Let's try to see which techniques are most common for threat actors to use and why they could be better. Let's review some of the choices often used by loaders.

Bad OPSEC #1 – Strings that hint to malicious actions

There are multiple ways to approach hiding strings in binaries. In general, the most common reasons for strings within malicious binaries are DLL loading and resolving their exported functions. We're not going to focus too much on this issue here, but often strings can be obfuscated through encoding or encryption. Another method used more and more recently is hashing the strings and comparing the hashes at run time, which is ideal for API resolving and DLL loading. Some of the above are going to be addressed below, whilst others are left as an exercise for the reader.

Bad OPSEC #3 – Private bytes (Patching)

There are multiple projects available online where loaders use the unhooking method of loading a second NTDLL (which is an IOC by itself): changing the protection of the main NTDLL to RWX via VirtualProtect, replacing the hooked section of the main NTDLL with the one from the second copy, and then using VirtualProtect again to restore the original permissions. There are unfortunately many IOCs in this method, and in addition to this, a lot of the code reviewed was found to have copied the code below for unhooking.

```c
// Excerpt as found copied across the reviewed loaders. It starts mid-function
// (process, ntdllModule and mi are set up earlier) and the copy on this page
// is cut off at the start of the section loop.
GetModuleInformation(process, ntdllModule, &mi, sizeof(mi));
LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
// Second, clean copy of ntdll mapped from disk as an image (an IOC by itself)
HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);
// Walk the headers of the loaded (hooked) ntdll to find its sections
PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);
for (WORD i = 0; i < hookedNtHeader->FileHeader. /* ... excerpt truncated in the source ... */
```

Some of the more effective and advanced EDRs, such as Microsoft Defender for Endpoint or Elastic, do not hook any DLLs at all. It is worth mentioning that Microsoft is not a fan of EDR companies hooking all these functions, since there are other ways to obtain telemetry rather than performing shady hooks in DLLs, such as EtwTi for telemetry on specific actions like allocations of executable pages, etc. Avoiding user space hooks by EDRs is a huge subject in its own right.
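As an added defender-side example (not code from the original post or from any of the loaders it reviews), the function below turns the three IOCs discussed in this section, a second ntdll.dll mapping, an RWX region inside ntdll, and private (copied-on-write) bytes where ntdll was patched, into checks over a simplified VirtualQuery-style snapshot; the Region layout, the `shared` flag and all addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    """One VirtualQuery-style memory region (simplified, assumed layout)."""
    alloc_base: int   # allocation base; one value per mapped image
    base: int
    size: int
    protect: str      # "R", "RX", "RW" or "RWX"
    path: str         # backing file for image/mapped regions, "" otherwise
    shared: bool      # False once a page was written to (copy-on-write makes it private)

def ntdll_unhooking_iocs(regions):
    """Return the IOCs from the text that a region snapshot exposes, in scan order."""
    iocs = []
    by_alloc = defaultdict(list)
    for r in regions:
        if r.path.lower().endswith("\\ntdll.dll"):
            by_alloc[r.alloc_base].append(r)
    # 1. a second copy of ntdll.dll mapped into the process (SEC_IMAGE mapping)
    if len(by_alloc) > 1:
        iocs.append("second ntdll.dll mapping")
    for r in (x for rs in by_alloc.values() for x in rs):
        # 2. an ntdll section caught while VirtualProtect left it RWX
        if "W" in r.protect and "X" in r.protect:
            iocs.append(f"RWX ntdll region at {r.base:#x}")
        # 3. private (copied-on-write) bytes inside ntdll: its code was patched
        if not r.shared:
            iocs.append(f"private bytes in ntdll at {r.base:#x}")
    return iocs

NTDLL = "C:\\Windows\\System32\\ntdll.dll"
# Constructed snapshots with fabricated addresses: one loader that mapped a
# second ntdll and overwrote .text, and one clean process.
SUSPECT = [
    Region(0x7ff8_0000_0000, 0x7ff8_0000_0000, 0x1000, "R", NTDLL, True),
    Region(0x7ff8_0000_0000, 0x7ff8_0000_1000, 0x12f000, "RX", NTDLL, False),
    Region(0x1a0_0000, 0x1a0_0000, 0x1f0000, "R", NTDLL, True),
    Region(0x20_0000, 0x20_0000, 0x1000, "RW", "", False),
]
CLEAN = [
    Region(0x7ff8_0000_0000, 0x7ff8_0000_0000, 0x1000, "R", NTDLL, True),
    Region(0x7ff8_0000_0000, 0x7ff8_0000_1000, 0x12f000, "RX", NTDLL, True),
    Region(0x20_0000, 0x20_0000, 0x1000, "RW", "", False),
]

if __name__ == "__main__":
    print(ntdll_unhooking_iocs(SUSPECT))  # second mapping + private bytes
    print(ntdll_unhooking_iocs(CLEAN))    # []
```

The RWX window closes as soon as the loader restores the original protection, so in a snapshot taken afterwards the durable signals are the extra ntdll mapping and the private bytes left behind by the patch.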