name: water class: center, middle ## User-mode API hooks ## & .color[.stroke[bypasses]] https://dumpco.re/slides/api-hooks --- name: subway class: middle ## intro ### - @magnusstubman ### - pentester / red teamer @ improsec --- background-size: cover background-image: url(spot.jpg) class: middle ## .color[agenda] ### - why? / background ### - memory / OS architecture / API 101 ### - hooks ### - bypasses --- class: middle name: spot ### One goal of security products: monitor behavior by having complete .color[surveillance] of processes --- exclude: true name: shibuya class: middle ## .grey[cannot] survey everything --- name: stealth class: middle ### we cannot achieve goals without .grey[stealth] --- background-size: contain background-image: url(notepad.png) --- background-size: contain background-image: url(writefile-doc1.png) --- background-size: contain background-image: url(winarch.png) --- background-size: contain background-image: url(load.png) --- background-size: contain background-image: url(winarch2.png) --- background-size: contain background-image: url(winarch3.png) --- background-size: contain background-image: url(winarch4.png) --- background-size: contain background-image: url(winarch5.png) --- background-size: contain background-image: url(winarch6.png) --- background-size: contain background-image: url(winarch7.png) --- background-size: contain background-image: url(writefile-doc1.png) --- background-size: contain background-image: url(writefile-doc2.png) --- background-size: contain background-image: url(notepad-modules.png) --- background-size: contain background-image: url(kernel32-exports.png) --- exclude: true background-size: contain background-image: url(ghidra-kernel32-writefile.png) --- name: kiwi1 class: center, middle # Mimikatz credential theft --- name: kiwi2 "The Local Security Authority Subsystem Service (.grey[LSASS]) .color[stores credentials in memory] on behalf of users with active Windows sessions. The stored credentials let users seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service. LSASS can store credentials in multiple forms, including: - Reversibly encrypted plaintext - Kerberos tickets (ticket-granting tickets (TGTs), service tickets) - .grey[NT hash] - LAN Manager (LM) hash" ##### from https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_LSA --- name: kiwi2 "The stored credentials are directly associated with the Local Security Authority Subsystem Service (LSASS) logon sessions that have been started after the last restart and have not been closed. For example, .color[LSA sessions with stored LSA credentials are created when a user does any of the following]: - .grey[Logs on to a local session] or .grey[Remote Desktop Protocol (RDP) session on the computer] - Runs a task by using the RunAs option - Runs an active Windows service on the computer - Runs a scheduled task or batch job - Runs a task on the local computer by using a remote administration tool" ##### from https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_LSA --- background-size: contain background-image: url(taskmgr-lsass.png) --- background-size: contain background-image: url(mimikatz.png) --- background-size: contain background-image: url(ph-ntread.png) --- background-size: contain background-image: url(ntdll.dll.png) --- background-size: contain background-image: url(ntdll-ntreadvirtualmemory.png) --- background-size: contain background-image: url(ca3-taskmgr.png) --- background-size: contain background-image: url(windbg-hooked-process.png) --- name: road class: center, middle # Bypasses --- ## .color[Overwrite the hook] ##### overwrite the modified bytes in NtReadVirtualMemory with the correct ones Pros - relatively simple - ensures that all functions that call NtReadVirtualMemory will benefit Cons - needs to be OS version specific - security products can detect integrity violations Examples - https://github.com/outflanknl/Dumpert - https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher --- ## .color[Overwrite entire module] ##### instead of just overwriting certain bytes, just overwrite the entire module! Pros - more simple than before - ensures that all functions that call NtReadVirtualMemory will benefit - .grey[No possibility of forgetting to unhook some things] Cons - security products can detect integrity violations - more noisy than previous method Example - https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++ --- ## .color[Go around the hook] ##### Try to .grey[detect hooks at runtime, and jump to the real function] instead of following hook e.g. the *FireWalker* technique Pros - will work on most/all OS versions - original hooks are left in place Cons - Significant performance slowdown - Significantly complex to implement Example - https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking/ --- ## .color[Bring your own] ##### .grey[Don't call NtReadVirtualMemory], call your own function that does the same! Pros - Ensures that the hooks are left in place - no tampering with the hooks Cons - OS version specific - Only my own code wil benefit - other libs will still call the real, hooked function Example - https://github.com/magnusstubman/MagnusKatz/blob/main/ConsoleApplication3/ConsoleApplication3/ConsoleApplication3.cpp#L188-L230 --- background-size: contain background-image: url(ntdll-ntreadvirtualmemory.png) --- exclude: true <pre> // Opcodes of NtReadVirtualMemory unsigned char opcodes[] = "\x4c\x8b\xd1\xb8\x3f\x00\x00\x00\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03\x0f\x05\xc3"; // allocate executable memory for opcodes void* executableMemory = VirtualAlloc(0, sizeof opcodes, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // move opcodes over from stack to executable memory memcpy(executableMemory, opcodes, sizeof opcodes); // make a real function pointer to the memory containing opcodes, such that we can actually call it fpNtReadVirtualMemory NtReadVirtualMemory = reinterpret_cast<fpNtReadVirtualMemory>(executableMemory); </pre> --- background-size: contain background-image: url(bringyourown.png) --- background-size: contain background-image: url(magnuskatz.png) --- background-size: 30% background-image: url(client-side-validation.png) ## Conclusion - Security products .color[should not rely on user-mode API hooks] as a security mechanism - security mechanisms should be implemented in a privileged context, e.g. .grey[kernel mode] - kernel mode also has it problems: malicious drivers https://github.com/br-sn/CheekyBlinder --- class: center, middle # ty @magnusstubman