hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Huge amount of replaced processes #18

Closed Sirbu closed 4 years ago

Sirbu commented 5 years ago

I encountered this behavior using Loki in order to scan several machines. At first I was wondering if it was a false positive, but I set up a testing Windows 10 and the behavior didn't show up.

I get a process replaced for almost every process. For example with Firefox:

20180910T09:43:16Z [hostname] LOKI: Warning: MODULE: ProcessScan MESSAGE: PE-Sieve reported replaced process PID: 9432 NAME: firefox.exe OWNER: [username] CMD: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="8792.69.1317586373\549569501" -childID 10 -isForBrowser -prefsHandle 4372 -prefsLen 11889 -schedulerPrefs 0001,2 -parentBuildID 20180830143136 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 8792 "\\.\pipe\gecko-crash-server-pipe.8792" 960 tab PATH: C:\Program Files (x86)\Mozilla Firefox\firefox.exe REPLACED: 1

I get this message for all kinds of processes. I was wondering if it could be some kind of false positive. Also, I was curious about the method you use to check for process hollowing. I checked your code, but it is still a little bit complex for me. Could you summarize or guide me to some documentation on the subject? :smile:

hasherezade commented 5 years ago

Thank you for reporting! Indeed it seems to be a false positive. But I will need some more information in order to reproduce it and investigate. Where exactly does this behavior show up? Does it happen on multiple machines? What is the version of Windows? Can you please do some more experiments for me on that machine using a standalone version of PE-sieve (the latest from my releases)? For example: scan with PE-sieve the same process that was invalidly detected by Loki and confirm that the standalone version detects it as well. Please paste for me the JSON report generated by PE-sieve. If it dumped anything more, I will also need the dumped EXE + the original EXE.

Sirbu commented 5 years ago

I am starting to think the AV running on the machines have something to do with the warnings. We use Symantec Endpoint Protection. When I run the latest pe-sieve on those machines, I get the replaced process warnings. When I run it on my own VM without Symantec, I do not have them. And Symantec systematically displays a pop-up for the "shady" pe-sieve, but I do not have such a popup using Loki.

Here is the JSON dump for 2 processes that were flagged by pe-sieve:

PS C:\Users\tthibeuf\Desktop> .\pe-sieve64.exe /pid 1196 /ofilter 2 /quit /json
PID: 1196
Modules filter: 3
Output filter: 2
[*] Scanning: c:\Windows\System32\svchost.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\sysfer.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\bcryptPrimitives.dll
[*] Scanning: C:\Windows\System32\kernel.appcore.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: c:\Windows\System32\bdesvc.dll
[*] Scanning: C:\Windows\System32\cfgmgr32.dll
[*] Scanning: c:\Windows\System32\fveapi.dll
[*] Scanning: c:\Windows\System32\wevtapi.dll
[*] Scanning: c:\Windows\System32\bcd.dll
[*] Scanning: c:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\wldp.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\System32\wintrust.dll
[*] Scanning: c:\Windows\System32\sspicli.dll
[*] Scanning: c:\Windows\System32\devobj.dll
[*] Scanning: c:\Windows\System32\tbs.dll
[*] Scanning: C:\Windows\System32\clbcatq.dll
[*] Scanning: C:\Windows\System32\gpapi.dll
[*] Scanning: C:\Windows\System32\policymanager.dll
[*] Scanning: c:\Windows\System32\msvcp110_win.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\sxs.dll
Scanning workingset: 55 memory regions.
{
 "pid" : 1196,
 "main_image_path" : "C:\\Windows\\System32\\svchost.exe",
 "scanned" :
 {
  "total" : 37,
  "skipped" : 0,
  "modified" :
  {
   "total" : 2,
   "hooked" : 1,
   "replaced" : 1,
   "detached" : 0,
   "implanted" : 0,
   "other" : 0
  },
  "errors" : 0
 },
 "scans" : [
  {
   "code_scan" : {
    "module" : "7ff8a7870000",
    "status" : 1,
    "patches" : 15
   }
  },
  {
   "headers_scan" : {
    "module" : "67c10000",
    "status" : 1,
    "ep_modified" : 0
   }
  }
 ]
}
PS C:\Users\tthibeuf\Desktop> .\pe-sieve64.exe /pid 12204 /ofilter 2 /quit /json
PID: 12204
Modules filter: 3
Output filter: 2
[*] Scanning: C:\Windows\System32\wbem\WmiPrvSE.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\sysfer.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Windows\System32\ncobjapi.dll
[*] Scanning: C:\Windows\System32\wbemcomn.dll
[*] Scanning: C:\Windows\System32\ws2_32.dll
[*] Scanning: C:\Windows\System32\bcrypt.dll
[*] Scanning: C:\Windows\System32\wbem\fastprox.dll
[*] Scanning: C:\Windows\System32\combase.dll
[*] Scanning: C:\Windows\System32\ucrtbase.dll
[*] Scanning: C:\Windows\System32\bcryptPrimitives.dll
[*] Scanning: C:\Windows\System32\psapi.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\win32u.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\gdi32full.dll
[*] Scanning: C:\Windows\System32\msvcp_win.dll
[*] Scanning: C:\Windows\System32\kernel.appcore.dll
[*] Scanning: C:\Windows\System32\clbcatq.dll
[*] Scanning: C:\Windows\System32\wbem\wbemprox.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\wbem\wbemsvc.dll
[*] Scanning: C:\Windows\System32\wbem\wmiutils.dll
[*] Scanning: C:\Windows\CCM\smsclient.dll
[*] Scanning: C:\Windows\System32\ole32.dll
[*] Scanning: C:\Windows\System32\msvcp120.dll
[*] Scanning: C:\Windows\System32\msvcr120.dll
[*] Scanning: C:\Windows\System32\msi.dll
[*] Scanning: C:\Windows\System32\shell32.dll
[*] Scanning: C:\Windows\System32\cfgmgr32.dll
[*] Scanning: C:\Windows\System32\SHCore.dll
[*] Scanning: C:\Windows\System32\windows.storage.dll
[*] Scanning: C:\Windows\System32\shlwapi.dll
[*] Scanning: C:\Windows\System32\powrprof.dll
[*] Scanning: C:\Windows\System32\profapi.dll
[*] Scanning: C:\Windows\System32\ccmcore.dll
[*] Scanning: C:\Windows\CCM\lsutilities.dll
[*] Scanning: C:\Windows\System32\crypt32.dll
[*] Scanning: C:\Windows\System32\msasn1.dll
[*] Scanning: C:\Windows\CCM\smscore.dll
[*] Scanning: C:\Windows\CCM\CcmUtilLib.dll
[*] Scanning: C:\Windows\System32\wintrust.dll
[*] Scanning: C:\Windows\CCM\CcmTask.dll
[*] Scanning: C:\Windows\CCM\fsputillib.dll
[*] Scanning: C:\Windows\System32\version.dll
[*] Scanning: C:\Windows\System32\wtsapi32.dll
[*] Scanning: C:\Windows\System32\netapi32.dll
[*] Scanning: C:\Windows\System32\activeds.dll
[*] Scanning: C:\Windows\System32\dnsapi.dll
[*] Scanning: C:\Windows\System32\nsi.dll
[*] Scanning: C:\Windows\CCM\ccmgencert.dll
[*] Scanning: C:\Windows\System32\IPHLPAPI.DLL
[*] Scanning: C:\Windows\System32\adsldpc.dll
[*] Scanning: C:\Windows\System32\Wldap32.dll
[*] Scanning: C:\Windows\System32\netutils.dll
[*] Scanning: C:\Windows\System32\logoncli.dll
Scanning workingset: 49 memory regions.
{
 "pid" : 12204,
 "main_image_path" : "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
 "scanned" :
 {
  "total" : 62,
  "skipped" : 0,
  "modified" :
  {
   "total" : 2,
   "hooked" : 1,
   "replaced" : 1,
   "detached" : 0,
   "implanted" : 0,
   "other" : 0
  },
  "errors" : 0
 },
 "scans" : [
  {
   "code_scan" : {
    "module" : "7ff8a7870000",
    "status" : 1,
    "patches" : 15
   }
  },
  {
   "headers_scan" : {
    "module" : "67c10000",
    "status" : 1,
    "ep_modified" : 0
   }
  }
 ]
}
hasherezade commented 5 years ago

This indeed may be related to some process modifications made by Symantec Endpoint Protection. Various AV products install hooks/implants in the processes. They probably also modified something in the headers of the loaded executables, which is why it is detected as replaced. I can do a workaround for this, but I need more data and tests. Can you please send some samples to my e-mail? I need 2 versions of each detected module: the original one + the one dumped by PE-sieve. You can pack them and send to hasherezade-at-gmail.com. Thanks!
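A triage script for the situation described in this thread, added here as an example (not pe-sieve's or Loki's own code): it reads pe-sieve JSON reports of the shape pasted above, finds findings that recur identically in every scanned process (the pattern an AV hooking every process produces), and separates those baseline hits from findings unique to one process. The sample reports are constructed copies of the two above plus an invented third one (PID 4242, notepad.exe, an extra code_scan hit); treating a non-zero "status" as "flagged" is an assumption drawn from the pasted reports.

```python
import json
from collections import defaultdict

# Constructed sample reports, shaped like the two pasted in the issue and
# trimmed to the fields this script reads; the third one is invented to carry
# an extra finding that no other process shows.
def _report(pid, image, extra=None):
    scans = [{"code_scan": {"module": "7ff8a7870000", "status": 1, "patches": 15}},
             {"headers_scan": {"module": "67c10000", "status": 1, "ep_modified": 0}}]
    if extra:
        scans.append(extra)
    return json.dumps({"pid": pid, "main_image_path": image, "scans": scans})

SAMPLE_REPORTS = [
    _report(1196, "C:\\Windows\\System32\\svchost.exe"),
    _report(12204, "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"),
    _report(4242, "C:\\Windows\\System32\\notepad.exe",  # constructed PID/process
            {"code_scan": {"module": "7ff8a1230000", "status": 1, "patches": 3}}),
]

def findings(report_json):
    """Yield (module_base, scan_kind, details) for each flagged scan entry.
    Assumption: a non-zero "status" marks a flagged module, as in the pasted reports."""
    for entry in json.loads(report_json)["scans"]:
        for kind, details in entry.items():
            if details.get("status", 0) != 0:
                yield details["module"], kind, details

def fleet_baseline(reports):
    """Findings that recur with identical details in every scanned process.
    A hooked module with the same patch count everywhere, or a headers_scan hit
    with ep_modified == 0 everywhere, matches the pattern the thread attributes
    to an AV product, so it is a baseline candidate, not evidence of hollowing."""
    by_key = defaultdict(list)
    for rj in reports:
        for base, kind, d in findings(rj):
            by_key[(base, kind)].append(d)
    return {k: ds[0] for k, ds in by_key.items()
            if len(ds) == len(reports) and all(d == ds[0] for d in ds)}

def triage(report_json, baseline):
    """Split one report's findings into baseline hits and ones worth a closer look."""
    known, novel = [], []
    for base, kind, d in findings(report_json):
        (known if baseline.get((base, kind)) == d else novel).append((base, kind, d))
    return known, novel
```

Module bases are per-process addresses, so the recurrence check only holds for system DLLs that share a base across processes on the same boot; dumps of a baseline hit still deserve a one-time manual look, as the maintainer requests above.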