https://www.youtube.com/watch?v=lWrBv1Cig1M&ab_channel=BlackHat

https://www.blackhat.com/us-23/briefings/schedule/#from-dead-data-to-digestion-extracting-windows-fibers-for-your-digital-forensics-diet-32832

*PowerPoint slides included in this repository

This tool demonstrates a PoC technique for enumerating Windows Fibers from process memory allowing defenders to distinguish legitimate from malicious Fiber use.

Weetabix identifies which Threads are running Fibers then extracts:

• The currently executing Fiber.
• Any associated Dormant Fibers.
• Their Fiber Data.
• Their Fiber local storage slots.
• And any associated Fiber callback functions in use.

Weetabix then applies a set of enrichments such as memory protections, symbol+module resolutions & entropy scores to allow one to distinguish legitimate from malicious fiber use.

Tested against a Fiber whoes default Fiber local storage callbacks have been overwritten with malicous callbacks. The malicious callbacks are executed whenever the fiber/thread exits or the associated Fiber Local Storage slot is freed.

Weetabix finds two suspicous callbacks

1. A callback to a mapped module in the Downloads directory.
2. A callback into unbacked RWX memory.

This reveals only a single fiber being used on a thread. This is irregular since Fibers were designed with multi-tasking in mind so one would expect two or more fibers/Thread. In addition

1. FiberData points to unbacked memory.
2. There is no Fiber local storage which is non-standard behaviour.
3. There are no callbacks functions which is non-standard behaviour.

• This tool requires symbols to be correctly configured on Windows for callback symbol resolution.
• PoC was tested on Windows 10 19044. Targets x64 processes.
• Built around newer implementation of Fiber Local Storage (Windows 10 1903 onwards).

• Used the Json.hpp project for NDJSON file output (https://github.com/nlohmann/json).