Closed Sirbu closed 4 years ago
Thank you for reporting! Indeed it seems to be a false positive. But I will need some more information in order to reproduce it and investigate. Where exactly does this behavior show up? Does it happen on multiple machines? What is the version of Windows? Can you please do some more experiments for me on that machine using a standalone version of PE-sieve (last from my )? For example: scan by PE-sieve the same process that was invalidly detected by Loki and confirm that the standalone version detects it as well. Please paste for me the JSON report generated by PE-sieve. If it dumped anything more, I will also need the dumped + the original EXE.
I am starting to think the AV running on the machines has something to do with the warnings. We use Symantec Endpoint Protection. When I run the latest pe-sieve on those machines, I get the replaced process warnings. When I run it on my own VM without Symantec, I do not have them. And Symantec systematically displays a pop-up for the "shady" pe-sieve, but I do not have such a popup using Loki.
Here is the JSON dump for 2 processes that were flagged by pe-sieve:
PS C:\Users\tthibeuf\Desktop> .\pe-sieve64.exe /pid 1196 /ofilter 2 /quit /json
PID: 1196
Modules filter: 3
Output filter: 2
[*] Scanning: c:\Windows\System32\svchost.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\sysfer.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\bcryptPrimitives.dll
[*] Scanning: C:\Windows\System32\kernel.appcore.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: c:\Windows\System32\bdesvc.dll
[*] Scanning: C:\Windows\System32\cfgmgr32.dll
[*] Scanning: c:\Windows\System32\fveapi.dll
[*] Scanning: c:\Windows\System32\wevtapi.dll
[*] Scanning: c:\Windows\System32\bcd.dll
[*] Scanning: c:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\wldp.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\System32\wintrust.dll
[*] Scanning: c:\Windows\System32\sspicli.dll
[*] Scanning: c:\Windows\System32\devobj.dll
[*] Scanning: c:\Windows\System32\tbs.dll
[*] Scanning: C:\Windows\System32\clbcatq.dll
[*] Scanning: C:\Windows\System32\gpapi.dll
[*] Scanning: C:\Windows\System32\policymanager.dll
[*] Scanning: c:\Windows\System32\msvcp110_win.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\sxs.dll
Scanning workingset: 55 memory regions.
{
  "pid" : 1196,
  "main_image_path" : "C:\\Windows\\System32\\svchost.exe",
  "scanned" :
  {
    "total" : 37,
    "skipped" : 0,
    "modified" :
    {
      "total" : 2,
      "hooked" : 1,
      "replaced" : 1,
      "detached" : 0,
      "implanted" : 0,
      "other" : 0
    },
    "errors" : 0
  },
  "scans" : [
    {
      "code_scan" : {
        "module" : "7ff8a7870000",
        "status" : 1,
        "patches" : 15
      }
    },
    {
      "headers_scan" : {
        "module" : "67c10000",
        "status" : 1,
        "ep_modified" : 0
      }
    }
  ]
}
PS C:\Users\tthibeuf\Desktop> .\pe-sieve64.exe /pid 12204 /ofilter 2 /quit /json
PID: 12204
Modules filter: 3
Output filter: 2
[*] Scanning: C:\Windows\System32\wbem\WmiPrvSE.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\sysfer.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\ncobjapi.dll
[*] Scanning: C:\Windows\System32\wbemcomn.dll
[*] Scanning: C:\Windows\System32\ws2_32.dll
[*] Scanning: C:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\wbem\fastprox.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\bcryptPrimitives.dll
[*] Scanning: C:\Windows\System32\psapi.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: C:\Windows\System32\kernel.appcore.dll
[*] Scanning: C:\Windows\System32\clbcatq.dll
[*] Scanning: C:\Windows\System32\wbem\wbemprox.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\wbem\wbemsvc.dll
[*] Scanning: C:\Windows\System32\wbem\wmiutils.dll
[*] Scanning: C:\Windows\CCM\smsclient.dll
[*] Scanning: C:\Windows\System32\ole32.dll
[*] Scanning: C:\Windows\System32\msvcp120.dll
[*] Scanning: C:\Windows\System32\msvcr120.dll
[*] Scanning: C:\Windows\System32\msi.dll
[*] Scanning: C:\Windows\System32\shell32.dll
[*] Scanning: C:\Windows\System32\cfgmgr32.dll
[*] Scanning: C:\Windows\System32\SHCore.dll
[*] Scanning: C:\Windows\System32\windows.storage.dll
[*] Scanning: C:\Windows\System32\shlwapi.dll
[*] Scanning: C:\Windows\System32\powrprof.dll
[*] Scanning: C:\Windows\System32\profapi.dll
[*] Scanning: C:\Windows\System32\ccmcore.dll
[*] Scanning: C:\Windows\CCM\lsutilities.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\CCM\smscore.dll
[*] Scanning: C:\Windows\CCM\CcmUtilLib.dll
[*] Scanning: C:\Windows\System32\wintrust.dll
[*] Scanning: C:\Windows\CCM\CcmTask.dll
[*] Scanning: C:\Windows\CCM\fsputillib.dll
[*] Scanning: C:\Windows\System32\version.dll
[*] Scanning: C:\Windows\System32\wtsapi32.dll
[*] Scanning: C:\Windows\System32\netapi32.dll
[*] Scanning: C:\Windows\System32\activeds.dll
[*] Scanning: C:\Windows\System32\dnsapi.dll
[*] Scanning: C:\Windows\System32\nsi.dll
[*] Scanning: C:\Windows\CCM\ccmgencert.dll
[*] Scanning: C:\Windows\System32\IPHLPAPI.DLL
[*] Scanning: C:\Windows\System32\adsldpc.dll
[*] Scanning: C:\Windows\System32\Wldap32.dll
[*] Scanning: C:\Windows\System32\netutils.dll
[*] Scanning: C:\Windows\System32\logoncli.dll
Scanning workingset: 49 memory regions.
{
  "pid" : 12204,
  "main_image_path" : "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
  "scanned" :
  {
    "total" : 62,
    "skipped" : 0,
    "modified" :
    {
      "total" : 2,
      "hooked" : 1,
      "replaced" : 1,
      "detached" : 0,
      "implanted" : 0,
      "other" : 0
    },
    "errors" : 0
  },
  "scans" : [
    {
      "code_scan" : {
        "module" : "7ff8a7870000",
        "status" : 1,
        "patches" : 15
      }
    },
    {
      "headers_scan" : {
        "module" : "67c10000",
        "status" : 1,
        "ep_modified" : 0
      }
    }
  ]
}
This indeed may be related to some process modifications made by Symantec Endpoint Protection. Various AV products install hooks/implants in the processes. Probably they also modified something in the headers of the loaded executables, that's why it is detected as replaced. I can do a workaround for this, but I need more data and tests. Can you please send some samples to my e-mail? I need 2 versions of each detected module: the original one + the one dumped by PE-sieve. You can pack them and send to hasherezade-at-gmail.com. Thanks!
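The two reports above flag the same two base addresses (7ff8a7870000 as hooked, 67c10000 as replaced) in both svchost.exe and WmiPrvSE.exe, which is the pattern you would expect from a host-wide agent such as an AV rather than from a targeted injection into one process. The script below is an added example, not PE-sieve's or Loki's code: it parses the JSON layout shown in the thread, clusters findings by module base address across processes, and separates hits present in every scanned process from hits unique to one. The mapping of a code_scan with patches to "hooked" and a headers_scan with status 1 to "replaced" is inferred from the summary counters in the posted reports; the sample input is constructed from those two reports, and the module-name map in the usage is a placeholder, since the report itself carries only base addresses.

```python
"""Triage PE-sieve JSON reports from several processes at once.

Added example, not code from PE-sieve or Loki.  It reads the report layout
shown in the thread (a "scanned" summary plus a "scans" list of
code_scan / headers_scan entries) and groups flagged module base addresses
across processes.  Assumption made here: a module flagged at the same base
address in every scanned process is a host-wide injection (an AV or EDR
agent, for instance) and belongs in a different bucket from a hit that
shows up in a single process.
"""
import json
from collections import defaultdict

# Constructed sample input: the two reports posted in the thread, reduced to the fields used.
SAMPLE_REPORTS = [
    r"""{"pid": 1196, "main_image_path": "C:\\Windows\\System32\\svchost.exe",
         "scanned": {"total": 37, "skipped": 0, "errors": 0,
                     "modified": {"total": 2, "hooked": 1, "replaced": 1,
                                  "detached": 0, "implanted": 0, "other": 0}},
         "scans": [{"code_scan": {"module": "7ff8a7870000", "status": 1, "patches": 15}},
                   {"headers_scan": {"module": "67c10000", "status": 1, "ep_modified": 0}}]}""",
    r"""{"pid": 12204, "main_image_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
         "scanned": {"total": 62, "skipped": 0, "errors": 0,
                     "modified": {"total": 2, "hooked": 1, "replaced": 1,
                                  "detached": 0, "implanted": 0, "other": 0}},
         "scans": [{"code_scan": {"module": "7ff8a7870000", "status": 1, "patches": 15}},
                   {"headers_scan": {"module": "67c10000", "status": 1, "ep_modified": 0}}]}""",
]


def finding_kind(scan_name, body):
    """Map a scan entry to the bucket used by the report's "modified" summary.

    Inferred from the posted reports: the code_scan with 15 patches is the one
    counted as "hooked", the headers_scan with status 1 as "replaced".  Any
    other scan type is passed through under its own name.
    """
    if scan_name == "code_scan":
        return "hooked" if body.get("patches", 0) > 0 else "code_modified"
    if scan_name == "headers_scan":
        return "replaced"
    return scan_name


def parse_report(text):
    """Return pid, image path, summary counters and the list of positive findings."""
    rep = json.loads(text)
    findings = []
    for entry in rep.get("scans", []):
        for scan_name, body in entry.items():
            if body.get("status") != 1:          # status 1 = the scanner reported a modification
                continue
            findings.append({
                "kind": finding_kind(scan_name, body),
                "base": body["module"].lower(),  # hex base address only, no module name
                "detail": {k: v for k, v in body.items() if k not in ("module", "status")},
            })
    return {"pid": rep["pid"], "image": rep["main_image_path"],
            "summary": rep["scanned"]["modified"], "findings": findings}


def cluster_by_base(reports):
    """Group findings by module base address: base -> [(pid, image, kind), ...]."""
    clusters = defaultdict(list)
    for rep in reports:
        for f in rep["findings"]:
            clusters[f["base"]].append((rep["pid"], rep["image"], f["kind"]))
    return dict(clusters)


def classify(clusters, n_processes):
    """'host-wide' if a base is flagged in every scanned process, otherwise 'isolated'."""
    verdicts = {}
    for base, hits in clusters.items():
        pids = {pid for pid, _, _ in hits}
        verdicts[base] = "host-wide" if n_processes > 1 and len(pids) == n_processes else "isolated"
    return verdicts


def resolve_names(reports, module_map):
    """Attach module names to findings from a module listing taken on the same host.

    module_map is {pid: {base_hex: module_name}}; on Windows it can be built from
    (Get-Process -Id <pid>).Modules (ModuleName, BaseAddress).  A flagged base
    that is absent from the process's module list stays unresolved, which is
    itself worth noting for a 'hooked' or 'replaced' hit.
    """
    for rep in reports:
        names = module_map.get(rep["pid"], {})
        for f in rep["findings"]:
            f["name"] = names.get(f["base"], "<not in module list>")
    return reports


def triage(report_texts, module_map=None):
    """Parse, optionally name-resolve, cluster and classify a set of reports."""
    reports = [parse_report(t) for t in report_texts]
    if module_map:
        resolve_names(reports, module_map)
    clusters = cluster_by_base(reports)
    return reports, clusters, classify(clusters, len(reports))


if __name__ == "__main__":
    reports, clusters, verdicts = triage(SAMPLE_REPORTS)
    for base, hits in clusters.items():
        print(f"{base:>16}  {verdicts[base]:<9}  "
              + ", ".join(f"{pid}:{kind}" for pid, _, kind in hits))
```

Feed it one report per process (for example the output of pe-sieve64.exe /pid N /json for every PID you scanned) and a "host-wide" verdict tells you the hit is worth checking against a machine without the suspected agent, as done above with the VM without Symantec, before treating it as hollowing. Base addresses from PowerShell's Get-Process are IntPtr values, so format them as lowercase hex without a 0x prefix to match the report.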
I encountered this behavior using Loki in order to scan several machines. At first I was wondering if it was a false positive, but I set up a testing Windows 10 and the behavior didn't show up.
I get a process replaced for almost every process. For example, with firefox:
I get this message for all kinds of processes. I was wondering if it could be some kind of false positive. Also, I was curious about the method you use to check for process hollowing. I checked your code, but it is still a little bit complex for me. Could you summarize or guide me to some documentation on the subject? :smile: