You're reading from Windows APT Warfare

Product type: Book
Published in: Mar 2023
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781804618110
Edition: 1st Edition
Author: Sheng-Hao Ma

Sheng-Hao Ma is currently working as a threat researcher at TXOne Networks, specializing in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan. He has served as a speaker and instructor for various international conferences and organizations such as Black Hat USA, DEFCON, CODE BLUE, HITB, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education.

Application Loader Design

In this chapter, we will learn how a simple application loader can execute EXE files in memory without creating a child process. We will learn about the Import Address Table (IAT) in the PE structure and write C programs to analyze it. We will then learn, through examples, how to hijack Windows API calls, replace API behavior with malicious code, and perform DLL side-loading.

In this chapter, we’re going to cover the following main topics:

  • Import Address Table in PE
  • Import API analyzer example
  • Examples of IAT hijack
  • DLL side-loading example

Import Address Table in PE

As we mentioned in Chapter 1, From Source to Binaries – The Journey of a C Program, when a program is executed, the following procedure is performed. First, a new process is created and the static contents are loaded into it as a file map; the first thread of this process then calls the loader function located in ntdll.dll. After the necessary corrections have been made to the PE module mounted in memory, the entry function of the EXE module can be executed and the program will run normally as a process.

In this chapter, we will look more closely at the application loader that comes with the operating system by default. Variations of this loader can be used to develop program packers, fileless attacks, staged payloads (such as the staged payloads in Metasploit), and so on.

Let’s go back to the basics first. Figure 5.1 is identical to Figure 1.3 and illustrates a program that will pop up a message with MessageBoxA:

Figure 5.1 – NativeCode generation

Figure 5...

Import API analyzer example

The following example is the iat_parser.cpp source code under the Chapter#5 folder of the GitHub project. In order to save space, this book only extracts the highlighted code. Please refer to the complete source code to read the full project.

Let’s try writing tools to analyze which system functions are imported into EXE programs. Figure 5.4 shows the entry function of iat_parser.cpp:

Figure 5.4 – The main function of iat_parser.cpp


At lines 44-50 of the code, we first read the entire program into memory with fopen, then get the size of the global IAT and its RVA from the 13th item (i.e., IMAGE_DIRECTORY_ENTRY_IAT) of DataDirectory. Each field in the global IAT is an IMAGE_THUNK_DATA: once the loader has resolved it, it holds the correct system function address that the .text section calls through, and before that (as on disk, and in the parallel INT) it points to the RVA of the structure that stores the system function's name (IMAGE_IMPORT_BY_NAME). We simply...
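As an added, portable illustration of the walk described above (example code, not the book's iat_parser.cpp), the following C declares the PE import structures itself and goes one step beyond the IAT directory entry: it parses the import descriptor table of a constructed in-memory image, resolves every thunk to a DLL and function name or ordinal, and bounds-checks each RVA before dereferencing it. The image layout, offsets and names are constructed for this example, and RVA is treated as equal to file offset to keep the sample small.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* PE import structures declared here so the example builds without windows.h (32-bit thunks). */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDescriptor;
#define ORDINAL_FLAG32 0x80000000u

static int str_ok(const uint8_t *img, size_t len, uint32_t rva)   /* NUL-terminated string inside the image? */
{ return rva < len && memchr(img + rva, 0, len - rva) != NULL; }  /* hostile files lie about RVAs */

/* Walk the import descriptor table at import_rva, writing "dll!Name" or "dll!#ordinal" into out.
   Returns the entry count, or -1 as soon as any RVA points outside the image. */
int list_imports(const uint8_t *img, size_t len, uint32_t import_rva, char out[][64], int max)
{
    int n = 0;
    for (uint32_t d = import_rva; ; d += sizeof(ImportDescriptor)) {
        ImportDescriptor desc; if (d + sizeof desc > len) return -1;
        memcpy(&desc, img + d, sizeof desc);
        if (desc.Name == 0 && desc.FirstThunk == 0) break;     /* all-zero terminator */
        if (!str_ok(img, len, desc.Name)) return -1;
        /* The INT keeps the names even after the loader has overwritten the IAT with addresses. */
        uint32_t t = desc.OriginalFirstThunk ? desc.OriginalFirstThunk : desc.FirstThunk;
        for (;; t += 4) {
            uint32_t thunk; if (t + 4 > len) return -1;
            memcpy(&thunk, img + t, 4);
            if (thunk == 0) break;                              /* end of this DLL's thunks */
            if (n == max) return n;
            if (thunk & ORDINAL_FLAG32)                         /* import by ordinal: no name */
                snprintf(out[n], 64, "%s!#%u", (const char *)img + desc.Name, thunk & 0xffffu);
            else {                                              /* IMAGE_IMPORT_BY_NAME: u16 hint, then name */
                if (!str_ok(img, len, thunk + 2)) return -1;
                snprintf(out[n], 64, "%s!%s", (const char *)img + desc.Name, (const char *)img + thunk + 2);
            }
            n++;
        }
    }
    return n;
}

/* Constructed mapped image (RVA == offset), not a real binary: descriptor at 0, INT at 0x40,
   DLL name at 0x60, IMAGE_IMPORT_BY_NAME at 0x70, IAT at 0x80 (on disk it mirrors the INT). */
static uint8_t image[0x100];
int demo(char out[][64])
{
    ImportDescriptor d = { 0x40, 0, 0, 0x60, 0x80 };
    uint32_t thunks[] = { 0x70, ORDINAL_FLAG32 | 7, 0 };
    memset(image, 0, sizeof image); memcpy(image, &d, sizeof d);
    memcpy(image + 0x40, thunks, sizeof thunks); memcpy(image + 0x80, thunks, sizeof thunks);
    memcpy(image + 0x60, "user32.dll", 11);
    memcpy(image + 0x72, "MessageBoxA", 12);                    /* hint at 0x70 stays 0 */
    return list_imports(image, sizeof image, 0, out, 8);        /* -> 2 entries */
}
```

Feeding a truncated buffer (a shorter len) makes list_imports return -1 instead of reading past the end, which is the check a parser run over untrusted samples needs.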

Examples of IAT hijack

Since each IMAGE_THUNK_DATA in an IAT holds the system function address, wouldn’t it be possible to monitor and hijack a program’s active behavior if we could overwrite the contents of IMAGE_THUNK_DATA with a function for monitoring purposes? The answer is yes. Let’s try it out with a sample program.

The following example is the source code of iatHook.cpp in the Chapter#5 folder of the GitHub project. In order to save space, this book only extracts the highlighted code; please refer to the full source code to read the full project:

Figure 5.10 – The iathook function


Figure 5.10 shows the source code of the iatHook function, which takes four parameters:

  • module: Points to the loaded module to be monitored
  • szHook_ApiName: The name of the function to be hijacked
  • callback: The function for monitoring purposes
  • apiAddr: The original correct address of the hijacked function

At...
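An added simulation of the hook contract listed above (example code, not the book's iatHook.cpp): the IAT is modelled as a table of function pointers, iat_hook keeps the same four-parameter shape, the callback forwards to the saved original address, and iat_tampered shows the defender's side, comparing live slots against a snapshot taken at load time. The names fake_MessageBoxA, find_slot, program_call and iat_tampered are this example's own.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in IAT: in a real PE this is the IMAGE_THUNK_DATA array that call [slot] in .text goes
   through. Plain function pointers here so the mechanism runs outside a Windows process. */
typedef int (*api_fn)(const char *);
struct iat_entry { const char *name; api_fn fn; };
static int fake_MessageBoxA(const char *text) { return (int)strlen(text); }   /* stands in for user32 */
static struct iat_entry iat[] = { { "MessageBoxA", fake_MessageBoxA }, { NULL, NULL } };

static struct iat_entry *find_slot(struct iat_entry *table, const char *name)
{
    for (struct iat_entry *e = table; e->name; e++)
        if (strcmp(e->name, name) == 0) return e;
    return NULL;
}
/* The "program": like compiled code, it never holds the API address, only the slot it calls through. */
int program_call(const char *name, const char *text)
{
    struct iat_entry *e = find_slot(iat, name);
    return e ? e->fn(text) : -1;
}
/* Same contract as the chapter's iatHook(module, szHook_ApiName, callback, apiAddr): save the
   original pointer into *api_addr, then overwrite the slot. A real IAT page is read-only after
   loading, so VirtualProtect to PAGE_READWRITE would come first; not needed in this simulation. */
int iat_hook(struct iat_entry *table, const char *api_name, api_fn callback, api_fn *api_addr)
{
    struct iat_entry *e = find_slot(table, api_name);
    if (!e) return 0;
    *api_addr = e->fn;
    e->fn = callback;
    return 1;
}
/* Monitoring callback: record the argument, then forward to the saved original so behaviour is kept. */
static api_fn orig_MessageBoxA;
static int hook_hits;
static char last_text[64];
static int monitor_MessageBoxA(const char *text)
{
    hook_hits++;
    snprintf(last_text, sizeof last_text, "%s", text);
    return orig_MessageBoxA(text);
}
/* Defender side: live slots vs. addresses recorded at load time; a mismatch means the IAT was rewritten. */
int iat_tampered(const struct iat_entry *live, const api_fn *snapshot)
{
    int bad = 0;
    for (int i = 0; live[i].name; i++) if (live[i].fn != snapshot[i]) bad++;
    return bad;
}
```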

DLL side-loading example

DLL side-loading or DLL hijacking is a classic hacking technique that is documented in MITRE ATT&CK® as the attack technique Hijack Execution Flow: DLL Side-Loading, Sub-technique T1574.002 (attack.mitre.org/techniques/T1574/002/).

The core principle is to replace a system DLL that the process loads with one crafted by the hacker, thereby taking control of the process's execution. This means that by placing the right malicious DLL module in exactly the right location, the hacker can have it run inside any EXE process, for example a digitally signed system service process, and so pose as that process.

Many antivirus rules treat digitally signed programs as benign in their detection engines. This is why APT groups use this technique extensively to evade static antivirus scanning, active defensive monitoring, and UAC prompts during privilege escalation. For more details, you can refer to the security vendor FireEye's public disclosure report, DLL Side-Loading: Another...

Summary

In this chapter, we explained how the application loader runs a program through the IAT in the PE structure and described the various IAT fields in detail. We also learned about attacks such as executing programs directly in memory, IAT hijacking, and DLL side-loading. Attackers often use these techniques to build deshells, fileless attacks, and staged payloads that escalate privileges, bypass antivirus software, or hide backdoors. By understanding how these techniques work, you will be able to develop techniques for red team testing or blue team defense in the future.

In the next chapter, we will look at a more in-depth question: what if the PE binary cannot be placed at the memory location (image base) the compiler expected? The relocation design of the PE module can help! By applying the relocation fix-ups, we can place the PE module at any image base, not just the one assumed by the compiler. Therefore, in the next chapter, we will be able...
