Instructions: 1) Discuss how malware can maintain persistence
Instructions: 1) Discuss how malware can maintain persistence. What does malware use the
SetWindowsHookEx function for? 2) Explain how process replacement works. What functions does it use?
Malware becomes harder to remove by achieving persistence on the compromised machine: the attacker injects or exploits once, and the malware keeps running across restarts, reboots, log-offs and so on.
Below are the common ways in which malware achieves persistence.
Modifying registry keys is one of the most common ways malware persists on a system. Below are some of the registry values and locations most often abused by malware.
Windows has many AutoStart Extension Points (ASEPs). Most malware achieves persistence by editing the registry keys listed below:
Because smss.exe launches before the Windows subsystem loads, it calls the configuration subsystem to load the hives listed at HKLM\SYSTEM\CurrentControlSet\Control\hivelist. smss.exe also launches anything present in the BootExecute value at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager. This value should always be just "autocheck autochk *"; if there are more entries in it, malware is probably launching at boot.
The Winlogon process uses the value specified in the Userinit key to launch login scripts and similar tasks. This key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Normally the Userinit value points to userinit.exe, but if the value is altered, Winlogon will also launch whatever executable it names.
Placing a malicious file in the startup directory is another method often used by malware authors. Any shortcut placed in the folder that the Startup subkey points to is launched at logon or after a reboot. The Startup location is specified both under Local Machine and under Current User.
Many Windows services are required to run at boot, such as the Workstation and Server services, Windows Event Log and various drivers. These are registered at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services.
Besides placing a malicious file in the registry key listed above, there is another way to have a malicious file run: a service's recovery options can run a program when the service fails to start. For example, the screenshot below shows how a failure of the RDP service can be used to run a program.
A Browser Helper Object (BHO) is essentially a DLL module loaded when Internet Explorer starts up. Various kinds of data-theft malware make use of BHOs. They are registered at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, where the subkeys tell the browser which DLLs to load.
The AppInit_DLLs value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows lists the DLLs loaded by User32.dll. Because most executables load User32.dll, this is a convenient place for malicious DLLs to reside.
Under HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CLASSES_ROOT there are various keys that specify the action taken when a certain type of file is opened. For example, below is the command value used when a .txt file is opened on my system: HKEY_CLASSES_ROOT\textfile\shell\open\command
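As an added example (not code from the original answer), the following Python audits a snapshot of the locations discussed above, BootExecute, Userinit, AppInit_DLLs and the per-service FailureCommand value that the "run a program" recovery option writes, and reports anything that deviates from the expected baseline. The snapshot dictionary and all paths in it are constructed; the key names and value names are assumed from the standard registry layout.

```python
import re

# Constructed snapshot, key path -> {value name: data}; REG_MULTI_SZ values are lists.
SNAPSHOT = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager": {
        "BootExecute": ["autocheck autochk *", r"C:\Users\Public\upd.exe"],
    },
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\ProgramData\svc.exe,",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {
        "AppInit_DLLs": r"C:\ProgramData\helper.dll",
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\TermService": {
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k NetworkService",
        "FailureCommand": r"C:\ProgramData\recover.exe",  # recovery action "Run a Program"
    },
}

EXPECTED_BOOTEXECUTE = {"autocheck autochk *"}
# Userinit is normally exactly "<system32>\userinit.exe," and nothing more.
USERINIT_OK = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?userinit\.exe,?$", re.I)


def audit_asep(snapshot):
    """Return (key, value name, reason) for each auto-start entry that deviates from baseline."""
    findings = []
    for key, values in snapshot.items():
        low = key.lower()
        if low.endswith(r"\control\session manager"):
            for entry in values.get("BootExecute", []):
                if entry not in EXPECTED_BOOTEXECUTE:
                    findings.append((key, "BootExecute", f"extra boot-time program: {entry}"))
        elif low.endswith(r"\currentversion\winlogon"):
            userinit = str(values.get("Userinit", "")).strip()
            if not USERINIT_OK.match(userinit):
                findings.append((key, "Userinit", f"not only userinit.exe: {userinit}"))
        elif low.endswith(r"\currentversion\windows"):
            dlls = str(values.get("AppInit_DLLs", "")).strip()
            if dlls:
                findings.append((key, "AppInit_DLLs", f"DLL loaded into every User32 process: {dlls}"))
        elif "\\services\\" in low and values.get("FailureCommand"):
            findings.append((key, "FailureCommand",
                             f"program runs when the service fails: {values['FailureCommand']}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_asep(SNAPSHOT):
        print(f"[!] {key} :: {name} -> {reason}")
```

On a live system the same function can be fed a dictionary built from winreg or a parsed `reg export` file; the checks only look at the value data, not at how it was collected.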
Another common method is to hijack the way the OS locates DLLs. Whenever an executable loads (even explorer.exe), the loader walks a fixed sequence of directories to find the DLLs it needs. Because the directories are searched in order, a malicious DLL with the same name placed in a directory that is searched before the one holding the legitimate DLL will be loaded instead. If Safe DLL search mode is enabled (the default on most versions), the OS first checks whether the DLL is already loaded in memory or is listed under the KnownDLLs key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
Another simple but very effective technique is to hijack the Target attribute of a shortcut icon. Besides launching the normal application, the shortcut can be made to download content from a malicious site.
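To make the search-order rule concrete, here is an added Python simulation (not code from the original answer) that resolves a DLL name the way the loader does and reports when a copy found earlier shadows the one in a system directory. It assumes the documented Win32 order (application directory, System32, 16-bit System directory, Windows directory, current directory, then PATH, with Safe DLL search mode placing the current directory after the system directories); the directory listing and DLL names are constructed.

```python
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories in the order the loader consults them; SafeDllSearchMode
    moves the current directory after the system directories."""
    if safe_mode:
        order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        order = [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + list(path_dirs)

def resolve_dll(name, app_dir, cwd, path_dirs, fs, loaded, known_dlls, safe_mode=True):
    """Return (source, shadowed): source is "loaded" (already mapped), SYSTEM32
    (KnownDLL, never searched for) or the first directory holding the file;
    shadowed is a later system directory holding a same-named file, or None."""
    key = name.lower()
    if key in {m.lower() for m in loaded}:
        return "loaded", None
    if key in {k.lower() for k in known_dlls}:
        return SYSTEM32, None
    hits = [d for d in search_order(app_dir, cwd, path_dirs, safe_mode)
            if key in {f.lower() for f in fs.get(d, ())}]
    if not hits:
        return None, None
    shadowed = next((d for d in hits[1:] if d in (SYSTEM32, SYSTEM16, WINDIR)), None)
    return hits[0], shadowed

# Constructed file system: sample.dll sits beside the application and in System32;
# other.dll sits in the current directory and in System32.
APP, CWD = r"C:\Tools\app", r"C:\Users\u\Downloads"
FS = {
    APP: ["app.exe", "sample.dll"],
    CWD: ["other.dll"],
    SYSTEM32: ["kernel32.dll", "user32.dll", "sample.dll", "other.dll"],
}
KNOWN = ["kernel32.dll", "user32.dll"]

def demo(safe_mode=True):
    """Resolve three names under the given mode, keyed by DLL name."""
    return {n: resolve_dll(n, APP, CWD, [], FS, [], KNOWN, safe_mode)
            for n in ("user32.dll", "sample.dll", "other.dll")}

if __name__ == "__main__":
    for mode in (True, False):
        print(f"SafeDllSearchMode={mode}: {demo(mode)}")
```

A non-empty `shadowed` value is the condition a defender wants to alert on: a file with a system DLL's name is being resolved from an application or user-writable directory before the system copy.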
SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application needs hooks in other processes, a 32-bit application must call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application must call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names.
SetWindowsHookEx installs the hook routine into the hook chain of the victim.exe process, where it is invoked whenever a certain event is triggered. That event is the hook type passed to SetWindowsHookEx. Later we use WH_KEYBOARD, which means that whenever a key is pressed inside the victim.exe process, the exported function we obtained from the injected DLL is called. When the event occurs, the OS first checks whether the required DLL is already loaded into the process's address space. If it is not, the OS must load (that is, inject) the DLL into the process's address space, at which point the DLL's DllMain function is called. After that, the exported function we passed to SetWindowsHookEx is also called to handle the triggered event, in our case a key press. On all subsequent key presses the DLL need not be reloaded, because it is already present in the process's address space. This effectively lets us do whatever we want in the hooked address space of the program.
Process Replacement
Rather than inject code into a host program, some malware uses a method known as process replacement to overwrite the memory space of a running process with a malicious executable. Process replacement is used when a malware author wants to disguise malware as a legitimate process without the risk of crashing that process, which can happen with process injection.
This technique gives the malware the same privileges as the process it replaces. For example, if a piece of malware performed a process-replacement attack on svchost.exe, the user would see a process named svchost.exe running from C:\Windows\System32 and would probably think nothing of it. (This is a common malware attack, by the way.)
Anti-malware software can also prevent users from visiting known compromised sites that would download malicious code without any action on the user's part, and it helps prevent outbreaks (proliferation): even if another device on a segment is compromised, anti-malware software can keep other devices from being infected.