TamperingSyscalls

-

TamperingSyscalls 

a proof of concept of 2 various techniques I have discovered and published a the code for. I will look to briefly describe these techniques.


The former is a syscall retrieval technique I originally discovered in June 2022 while stepping through a user-land application under a debugger in the presence of an EDR. I observed that the EDR would provide us with the correct SSN for that function in the RAX register (as it should). Thus if we set a hardware break-point before the syscall instruction, we could retrieve the SSN and use it for direct syscalls. I wrote a proof of concept for this but never bothered to utilize it as direct syscalls never did interest me.


EDRs must hook before or on the instruction that reveals the SSN (system service number). They almost always will return after determining if the nature of the call is malicious or not. They achieve this by inspecting the arguments in the registers and the stack. If the parameters passed to the function are determined to be malicious: they will terminate the application; else, they will restore the stack and registers and retrieve the SSN and restore execute the instruction after the hook.

.

 

Applying a hardware break-point on the syscall address on execution, allows us to throw an exception when we attempt to execute it. We can setup an exception handler which will namely obtain a copy of the CONTEXT, the state of various registers and other bits of information, when an exception is thrown.  As we put the break-point ON the syscall address, this means the RAX register is ours for reading and it will contain the SSN number.

This is the first technique I present which allows us to dynamically retrieve syscall numbers. Namely, there are a few NT functions we cannot retrieve as they are used to place the hardware break-point. 

The second technique I present is the ability to modify the arguments actually being used. As we have the break-point on the syscall instruction and full control over the registers and stack (as we are in our exception handler), we can modify them in order to point them to malicious instructions (subverting the user-land hooks). This will appear to be a legitimate syscall as it is! I will be interested to see what and if various detection's may come forth from this. 



There is also the opportunity to feed the EDR fake telemetry given that we can change the arguments of what is actually being called. We can pass in non-malicious arguments, hit our breakpoint, flow into the exception handler and replace them as discussed earlier.

 
I look forward to seeing what comes of this, as this is only the beginning. 


Comments

Post a Comment

Popular posts from this blog

Detecting Indirect Syscalls from Userland, A Naive Approach.

-
Image
Our goal is to detect indirect syscalls. Indirect syscalls have taken the red teaming community by storm due to the newfound ability of EDRs to detect direct syscalls. To understand how to catch them, we must first understand a bit about them. For example (have a look at SysWhispers for a pratical implmentation) mov r10, rcx mov rcx, <SSN> syscall ret Various individuals utilized instrumentation callbacks, as documented in these two blog posts.  Instrumentation callbacks are a post-op syscall hook that allows a user to execute a specified function before the kernel returns execution to the userland process. There's a great article on CodeProject which discusses this. The premise for these detections identifies where the syscall instruction comes from; if it is not NTDLL/win32u (the only 2 DLLs where syscall instructions should originate), then it is most likely a direct syscall. Indirect syscalls sought to resolve this by just going to the syscall, and what this means is onc
Read more

D-Generating EDR Internals, Part 1

-
Recently,  @JonasLyk  released  D-Generate , a polyglot that utilises DTrace to provide users with introspection into the system calls made by: the entire system, a specific application specified by the PID or image file name. It would help if the reader got set up with the  instructions and  downloaded the  associated symbols  necessary. Furthermore, if possible, the reader should set up a virtual machine without any security solutions to observe unbiased behaviour (a critical step to determine whether the observed behaviour is that of the security product or the windows kernel). Another possible step alternatively is to modify a clone of our current boot configuration entry. bcdedit /copy {current} /d "Local Debug" bcdedit /set {bd8e4076-eec8-11ec-9dec-uniqueid} dtrace on (Ensure "Local Debug" is selected on reboot) A few reasons for the express approval of such a tool include but are not limited to: It is trivial to enable DTrace with a simple  bcdedit /set dtrac
Read more