What do I need to understand Hallowing?

First of all, there are a bunch of concepts that one has to grasp very well before even proceeding any further through this technical guideline

  • Memory Forensics:
    • A computer memory’s dump could adhere to a type of forensics analysis referred to as Memory Forensics.
    • For your information, the mentioning of the word forensics definitely refers to that sort of criminal investigation, which aims at underlining criminal and civil laws within applied science.
    • Standards of admissible evidence and criminal procedure are those standards which govern such forensics.
    • In the same regard, computer attacks are being investigated even though they could be advanced in this case.
    • Such attacks are at times hidden very well such that data is not left on the computer’s hard drive.
    • However, the Read Only Memory (RAM) is in accordingly up to be investigated through the Memory forensics process.
  • Process:
    • On the other hand, this is any part of a program or an instance of it which resides in memory.
    • The Operating System (OS) is usually responsible for a process execution.
    • Tasks like playing a movie or video, playing a game or even running a text editor are all responsible for process execution as well.
    • A program essentially can have several processes, yet one process could be considered as a program on its own as well.
    • To illustrate, a basic program to display a string could be built in its program file.
  • Process Hallowing
    • A legitimate process has the capability to get replaced with a duplicate process
    • A malicious code is inserted and hidden within it according to this concept, being covered by some legitimate processes
    • The image name, path and command lines remain unchanged, such that the similarity between the legitimate and malicious codes become extremely high.
  • exe
    • It is the Local Security Authority Subsystem Service in Microsoft Windows
    • It has the file description LSA shell
    • This file is locatedint the following directory:

c:\windows\system32 or c:\winnt\system32

  • It is a crucial component of Microsoft Windows security policies, authority domain authentication, and Active Directory management on one’s computer.

How to do Process Hallowing?

As we mentioned before, Process Hallowing aims to hide some malicious code inside duplicates of legitimate processes. In order to know how to protect ourselves against such malicious code, and in order to further get an insight on the method to use to accomplish such a deed, I will go through the basic steps to follow to perform Process Hallowing.

  1. Use CreateProcess with a CREATE_SUSPENDED option for the sake of creating a target process in suspended state.
    1. Using the provided handle, the memory space of the created process changes.
    2. All of the function calls which then follow will reference to this handle.
    3. Now, one has loaded the malicious code without yet executing it since it is still in the suspended state.
  2. Depend on the helper function of ReadRemotePEB now:
    1. This will help identify the Process Environment Block (PEB section) for this recently created malicious process.
    2. The NT headers could be spotted at this point since image base address is read.
  3. Rely on the kernel function NtUnmapViewOfSection at this step:
    1. In this manner, the legitimate code in the hosted process is hollowed from memory.
    2. During runtime, GetProcAddress is usually used by the malware to get the kernel function resolved.
  4. A new block of memory should be allocated now to host malicious code.
    1. Note that the entire block is made –by default– by malware PAGE_EXECUE_READWRITE without any complications associated.
    2. Each section could have its own permissions if needed on the other hand.
  5. Utilize WriteProcessMemory at this step:
    1. With the use of this function and the last step which allowed for a new image to get placed, the new image code will be placed into where the original image code resided before.
    2. This will result in changing the base address into that of the new memory image. This change will be shown in the optional header structure.
    3. Rebase the image base of the new image again in case that the image base of the new image and image base of the original image are not identical.
  6. Make use of SetThreadContext
    1. The context of this process will be set with the help of this function.
  7. Rely on ResumeThread
    1. It is important now that you resume the process using this function.

How to discover Process Hallowing?

Well, after knowing how to implement Process Hallowing, a good question to ask now is how we could investigate it and discover it thereafter.

  1. Obtain the system image
    1. If there are multiple instances of lsass running, then this is an indicator of a problem.
    2. There should be only one instance of lsass running when the circumstances are normal.
      hallowing
  2. Use malfind
    1. The Volatility Framework has this function specialized in detecting the malicious process.
    2. This works fine if the Read, Write and Execute permission(RWX protection) is forgotten to be applied on the malicious process.
    3. A memory section having the privilege of PAGE_EXECUTE_READWRITE and cannot get mapped to the disk is detectable by malfind.
    4. This memory section gets its assembly code dumped thereafter.
    5. Afterward, if there is still any executable code in the dump code which could be analyzed, malfind could also spot it as well.
      hallowing
      hallowing
    6. If we look at the past images, one can recognize that there exists MZ header although they do not have the capability to map to the disk.
    7. If an attacker had the smart mind to manipulate the MZ header, malfind will also be able to detect that. All the possible hallowed/injected section is given by malfind where Redline miss whenever there is no MZ header in the memory.

What are the main challenges in Memory Forensics?

There are a plenty of challenges one can face when undertaking a Memory Forensics procedure:

  • Acquiring the memory in a proper manner and without any corruptions is a challenge.
  • Internal structure of Operating Systems (OS) change with each new release.
  • Image creator software and VM’s could be incompatible with each other requiring a demanding task.
  • Understating the internal structures and expected OS or process’s behavior is a must to accomplish the task efficiently.
  • The role of Reverse Engineering arises effectively because it helps with essential analysis of Memory Forensics results and procedures.

References

http://resources.infosecinstitute.com/memory-forensics/

http://resources.infosecinstitute.com/memory-forensics-power-part-2/

https://en.wikipedia.org/wiki/Memory_forensics

http://resources.infosecinstitute.com/process-hallowing/#gref

https://www.computerhope.com/issues/ch000913.htm

finally, take a look at my other article on Packet analysis and let me know what you think.

LEAVE A REPLY

Please enter your comment!
Please enter your name here