BlackHat USA 2023 presentation - From Dead Data to Digestion: Extracting Windows Fibers for Your Digital Forensics Diet
https://www.youtube.com/watch?v=lWrBv1Cig1M&ab_channel=BlackHat
https://www.blackhat.com/us-23/briefings/schedule/#from-dead-data-to-digestion-extracting-windows-fibers-for-your-digital-forensics-diet-32832
*PowerPoint slides are included in this repository.
This tool demonstrates a PoC technique for enumerating Windows Fibers from process memory, allowing defenders to distinguish legitimate from malicious Fiber use.
Weetabix identifies which threads are running Fibers, then extracts:
- The currently executing Fiber.
- Any associated Dormant Fibers.
- Their Fiber Data.
- Their Fiber local storage slots.
- Any associated Fiber callback functions in use.
Weetabix then applies a set of enrichments, such as memory protections, symbol and module resolution, and entropy scores, to help distinguish legitimate from malicious Fiber use.
Tested against a Fiber whose default Fiber local storage callbacks have been overwritten with malicious callbacks. The malicious callbacks are executed whenever the Fiber/thread exits or the associated Fiber Local Storage slot is freed.
Weetabix finds two suspicious callbacks:
- A callback to a mapped module in the Downloads directory.
- A callback into unbacked RWX memory.
This example shows only a single Fiber in use on a thread. This is irregular, since Fibers were designed with multitasking in mind, so one would expect two or more Fibers per thread. In addition:
- FiberData points to unbacked memory.
- There is no Fiber local storage, which is non-standard behaviour.
- There are no callback functions, which is non-standard behaviour.
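As an added example (not part of the Weetabix repository), the following Python script applies the indicators described above to per-thread Fiber records in an NDJSON layout like the one Weetabix writes. The field names, sample records, addresses, paths and symbol names are all constructed for this example and are not the tool's actual schema or output. The logic covers the extraction summary (threads, current and dormant Fibers, FiberData, FLS slots, callbacks) and both test cases: callbacks into a module under Downloads or into unbacked RWX memory, a lone Fiber on a thread, unbacked FiberData, and missing Fiber local storage or callbacks, with an entropy score as an enrichment.

```python
"""Triage Fiber records in the style of Weetabix's NDJSON output.

The record layout (field names and nesting) is an assumption made for this
example and is NOT the tool's real schema; every record below is constructed.
"""
import json
import math
from collections import Counter, defaultdict

# Constructed NDJSON: one record per Fiber found on a thread (assumed schema).
# Addresses, paths and symbol names are placeholders; the raw string keeps the
# JSON-escaped Windows path backslashes intact.
SAMPLE_NDJSON = r'''
{"tid": 100, "fiber": "0x1a2b0000", "state": "current", "fiber_data": {"address": "0x1a2b4000", "backed": true, "module": "C:\\Program Files\\App\\app.exe"}, "fls": [{"slot": 0, "callback": {"address": "0x7ff8a0001000", "backed": true, "module": "C:\\Windows\\System32\\ucrtbase.dll", "symbol": "ucrtbase!placeholder_fls_callback", "protection": "RX"}}]}
{"tid": 100, "fiber": "0x1a2b8000", "state": "dormant", "fiber_data": {"address": "0x1a2bc000", "backed": true, "module": "C:\\Program Files\\App\\app.exe"}, "fls": [{"slot": 0, "callback": {"address": "0x7ff8a0001000", "backed": true, "module": "C:\\Windows\\System32\\ucrtbase.dll", "symbol": "ucrtbase!placeholder_fls_callback", "protection": "RX"}}]}
{"tid": 200, "fiber": "0x2c3d0000", "state": "current", "fiber_data": {"address": "0x2c3d4000", "backed": true, "module": "C:\\Program Files\\App\\app.exe"}, "fls": [{"slot": 0, "callback": {"address": "0x7ff8b0002000", "backed": true, "module": "C:\\Users\\bob\\Downloads\\stage.dll", "symbol": null, "protection": "RX"}}, {"slot": 1, "callback": {"address": "0x1f0000", "backed": false, "module": null, "symbol": null, "protection": "RWX", "bytes_hex": "e9a3f17c0b9d2e44f0a1c8375b6d0e92"}}]}
{"tid": 200, "fiber": "0x2c3d8000", "state": "dormant", "fiber_data": {"address": "0x2c3dc000", "backed": true, "module": "C:\\Program Files\\App\\app.exe"}, "fls": [{"slot": 0, "callback": {"address": "0x7ff8a0001000", "backed": true, "module": "C:\\Windows\\System32\\ucrtbase.dll", "symbol": "ucrtbase!placeholder_fls_callback", "protection": "RX"}}]}
{"tid": 300, "fiber": "0x3e4f0000", "state": "current", "fiber_data": {"address": "0x3e4f4000", "backed": false, "module": null}, "fls": []}
'''


def parse_ndjson(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); used as an enrichment."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_thread(fibers):
    """Apply the README's indicators to every Fiber seen on one thread."""
    findings = []
    # Fibers exist for cooperative multitasking: a lone Fiber on a thread is irregular.
    if len(fibers) < 2:
        findings.append("single Fiber on thread")
    for fib in fibers:
        if not fib["fiber_data"]["backed"]:
            findings.append(f"{fib['fiber']}: FiberData points to unbacked memory")
        slots = fib.get("fls", [])
        if not slots:
            findings.append(f"{fib['fiber']}: no Fiber local storage")
        callbacks = [s["callback"] for s in slots if s.get("callback")]
        if not callbacks:
            findings.append(f"{fib['fiber']}: no FLS callback functions")
        for cb in callbacks:
            module = cb.get("module") or ""
            # Callback target has no backing module and is executable: classic injected code.
            if not cb["backed"] and "X" in cb["protection"]:
                note = f"{fib['fiber']}: callback {cb['address']} into unbacked {cb['protection']} memory"
                if cb.get("bytes_hex"):
                    ent = shannon_entropy(bytes.fromhex(cb["bytes_hex"]))
                    note += f" (entropy {ent:.2f} bits/byte)"
                findings.append(note)
            # Callback target is a mapped module living under a Downloads directory.
            if "\\downloads\\" in module.lower():
                findings.append(f"{fib['fiber']}: callback {cb['address']} into module in Downloads ({module})")
    return findings


def triage(ndjson_text):
    """Group records by thread id and return {tid: [finding, ...]}."""
    by_tid = defaultdict(list)
    for rec in parse_ndjson(ndjson_text):
        by_tid[rec["tid"]].append(rec)
    return {tid: triage_thread(fibers) for tid, fibers in by_tid.items()}


if __name__ == "__main__":
    for tid, findings in sorted(triage(SAMPLE_NDJSON).items()):
        print(f"tid {tid}: {'clean' if not findings else f'{len(findings)} finding(s)'}")
        for line in findings:
            print("  -", line)
```

Thread 100 (two Fibers, backed FiberData, callbacks resolved into a system DLL) comes out clean; thread 200 reproduces the first test case (a Downloads-module callback plus an unbacked RWX callback) and thread 300 the second (lone Fiber, unbacked FiberData, no FLS, no callbacks). Because the checks key off backing, protection and path rather than specific addresses, the same logic applies unchanged to real output once the field names are mapped to the tool's schema.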
- This tool requires symbols to be correctly configured on Windows for callback symbol resolution.
- The PoC was tested on Windows 10 19044 and targets x64 processes.
- Built around the newer implementation of Fiber Local Storage (Windows 10 1903 onwards).
- Uses the Json.hpp project for NDJSON file output (https://github.com/nlohmann/json).