
detectwindowscopyonwriteforapi's Introduction

Windows Process Property Enumeration Tools for Threat Hunting

Background

The purpose of these tools is to enumerate traits of Windows processes that support the detection of process injection tradecraft used by threat actors.

Tools

  • d-cow - Windows Copy on Write Detector for shared Windows APIs (e.g. EtwEventWrite) to detect in-memory patching
  • d-criticalsections - Enumerates how many critical sections a Windows process has
  • d-dr-registers - Enumerates processes which have debug registers set indicating hardware breakpoints
  • d-nonmodulecallstack - Enumerates the call stack and associated modules and functions for all threads
  • d-peb-dll-loadreason - Enumerates the reason and the date/time stamp along with a delta from the main binary for DLL loading
  • d-teb - Enumerates threads which are impersonating other users
  • d-threat-start - Enumerates the starting address of each thread and which module it points to
  • d-vehimplant - Enumerate the Vectored Exception Handlers and which modules they point to
  • d-vehlab - sandbox for the VEH work


detectwindowscopyonwriteforapi's Issues

Just a few questions

Hello,

According to the README:

Validate that NTDLL.dll is loaded and that EtwEventWrite is within the .text segment
Ntdll exports EtwEventWrite; does it mean that this function is always within the .text segment?

Use QueryWorkingSetEx to check the page is shared OR not
I think this step alone is enough to detect if the DLL was patched.
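The d-cow check that the README lists and that the question above quotes (confirm ntdll is loaded and the export lies inside its image, then ask QueryWorkingSetEx whether the page is still shared) is shown below as an added example; it is not code from the detectwindowscopyonwriteforapi project. The PSAPI_WORKING_SET_EX_BLOCK bit layout and the PAGE_* values come from the Windows SDK; the function names, the verdict enum and the sample attribute words are assumptions made for this example. The part that talks to a live process compiles only on Windows and takes the process id from the command line; on other platforms the same classifier runs over constructed attribute words. The process handle is released on every path after it is acquired, which is the pattern the handle-leak reports further down this page ask for.

```c
/* Added example, not code from the detectwindowscopyonwriteforapi project.
 * Portable core: decode a PSAPI_WORKING_SET_EX_BLOCK attribute word and decide
 * whether the page that backs an exported API is still the shared image page.
 * Windows-only tail: apply it to ntdll!EtwEventWrite in a target process. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit layout of PSAPI_WORKING_SET_EX_BLOCK for a Valid page (Windows SDK, psapi.h),
 * lowest bit first: Valid:1, ShareCount:3, Win32Protection:11, Shared:1, Node:6, ... */
typedef struct {
    int      valid;             /* page is resident; other fields only meaningful if set */
    unsigned share_count;
    unsigned win32_protection;  /* PAGE_* constant, e.g. 0x20 PAGE_EXECUTE_READ */
    int      shared;            /* 1: backed by the shared section, 0: private copy */
} wsx_attrs;

wsx_attrs decode_wsx_block(uintptr_t block)
{
    wsx_attrs a;
    a.valid            = (int)(block & 1u);
    a.share_count      = (unsigned)((block >> 1) & 0x7u);
    a.win32_protection = (unsigned)((block >> 4) & 0x7FFu);
    a.shared           = (int)((block >> 15) & 1u);
    return a;
}

typedef enum {
    COW_UNKNOWN,  /* query failed or page not resident: inconclusive, re-check later */
    COW_SHARED,   /* still the shared image page: no in-process modification */
    COW_PRIVATE   /* copy-on-write happened: this process has its own copy of the page */
} cow_verdict;

cow_verdict classify_api_page(uintptr_t block)
{
    wsx_attrs a = decode_wsx_block(block);
    if (!a.valid) return COW_UNKNOWN;
    return a.shared ? COW_SHARED : COW_PRIVATE;
}

/* README step 1: the resolved export must lie inside the module's mapped image. */
int address_in_module(uintptr_t addr, uintptr_t base, size_t size)
{
    return addr >= base && addr < base + size;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>

/* ntdll is mapped at one base for every process of the same bitness in a boot
 * session, so the address resolved here is the address to query in the target. */
cow_verdict check_etw_event_write(DWORD pid)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    MODULEINFO mi;
    FARPROC fn;
    if (!ntdll || !GetModuleInformation(GetCurrentProcess(), ntdll, &mi, sizeof(mi)))
        return COW_UNKNOWN;
    fn = GetProcAddress(ntdll, "EtwEventWrite");
    if (!fn || !address_in_module((uintptr_t)fn, (uintptr_t)mi.lpBaseOfDll, mi.SizeOfImage))
        return COW_UNKNOWN;

    HANDLE process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!process) return COW_UNKNOWN;

    PSAPI_WORKING_SET_EX_INFORMATION wsx;
    ZeroMemory(&wsx, sizeof(wsx));
    wsx.VirtualAddress = (PVOID)fn;
    cow_verdict v = COW_UNKNOWN;
    if (QueryWorkingSetEx(process, &wsx, sizeof(wsx)))
        v = classify_api_page((uintptr_t)wsx.VirtualAttributes.Flags);
    CloseHandle(process);   /* single exit after acquisition: no leak on any branch */
    return v;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "unknown/not resident", "shared (unmodified)", "private (patched)" };
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    cow_verdict v = check_etw_event_write((DWORD)strtoul(argv[1], NULL, 10));
    printf("[%s] ntdll!EtwEventWrite page: %s\n", argv[1], names[v]);
    return v == COW_PRIVATE;
}
#else
/* Non-Windows build: exercise the classifier on constructed attribute words. */
int main(void)
{
    /* constructed: Valid, ShareCount=2, PAGE_EXECUTE_READ (0x20), Shared */
    uintptr_t shared_page  = 1u | (2u << 1) | (0x20u << 4) | (1u << 15);
    /* constructed: Valid, ShareCount=1, PAGE_EXECUTE_READWRITE (0x40), not Shared */
    uintptr_t private_page = 1u | (1u << 1) | (0x40u << 4);
    printf("shared_page  -> %d (COW_SHARED is 1)\n",  (int)classify_api_page(shared_page));
    printf("private_page -> %d (COW_PRIVATE is 2)\n", (int)classify_api_page(private_page));
    return 0;
}
#endif
```

On Windows, build as the same bitness as the processes you inspect and link psapi.lib if your SDK does not already route GetModuleInformation and QueryWorkingSetEx through kernel32. A COW_UNKNOWN verdict is not a clean result: the page may simply be paged out of the target's working set, so the check should be repeated rather than treated as "not patched".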

Process handle leak if enumerating modules fails in AnalyzeProc()

The function AnalyzeProc opens a process handle hProcess, but if EnumProcessModules fails it does not release the handle.

void AnalyzeProc(DWORD dwPID)
{
	DWORD dwRet, dwMods;
	HANDLE hProcess;
...
	// Get process handle by hook or by crook
	hProcess = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
...
	// Enumerate the process modules
	if (EnumProcessModules(hProcess, hModule, 4096 * sizeof(HMODULE), &dwRet) == FALSE)
	{
		DWORD dwSz = MAX_PATH;
		if (QueryFullProcessImageName(hProcess, 0, cProcess, &dwSz) == TRUE) {
			fwprintf(stdout, _TEXT("[i] [%d][%s] not analysed %d\n"), dwPID, cProcess, GetLastError());
			dwOpen++;
		}
		else {
			fwprintf(stdout, _TEXT("[i] [%d][%s] not analysed %d\n"), dwPID, _TEXT("UNKNOWN"), GetLastError());
			dwOpen++;
		}

		if (GetLastError() == 299) {
			//fprintf(stderr, "64bit process and we're 32bit - sad panda! skipping PID %d\n", dwPID);
		}
		else {
			//fprintf(stderr, "Error in EnumProcessModules(%d),%d\n", dwPID, GetLastError());
		}

		dwCountError++;
+		CloseHandle(hProcess);
		return;
	}

Stack buffer overrun in GetModuleNameFromAddress due to byte count / character count mismatch

GetModuleNameFromAddress contains a stack buffer overrun because it calls _tcscpy_s with a byte count instead of a character count. On UNICODE compilations this will cause a stack buffer overrun.

BOOL GetVEHfromProc(HANDLE hProcess, ULONGLONG VEHAddress, TCHAR* cProcess, DWORD dwPID, ULONG Cookie) {
...
!		TCHAR strModule[MAX_PATH];    <<< stack buffer of size MAX_PATH characters

		if (GetModuleNameFromAddress(hProcess,MemDecodePointer(entry.VectoredHandler3, Cookie),strModule) == FALSE) {
			_tcscpy_s(strModule, MAX_PATH * sizeof(TCHAR), _T("UNKNOWN"));
		}
		
BOOL GetModuleNameFromAddress(HANDLE hProcess,  PVOID pvPoint, TCHAR *modName) {

	DWORD dwRet, dwMods;
	HMODULE hModule[4096];

	// Enumerate the process modules
	if (EnumProcessModules(hProcess, hModule, 4096 * sizeof(HMODULE), &dwRet) == FALSE)
	{
		fprintf(stderr, "Couldn't enum modules\n");
		return FALSE;
	}
	dwMods = dwRet / sizeof(HMODULE);

	// fwprintf(stdout, _TEXT("[d] VEH handler #1 hunt 0x%p %d\n"), pvPoint,dwMods);
	
	DWORD dwCnt = 0;
	for (dwCnt = 0; dwCnt < dwMods; dwCnt++) {

		TCHAR cModule[MAX_PATH]; // Process name
		GetModuleBaseName(hProcess, hModule[dwCnt], cModule, MAX_PATH);

		MODULEINFO modNFO;

		if (GetModuleInformation(hProcess, hModule[dwCnt], &modNFO, sizeof(modNFO)) == TRUE) {
			//fwprintf(stdout, _TEXT("[i]  -//-> %p - %d\n"), modNFO.lpBaseOfDll,modNFO.SizeOfImage);

			DWORD64 dwAddress = (DWORD64)pvPoint;

			// Make sure the function is the expected range						
			if (dwAddress > (DWORD64)modNFO.lpBaseOfDll && dwAddress < ((DWORD64)modNFO.lpBaseOfDll + modNFO.SizeOfImage)) {
				//fwprintf(stdout, _TEXT("\n........................\n"));
!				_tcscpy_s(modName, MAX_PATH * sizeof(TCHAR), cModule);  <<<  in UNICODE compilations this passes in MAX_PATH * sizeof WCHAR which is a byte count not a character count. 
				return TRUE;
			}

		}
	
	}
	return FALSE;
}

The documentation for _tcscpy_s says the dest_size parameter takes a unit count, i.e. a character count, not a byte count.

dest_size
Size of the destination string buffer in char units for narrow and multi-byte functions, and wchar_t units for wide functions. This value must be greater than zero and not greater than RSIZE_MAX. Ensure that this size accounts for the terminating NULL following the string.

https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strcpy-s-wcscpy-s-mbscpy-s?view=msvc-170

_tcscpy_s(modName, MAX_PATH * sizeof(TCHAR), cModule);

SetPrivilege leaks handle to `hToken` in error path

Low sev bug: SetPrivilege leaks handle to hToken in error path. There are other copies of this function in the project.

BOOL SetPrivilege(HANDLE hProcess, LPCTSTR lPriv)
{
	LUID luid;
	TOKEN_PRIVILEGES privs;
	HANDLE hToken = NULL;
	DWORD dwBufLen = 0;
	char buf[1024];

	ZeroMemory(&luid, sizeof(luid));

	if (!LookupPrivilegeValue(NULL, lPriv, &luid)) return false;

	privs.PrivilegeCount = 1;
	privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	memcpy(&privs.Privileges[0].Luid, &luid, sizeof(privs.Privileges[0].Luid));


!	if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken)) <<< hToken acquired
		return false;

	if (!AdjustTokenPrivileges(hToken, FALSE, &privs,
		sizeof(buf), (PTOKEN_PRIVILEGES)buf, &dwBufLen)) {
+		CloseHandle(hToken);
		return false;
	}

	CloseHandle(hProcess);
	CloseHandle(hToken);

	return true;
}
