Malware Execution¶
Malware as a Process¶
- Malware starts as a process similar to legitimate programs.
- Detection involves identifying malicious processes among legitimate ones.
- Example: Cerbu malware with a fake name, unusual path, and lack of signature.
Code Signing¶
- Ensures software authenticity: the publisher signs a hash of the binary with its private key, and the OS verifies that signature with the public key in the embedded certificate.
- Relies on certificates chaining to a trusted root CA to establish trust in the signer.
- Not all signed binaries are trustworthy: signing keys get stolen, and attackers can obtain a certificate in their own name and sign malware with it.
- NSRL (National Software Reference Library) hashes of known-good software can also be used to whitelist files.
Process Anomaly Indicators¶
- Unsigned executables
- Suspicious paths
- Misspelled names
- Too many instances (e.g. more than one lsass.exe)
- Incorrect parent process (e.g. svchost.exe not started by services.exe)
- Packed binaries
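The indicators above can be checked automatically. The following script is an added example (not from these notes): it runs over the live process list, checks each process's Authenticode signature, and compares a few core Windows processes against an expected location, parent and instance count, plus a look-alike-name check for everything else. The baseline table, the function names and the edit-distance threshold are my assumptions for a default 64-bit Windows 10/11 install; run it from an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example (not from the notes). Flags unsigned binaries, unexpected paths,
# wrong parents, too many instances and look-alike names. The baseline below is
# an assumption for a default 64-bit Windows 10/11; extend it for your estate.
function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, used to catch names such as svch0st.exe or lsas.exe
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-ProcessAnomalies {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    # expected directory, parent image and instance count (assumed baseline)
    $baseline = @{
        'wininit.exe'  = @{ Dir = $sys32; Parent = $null;          Max = 1 }   # parent smss.exe has exited
        'services.exe' = @{ Dir = $sys32; Parent = 'wininit.exe';  Max = 1 }
        'lsass.exe'    = @{ Dir = $sys32; Parent = 'wininit.exe';  Max = 1 }
        'svchost.exe'  = @{ Dir = $sys32; Parent = 'services.exe'; Max = $null }
    }
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}; $counts = @{}
    foreach ($p in $procs) {
        $byPid[[int]$p.ProcessId] = $p
        $counts[$p.Name.ToLower()] = 1 + [int]$counts[$p.Name.ToLower()]
    }
    foreach ($p in $procs) {
        $name = $p.Name.ToLower(); $findings = @()
        if ($p.ExecutablePath) {   # null for protected/system processes we cannot query
            # Windows binaries are usually catalog-signed; Status is still 'Valid' for those
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
            if (-not $sig -or $sig.Status -ne 'Valid') { $findings += "signature: $(if ($sig) { $sig.Status } else { 'unknown' })" }
        }
        if ($baseline.ContainsKey($name)) {
            $b = $baseline[$name]
            if ($p.ExecutablePath -and (Split-Path $p.ExecutablePath -Parent) -ne $b.Dir) {
                $findings += "unexpected path $($p.ExecutablePath)"
            }
            $parent = $byPid[[int]$p.ParentProcessId]
            if ($b.Parent -and $parent -and $parent.Name.ToLower() -ne $b.Parent) {
                $findings += "parent is $($parent.Name) (PID $($parent.ProcessId)), expected $($b.Parent)"
            }
            if ($b.Max -and $counts[$name] -gt $b.Max) { $findings += "$($counts[$name]) instances, expected $($b.Max)" }
        } else {
            foreach ($known in $baseline.Keys) {
                $dist = Get-EditDistance $name $known
                if ($dist -le 2) { $findings += "name resembles $known (edit distance $dist)" }
            }
        }
        if ($findings) { [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Findings = $findings -join '; ' } }
    }
}

Find-ProcessAnomalies | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output: `ParentProcessId` is only a number, so if the real parent has exited and its PID was reused the "parent" shown is unrelated, and the look-alike check is deliberately loose (a legitimate `lsaiso.exe` is within two edits of `lsass.exe`), so treat its hits as something to look at, not as a verdict.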
Code Injection Techniques¶
- Injects malicious code into a legitimate process to hide, to inherit its privileges, or to manipulate the victim process.
- Types include:
    - Direct code injection
    - Process hollowing
    - DLL injection
Direct Code Injections¶
- Involves writing code directly into a victim process's memory.
- The launcher program is usually the part found on disk. The code to be injected is stored inside the launcher in encrypted form to evade AV; it is decrypted in memory at run time and then injected.
- Uses APIs such as `CreateToolhelp32Snapshot` (to find the victim's PID), `OpenProcess`, `VirtualAllocEx` and `WriteProcessMemory`, typically followed by `CreateRemoteThread` to start the written code.
- The injected code does not show up as a process or as a loaded DLL, but it leaves traces in the process's virtual memory map, which the OS tracks: a private (not file-backed) executable region, often RWX, is an indicator, and so is a memory region that contains a PE header.
- If the payload is a DLL, the malware has to bring its own loader, because the normal Windows loader was bypassed and nothing else resolves the DLL's imports and relocations.
Process Hollowing¶
- Replaces the main executable of a process while keeping its legitimate appearance.
- Steps include:
    - Creating (or opening) the victim process in a suspended state
    - Unmapping its main executable
    - Allocating new memory in the process
    - Injecting the malicious image
    - Resuming the process
Detection
- Because the PEB is untouched, the path of the original main image (e.g., lsass.exe) remains visible in the PEB, and in every tool that reads the image path from it.
- Because the original main image was unmapped, the VAD (which tracks memory allocations and mapped files) no longer has an image-mapped entry for it; the replacement lives in a private allocation instead.
- Open the process in Process Hacker, go to "Modules" and note the base address of the `.exe`, then go to that address in the "Memory" tab: instead of the mapped exe or dll there is an RWX memory block that contains a PE file.
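The Process Hacker check above, and the "traces in the virtual memory map" from the direct-injection section, can be scripted. The following is an added example (not from these notes): it walks a process's memory map with `VirtualQueryEx`, the user-mode view of what the VAD records, and reports the main image base read from the PEB when that region is no longer a mapped image (hollowing), plus every private executable region and whether it starts with an MZ header (direct injection). The class and function names are mine; the constants are the documented Win32 values. It assumes 64-bit Windows, Windows PowerShell 5.1 and an elevated prompt.

```powershell
# Added example (not from the notes): VAD-style scan of one process.
# MemScan, MBI and Find-InjectedMemory are my names; the flag values are Win32's.
if (-not ('MemScan' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public class MemScan {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {                       // MEMORY_BASIC_INFORMATION
        public IntPtr BaseAddress; public IntPtr AllocationBase;
        public uint AllocationProtect; public IntPtr RegionSize;
        public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("kernel32.dll")]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int n, out IntPtr read);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
}

function Find-InjectedMemory([int]$TargetPid) {
    $MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000; $MEM_IMAGE = 0x1000000
    $PAGE_EXECUTE_ANY = 0x10 -bor 0x20 -bor 0x40 -bor 0x80   # EXECUTE, _READ, _READWRITE, _WRITECOPY
    $h = [MemScan]::OpenProcess(0x0410, $false, $TargetPid)  # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($TargetPid) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # MainModule comes from the PEB: a hollowed process still reports the original image here
    $mainBase = [IntPtr]::Zero
    try { $mainBase = (Get-Process -Id $TargetPid).MainModule.BaseAddress } catch { }
    $mbiLen = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][MemScan+MBI])
    $addr = [IntPtr]::Zero
    while ($true) {
        $mbi = New-Object MemScan+MBI
        if ([MemScan]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiLen) -eq [IntPtr]::Zero) { break }  # end of user space
        $committed = ($mbi.State -band $MEM_COMMIT) -ne 0
        # Hollowing: the PEB says the image lives here, but the region is not a mapped image
        if ($committed -and $mbi.BaseAddress -eq $mainBase -and $mbi.Type -ne $MEM_IMAGE) {
            'HOLLOWED: PEB main image base 0x{0:X} is not a mapped image (Type=0x{1:X}, Protect=0x{2:X})' -f $mbi.BaseAddress.ToInt64(), $mbi.Type, $mbi.Protect
        }
        # Direct injection: executable memory that is not backed by any file
        if ($committed -and $mbi.Type -eq $MEM_PRIVATE -and ($mbi.Protect -band $PAGE_EXECUTE_ANY) -ne 0) {
            $buf = New-Object byte[] 2; $read = [IntPtr]::Zero
            [void][MemScan]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, 2, [ref]$read)
            $pe = if ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) { 'PE header at ' } else { '' }
            'private executable region: {0}0x{1:X} size 0x{2:X} Protect=0x{3:X}' -f $pe, $mbi.BaseAddress.ToInt64(), $mbi.RegionSize.ToInt64(), $mbi.Protect
        }
        $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64())
    }
    [void][MemScan]::CloseHandle($h)
}

Find-InjectedMemory -TargetPid $PID   # scanning ourselves: JIT regions appear, no HOLLOWED line
```

Expect private executable regions in any .NET or JIT-heavy process (PowerShell itself, browsers), so the useful signal is a private region with a PE header, or a `HOLLOWED` line, in a process that should have neither, e.g. a supposed `lsass.exe`. Protected processes cannot be opened with `PROCESS_VM_READ` even when elevated; the `OpenProcess` error tells you that.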
DLL Injection¶
- The launcher process runs only briefly: its sole purpose is to make the victim load the DLL, after which it exits and is no longer visible as a process.
- The launcher "tricks" the victim process into loading `abc.dll` from disk; the DLL contains the malicious code.
- The DLL is loaded into the victim process with normal DLL loading, i.e. by the Windows loader.
- Therefore the injected DLL shows up in the list of loaded DLLs in Process Hacker and other tools, and its file exists on disk.
- Old-school technique, less common today.
Running DLLs¶
- Some malware is delivered as a DLL rather than an executable (EXE).
- DLLs cannot be executed directly by double-clicking; they need a host process such as the command-line tool `rundll32.exe` to start.
- DLLs expose functions that can be invoked when the DLL is started. These are called exports / exported functions, and when running a DLL you have to specify which export to execute:

```
rundll32.exe <full path to dll>,<export function> <optional arguments>
```
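To pick the export name for that command line you need the DLL's export list. The following is an added example (not from these notes) that parses the PE export directory of a DLL on disk and prints the exported names; it uses only the documented PE32/PE32+ layout and no P/Invoke, so it works on any DLL file whether or not it is loadable. `Get-DllExports` and the shell32.dll example path are mine.

```powershell
# Added example (not from the notes): list exported function names of a DLL
# by walking MZ -> PE -> optional header -> export data directory.
function Get-DllExports([Parameter(Mandatory)][string]$Path) {
    $b = [IO.File]::ReadAllBytes($Path)
    function U16([long]$o) { [BitConverter]::ToUInt16($b, [int]$o) }
    function U32([long]$o) { [BitConverter]::ToUInt32($b, [int]$o) }
    if ($b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path: no MZ header" }
    $pe = U32 0x3C                                       # e_lfanew: offset of "PE\0\0"
    if ((U32 $pe) -ne 0x00004550) { throw "$Path: no PE signature" }
    $nSect   = U16 ($pe + 6)                             # COFF NumberOfSections
    $optSize = U16 ($pe + 20)                            # COFF SizeOfOptionalHeader
    $opt     = $pe + 24                                  # optional header starts after the 20-byte COFF header
    $dirOff  = if ((U16 $opt) -eq 0x20B) { 112 } else { 96 }   # data directory offset: PE32+ vs PE32
    $exportRva = U32 ($opt + $dirOff)                    # data directory[0] = export table RVA
    if ($exportRva -eq 0) { return }                     # DLL exports nothing by name
    # Section table: needed to translate RVAs into file offsets
    $sections = for ($i = 0; $i -lt $nSect; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = U32 ($s + 12)
            Size = [Math]::Max([uint32](U32 ($s + 8)), [uint32](U32 ($s + 16)))   # max(VirtualSize, SizeOfRawData)
            Raw  = U32 ($s + 20)
        }
    }
    function RvaToOffset([long]$rva) {
        foreach ($s in $sections) {
            if ($rva -ge $s.VA -and $rva -lt ($s.VA + $s.Size)) { return $rva - $s.VA + $s.Raw }
        }
        throw ('RVA 0x{0:X} is outside every section' -f $rva)
    }
    $ed       = RvaToOffset $exportRva                   # IMAGE_EXPORT_DIRECTORY
    $nNames   = U32 ($ed + 24)                           # NumberOfNames
    $namesOff = RvaToOffset (U32 ($ed + 32))             # AddressOfNames: array of RVAs to ASCII strings
    for ($i = 0; $i -lt $nNames; $i++) {
        $nameOff = RvaToOffset (U32 ($namesOff + 4 * $i))
        $end = [Array]::IndexOf($b, [byte]0, [int]$nameOff)
        [Text.Encoding]::ASCII.GetString($b, [int]$nameOff, [int]($end - $nameOff))
    }
}

$dll = Join-Path $env:SystemRoot 'System32\shell32.dll'   # example target; point this at the sample instead
Get-DllExports $dll | Select-Object -First 10
# Invocation pattern from the notes, with one of the exports listed above:
#   rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
```

Exports that exist only by ordinal do not appear in this list; `rundll32.exe` accepts those as `#<ordinal>` in place of the name. Enumerate a suspect DLL's exports in your analysis VM before you hand any of them to `rundll32.exe`, since calling an export is running the malware.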