Introduction:
Hello everyone, I am back with another blog, this time it's a little different it's more of a blue team blog rather than a offensive blog. Few months ago when I started learning to develop shellcode and different types of injection attacks I became curious on how blue teamers actually detect shellcode since it is injected in the memory space of a process and executed from there, I asked this question from a few blue teamers but the problem was that they were telling me that they were detecting these types of attacks using an EDR, but I wanted to know about how we can detect it without an EDR solution, and so the struggle began.
The Struggle:
In order to figure out how we can detect shellcode injection first we need to know how shellcode actually gets injected, usually malwares or hackers use windows API such as OpenProcess which opens the process objects and gets the process handle, VirtualAlloc which allocates the shellcode space in the process and changes that space to read, write and executable, WriteProcessMemory to write the bytes in to that memory space and finally call the shellcode using CreateRemoteThread. This is a very basic example how shellcode is injected there are other functions that could be used to inject code that requires a separate article.
In all the examples of code injection I noticed something that when the shellcode is injected the memory space is changed to executable that immediately clicked why not check for executable memory and I came across 2 tools that checked exactly for that:
1. Moneta
2. PESieve
Moneta basically scans live memory to identify hooked function, hollowed DLLs/PEs, strange allocations etc. Let's first inject the shellcode into a notepad process and see if moneta detects it:
After successfully injecting the shellcode and changing the memory space to executable let's run moneta and see does it detect it or not.
And it indeed detected it nice.
PE-sieve helps to detect malware running on the
system, as well as to collect the potentially malicious material for
further analysis. Recognizes and dumps variety of implants within the
scanned process: replaced/injected PEs, shellcodes, hooks, and other
in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc. (From github)
Let's run the same test with PESieve:
Run the inject.exe program again:
From the above screenshot we can see that PE-Sieve has indeed detected the shellcode nice.
One more tool I wanted to explore was vmmap it is a sysinternal tools (Microsoft signed toolkit) which is used for vritual and physical memory analysis. What it does it that it attaches itself to a process and shows the memory of that particular process, from vmmap we can determine that the memory space has been injected and is executable.
Let's run vmmap and attach the program with notepad and inject the shellcode:
In the above screenshot we have private memory spaces, from here we can see the memory mapping.
Let's inject the shellcode and see what happens
after injecting the shellcode vmmap show that there was another thread created with Execute/Read/Write permissions, that is our shellcode.
Similarly we can do the same thing with process hacker as well. I'll leave that for you guys to explore :).
In the next blog I'll be covering how we can bypass moneta and pe-sieve.