
Hello everyone. Today I'm here to talk about Blind the Kernel: Subverting Integrity Checks via Semantic Asymmetry. Before I move on to my talk, let me just introduce myself. My name is Tjaswini and I work as a senior malware detection researcher at SentinelOne. I have over seven years of experience and my primary focus is on reverse engineering and writing detections. Apart from that I have written various blogs and white papers throughout my career till now. I've also presented at AVA 2021 and I also love to play CTF challenges. I have successfully completed the Flare-On 9 and Flare-On 11 challenges, if you know about Flare-On. Apart from that I also love traveling, and I would also love to explore Prague, because this is my first time in the city. So yeah, moving on, let me go on to the presentation.

First, before I go in depth into what my presentation is about, let me just give you a small introduction about what a malware is. A malware can be imagined like a chocolate. You have a chocolate; to eat the chocolate you have to unwrap it, right? In the same way a malware is also either packed, obfuscated or encrypted, and to get the actual content you have to either unpack it, deobfuscate it or decrypt it. After all this unpacking, deobfuscation and decryption you get the actual payload, and that payload performs process injection. It's not necessarily that every malware does process injection or process hollowing; it's a common behavior which is observed in malware. You will understand later why I am talking about all this stuff.

Moving on to the next slide, let me discuss process hollowing, which is a subtype of process injection. There's a malware process and then there's a target process. The malware process will start the target process in a suspended mode, write its contents inside it and run from inside the target process. This is a general overview of process injection or process hollowing. You can see here in this animation how the malware process is actually replacing the target process and running from inside the target process.

Now how is this process hollowing happening, or what APIs does it use? First it has to create the target process in a suspended mode. For that it uses the CreateProcess API and creates that particular target process in a suspended mode. Now what is this target process? It is a legitimate process like maybe svchost.exe or explorer.exe or any legitimate process of the Windows operating system. After creating the process in a suspended mode, it has to unmap its sections. So the next API called is NtUnmapViewOfSection. It follows the process by removing the original executable's memory mapping. Now it has created the process in a suspended state and it has unmapped the contents of the section. Now it has to allocate some memory space inside that particular target process. For that it uses VirtualAllocEx, where it allocates a memory space in the target process. Now it has created the process, unmapped its contents, and allocated some memory space. Now it has to write the actual payload, or the actual chocolate, inside that particular target process, and for that it uses the WriteProcessMemory API. After writing the actual payload into the target process, you have to tell the loader from which point, from which line, it should start executing. For that the SetThreadContext API is used, to set the EIP to the entry point of that particular payload. Then the last API called is ResumeThread, because we created the process in a suspended state, so you call ResumeThread to resume the process. This is a basic API sequence of a process injection. Again, this is an overview of the APIs used; there may be changes in the APIs, it differs from malware to malware.

Now, after knowing about this process injection, I have taken a sample from VirusTotal and then I started debugging the sample. When I executed the sample in Windows 10, I have seen that it is doing process injection in explorer.exe. Fine, okay, in Windows 10 that sample is performing process injection in explorer.exe. I was wondering what content it was writing into it, so to know what content it is writing into explorer.exe I have set up a breakpoint on the WriteProcessMemory API. Why on WriteProcessMemory? Because I know that the parameters of WriteProcessMemory will give me the memory address and the content being written into the injected process. Fine. I have set the breakpoint on WriteProcessMemory and I have seen that the execution stopped; I mean the debugging stopped over there, the breakpoint hit there. I've seen the debugger, I have seen the parameters, I've seen the registers. I saw that a PE file which is a coin miner is being loaded into explorer.exe. Fine. Now I have taken the same sample and executed it in Windows 11. I have set breakpoints on WriteProcessMemory over there also, and I found something interesting happening in the debugger. Let me show you the video. I'll just play the video and see.

Yeah. So you can see that random.exe is executing. It is performing process injection in explorer.exe. It has stopped at WriteProcessMemory. You can see the parameters: it is doing something in NtManageHotPatch. And then the third parameter, if I can see, there is some assembly code being written into it. I will disassemble it. You can see that disassembly: something like mov eax and some return. So something is being written into NtManageHotPatch. Fine. Let me move on. Then there is another trigger at another WriteProcessMemory. Here I can see a location 100000. Then I can see what content is being written. This is the PE file which I was talking about, which is the coin miner which is being injected into explorer.exe. You can see that from Process Hacker, from the memory section at 100000, it is private memory, RWX, and that's the PE file. Now there is another trigger on WriteProcessMemory and that is now on QueryVirtualMemory. So this is interesting.

Let me summarize to you all till now. In Windows 10, WriteProcessMemory was being hit only once in the debugger. But in Windows 11, WriteProcessMemory was being called three times: once for the injection, which was happening in Windows 10 also, but there it was being called two more times to patch two functions, which are QueryVirtualMemory and NtManageHotPatch.

Moving on to the next slide, here we come to the core of our topic, twin patch evasion. Why is it patching these functions? What are these functions and how is the patching done? Let me move on and explain to you each and everything. What is QueryVirtualMemory? QueryVirtualMemory is an API which gives you information of a specific memory page of a particular process. What information do you get? It is the state, type and protection of a particular memory page. You can see its parameters here. The first is the process handle, that means for which process you require the information; then the address, the memory address of that particular process for which you're querying the information; and the third important thing, the memory information class, which is what type of information you want. Let me explain via the snippet. This is the memory map of explorer.exe. You can see all the DLLs loaded here, the memory addresses, and then this is the type. Type means if it is MEM_IMAGE or MEM_PRIVATE. The state, if it is committed, reserved or free. And then the protection, if it is read, write, executable. You get all this kind of information. If I want it for the first memory address, then you can ask for state, type and protection. So this is an overview of QueryVirtualMemory.

Now we come to the next question. Why? What is the need for malware authors to patch this QueryVirtualMemory, and that too only in Windows 11 and not in Windows 10? You can understand that there is something new in Windows 11 that malware authors are forced to make these changes for. What are those changes? That is what we are going to talk about. Windows 11 24H2 has introduced support for native hot patching. Before I talk about hot patching, what is a patch? A patch means a change of code in some function, right? Patching means you're changing some code in some particular function. For doing patching you're actually doing it on some core system file, and that core system file might be in use, and you have to restart your machine to replace the old file with the new one so that the Windows machine will again start working properly. Right? But for patching all this is needed. And one more thing: why does Windows do these patches? Maybe to fix some security vulnerabilities, or to fix some bugs, or for some performance or usability upgrades. So when you're doing these patches, between the applying of a patch and the restart there might be a time gap in which there might be attacks which might happen. So Windows 11 has come up with the support of hot patching. Hot patching means you're actually updating the code or the memory on the fly and there is no need for you to restart the machine.

Now how is Windows able to do this, and how are the latest versions of Windows able to do this? First it has introduced a few new things. The first is a new SCPCFG system introduced along with hot patching. Then there are four new sections in ntdll, self-contained CFG functions, and then the fourth one, an extra 4 KB space reserved at the end of each DLL. Let me talk about and go through each of them in the coming slides. You can see the snippet of Windows 11 ntdll which is having four extra sections. These sections are named like SCP, CFG and stuff like that. Now this is a snippet of Windows 10 ntdll, and you can see clearly that these sections are absent. Moving forward, I was talking about SCPCFG and all right now, before the slides. What is CFG? CFG, I guess most of you might be knowing, means Control Flow Guard. That means it will validate the indirect call, if it is going to the legitimate target address or not. This is the basic definition of CFG. How does it validate? It actually creates a bitmap of all the target addresses and then it will match if that indirect call is actually matching perfectly with the target address or not. Fine. So CFG you can imagine like a guardrail, checking if the call is going perfectly or not.

Now hot patching also means you're making some changes to the code. That means you are actually injecting something, right? A kind of process injection only; you're injecting something. So how will Windows or the OS understand that this is hot patching and it is not any malware performing process injection? Because of the CFG checks, because of the strict CFG checks, this hot patching might fail. That is the reason why, to allow hot patching to work properly in the latest Windows versions, there is support for SCPCFG. SCPCFG means that there are position independent, self-contained functions present. So where are they present? How is hot patching going to work along with this? I will discuss this with you in the coming slide.

I have talked about the extra 4 KB space. In this image you can see clearly that I have actually taken the explorer.exe memory map. You can see clearly that in Windows 11, for every hot patchable DLL there's an extra space reserved, that is image reserved. So there's an extra space reserved for every hot patchable DLL, and this is the house of SCP. Whenever there is hot patching it will directly go into this space and utilize this space, and this space has all the precompiled, localized CFG versions inside that particular place. This is the biggest change in Windows 11, introducing the extra space reserved for SCP. With this you will not touch the original unmodified memory and hot patching can take place properly. So this is fine. These are all the new changes in Windows 11.

Now why are malware authors patching QueryVirtualMemory? How are these changes in Windows 11 linked to the patching of QueryVirtualMemory and the patching of ntdll's NtManageHotPatch? I've talked about process injection earlier. In process injection the last step is ResumeThread. After ResumeThread it will go to the entry point of the payload and execute from there. Between the ResumeThread and going to the entry point of the payload there are a few loader calls which happen. First is LdrpInitializeProcess, which initializes the process, and second is LdrpProcessMappedModule. When you create a process in a suspended state, only ntdll is loaded, so to load the other DLLs when you are actually resuming the thread this API is called. Then there is another call, which is RtlpInsertOrRemoveScpCfgFunctionTable. This is a new API which is being called only in the latest Windows 11 versions. This actually talks about the SCPCFG function table, which should be added or not, and this table can only be added in a hot patchable DLL or an executable. Right? So that hot patchable DLL or executable should be actually physically present on the disk. That means the memory type should be MEM_IMAGE. But in our payload, whatever payload we are injecting, because we are virtually allocating that memory and then injecting the payload, that memory type would be MEM_PRIVATE. Because of the conflict of MEM_IMAGE and MEM_PRIVATE, this RtlpInsertOrRemoveScpCfgFunctionTable will fail. How is this API failing and giving errors? Because this API internally calls QueryVirtualMemory with 0xE, that means the MemoryImageExtensionInformation class. So it is querying information class 0xE, and if it is querying the memory address where our payload is actually loaded then this will give you an error, because you cannot make an SCPCFG function table for a MEM_PRIVATE region that doesn't physically exist. Because of the MEM_IMAGE and MEM_PRIVATE conflict this actually throws an error, you will get a fault, and your payload will not execute in Windows 11. So any process that actually performs process injection or process hollowing will not execute in Windows 11 if these two functions are not patched.

Now moving on: how the patching is done, how this patching has been implemented in the malware which I was showing you. First I have given a basic overview of how the patching is implemented. When QueryVirtualMemory is called: is the query type MemoryImageExtensionInformation, that means is the class being asked equal to 0xE, and is the queried address matching our payload? If these two match, then return STATUS_NOT_SUPPORTED. That means you're telling that this function is not present; you're actually blinding it, saying that this function is not present, and just returning STATUS_NOT_SUPPORTED. If the query is not related to our payload, or if it is related to our payload but it is not matching 0xE, then proceed and execute the function QueryVirtualMemory directly.

Now I will show in the next slides how this has been implemented in the malware. First, to go to that particular address you have to use GetModuleHandle to get the handle of ntdll, and then you use GetProcAddress with the parameter QueryVirtualMemory to get the address of that particular API. After that the malware actually allocates a 4 KB space for the trampoline code. Let me explain what this trampoline code is. Whenever there is an API, like you can see the API there, QueryVirtualMemory, then there is a syscall. Now the first line is actually a nop pattern. That nop pattern is present between the APIs; that's common. This malware is targeting that nop pattern and replacing the first line with a jump to the patch space. So the first line will get executed before actually going to the actual call of QueryVirtualMemory. It will jump to the patch space, see what is present in the patch space, and then come back to this. Let me show you what exactly is in the patch space.

The patch code in the patch space, this is the actual hook logic. I've told you in the flowchart already: if the parameter is 0xE and if it is querying our memory address, the malware's payload, if the memory address is equal to the payload then say that this API is not present, return STATUS_NOT_SUPPORTED. That mov eax code which you can see there, that is the status code for STATUS_NOT_SUPPORTED. Otherwise proceed and execute QueryVirtualMemory normally.

Now moving forward, I've talked about another evasion, I mean another patching, that is patching of NtManageHotPatch. NtManageHotPatch is a system call that implements Windows hot patching functionality, that means the ability to run the code without restarting. You can see the parameters here. So why are malware authors actually patching this particular function also? Here in this particular function, I've talked about ResumeThread and going back to the entry point; there the loader also calls LdrpQueryCurrentPatch, where Windows keeps checking if there are any hot patches to be applied or not. Again here also it fails because of the conflict of MEM_IMAGE versus MEM_PRIVATE, and then your execution will stop. That's the reason why malware authors are patching NtManageHotPatch. Here you can see the WriteProcessMemory call and the parameter NtManageHotPatch and what actually it is writing into that call. It is writing this particular assembly. If you disassemble it, you can see that it is writing mov eax with a status code, that is again STATUS_NOT_SUPPORTED, and return.

Let me summarize what I've told till now: before and after patching of ZwQueryVirtualMemory. The first snippet which you can see is of ntdll which was normally present in the machine. You can see that that particular file offset has the proper function for QueryVirtualMemory. The second snippet which you can see, I have taken a dump of ntdll of explorer.exe. That's a memory dump of explorer.exe's ntdll and you can see how that first line is patched there. The same way, for before and after patching of NtManageHotPatch, you can see the actual original function in the first snippet, and in the second snippet you can see how the STATUS_NOT_SUPPORTED assembly code has been put there. So this is about the twin patch evasion.

I have written a small rule, a hunting rule basically, on VirusTotal, related to how it is patching, based on the assembly codes, and I can see that 6,300 similar malware are found on VT, and there are various families found like Agent Tesla, Remcos, Snake Keylogger, AsyncRAT. There were many compilers also, like .NET, C, VB. So many different compilers, many different families have adopted this patching already.

Coming to the summary: evasion is rapid. Whenever Windows makes any changes, malware authors are also updating themselves; PureCrypter and Go Script have already implemented this bypass just a few weeks after the 24H2 release. Then the detection focus: detection should not rely completely on the OS level mitigation. You should even monitor important calls like WriteProcessMemory if they are targeting system DLLs such as ntdll, and that too on a newly created suspended process. That's all about the summary. You can see the references here and the few hashes. The first hash is about the malware I executed, so you can execute the sample and check in Windows 10 and Windows 11; I have provided the samples. And the second is hasherezade's blog; it has a complete PoC related to similar stuff. So yeah, thank you. Thank you all.
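As an added example (not part of the talk or the speaker's tooling), here is the detection focus from the summary written as a check over constructed sensor events: a child created suspended, WriteProcessMemory into that child's ntdll.dll image, a jmp hook landing on ZwQueryVirtualMemory, and the mov eax, STATUS_NOT_SUPPORTED; ret stub the talk shows being written over NtManageHotPatch. The event schema, process IDs and ntdll address range are assumptions for the example; 0xC00000BB is the documented NTSTATUS value of STATUS_NOT_SUPPORTED.

```python
"""Flag the 'twin patch' pattern described in the talk from API telemetry.
All events and addresses below are constructed sample data, not captures."""
from dataclasses import dataclass

STATUS_NOT_SUPPORTED = 0xC00000BB
# "mov eax, 0xC00000BB ; ret" as encoded on x86/x64: B8 <imm32 little-endian> C3
STATUS_STUB = b"\xB8" + STATUS_NOT_SUPPORTED.to_bytes(4, "little") + b"\xC3"
JMP_REL32 = 0xE9                     # opcode of the 5-byte near jump used for a hook
PATCH_TARGETS = {"ZwQueryVirtualMemory", "NtManageHotPatch"}
CREATE_SUSPENDED = 0x4               # dwCreationFlags bit for CreateProcess

@dataclass
class Event:
    api: str            # "CreateProcess" or "WriteProcessMemory"
    pid: int            # calling process
    target_pid: int     # child (CreateProcess) or remote process (WriteProcessMemory)
    flags: int = 0      # CreateProcess dwCreationFlags
    address: int = 0    # WriteProcessMemory lpBaseAddress
    data: bytes = b""   # WriteProcessMemory buffer
    symbol: str = ""    # export that `address` resolves to, if the sensor knows it

def detect(events, ntdll_ranges):
    """ntdll_ranges: {pid: (base, size)} of ntdll.dll in each process (assumed
    sensor-supplied). Returns (target_pid, reason) findings, one per indicator."""
    suspended = set()                # (parent, child) pairs created suspended
    findings = []
    for ev in events:
        if ev.api == "CreateProcess" and ev.flags & CREATE_SUSPENDED:
            suspended.add((ev.pid, ev.target_pid))
            continue
        if ev.api != "WriteProcessMemory":
            continue
        if (ev.pid, ev.target_pid) in suspended:
            findings.append((ev.target_pid, "write into own suspended child"))
        base, size = ntdll_ranges.get(ev.target_pid, (0, 0))
        if base <= ev.address < base + size:
            findings.append((ev.target_pid, "write into ntdll.dll image"))
        if ev.data.startswith(STATUS_STUB):
            findings.append((ev.target_pid, "STATUS_NOT_SUPPORTED stub"))
        if ev.symbol in PATCH_TARGETS and ev.data[:1] == bytes([JMP_REL32]):
            findings.append((ev.target_pid, f"jmp hook on {ev.symbol}"))
    return findings

# Constructed sample: PID 100 spawns PID 200 suspended, then writes three times,
# mirroring the three WriteProcessMemory hits seen on Windows 11 in the talk.
NTDLL = {200: (0x7FF8_1000_0000, 0x200000)}
SAMPLE = [
    Event("CreateProcess", 100, 200, flags=CREATE_SUSPENDED),
    Event("WriteProcessMemory", 100, 200, address=0x100000, data=b"MZ\x90\x00"),
    Event("WriteProcessMemory", 100, 200, address=0x7FF8_1009_A2E0,
          data=b"\xE9\x00\x10\x00\x00", symbol="ZwQueryVirtualMemory"),
    Event("WriteProcessMemory", 100, 200, address=0x7FF8_1009_B100,
          data=STATUS_STUB, symbol="NtManageHotPatch"),
]

if __name__ == "__main__":
    for pid, why in detect(SAMPLE, NTDLL):
        print(pid, why)
```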