SlideShare a Scribd company logo

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx

Download as PPTX, PDF
null - The Open Security Community
null - The Open Security Community

Making way through DLL hollowing in spite of CFG by Debjeet Banerjee at Null/OWASP Kolkata Chapter Combined Monthly Meetup on 20th April

Technology
1 of 17
Debjeet Banerjee Researcher @ BHIS Making way through DLL Hollowing in spite of CFG
@whoami Security Intern Payatu Security Research Intern FireCompass Security Consultant Certus Cybersecurity Security Researcher BlackHills Infosec
Overview 🔎 ● DLL Hollowing ● What is CFG ● Problems posed by CFG ● Dynamically finding Targets ● Control Flow ● VirusTotal Analysis
DLL Hollowing DLL hollowing is a form of process injection, which is when an attacker inserts malicious code into known benign software. With DLL hollowing, the attacker can insert the code into the current process or into a remote process's memory space by loading a new DLL and overwriting sections of its code. The goal of the attacker is to hide from causal analysis. When looking for quick wins, researchers or Incident Response analysts will look for any process or executable that does not look normal. In most use cases, the process and the DLL are both benign. Looking at the file system of the EXE and DLL will show nothing out of the ordinary. @TRUSTEDSEC
What is CFG? Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. dumpbin /headers /loadconfig C:WindowsSystem32ntdll.dll
Problems posed by CFG The compiler does the following: ● Adds lightweight security checks to the compiled code. ● Identifies the set of functions in the application that are valid targets for indirect calls. The runtime support, provided by the Windows kernel: ● Efficiently maintains state that identifies valid indirect call targets. ● Implements the logic that verifies that an indirect call target is valid. When a CFG check fails at runtime, Windows immediately terminates the program, thus breaking any exploit that attempts to indirectly call an invalid address. https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
Dynamically Finding Targets Long live Powershell v1 and other Non CFG DLLs
Finding Target DLLs To use a DLL for this technique, a DLL must meet the following requirements: ● DLL must NOT already be loaded in memory ● DLL MUST HAVE a .text section ● DLL must NOT have CFG enabled * The most common example of these types of DLLs which I could find were the modules from Powershell v1 DLLs, Media Player DLLs and VirtualBox DLLs.
DLL already loaded in memory?
Control Flow
Jmp’ing To Shellcode AddJmp(LPVOID jmp_tgt, LPVOID src) { size_t inst_size = 12 * sizeof(unsigned char); unsigned char* inst = malloc(inst_size); RtlZeroMemory(inst, 12 * sizeof(unsigned char)); inst[0] = 0x48; inst[1] = 0xb8; inst[10] = 0xff; inst[11] = 0xd0; int i = 2; uintptr_t bytes = (uintptr_t)(jmp_tgt); while (i < 10) { inst[i] = bytes & 0xFF; bytes = bytes >> 8; i++; } AllocatePayload(src, inst, inst_size); }
Show And Tell
Show And Tell
Process Hacker’s POV
VirusTotal Analysis “It works” - Source: Trust Me.
Direct Call to Shellcode Jmp’ing to Shellcode
@whokilleddb Debjeet Banerjee twt: @whokilleddb

Recommended

Sp group7 27_53_65_66_68_ppt_dynamic linking library
Sp group7 27_53_65_66_68_ppt_dynamic linking librarySp group7 27_53_65_66_68_ppt_dynamic linking library
Sp group7 27_53_65_66_68_ppt_dynamic linking librarySagarSikchi1
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
Secure coding : Impact and demo
Secure coding : Impact and demoSecure coding : Impact and demo
Secure coding : Impact and demoKaisar Yousuf
 
Dll hijacking
Dll hijackingDll hijacking
Dll hijackingD4rk357 a
 
Dll hijacking
Dll hijackingDll hijacking
Dll hijackingD4rk357 a
 
Dll injection
Dll injectionDll injection
Dll injectionKarlFrank99
 
DLL Tutor maXbox starter28
DLL Tutor maXbox starter28DLL Tutor maXbox starter28
DLL Tutor maXbox starter28Max Kleiner
 
COM Hijacking Techniques - Derbycon 2019
COM Hijacking Techniques - Derbycon 2019COM Hijacking Techniques - Derbycon 2019
COM Hijacking Techniques - Derbycon 2019David Tulis
 

Recommended

Sp group7 27_53_65_66_68_ppt_dynamic linking library
Sp group7 27_53_65_66_68_ppt_dynamic linking librarySp group7 27_53_65_66_68_ppt_dynamic linking library
Sp group7 27_53_65_66_68_ppt_dynamic linking librarySagarSikchi1
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
Secure coding : Impact and demo
Secure coding : Impact and demoSecure coding : Impact and demo
Secure coding : Impact and demoKaisar Yousuf
 
Dll hijacking
Dll hijackingDll hijacking
Dll hijackingD4rk357 a
 
Dll hijacking
Dll hijackingDll hijacking
Dll hijackingD4rk357 a
 
Dll injection
Dll injectionDll injection
Dll injectionKarlFrank99
 
DLL Tutor maXbox starter28
DLL Tutor maXbox starter28DLL Tutor maXbox starter28
DLL Tutor maXbox starter28Max Kleiner
 
COM Hijacking Techniques - Derbycon 2019
COM Hijacking Techniques - Derbycon 2019COM Hijacking Techniques - Derbycon 2019
COM Hijacking Techniques - Derbycon 2019David Tulis
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
DLL Injection
DLL InjectionDLL Injection
DLL InjectionHossein Yavari
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
1780 1783
1780 17831780 1783
1780 1783Editor IJARCET
 
1780 1783
1780 17831780 1783
1780 1783Editor IJARCET
 
CodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallowsCodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallowsRon Munitz
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
DEFCON 23 - ionut popescu - net ripper
DEFCON 23 - ionut popescu - net ripperDEFCON 23 - ionut popescu - net ripper
DEFCON 23 - ionut popescu - net ripperFelipe Prado
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsSam Bowne
 
01 dll basics
01 dll basics01 dll basics
01 dll basicsTsu-Fen Han
 
MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows Ron Munitz
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)abend_cve_9999_0001
 
Ch 6: The Wild World of Windows
Ch 6: The Wild World of WindowsCh 6: The Wild World of Windows
Ch 6: The Wild World of WindowsSam Bowne
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Dll fixer
Dll fixer Dll fixer
Dll fixer dllfixerserial
 
Managed Code .NET
Managed Code .NETManaged Code .NET
Managed Code .NETMert Akcakaya
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxnull - The Open Security Community
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxnull - The Open Security Community
 

More Related Content

Similar to Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx

Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
CodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallowsCodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallowsRon Munitz
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
DEFCON 23 - ionut popescu - net ripper
DEFCON 23 - ionut popescu - net ripperDEFCON 23 - ionut popescu - net ripper
DEFCON 23 - ionut popescu - net ripperFelipe Prado
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsSam Bowne
 
MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows Ron Munitz
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)abend_cve_9999_0001
 
Ch 6: The Wild World of Windows
Ch 6: The Wild World of WindowsCh 6: The Wild World of Windows
Ch 6: The Wild World of WindowsSam Bowne
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 

Similar to Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx (20)

Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
DLL Injection
DLL InjectionDLL Injection
DLL Injection
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
1780 1783
1780 17831780 1783
1780 1783
 
1780 1783
1780 17831780 1783
1780 1783
 
CodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallowsCodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallows
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
DEFCON 23 - ionut popescu - net ripper
DEFCON 23 - ionut popescu - net ripperDEFCON 23 - ionut popescu - net ripper
DEFCON 23 - ionut popescu - net ripper
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of Windows
 
01 dll basics
01 dll basics01 dll basics
01 dll basics
 
MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
 
Ch 6: The Wild World of Windows
Ch 6: The Wild World of WindowsCh 6: The Wild World of Windows
Ch 6: The Wild World of Windows
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Dll fixer
Dll fixer Dll fixer
Dll fixer
 
Managed Code .NET
Managed Code .NETManaged Code .NET
Managed Code .NET
 

More from null - The Open Security Community

Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdfImmutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdfnull - The Open Security Community
 
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdfDigital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdfnull - The Open Security Community
 
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...null - The Open Security Community
 
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptxReverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptxnull - The Open Security Community
 
Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...null - The Open Security Community
 
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxDemystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxnull - The Open Security Community
 

More from null - The Open Security Community (18)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Hardware-Hacking-101 By Asutosh Kumar.pdf
Hardware-Hacking-101 By Asutosh Kumar.pdfHardware-Hacking-101 By Asutosh Kumar.pdf
Hardware-Hacking-101 By Asutosh Kumar.pdf
 
Demystifying-DNS-Attack-by-Rakesh Seal.pdf
Demystifying-DNS-Attack-by-Rakesh Seal.pdfDemystifying-DNS-Attack-by-Rakesh Seal.pdf
Demystifying-DNS-Attack-by-Rakesh Seal.pdf
 
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdfImmutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
 
Recon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfRecon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdf
 
A talk on OWASP Top 10 by Mukunda Tamly
A talk on OWASP Top 10 by Mukunda TamlyA talk on OWASP Top 10 by Mukunda Tamly
A talk on OWASP Top 10 by Mukunda Tamly
 
The Mysterious Paradigm of Fuzzing by Rakesh Seal
The Mysterious Paradigm of Fuzzing by Rakesh SealThe Mysterious Paradigm of Fuzzing by Rakesh Seal
The Mysterious Paradigm of Fuzzing by Rakesh Seal
 
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdfDigital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
 
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
 
Cyber_Forensics_in_the_New_Age_of_Cyber_Security.pdf
Cyber_Forensics_in_the_New_Age_of_Cyber_Security.pdfCyber_Forensics_in_the_New_Age_of_Cyber_Security.pdf
Cyber_Forensics_in_the_New_Age_of_Cyber_Security.pdf
 
GSM-CallFlowAndSecurity Features (2G-3G-4G).pptx
GSM-CallFlowAndSecurity Features (2G-3G-4G).pptxGSM-CallFlowAndSecurity Features (2G-3G-4G).pptx
GSM-CallFlowAndSecurity Features (2G-3G-4G).pptx
 
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptxReverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
 
Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...
 
Evolution of Hacking- Ronit Chakraborty .pptx
Evolution of Hacking- Ronit Chakraborty .pptxEvolution of Hacking- Ronit Chakraborty .pptx
Evolution of Hacking- Ronit Chakraborty .pptx
 
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxDemystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
 
C&C Framework- Ayan Saha.pptx
C&C Framework- Ayan Saha.pptxC&C Framework- Ayan Saha.pptx
C&C Framework- Ayan Saha.pptx
 

Recently uploaded

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx

  • 1. Debjeet Banerjee Researcher @ BHIS Making way through DLL Hollowing in spite of CFG
  • 2. @whoami Security Intern Payatu Security Research Intern FireCompass Security Consultant Certus Cybersecurity Security Researcher BlackHills Infosec
  • 3. Overview 🔎 ● DLL Hollowing ● What is CFG ● Problems posed by CFG ● Dynamically finding Targets ● Control Flow ● VirusTotal Analysis
  • 4. DLL Hollowing DLL hollowing is a form of process injection, which is when an attacker inserts malicious code into known benign software. With DLL hollowing, the attacker can insert the code into the current process or into a remote process's memory space by loading a new DLL and overwriting sections of its code. The goal of the attacker is to hide from causal analysis. When looking for quick wins, researchers or Incident Response analysts will look for any process or executable that does not look normal. In most use cases, the process and the DLL are both benign. Looking at the file system of the EXE and DLL will show nothing out of the ordinary. @TRUSTEDSEC
  • 5. What is CFG? Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. dumpbin /headers /loadconfig C:WindowsSystem32ntdll.dll
  • 6. Problems posed by CFG The compiler does the following: ● Adds lightweight security checks to the compiled code. ● Identifies the set of functions in the application that are valid targets for indirect calls. The runtime support, provided by the Windows kernel: ● Efficiently maintains state that identifies valid indirect call targets. ● Implements the logic that verifies that an indirect call target is valid. When a CFG check fails at runtime, Windows immediately terminates the program, thus breaking any exploit that attempts to indirectly call an invalid address. https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
  • 7. Dynamically Finding Targets Long live Powershell v1 and other Non CFG DLLs
  • 8. Finding Target DLLs To use a DLL for this technique, a DLL must meet the following requirements: ● DLL must NOT already be loaded in memory ● DLL MUST HAVE a .text section ● DLL must NOT have CFG enabled * The most common example of these types of DLLs which I could find were the modules from Powershell v1 DLLs, Media Player DLLs and VirtualBox DLLs.
  • 9. DLL already loaded in memory?
  • 11. Jmp’ing To Shellcode AddJmp(LPVOID jmp_tgt, LPVOID src) { size_t inst_size = 12 * sizeof(unsigned char); unsigned char* inst = malloc(inst_size); RtlZeroMemory(inst, 12 * sizeof(unsigned char)); inst[0] = 0x48; inst[1] = 0xb8; inst[10] = 0xff; inst[11] = 0xd0; int i = 2; uintptr_t bytes = (uintptr_t)(jmp_tgt); while (i < 10) { inst[i] = bytes & 0xFF; bytes = bytes >> 8; i++; } AllocatePayload(src, inst, inst_size); }
  • 15. VirusTotal Analysis “It works” - Source: Trust Me.
  • 16. Direct Call to Shellcode Jmp’ing to Shellcode