Comments (8)

kevross33 avatar kevross33 commented on July 18, 2024

Hi,

Sorry, can I request some other APIs? I am just going to make this generic request including the above ones:

Shellcode/Interesting:
UrlDownloadToCacheFile: Shellcode alternative to UrlDownloadToCacheFile (would be good to have stack pivot/exploit mode stuff on it too)
ShellExecuteA/W: Stackpivot/exploit mode added if possible. I tried this myself but it failed to work as I hoped although I will have another go as it is a good starting point for me given it is modifying an already existing hooked API.
WinExec: For shellcodes and things. Again with exploit mode stuff. This is used more with shellcode as an all-in-one simple execution.

DEP Bypass
SetProcessDEPPolicy: DEP Disable
NtSetInformationProcess: DEP Disable

from monitor.

jbremer avatar jbremer commented on July 18, 2024

Some of these have already been covered elsewhere. E.g., ShellExecuteA as part of ShellExecuteExW, but I'll work on adding some of these. Could you share some samples where adding these hooks improves the analysis (i.e., these functions are being used)?

kevross33 avatar kevross33 commented on July 18, 2024

Thanks for looking at this :-) Mostly shellcode/exploit behavior rather than specific samples, but I will have a look. The ShellExecute one I did not mean to be added as a hook, as I know it already is, but to be marked for stack pivot like CreateProcess etc. is. This is to try and mark shellcode execution following ROP, as generally we will see behaviours like the following after an exploit, so trying to cover as much as possible for post-exploit detection:

process creation: covered by martians sigs
network activity: Documents initiating network traffic etc. But with the URLDownloadToFile/CacheFile markings following stack pivot extends it to other files that aren't safe just to mark network activity with whitelisting.
code injection: Generic techniques. Really should just be covering all injection for malware like the CreateRemoteThread sig which covers this kind of thing.
dropped files: dropping file and executing it sig, writing exe on docs etc. covered already too.

I am thinking too given WinExec is legacy API it might even be the case of just marking it too for its use in non-executable documents as being very suspicious given it is one of these all in one kind of things for shellcode like UrlDownloadToFile is.

Also as mentioned here Atom hooks (NtAddAtom, NtAddAtomEx, NtFindAtom, NtDeleteAtom) could be useful too. http://volatility-labs.blogspot.co.uk/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html:

spender-sandbox/cuckoomon-modified@ac11e57

kevross33 avatar kevross33 commented on July 18, 2024

On another thought, a tangent about exploit analysis/detection. A stack pivot is where the original stack of the program is replaced with the new stack provided by the exploit. Would it be worth, if a stack pivot has occurred, providing a stack trace like on a program crash, potentially showing the ROP gadgets, shellcode and things and allowing for more analysis? Obviously there are ROP-less exploits about (hence other layers).

Another idea I was thinking of, but I don't have the skillset necessary to implement it. Also interesting generic exploit detection ideas here if you are interested: https://www.defcon.org/images/defcon-21/dc-21-presentations/Thabet/DEFCON-21-Thabet-EDS-Exploitation-Detection-System-WP-Updated.pdf. Interesting ones are use-after-free and SEH corruption/overflow as well as others.

kevross33 avatar kevross33 commented on July 18, 2024

On some testing btw the exploit test tool can be handy (although with whitelisting in the sigs it may not trigger), but it is useful to do safe executions without playing with the exploits themselves, although I will try and locate some examples. There are tests in it (look at the manual for descriptions, but the tool is self-explanatory) for WinExec and UrlDownloadToFile, ROP etc.

http://www.surfright.nl/en/downloads/

kevross33 avatar kevross33 commented on July 18, 2024

Hi,

Looking over some stuff I realised VirtualProtectEx does not appear to be hooked when I was doing some analysis. NtProtectVirtualMemory is fine and is hooked but could this please be added and also NtWow64WriteVirtualMemory64 (NtWriteVirtualMemory is also covered).

Thanks :-D

kevross33 avatar kevross33 commented on July 18, 2024

Hi,

Some more found during conversion. I am converting this signature while analysing a few samples: https://raw.githubusercontent.com/spender-sandbox/community-modified/master/modules/signatures/injection_explorer.py

I have found some APIs needed but not hooked (in the attached file if you want to look at list although many are done)
"SetWindowLongA", "SetWindowLongW", "SetWindowLongPtrA", "SetWindowLongPtrW"

On some of the samples I am looking at, the cuckoo-modified signature is too specific and explorer is being injected without triggering the signature anyway, so I am intending to simplify it while marking the relevant calls. The other thing I meant to ask is: given a PID, can the process name be determined? i.e.
API argument: process_id = 2100
get.pname_from_pid(process_id)

This I am hoping to use in the injection sigs to report the process being injected into, and in this case only mark APIs where the process is explorer.exe :)

injection_explorer.txt

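One way to do the PID-to-name lookup asked about above, and to mark only the calls whose target is explorer.exe, written as an added example rather than code from the Cuckoo monitor or the community-modified signature repository. It walks a behavior report offline; the report layout (a "processes" list whose entries carry "pid", "process_name" and "calls", each call with "api" and an "arguments" dict), the argument names "process_identifier" and "window_handle", and the sample report itself are all assumptions or constructed data. Because SetWindowLong* take a window handle rather than a PID, the example also learns the window's owner from an earlier GetWindowThreadProcessId call, which is the extra step the explorer signature needs.

```python
"""Resolve target PIDs to process names in a Cuckoo-style behavior report
and flag calls aimed at explorer.exe.

Added example, not code from the Cuckoo monitor or the community-modified
signature repository. The report layout (a "processes" list whose entries
carry "pid", "process_name" and "calls", each call with "api" and an
"arguments" dict) is an assumption, as are the argument names
"process_identifier" and "window_handle". All sample data is constructed.
"""

# Cross-process memory/thread APIs whose target is given as a PID.
INJECTION_APIS = {
    "NtWriteVirtualMemory", "NtWow64WriteVirtualMemory64", "WriteProcessMemory",
    "VirtualProtectEx", "NtProtectVirtualMemory", "CreateRemoteThread",
    "NtQueueApcThread", "SetThreadContext",
}

# Window-subclassing APIs: their target is a window handle, not a PID, so the
# owning process has to be learned from an earlier GetWindowThreadProcessId.
WINDOW_HOOK_APIS = {
    "SetWindowLongA", "SetWindowLongW", "SetWindowLongPtrA", "SetWindowLongPtrW",
}

SAMPLE_REPORT = {  # constructed sample, not a real analysis result
    "processes": [
        {"pid": 1234, "process_name": "explorer.exe", "calls": []},
        {"pid": 2100, "process_name": "sample.exe", "calls": [
            {"api": "OpenProcess", "arguments": {"process_identifier": 1234}},
            {"api": "NtWriteVirtualMemory", "arguments": {"process_identifier": 1234}},
            {"api": "VirtualProtectEx", "arguments": {"process_identifier": 1234}},
            {"api": "CreateRemoteThread", "arguments": {"process_identifier": 1234}},
            # Writing to its own address space is not injection.
            {"api": "NtWriteVirtualMemory", "arguments": {"process_identifier": 2100}},
            {"api": "GetWindowThreadProcessId",
             "arguments": {"window_handle": "0x00010042", "process_identifier": 1234}},
            {"api": "SetWindowLongA", "arguments": {"window_handle": "0x00010042"}},
            # The owner of this window was never looked up, so it cannot be attributed.
            {"api": "SetWindowLongW", "arguments": {"window_handle": "0x00020099"}},
        ]},
    ]
}


def build_pid_map(report):
    """Map every PID seen in the report to its process name."""
    return {p["pid"]: p["process_name"] for p in report["processes"]}


def pname_from_pid(report, pid):
    """The lookup asked for in the thread: process name for a PID, or None."""
    return build_pid_map(report).get(pid)


def find_injection_into(report, target="explorer.exe"):
    """Return the calls from any process that act on a *different* process
    named `target`, resolving window handles through GetWindowThreadProcessId."""
    names = build_pid_map(report)
    hits = []
    for proc in report["processes"]:
        hwnd_owner = {}  # window handle -> owning PID, tracked per source process
        for call in proc["calls"]:
            api = call["api"]
            args = call.get("arguments", {})
            if api == "GetWindowThreadProcessId":
                hwnd_owner[args["window_handle"]] = args["process_identifier"]
                continue
            if api in INJECTION_APIS:
                target_pid = args.get("process_identifier")
            elif api in WINDOW_HOOK_APIS:
                target_pid = hwnd_owner.get(args.get("window_handle"))
            else:
                continue
            # Skip unattributable targets and a process acting on itself.
            if target_pid is None or target_pid == proc["pid"]:
                continue
            target_name = names.get(target_pid, "<unknown>")
            if target_name.lower() == target.lower():
                hits.append({"api": api, "source_pid": proc["pid"],
                             "target_pid": target_pid, "target_name": target_name})
    return hits


if __name__ == "__main__":
    for hit in find_injection_into(SAMPLE_REPORT):
        print("{source_pid} -> {target_pid} ({target_name}): {api}".format(**hit))
```

Run against the constructed report it reports four calls into explorer.exe (three memory/thread APIs plus the SetWindowLongA whose window owner was resolved) and ignores the self-write and the SetWindowLongW on a window of unknown owner; a real signature would take the report from the analysis results instead of the embedded sample.
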
kevross33 avatar kevross33 commented on July 18, 2024

Can these be added to the to-do list please (seen in Locky):

  • GetCommandLineA/W
  • GetDriveTypeA/W

Thanks
