cuckoosandbox / monitor

The new Cuckoo Monitor.
GNU General Public License v3.0

Additional IE hooks request (And Other API requests) #28

Open kevross33 opened 8 years ago

kevross33 commented 8 years ago

Hi,

Looking through analysis results would it please be possible to add in the following hooks in the IE hooks (https://github.com/cuckoosandbox/monitor/blob/master/sigs/iexplore.rst)?

This should hopefully help to cover more exploit kit activity. Below I have included the stuff for cuckoo-modified for these hooks (https://github.com/spender-sandbox/cuckoomon-modified/blob/MSVC/hook_special.c); it doesn't mean a lot to me about how to go about it, but I thought it may be useful to someone in the know :-)

```c
HOOKDEF_NOTAIL(WINAPI, JsEval,
    PVOID Arg1,
    PVOID Arg2,
    PVOID Arg3,
    int Index,
    DWORD *scriptobj
) {
#ifndef _WIN64
    PWCHAR jsbuf;
    PUCHAR p;
#endif
    int ret = 0;

    /* TODO: 64-bit support */
#ifdef _WIN64
    return ret;
#else
    /* Walk the 32-bit script object to reach the JavaScript text being evaluated. */
    p = (PUCHAR)scriptobj[4 * Index - 2];
    jsbuf = *(PWCHAR *)(p + 8);
    if (jsbuf)
        LOQ_ntstatus("browser", "u", "Javascript", jsbuf);

    return ret;
#endif
}

HOOKDEF_NOTAIL(WINAPI, JsRunScript,
    const wchar_t *script,
    PVOID SourceContext,
    const wchar_t *sourceUrl,
    PVOID *result
) {
    int ret = 0;

    /* Log the script source and its origin URL before it runs. */
    LOQ_zero("browser", "uu", "Script", script, "Source", sourceUrl);
    return ret;
}

HOOKDEF(PVOID, WINAPI, JsParseScript,
    const wchar_t *script,
    PVOID SourceContext,
    const wchar_t *sourceUrl,
    PVOID *result
) {
    PVOID ret = Old_JsParseScript(script, SourceContext, sourceUrl, result);

    /* Log the parsed script and its origin URL. */
    LOQ_zero("browser", "uu", "Script", script, "Source", sourceUrl);

    return ret;
}

HOOKDEF(int, WINAPI, COleScript_ParseScriptText,
    PVOID Arg1,
    PWCHAR ScriptBuf,
    PVOID Arg3,
    PVOID Arg4,
    PVOID Arg5,
    PVOID Arg6,
    PVOID Arg7,
    PVOID Arg8,
    PVOID Arg9,
    PVOID Arg10
) {
    int ret = Old_COleScript_ParseScriptText(Arg1, ScriptBuf, Arg3, Arg4, Arg5, Arg6, Arg7, Arg8, Arg9, Arg10);
    /* Log the script text handed to the legacy script engine. */
    LOQ_ntstatus("browser", "u", "Script", ScriptBuf);
    return ret;
}
```

kevross33 commented 7 years ago

Hi,

Sorry, can I request some other APIs? I am just going to make this a generic request including the above ones:

Shellcode/Interesting:

- UrlDownloadToCacheFile: shellcode alternative to UrlDownloadToCacheFile (would be good to have stack pivot/exploit mode stuff on it too)
- ShellExecuteA/W: stack pivot/exploit mode added if possible. I tried this myself but it failed to work as I hoped, although I will have another go as it is a good starting point for me given it is modifying an already existing hooked API.
- WinExec: for shellcodes and things. Again with exploit mode stuff. This is used more with shellcode as an all-in-one simple execution.

DEP bypass:

- SetProcessDEPPolicy: DEP disable
- NtSetInformationProcess: DEP disable

jbremer commented 7 years ago

Some of these have already been covered elsewhere. E.g., ShellExecuteA as part of ShellExecuteExW, but I'll work on adding some of these. Could you share some samples where adding these hooks improves the analysis (i.e., these functions are being used)?

kevross33 commented 7 years ago

Thanks for looking at this :-) Mostly shellcode/exploit behaviour rather than specific samples, but I will have a look. The ShellExecute I was meaning not for it to be added as a hook, as I know it already is, but to mark it for stack pivot like CreateProcess etc. is. This is to try and mark shellcode execution following ROP, as generally we will see behaviours like the following after an exploit, so trying to cover as much as possible for post-exploit detection:

- process creation: covered by martians sigs
- network activity: documents initiating network traffic etc. But with the URLDownloadToFile/CacheFile markings following a stack pivot this extends it to other files that aren't safe just to mark network activity with whitelisting.
- code injection: generic techniques. Really should just be covering all injection for malware, like the CreateRemoteThread sig which covers this kind of thing.
- dropped files: dropping a file and executing it sig, writing an exe on docs etc. Covered already too.

I am thinking too, given WinExec is a legacy API, it might even be the case of just marking its use in non-executable documents as being very suspicious, given it is one of these all-in-one kind of things for shellcode like UrlDownloadToFile is.

Also, as mentioned here, Atom hooks (NtAddAtom, NtAddAtomEx, NtFindAtom, NtDeleteAtom) could be useful too: http://volatility-labs.blogspot.co.uk/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html

https://github.com/spender-sandbox/cuckoomon-modified/commit/ac11e57e42d5c21248ec82bfe621188cf80920fc

kevross33 commented 7 years ago

On another thought, a tangent about exploit analysis/detection. A stack pivot is where the original stack of the program is replaced with the new stack provided by the exploit. Would it be worth, if a stack pivot has occurred, providing a stack trace like on a program crash, potentially showing the ROP gadgets, shellcode and things and allowing for more analysis? Obviously there are ROP-less exploits about (hence other layers).

This is another idea I was thinking of, but I don't have the skill set necessary to implement it. Also, there are interesting generic exploit detection ideas here if you are interested: https://www.defcon.org/images/defcon-21/dc-21-presentations/Thabet/DEFCON-21-Thabet-EDS-Exploitation-Detection-System-WP-Updated.pdf. Interesting ones are use-after-free and SEH corruption/overflow as well as others.

kevross33 commented 7 years ago

On some testing, btw, the exploit test tool can be handy (although with whitelisting in the sigs it may not trigger, it is useful to do safe executions without playing with the exploits themselves, although I will try and locate some examples). There are tests in it (look at the manual for descriptions, but the tool is self-explanatory) for WinExec and UrlDownloadToFile, ROP etc.

http://www.surfright.nl/en/downloads/

kevross33 commented 7 years ago

Hi,

Looking over some stuff while doing some analysis, I realised VirtualProtectEx does not appear to be hooked. NtProtectVirtualMemory is fine and is hooked, but could this please be added, and also NtWow64WriteVirtualMemory64 (NtWriteVirtualMemory is also covered)?

Thanks :-D

kevross33 commented 7 years ago

Hi,

Some more found during conversion. I am converting this signature while analysing a few samples: https://raw.githubusercontent.com/spender-sandbox/community-modified/master/modules/signatures/injection_explorer.py

I have found some APIs needed but not hooked (in the attached file if you want to look at the list, although many are done): "SetWindowLongA", "SetWindowLongW", "SetWindowLongPtrA", "SetWindowLongPtrW"

On some of the samples I am looking at, the cuckoo-modified signature is too specific and explorer is being injected without triggering the signature anyway, so I am intending to simplify it while marking the relevant calls. The other thing I meant to ask is, given a PID, can the process name be determined? i.e. API argument: process_id = 2100, get.pname_from_pid(process_id)

This I am hoping to use in the injection sigs to report the process being injected into, and in this case only mark APIs where the process is explorer.exe :)

injection_explorer.txt
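The PID-to-name lookup asked about above, applied to the cross-process memory APIs raised earlier in the thread (VirtualProtectEx, NtWriteVirtualMemory, NtWow64WriteVirtualMemory64), as an added example that is not part of the issue or of the Cuckoo Monitor code base. It assumes a Cuckoo-style report in which each process record carries `pid`, `process_name` and its `calls`, and each call carries an `arguments` dict with a `process_identifier` for the target process; the record layout, argument name and the sample data are constructed for illustration.

```python
# Added example: resolve a PID to a process name from a Cuckoo-style report
# and flag cross-process memory-writing calls aimed at explorer.exe.
# The report layout and the "process_identifier" argument name are assumptions;
# the process records below are constructed sample data, not a real analysis.

PROCESSES = [
    {"pid": 1234, "process_name": "winword.exe", "calls": [
        # same-process protection change: routine, should not be flagged
        {"api": "NtProtectVirtualMemory", "arguments": {"process_identifier": 1234}},
        # writes into explorer.exe (pid 2100): what the injection sig wants to mark
        {"api": "VirtualProtectEx", "arguments": {"process_identifier": 2100}},
        {"api": "NtWow64WriteVirtualMemory64", "arguments": {"process_identifier": 2100}},
        # write into a different process: not explorer, so ignored by this check
        {"api": "NtWriteVirtualMemory", "arguments": {"process_identifier": 3000}},
    ]},
    {"pid": 2100, "process_name": "explorer.exe", "calls": []},
    {"pid": 3000, "process_name": "notepad.exe", "calls": []},
]

# APIs from the thread that write into or re-protect another process's memory.
INJECTION_APIS = {"VirtualProtectEx", "NtWriteVirtualMemory", "NtWow64WriteVirtualMemory64"}


def pname_from_pid(processes, pid):
    """Return the lower-cased process name for pid, or None if the report has no record."""
    for proc in processes:
        if proc["pid"] == pid:
            return proc["process_name"].lower()
    return None


def explorer_injection_calls(processes, target="explorer.exe"):
    """Return (caller_name, api, target_pid) for injection APIs whose target is `target`."""
    hits = []
    for proc in processes:
        for call in proc["calls"]:
            if call["api"] not in INJECTION_APIS:
                continue
            target_pid = call["arguments"].get("process_identifier")
            # Same-process memory operations are normal and are not injection.
            if target_pid is None or target_pid == proc["pid"]:
                continue
            if pname_from_pid(processes, target_pid) == target:
                hits.append((proc["process_name"], call["api"], target_pid))
    return hits
```

With the sample above, only the two calls from winword.exe that target pid 2100 are reported; the NtProtectVirtualMemory call on its own process and the write into notepad.exe are skipped.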

kevross33 commented 7 years ago

Can these be added to the to do list please (seen locky):

Thanks