Mr-Un1k0d3r / EDRs


Update carbonblack.txt #18

Closed ScriptIdiot closed 2 years ago

ScriptIdiot commented 2 years ago

Ran hook_finder64.exe on Carbon Black on 02 Feb 2022 and updated the list for Carbon Black.

Raw result below: https://gist.github.com/ScriptIdiot/57886fd8b556b128aa0b70b38bb1f628

ScriptIdiot commented 2 years ago

Sensor version: 3.7.0.1503

Mr-Un1k0d3r commented 2 years ago

Thanks for the pull; you made me realize that the compiled version of the tool that I pushed to the repo was not the right one. I updated the file, so you should have the same result.

ScriptIdiot commented 2 years ago

Just ran it again with Sensor version 3.7.0.1503; should I add the Zw calls manually? Thanks

Raw result: https://gist.github.com/ScriptIdiot/57886fd8b556b128aa0b70b38bb1f628

Mr-Un1k0d3r commented 2 years ago

Technically, Zw and Nt are the same function: Zw is designed to be called from the kernel and Nt from user mode. I decided to remove the IsFalsePositive function to get a full list, but this will by default generate a lot of false positives, since there are a lot of non-Nt* APIs that may start with a JMP. You can get the list by adding the -nt switch at the end of the command, but it will contain a lot of FP.

hook_finder64.exe C:\windows\system32\ntdll.dll -nt will return the whole list including FP.

The reason why I removed this IsFalsePositive check is that, as people pointed out, the code was not portable due to the use of hardcoded offsets for ntdll. I used the official structure to make the code usable against other DLLs, but every DLL may generate other FPs, so keeping track of them is not super relevant anymore. I could probably have a better way to identify FPs, but I feel that this POC is more than enough to identify what you are looking for.
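The check the tool performs, as an added Python example that is not the repository's hook_finder code: it tells an intact x64 syscall stub from a prologue that has been replaced by a jump, reports each Nt/Zw pair once because both names resolve to the same address, and shows how scanning non-Nt exports produces the false positives described above. Every export name marked constructed, every RVA and every byte sequence is hand-built sample data, not dumped from a live ntdll; a defender would feed the same logic the real export table to confirm which Nt* functions the sensor covers.

```python
# Added example, not the repository's hook_finder code. Names marked constructed,
# RVAs and bytes are hand-built sample data, not dumped from a live ntdll.
from typing import Dict, List, Tuple

# x64 syscall stub prologue: mov r10, rcx ; mov eax, <syscall number>
SYSCALL_STUB_PREFIX = bytes.fromhex("4c8bd1b8")

# Constructed "export table": name -> (RVA, first bytes of the function body)
SAMPLE_EXPORTS: Dict[str, Tuple[int, bytes]] = {
    # jmp rel32 into a trampoline: the hooked case
    "NtAllocateVirtualMemory": (0x9D3E0, bytes.fromhex("e91b2c0f7f90909090")),
    "ZwAllocateVirtualMemory": (0x9D3E0, bytes.fromhex("e91b2c0f7f90909090")),  # same RVA as its Nt twin
    # intact stub (syscall number 0x0f is a constructed value): mov r10,rcx ; mov eax,0xf ; syscall ; ret
    "NtClose": (0x9D0D0, bytes.fromhex("4c8bd1b80f0000000f05c3")),
    "ZwClose": (0x9D0D0, bytes.fromhex("4c8bd1b80f0000000f05c3")),
    # jmp qword ptr [rip+disp32]: another common detour shape
    "NtQuerySystemTime": (0x9E120, bytes.fromhex("ff2500100000")),
    # hypothetical non-Nt export whose legitimate code starts with a jmp: the FP case
    "RtlConstructedForwarder": (0x41A00, bytes.fromhex("e9a0010000")),
    "LdrConstructedHelper": (0x22340, bytes.fromhex("48895c2408")),  # mov [rsp+8], rbx: ordinary prologue
}

def prologue_is_jump(code: bytes) -> bool:
    """True when the first instruction is a jump rather than the expected syscall stub."""
    if code.startswith(SYSCALL_STUB_PREFIX):
        return False
    return code[:1] == b"\xe9" or code[:2] == b"\xff\x25"  # jmp rel32 / jmp [rip+disp32]

def find_hooks(exports: Dict[str, Tuple[int, bytes]], nt_only: bool = True) -> List[str]:
    """Return exports whose prologue was replaced. Nt*/Zw* pairs share one RVA,
    so each address is reported once, under its Nt name. nt_only=False scans
    every export and reproduces the false-positive problem from the thread."""
    seen_rvas = set()
    hooked: List[str] = []
    for name, (rva, code) in sorted(exports.items()):  # Nt* sorts before Zw*
        if nt_only and not name.startswith(("Nt", "Zw")):
            continue
        if rva in seen_rvas:
            continue
        seen_rvas.add(rva)
        if prologue_is_jump(code):
            hooked.append("Nt" + name[2:] if name.startswith("Zw") else name)
    return hooked

if __name__ == "__main__":
    for nt_only in (True, False):
        print(f"nt_only={nt_only}:", ", ".join(find_hooks(SAMPLE_EXPORTS, nt_only)))
```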

ScriptIdiot commented 2 years ago

Just ran with the nt flag again and noted more output (probably FP); thanks for the explanation. For the latest commit, 3 previously hooked functions are removed and 1 new function is added; see if this info helps. Feel free to close the pull request, thanks again!

Mr-Un1k0d3r commented 2 years ago

Ran it on my CB VM and this is what I got:

>hook_finder64.exe C:\windows\system32\ntdll.dll
Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
Listing loaded modules
------------------------------------------
C:\Users\me\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFE94B30000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFE93DA0000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFE92240000.
C:\Windows\system32\ctiuser.dll is loaded at 0x00007FFE79820000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFE92DB0000.
C:\Windows\System32\ADVAPI32.dll is loaded at 0x00007FFE93620000.
C:\Windows\System32\sechost.dll is loaded at 0x00007FFE94810000.
C:\Windows\System32\RPCRT4.dll is loaded at 0x00007FFE934E0000.
C:\Windows\system32\FLTLIB.DLL is loaded at 0x00007FFE8C670000.
C:\Windows\System32\ucrtbase.dll is loaded at 0x00007FFE92880000.
***Listing Nt* API only

NtAllocateVirtualMemory is hooked
NtCreateThread is hooked
NtCreateThreadEx is hooked
NtMapViewOfSection is hooked
NtOpenProcess is hooked
NtProtectVirtualMemory is hooked
NtQueryInformationProcess is hooked
NtQuerySystemInformation is hooked
NtQuerySystemTime is hooked
NtQueueApcThread is hooked
NtQueueApcThreadEx is hooked
NtReadVirtualMemory is hooked
NtUnmapViewOfSection is hooked
NtWriteVirtualMemory is hooked
------------------------------------------
Completed

It does seem like they removed NtClose and NtCreateFile.

ScriptIdiot commented 2 years ago

Same as your output, and I will close it, thanks!