all models or are most models and then the other sections being you know specific to a model so these msrs they're used for a lot of different things they were first introduced by Intel on the Pentium processor and because Intel added in these new kinds of registers they needed a way in order to perform operations on these registers such as reading or writing and so at the very least they had to add into new instructions for these msrs which would let us read and write to them and they're called the read MSR instruction and they write MSR instruction respectively you might be tempted to go out and run the instructions right away right now to see what you can get or set but you can at least not yet these two instructions belong to a group of instructions called the system instructions or privileged instructions and so you actually can't even run these unless you have ring zero permissions in other words you can only execute these instructions if you're in the criminal if you do try to execute these instructions from userland or when you don't have the necessary permissions a general protection exception is going to be generated basically Intel's way was saying so now getting a really small idea of what these msrs are and what the kind of used for we can go back to the lstar MSR you know that butter robot from Rick and Morty was like oh what's my purpose yeah the L star's entire purpose on this planet is just existing so that it can place the value that it holds into the RP register once a CIS call has been invoked oh my God now if you take a second to take this in that means that this MSR holds within it the first address or function that we will ever run as soon as we step inside of the kernel space and even better we can see this address well not from userland but we can see it so let's head over to a kernel debugger and actually read the value that's inside of here to see what our first steps in the kernel is going to be now before reading this though we need to find out the address of the i32 lstar these msrs have specific addresses in which you access them the Intel manual which I think I've started to love even more than the msdn at this point actually a lot more tells us that this register specific address is this that's how we read or write to it this is the address of that register now Pop Quiz we're attempting to read the value from i83 to lstar which is an m MSR which instruction do we use to do this and from where I know it seems like a very random address and I know I said you should visit my blog for the nitty quitty details but I can't help myself where the does this address come from why this specific address okay so it along with a couple of other msrs get initialized to specific addresses during boot time by the colonel the Ki system startup is the entry point routine of our kernel it's responsible for some basic initialization and to do that it in turn calls the Ki initialized boot structures routine which is responsible for setting our msrs if we disassemble this routine either through assembly or just see some code for it we can see that at these exact lines where our msrs get their funky addresses which will remain constant for us to read until we decide that we hate computers and Chuck ours against the wall just so it's less of a mystery seeing like all these instructions the way that the right MSR instruction itself works is it takes what's in the eax and edx register and writes that into the MSR register that we specify with ECX all right so we have this address what is it doing some quick little magic we can see that this is the Ki system 64 routine ah so this is the first thing we run after we invoke a CIS call yeah this is the first thing what this function does it's really cool we won't go super in- depth into it but I'll talk about what it does now before continuing we must look at the the CIS call number itself have you ever wondered what its deal is I mean we know it's sort of like an api's ID card right but we must ask ourselves the age-old question is there more to this seemingly uncomplex hex piece of text Bo yeah there's actually a lot more it keeps with it the index value which is the value we're going to be using to index the array of Kernel routines which we'll get to but that's very important because without it the colel won't know what the hell to run but there's also this thing called a table identifier which will fall into one of two categories either a guey function or a regular routine function now please do me a favorite and just read this incredible blog that can better outline the entire process way better than I could it's been my Saving Grace multiple times on my journey understanding this process and even now I still come back to it from time to time and I am completely in awe this is so well written and every time you read it you get something new from it so please check it out it's still one of my favorite pieces to read from time to time as well as these I'll have all of these Linked In the description should you wish to read more which you're heavily encouraged to do so So eventually our Ki system call function will end up calling the Ki system server this start routine in which a couple of things are taken from our SSN that we've stored in eax back in userland this routine retrieves a table identifier to determine if it's going to be a guey function or a regular old native function and it also extracts the system call index from our SSN as well all this is done so that we could provide this extracted system call index and use it as an actual index to the long array of Kernel routines so that we run what we're actually intending to run now this is done in the Ki system service repeat routine and the rout itself starts off by loading in the address which is what the Lea load effective address instruction does to the r10 and R11 registers the K service descriptor table is a kernel structure that's comprised of four system service table or SST structures these ssts that make up the service descriptor table looks like this and since we know that this is an array of a bunch of Kernel routines that the anpi is eventually going to execute in kernel land we can start looking into this to see these routines and how they're laid out starting off with the first routine we can find we know that in standard C programming the first element of an array is the same as the address of an array because well that's where the array starts from it's first element now dumping the first result we get the following which is the first routine that we'll see here and if we dump some more that we'll see that these are separated in four byte offsets so every four bytes we get a new routine so this is the index that we access and if we do some magic we can actually find out what function this is for 64-bit we have to do a little bit more work than in 32bit because in 64-bit we have some relative addressing involved but it's not too bad if we take a random CIS called number for example and add that to the address of the * 4 because of the 4X offset we'll find our function or we'll find the the routine that our function is going to call and then we can dump that to see that it matches up it's really cool now once all this is done the cisr instruction sups in to unfuck up everything that the call has [ __ ] up and from the Glorious manual we'll see that it does this by loading in the RP that we previously saved in the rcx register way back when we first issued out that's his called yeah we're back in userland ready to continue our execution now the especially malicious of you maybe thinking the following okay so if I just overwrite the addresses of let's say the i32 star with the ssdt then can't I just control the entire universe make the criminel run my code or intercept anything I want how nefarious of you yeah you could or at least you used to be able to it was really common for Security Solutions and now we're alike to place hooks on these execution flow directors but with the Advent of Microsoft's kernel patch protection kpp or as it's called by the cool kids patch guard any attempt now to overwrite or or hook these things will result in now patch card is not perfect of course and many cool bypasses and techniques have shown up over the years things like ghost hook Infinity hook B PG just to name a few and some of them were even being used by certain Security Solutions but for the most part patard does pose a pretty big prickly thorn in the sides of the unmotivated so there's that anyways back on [Music] topic let's Now cover what direct system calls are and make injector which utilizes recall how in the last video we removed the win32 API rappers that abstracted the NT API direct CIS calls remove the whole ntapi part and just execute the system calls directly you might be asking what's the point I mean effectively we're doing the same things right there actually is a very important reason why we might do this asides from going down a bit deeper and asides from removing another Spotlight on us there's one major practical reason why and in order to understand what I mean we must really quickly discuss what hooking is we'll go into Great Lengths about API hooking and the different kinds of hooking in another video because it's really interesting stuff and really fun but let's just paint a picture here with really broad Strokes say one day you decideed you want to ethically hack company Acme Incorporated and so you use the last thing you learned from this channel now asides from the Earth being on fire and you getting stun locked by interpole you realized that holy [ __ ] your malware was not only detected it was spotted shredded massacred and now it's been given to some nerds who are about to treat your sample like a ology experiment you couldn't have ever foreseen that Acme Incorporated had employed a brand new security solution oh and it's a big one theistic driven endpoint assistance for disrupting mother theistic driven endpoint assistance for disrupting adversarial schemes and strategies or head ass for short which is an allaround EDR xdr AV blah blah blah upon running your little NT API injector this Behemoth this Paladin of scrutiny and merciless ferocity destroyed your in its word cute little process but how we were under the impression that the further we go the less heat there is on us and yes that's definitely true but only to an extent the autopsy digital friend the autopsy revealed that this demig God of defense was actually hooking your calls to the NPI huh how well it turns out it has some nasty dirty little tricks up its sleeve as well so what it does as soon as your process starts running it injects its own dll into your process and from that point on it would hook certain call to commonly abused Windows API and Native API which you were definitely using and not hiding the fact that you were be using So what had happened was You' issue out your call to let's say n open process for example and where we'd expect a regular system call stub we instead got this hooked tripwire landmine nightmare scenario instead and as much as I'm fighting myself to not go on an hourlong tangent about API hooking and all the insanely cool methods you can use to unhook your hooked functions or libraries we have to keep this brief but if you guys want wanted enough I'll make a video on hooking and unhooking as well so let's aim for like I don't know 25 quadrillion likes yeah something like that the reason this is done is we have to first of all remember that how much easier it is for head ass to intercept and examine what's going on when you don't even bother using CIS calls for example let's take create thread or virtual outlock or something each of these functions in some way or another reference our payload it's one of their parameters is literally where to start from and because they have that reference to our payload like forus examp Le with create thread we have the lp start address which is literally where we tell it to start from and because in classic scenarios we want our payload to be ran when we create a new thread the start address of of the thread is just going to be our payload now the payload could be written down in a buffer through virtual outlock which will also point to that address where it's all stored thinking like the defense here if we're a security solution like an EDR and we've hooked the win API the ant API we intercept these functions with all of their arguments meaning that oh hold on we stopped create thread from running or hey we stopped virtual outlock or virtual protect for that matter even well let's see what it's trying to [Music] do all right so over here remember this is not meant to go in depth just a really high overview over here I have a classic thread hijacking program create a little process in a suspended State change the context thread and then update the instruction pointer to point to our payload and so if we press enter here it will run and we should get a so all right so we just allocate some memory to it we get the thread context the context just has a bunch of register States for our suspended thread so we start off the thread in suspended we get its context we change out its instruction pointer and then we set its thread again and resume the thread and then when it resumes it's going to be pointing at our payload which is allocated here and then press enter so yeah you see our payload worked properly now there many different ways to hook apis you can make your own little hooking thing you can use the library like detours or Min hook if you're a student from malev Academy what you can do is come down to module 64 this is calls user line hooking thing and they give us a really cool dll which just utilizes some API hooking and so if we take the dll which you can just download here I've downloaded it quite a few times just to show you what I've done is sort of just programmed a little bit extra from what they've given what they've given you is great you can use it and it'll help you understand kind of what happens with API hooking you can work around it if you'd like to or try to and so what we want to do is when this program runs we want to actually inject this EDR dll into our malware I've just added in some little things like logging utilities for me cuz I like to be very verbose we open this up in a debugger I use my favorite one but you use the one that you want to and so we have this command prompt open to actually inject the EDR DL you come into here once that's done you want to go into MK and dll injection this gives us the ability to inject a de into a process of our choice and so once we inject it we should see that it will pronounce it's message all right there we go it's so dumb it injects it prints out a little message this is not part none of this is part of our thread hijacking function so it starts it initializes the hooking Library it creates a hook I added in this hook but we're not going to see it here so I've disabled it but the anti protect virtual memory one is enabled and that's the one that comes shipped with the malev EDR that we just downloaded I've had it so that it detects and based and this might happen in edrs some processes do utilize these apis for proper use so what we want to do is Monitor whenever something suspicious happens like page execute read by itself isn't that suspicious if we had like page read right and then it went into or if we just started with page execute read write while full permissions that's really suspicious and most edrs will just kill your program but this I'll show that if we press enter now what's going to happen is the following 3 2 1 ah we got intercepted our API was hooked it hooked it read its arguments and when it did it noticed that Holy holy [ __ ] this is msf Venom this is this is Shell Code and over here we can see this is our thread hijacking output because it's not I'll put it in my beautiful logging Library bug so this is where we actually allocate our memory this isn't over here we see that we start off with the page read right allocation type right we allocate our payload to it but to make it executable we need to like have executable rights on our buffer in order to run our payload so what I've done here is just change it to rwx but you could also change it to RX and there should be logic with this EDR or something like that that detects these changes and then will act on it rwx is almost Overkill in many things so that this detects it and just kills it and when it detects it it dumps the memory right it saw that this is suspicious as hell this is malware this is Shell Code and then it terminates it and kills it and we can see we are left with no choices here remember this is not meant to be something crazier because we can literally make an entire video dedicated on API hooking like how there's inline hooking trampolines the different ways of bypassing in or unhooking there's so much that we could do so if you want to know more there are many resources for you to learn but I will eventually be making a video on this so just hold on a little bit and we'll get there I can't believe I almost forgot the most important part let's go look at the the CIS call stub and see how it's different forgot to mention that and it's actually very very important so we've injected our EDR so it's monitoring it's intercepting suspicious calls so if we go into symbols here and we go into into DL and remember we're we're intercepting in calls to and protect spiritual memory let's look for that we see that this looks nothing like a CIS call Stu that we've been used to it starts off with a jump instruction it jumps to something that we control and you're going to see me program out a dynamic CIS call retrieving function later on in direct CIS calls that's not going to work in scenarios like this because the offsets are going to be all wrong you could start the Base address and keep iterating until you find a specific off code or something like that but if you just rely on hard set offsets this is going to bork the entire thing that's what that looks like we can see everything else is just normal I also had virtual outlock hooked but I just kind of disabled it just so we don't get overloaded we should be able to see anti allocate virtual memory which is viral Alex thing and yeah we can see that this is also hooked so I hope that provides some insight let's just trigger this because we have to now beautiful and yeah we just stack over yeah so a little bit buggy but you know it works also in regards to the hooks remember that defensive Solutions don't typically hook all functions since only a relative ly small subset of functions are even used for malware if they did hook all functions it would be very cumbersome and it would come at the cost of performance there are many ways we could Implement these CIS calls there are dedicated tools that are designed for generating all kinds of functions and headers and all the assembly that you need but as an obsessive follower and believer in the understand something before you let something else do it for you approach we'll do everything manually here and of course there are many ways to do this this you can even do this all with inline assembly but unfortunately msvc which is the default compiler that comes with Visual Studio doesn't have support for 64 bit inline assembly yeah I know I know what the fck Microsoft but there are alternatives a great friend of mine introduced me to the Intel compiler which does let you do an inline assembly for both 32bit and 64-bit but there are other options out there which you can go ahead and try to find out for us right now this will be fine we'll just program it out in separate source files he [Music] w [Music] [Music] holy moly oh for [ __ ] sake I forgot that you know we're used to the windows types and I just wrote this all using standard C types so editing magic yeah so we can see from the main file over here instead of programming out the entire logic of the direct just CS implementation directly in main we put it as its own function it's way more modular this way say like we're building an injector with multiple different techniques like what I've done here you could just call these specific functions and just have it go like that asides from modularity I don't really understand the use cases for this it's not like you're going to be machine gunning a bunch of injection methods into the same process it's not really good for obac but you know I mean honestly that will be your guys's homework for the end of this entire thing you're going to take all the techniques that we've learned thus far combined into one single file with bunch of modular ass functions and then just see how many times you can open a calculator so we start off in our main function just by allocating our actual payload into the Tex section this is just one of the ways that we can do it remember there are different placements and different sections or places we can place our payload or we can stage our payload somewhere and get it from like a web server or the Windows registry out of scope here we actually don't want to have our payloads in our files this isn't completely finished by the way we're going to program out the assembly part soon yeah so we call out the direct assist calls injection function which it's a booing type so if it fails we'll exit out but if we go into the logic of this function and you're not going to see anything new here in terms of injection logic like everything that we've done up until this point it's the exact same thing it's just with lower and lower level apis which require a little bit more setup but the exact same logic is here even for indirect syis calls which we'll work on right after this the logic is going to be the same it's just the way that we incorporate the steps it's going to be different let me scroll down and I will have the ntapi implementation and I'll put it side by side just so you can see the differences between direct sour calls and ntapi in the logic of it so here all right now the biggest thing you will see is that in the middle chunk of our function where we would have get proc address we would have our function prototypes and we'd be casting our newly defined function names to our prototypes getting that address of that function so that we can use the NT API we are not doing that here because again if this was hooked we would be calling the ntapi and that would get triggered the hooks would get triggered it would see what we're running if it detected something malicious it would kill our program what we're doing here it's very very similar but all we're doing is we're going to be extracting the system call number from our function here so that we can take this Global variable I know Global variables horrible we can take our Global variables which are defined in our header file over here and then we can use that in our assembly file which we'll create in a second so that way we never actually call n API and even in our function prototypes or whatever we can see that no longer are we type definining a function prototype for us to use explicitly by using a address from get proc address what we're doing instead we're using the extern keyword telling the solution get this from somewhere else this is externally defined which in our case it's going to be from our assembly file and in our assembly file we're just going to be recreating the CIS call stubs of these functions aside from that everything else is the exact same we can just call it directly actually whereas with the NPI implementation we'd have to mold a new function based on our function prototype and the address that we got but this you can literally call directly because we're externally providing its functionality from our assembly file and so we just go through this and this should not be new to you cuz we've covered this in past videos so now we can go into the actual logic of the get CIS call number remember there are many different ways that we can dynamically look for CIS call numbers I think hellsgate was the first thing I ever read about Dynamic CIS call retrieval it's a really cool read read it here if you can it doesn't matter if you can or can't just you have to read it the reason I haven't hardcoded it in or I'm not going to be hardcoding it in into our assembly file that we're going to create is because CIS calls are undocumented they can and most likely will change from version to version build to build and so it's not reliable this isn't a perfect function by any means okay it won't work in all scenarios because remember our offsets will be all screwed up like we saw in the API hooking section most solutions will place a five by unconditional jump instruction in the beginning of versus call stub which we've seen but it works so over here we kind of see the logic and we'll come back to this once we're debugging just so it's super duper clear first we start off by getting the function address so we are calling getp address here which is not good for IAT stuff like your import address table having this function in there our program is going to be under a lot of scrutiny for having this and it's import address table so we are using get proc address but it's very easy to program out your very own implementation of get proc address and that kind of helps in a little bit but yeah so we get the address of the function that we're looking for it could be any function any ntapi function which is in s DL which is why we specifi this module handle cuz that's how proc address works we start from the Base address of that function and then at the offset of four which is going to be here what we're going to do is just get the first bite over here in this entire series and it's going to be much Clear once we start debugging this you'll actually see this happening real time we can show you that these offsets make sense we return whatever value we get it's really cool it's so simple it's so cool oh and then in case you're wondering what this is don't worry you'll get the source code I'll upload it to GitHub you can view all of this in case I like what the hell was that CR why aren't you covering every single line is we don't have time man we don't have time you can find it in GitHub though everything here we need to program out the assembly file because without our assembly all we have here is just a bunch of ghost code that literally won't do anything and it can't because we're directly providing the functionality from that assembly file well first and foremost actually if you've watched the self-d deleting malware video we've already set up maim before or the Microsoft Macro assembler which is what we're going to need to compile our assembly file but it's very quick and easy to set up so I'll just go over it again before I click on our project settings build depend IES build customizations and make sure this is selected if it's not we won't be able to select this type for our assembly file in our source files control shift a just call it something I don't know and in here our entire objective here in our assembly file is to one recreate the assembly CIS call stubs for every single function we use and two use the dynamically harvested CIS call numbers from this function which I have included as Global variables and in our assembly file what that would look like is the following in data we initialize these variables and in code is the actual like logic and code where we program this out you can see that for every single function that we used we just set up we just set it up directly so no longer has to go into ntdll and do this the only time we go into ndl is just to retrieve the addresses of these functions which we use only to get the CIS call numbers whereas with ntapi we get the address of the function and then we start executing from that address basically just executing the function and so we transitively do CIS calls but we don't directly do them with this though we are directly invoking these CIS calls all right so we move in the values that we get remember there are different ways to do this you can do it at compile time or run time or whatever blah blah blah it's the same thing over and over and but with that done oh and actually what we have to do first is make sure this is included if this item type is not set to Microsoft Macro assembler we have to set it and I just like to explicitly say that hey this is not excluded from the build and if you don't enable the build dependencies from ASM here this is not even going to show up so that's why you have to include that now we're ready to test let's just build a solution okay and compiles without errors for once holy [ __ ] [ __ ] let's see what this can do against our unassuming notepad process all right so here's our notepad now if we run this we should see a calculator spawning 3 2 1 let's go boy cool nice yeah look this is all directs and we can actually prove this spite debugging it and we actually should debug it just so we understand the logic of that harvesting function as well as actually proving that hey this is directly invoking C so first what I'll do is just this okay I'm just pick anyone I don't know why I have two open and what I'm going to do is come into debug properties debugging in set the command line arguments to our paid of our notepad and then we're going to start debugging this so start debugging Oh [ __ ] forgot to set a break point it's okay it's okay I'll set a break point a couple of different locations in the program just so we get the best idea of what's actually happening I'll do one at this function just so we can see the logic that's happening here and then I'll do another one here where we actually make our first call to a function and then in the assembly file I'll put one right here so if we start debugging we hit our first breakpoint because we want the address and and this is called number for n open process first the address here is going to be the address of n open process and coming down into our memory view we have the address of n open process right here and so we see that it starts off at the base and we know that this is the start of the function because these bytes are present and they're present for a bunch of different other functions right here these are all NPI functions all right so these bytes represent the move rcx into r10 instruction right after that we have our movie ax instruction right but at offset 3 so if we at 93 right so it starts at 90 when we go up three the offset of three we get to this line B8 26 and 3 zos this is this line right here where we move the CIS call number into eax and at the fourth offset which is what we're looking at right here is this cuz we're at three right here one more we have this value along with the three Zer so what we do here is just get the first bite which is just 26 and if we see here the is call number that gets returned if we step forward in instruction it's 26 it's very cool all right and then we can continue let's continue until we get to the next breakpoint which is going to be when we actually issue at that call to anti openen process within our direct CIS calls function so function continue oh it's going to continue until all of them so let's just yeah all of these CIS call values are populated we have the addresses of all these functions so now when we show our first call what we're going to see is that it's going to go into our CIS step which is really good because that means it's actually going to be running from here what we've defined so if we continue let's go here and step into look we see that we landed our assembly file and we can keep on continuing and look we at theist call instruction we had another break point if we continue now assist call will have been invoked let's just run that step in an open process there we go assist call was invoked and we were return out there we go anti open process has been executed now we continue and if we just skip over this there we go I hope that provided some insight into what's been happening here and now we can look into what happens with indirect C CS which is also really cool now one of the biggest issues with direct CIS calls is actually it's better if I just show you allow me to paint you a picture pretend for a second you're a defensive solution once again and suddenly a new process spawns it looks normal enough with n a suspicious string nor calls to those pesky little Wind 32 apis or native apis that you've come to know for what feels like eons now it looks so clean that you'd be tempted to eat off of it you let out a struggled sigh as you can feel the tenseness escape from your skeptically arched eyebrows the stakes are so measurably high you can't let another incident happen again not not after last time then as a lump in your throat grows larger emitting from the program a sound you've never heard before you slowly inch closer so dreadfully slow upon examining the program you can see that the program is invoking system calls and [ __ ] inside of it directly why the are you doing that hey why the are you doing that you say as deafening silence suddenly engulfs the room terrorizing your ears ringing M says the program going back to making those jarring noises which as you've understood by now was a signature unmistakable jarring sound of it is called being made I don't know what you're talking about LOL you bring onto it a hammer of Retribution and ferocious damnation with such surging power that you make the gods of Olympus look like Little Big Planet characters each strike you Proclaim perjury and the process dies so yeah the biggest issue with direct Su caus is that there's rarely ever a case in which a program needs to be invoking a sis called within itself where it's warranted or need needed that makes your program look so suspicious much more suspicious I mean sure you can argue for the few cases with in which it's actually needed to be done or it has to be done but the genuine use cases are pretty few and far in between it's it's very neich to indirect CIS calls attempt to remedy this issue by doing the exact same thing as direct CIS calls except instead of invoking the CIS call instruction directly we perform an unconditional jump to it unconditional meaning that when it's time to jump it will jump no matter what inside of ndl you see if we do it like this look at what happens that process that you mercilessly obliterated previously will never be making that CIS call sound because it will never be directly invoking a CIS call within itself do you see the benefits of doing it this way now that's not to say that indirect CIS calls are the end all be all that's definitely not the case but this technique is pretty damn good and I must admit it's got a really special place in my heart so enough talking let's program this out if you look at the indirect sis calls example right here it's literally the exact same code except the main differen is we Define some new Global variables I know guys I know this is going to be for the CIS call instruction this is going to be the address of the CIS call instruction this is the same function as a get CIS call number except we're not just getting the CIS call number we're going to be exporting out the CIS call number yes but we're also going to be exporting out the CIS Call's address as well and so this is the logic of what's Happening Here at the offset of four that's where we reach to get our CIS call number right so and then we get the CIS call number we export it out to the global system call right we export it out here next though at the offset of 12 is where we find assist call instruction what we do when we get to the offset of 12 is we look for the CIS con instruction which is op codes 0 f05 and we do a compare to see if whatever value we land at is equal to this op code value or not and if it's equal we've just found a valid CIS call instruction and the thing is with CIS call in our indirect CIS calls we don't need to do this you literally could just have one of these because at the end of the day it's just a CIS call instruction doesn't really matter if it's for your specific function or if it's just one that you use for all of them because what we're issuing is a CIS call it's not important like how a CIS call number is because CIS call numbers are particular to the specific function that you're calling whereas a CIS call instruction is just a CIS call instruction so you can just use one if you want to I'll prove this you can see that it's the exact same logic there's nothing different aside from how we set up our parameters or our arguments or whatever and in our assembly file over here where it used to be a CIS call is now an unconditional jump to the address of a CIS call that we scrape right so yeah we are running CIS calls but indirectly because we're jumping to rather than directly invoking it and when we do it like this actually if we remove all of these and just have all the CIS instructions be a unconditional jump to the CIS call address we scrape for anti open process CIS call then you'll see that it will still work there we go look that is our first calculator open with indirect CIS calls oh my God over here we see that we get the address of the function right we get the address of where the CIS is located remember it's offset of 12 so this offset by 12 is going to be A2 this offset by 12 is going to be E2 22 blah blah blah blah right or what you could do is just take this final address subtracted by this and you'll see actually we have a calculator open right here I might as well just do it where is our programmer calculator look we have A2 minus 90 up to 12 and there we go and if we set a break point here look we reached this break point oh God I hate debugging here right and if we step into it look it doesn't issue without a CIS call like it did in direct CIS it's jumping to something that we don't have the source for but if we view the disassembly we've jumped into n this is ndl right we've jumped into NTD and we've gotten the address of the CIS call instruction which we also printed out here look at that it's the same address that's where we've jumped to and if we continue this along it's going to be really cool which you'll see let's let's go over here to anti create threat for example if this was direct CIS calls this would be in anti create thread but we're jumping to the address of anti open processes call and so if we step into this view this dis assembly we're in anti open processes stub right now we got direct assist calls working indirect assist calls working this is a great day today and we figured out the logic so it should be making a little bit of sense as to what we're doing here in terms of logic direct CIS calls we're just extracting the S call number with indirect sis calls we want to get the address of the CIS call instruction as well so we can indirectly invoke a CIS and we saw through the debugging steps that that's what was happening and now what you can do because we have these three modular as functions we can just include it in one file if you wanted to that's going to be your homework just so now if we run this you'll see it's going to look so stupid we're going to get a machine gun blast of calculator spawning this is this is not practical but it is just good to exercise your modularity programming skills and stuff like that you know just programming 3 2 1 it's so stupid it is so dumb it does look sick though I'll will give this to generate as program that yeah if we just boom boom boom soid over here we have our n API function over here we have our direct CIS calls function and over here we have indirect CIS calls and yeah we get three calculators because of it so yeah it's very cool that's going to be your homework set something like this up obviously don't use it there's no point yeah it's cool thank you so much for watching this video I'd like to extend another thank you a huge thank you to malev Academy for sponsoring this video continuing to be great friends of the channel I hope you really enjoyed this video I hope you learned a thing or two and see you on the next video and as always [Music] goodbye
Info
Channel: crow
Views: 41,283
Rating: undefined out of 5
Keywords: crow, hacking, maldev, winapi, c++, programming, malware development, malware, virus, tutorial, how to, pentesting, penetration testing, kali, windows, win32 api, security, hack, hacked, developing malware, making malware, making viruses, pentester, red teaming, red team, offsec, oscp, certification, research, developing, hacker, active directory, blue team, ad hacking, ad, binexp, binary exploitation, compsci, computer science, computer, pc, linux, os, operating system, 2023, minecraft, fun, live, memes, trending
Id: -M2_mZg_2Ew
Channel Id: undefined
Length: 44min 48sec (2688 seconds)
Published: Tue Feb 06 2024
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.