hasherezade / hollows_hunter

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
https://github.com/hasherezade/hollows_hunter/wiki
BSD 2-Clause "Simplified" License

Not all processes are scanned #21

Open greenozon opened 2 days ago

greenozon commented 2 days ago

Even if I ran cmd.exe as Admin, the tool can't access some processes. Are there any clues why that is?

eg:

HollowsHunter v.0.3.9 (x64)
Built on: Feb 24 2024

using: PE-sieve v.0.3.9.0

Default scan deployed.
>> Scanning PID:    0 : [System Process]
[!] Could not access: 0
>> Scanning PID:    4 : System
[!] Could not access: 4
>> Scanning PID:  324 : smss.exe

...........

>> Scanning PID: 15492 : chrome.exe
>> Scanning PID: 12572 : Clock7.exe
[-] Section 0:  out ouf bounds, skipping...
>> Scanning PID: 8664 : chrome.exe
>> Scanning PID: 7260 : chrome.exe
>> Scanning PID: 11164 : chrome.exe
>> Scanning PID: 15860 : chrome.exe
>> Scanning PID: 15032 : chrome.exe
[!] Could not access: 15032
>> Scanning PID: 16868 : audiodg.exe
[!] Could not access: 16868
>> Scanning PID: 15672 : chrome.exe
>> Scanning PID: 15868 : chrome.exe
[!] Could not access: 15868
>> Scanning PID: 11204 : chrome.exe
>> Scanning PID: 9192 : chrome.exe
[!] Could not access: 9192
>> Scanning PID: 7560 : WmiPrvSE.exe
>> Scanning PID: 5088 : dllhost.exe
[!] Could not access: 5088
>> Scanning PID: 14892 : dllhost.exe
[!] Could not access: 14892
>> Scanning PID: 9836 : TOTALCMD64.EXE
>> Scanning PID: 16220 : cmd.exe
>> Scanning PID: 4220 : conhost.exe
>> Scanning PID: 7912 : hollows_hunter.exe
--------
SUMMARY:
Scan at: 10/27/24 11:34:01 (1730021641)
Finished scan in: 55333 ms. = 55.333 sec. = 0.922217 min.
[*] Total scanned: 175
[*] Total suspicious: 0

the first two I guess are OK, but what about the rest?

greenozon commented 2 days ago

Do I need to run the tool on even higher priv, eg https://github.com/nfedera/run-as-trustedinstaller ?

hasherezade commented 1 day ago

Hi @greenozon! Yes, clearly Admin is not enough and HH doesn't have the privilege to access those processes. Can you check with which privileges each of them runs? What exactly is your Windows version? Do you have any AV/EDR software installed? Sometimes such products block access to specific processes.

greenozon commented 1 day ago

Thanks for the reply! I don't have any AV/EDR. I'm using good old W7x64SP1. I'll check what privileges those processes are using.

greenozon commented 1 day ago

details:

C:\Windows\system32\AUDIODG.EXE 0x9d8 User: NT AUTHORITY\LOCAL SERVICE

About the "Could not access" errors for chrome.exe and opera.exe - wow! Each time I ran the tool and tried to find the PID using ProcExplorer, I was not able to find those! I've also seen that those chrome/opera are constantly creating and deleting processes; might that be the case? Also a side note: all chrome/opera processes are running under my local (non-admin) user, so might it be the case that you start scanning it and during the scan this process was killed by the browser due to its internal kitchen?

and last question on this case:

Scanning PID: 12572 : Clock7.exe [-] Section 0: out ouf bounds, skipping...

Could you explain this a bit more, please? This is an extremely small (1 KB PE64) digital clock, a nice tool that shows a transparent clock on the Desktop.

greenozon commented 1 day ago

And one more question: could you print more info in the case of a [!] Could not access issue? E.g. GetLastError() or so..

hasherezade commented 1 day ago

@greenozon - I will add better error reporting. In the meantime, could you please try scanning each of the problematic processes with PE-sieve? It is the engine used by HollowsHunter. It scans only one process at a time, but has extended reporting of errors. It is very much possible that it cannot access the process because it terminated before the scan completed. Regarding Clock7.exe - can you share this application? I will take a look.

greenozon commented 19 hours ago

Gave it a try, but generally the thing is that the pe-sieve tool works with a single PID per run, which means I can't catch that nasty open/close issue with this tool... BTW, while reading logs out of it I've seen

[-] Could not set debug privilege

is it just an informational msg or are you skipping some deeper functionality?

Clock7 attached, hope you'll enjoy this small piece of mastership!

BTW, the tool did not tell more info, same as before... ([-] Section 0: out ouf bounds, skipping...)

C:\Prg\Hiteq\pe\PeBear>pe-sieve.exe /pid 12920
PID: 12920
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[-] Section 0:  out ouf bounds, skipping...
[*] Scanning: C:\Prg\inet\crypto\certs\Clock7.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\lpk.dll
[*] Scanning: C:\Windows\System32\usp10.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\msctf.dll
[*] Scanning: C:\Windows\System32\nvinitx.dll
[*] Scanning: C:\Windows\System32\version.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
[*] Scanning: C:\Windows\System32\setupapi.dll
[*] Scanning: C:\Windows\System32\cfgmgr32.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\ole32.dll
[*] Scanning: C:\Windows\System32\devobj.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\nvdxgiwrapx.dll
[*] Scanning: C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.27361_none_145bfe468b8fc347\GdiPlus.dll
[*] Scanning: C:\Windows\System32\uxtheme.dll
[*] Scanning: C:\Windows\System32\dwmapi.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
Scanning workingset: 199 memory regions.
[*] Workingset scanned in 16 ms.
[+] Report dumped to: process_12920
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\140000000.Clock7.exe as VIRTUAL
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\77490000.kernel32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefd360000.KERNELBASE.dll as REALIGNED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefe9a0000.gdi32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\77390000.user32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefde20000.ole32.dll as UNMAPPED
[+] Dumped modified to: process_12920
[+] Report dumped to: process_12920
---
PID: 12920
---
SUMMARY:

Total scanned:      28
Skipped:            0
-
Hooked:             6
Replaced:           0
Hdrs Modified:      0
IAT Hooks:          0
Implanted:          0
Unreachable files:  0
Other:              0
-
Total suspicious:   6
---

Clock7.zip

greenozon commented 19 hours ago

Could you also explain the goal of .tag file, eg:

8b90;D3DKMTQueryAdapterInfo->7fefd3501f0;5
8b95;patch_1;3
bde0;D3DKMTGetDisplayModeList->7fefd3501b8;5
bde5;patch_3;3
hasherezade commented 13 hours ago

Could you also explain the goal of .tag file, eg:

8b90;D3DKMTQueryAdapterInfo->7fefd3501f0;5
8b95;patch_1;3
bde0;D3DKMTGetDisplayModeList->7fefd3501b8;5
bde5;patch_3;3

It is explained on PE-sieve Wiki, check it out: https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches
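The four .tag lines quoted above have a simple shape: a hex RVA, a description, and a third numeric field. Below is an added example parser (my code, not PE-sieve's) that turns such lines into records and rebases them against a module base. It assumes only what the quoted lines show: an entry containing `->` is a hook with its redirection target after the arrow, any other entry is a patch, and the third field is the patched length in bytes (5 for the hook stubs, 3 for the following patches); the module base passed to `describe()` is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed from the four .tag lines quoted in the issue above.
TAG_SAMPLE = """8b90;D3DKMTQueryAdapterInfo->7fefd3501f0;5
8b95;patch_1;3
bde0;D3DKMTGetDisplayModeList->7fefd3501b8;5
bde5;patch_3;3
"""


@dataclass
class TagEntry:
    rva: int                 # offset relative to the scanned module's base
    kind: str                # "hook" when the label has "name->target", else "patch"
    label: str               # hooked function name, or the patch label
    target: Optional[int]    # hook redirection target (absolute VA), None for patches
    size: Optional[int]      # third field, read here as the modified length in bytes (assumption)


def parse_tag_line(line: str) -> TagEntry:
    """Parse one 'rva;label[;size]' line into a TagEntry."""
    parts = line.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"malformed tag line: {line!r}")
    rva = int(parts[0], 16)
    label = parts[1]
    size = int(parts[2]) if len(parts) > 2 and parts[2] else None
    if "->" in label:
        name, target_hex = label.split("->", 1)
        return TagEntry(rva, "hook", name, int(target_hex, 16), size)
    return TagEntry(rva, "patch", label, None, size)


def parse_tags(text: str) -> list[TagEntry]:
    """Parse a whole .tag file, skipping blank lines."""
    return [parse_tag_line(line) for line in text.splitlines() if line.strip()]


def describe(entries: list[TagEntry], module_base: int) -> list[str]:
    """Render entries as absolute addresses for cross-referencing with a dump."""
    out = []
    for e in entries:
        va = module_base + e.rva
        if e.kind == "hook":
            out.append(f"{va:#x}: {e.label} redirected to {e.target:#x} ({e.size} bytes)")
        else:
            out.append(f"{va:#x}: {e.label} ({e.size} bytes modified)")
    return out


if __name__ == "__main__":
    entries = parse_tags(TAG_SAMPLE)
    for line in describe(entries, module_base=0x10000):   # placeholder base
        print(line)
```

In these lines each 5-byte hook entry is directly followed by a 3-byte patch entry at the RVA just after it, which is why reading them side by side with the dumped module is more informative than looking at either entry alone.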

hasherezade commented 13 hours ago

Clock7 attached, hope you'll enjoy this small piece of mastership!

BTW, the tool did not tell more info, same as before... ([-] Section 0: out ouf bounds, skipping...)

Clock7.zip

Thank you! I checked your clock application, it is indeed very nice; it looks like it was written in pure assembly, is it? Also, I understood why it was showing that message: this executable has atypical alignment of sections. And also, the raw size of the section defined in the header was going beyond the file size.

[screenshot: sections]

I fixed my library to better handle such cases, so from now on this message is not gonna be shown.
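The two header quirks named above (section raw size running past the end of the file, and section offsets not following FileAlignment) are exactly what a scanner that reads the on-disk file to compare it with the in-memory image has to tolerate, since the Windows loader evidently does (Clock7.exe runs). The following is an added example, my own code rather than PE-sieve's, that parses a PE section table and reports both conditions. The PE blob it inspects is constructed inline with `struct` so the check can be run offline; it is a header-only skeleton, not a runnable program.

```python
import struct

FILE_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample(raw_size: int, raw_ptr: int, file_len: int) -> bytes:
    """Constructed PE32+ header skeleton with a single section (not a real program).

    raw_size / raw_ptr go straight into the section header so the checker can be
    exercised with both a well-formed and a malformed layout.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE signature at 64
    file_hdr = struct.pack(FILE_HDR, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                  # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic = PE32+
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    sec = struct.pack(SECTION_HDR, b".text", 0x100, 0x1000, raw_size, raw_ptr,
                      0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return image.ljust(file_len, b"\0")


def parse_sections(data: bytes):
    """Walk DOS -> NT -> section headers; return (sections, FileAlignment)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, data, fh)
    opt = fh + 20
    file_align = struct.unpack_from("<I", data, opt + 36)[0]   # same offset for PE32/PE32+
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + i * 40)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_ptr": f[4],
        })
    return sections, file_align


def check_sections(data: bytes):
    """Return (section name, problem) tuples for sections whose raw data lies
    partly outside the file or whose file offset ignores FileAlignment."""
    findings = []
    sections, file_align = parse_sections(data)
    for s in sections:
        end = s["raw_ptr"] + s["raw_size"]
        if s["raw_size"] and end > len(data):
            findings.append((s["name"],
                             f"raw data ends at 0x{end:x} but file is 0x{len(data):x} bytes"))
        if file_align and s["raw_ptr"] % file_align:
            findings.append((s["name"],
                             f"PointerToRawData 0x{s['raw_ptr']:x} not aligned to 0x{file_align:x}"))
    return findings


if __name__ == "__main__":
    ok = build_sample(raw_size=0x100, raw_ptr=0x200, file_len=0x300)
    bad = build_sample(raw_size=0x1000, raw_ptr=0x210, file_len=0x300)
    print("well-formed:", check_sections(ok))
    for name, problem in check_sections(bad):
        print(f"[-] Section {name}: {problem}")
```

A scanner that hits such a section should clamp the raw range to the file length and carry on comparing what is there, rather than skipping the section; skipping is what hid the comparison in the run shown earlier in this thread.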

hasherezade commented 13 hours ago

@greenozon - finally, I made a new test build - please have a look:

hollows_hunter64_test.zip

It has a new parameter added: /report, with the help of which you can define if you want to generate a report with details for the executables that failed to be scanned.

[screenshot: report]

The report looks like this:

[screenshot: error_Report]