volatility3
inlinehooks plugin & change to avpatch
Hello, not sure if that's good enough as a standalone plugin, but I tried to re-implement apihooks. However, since there are a lot of "hooks" in legitimate DLLs I couldn't get it to output fewer false positives; ofc I am open to ideas. Also, some hooks are not relevant anymore, e.g. KiFastSystemCall. Even the current implementation of check_inline_hooks throws false positives. Anyways, that was a fun experience :D I have left some of the pseudo-code commented for now, if you think it can be improved or removed totally.
Also I have 2 questions:
I have read a paper of @atcuno about hooktracer but couldn't find code online.
The second question is something I also tried asking on your Slack; maybe I misunderstand something, but worth a try:
From my understanding, the unhooked_system_calls plugin will enumerate all of the processes to find differences; if every process is hooked it will not be flagged as malware. A follow-up to this: a DLL is loaded to shared memory, and if it's patched the OS creates a private copy for the process, so can't we compare the hooks against the known shared read-only memory for the DLL? If not, why?
Anyways, about the plugin:
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/etw_patch_dump.raw windows.inlinehooks --pid 2108
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
PID Process Hook Type Module Hook Address Function Hook Info Hook Hexdump Disasm
2108 patch-etw-x64. Inline Hook ntdll.dll 0x7ff8013bf1f0 EtwEventWrite Early RET
c3 8b dc 48 83 ec 58 4d 89 4b e8 33 c0 45 89 43 ...H..XM.K.3.E.C
e0 45 33 c9 49 89 43 d8 .E3.I.C.
0x7ff8013bf1f0: ret
0x7ff8013bf1f1: mov ebx, esp
0x7ff8013bf1f3: sub rsp, 0x58
0x7ff8013bf1f7: mov qword ptr [r11 - 0x18], r9
0x7ff8013bf1fb: xor eax, eax
0x7ff8013bf1fd: mov dword ptr [r11 - 0x20], r8d
0x7ff8013bf201: xor r9d, r9d
0x7ff8013bf204: mov qword ptr [r11 - 0x28], rax
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/hook_patch_dump.raw windows.inlinehooks --pid 8004
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
PID Process Hook Type Module Hook Address Function Hook Info Hook Hexdump Disasm
8004 hooking_32.exe Inline Hook USER32.dll 0x770e1110 MessageBoxA JMP relative
e9 17 04 51 89 83 3d 94 5c 10 77 00 74 22 64 a1 ...Q..=.\.w.t"d.
18 00 00 00 ba a4 61 10 ......a.
0x770e1110: jmp 0x5f152c
0x770e1115: cmp dword ptr [rip + 0x77105c94], 0
0x770e111c: je 0x770e1140
0x770e111e: movabs eax, dword ptr fs:[0x1061a4ba00000018]
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/amsi-patch.raw windows.avpatch
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
PID Process DLL Function Hook Address Hook Info Hook Hexdump Disasm
6740 powershell_ise amsi.dll AmsiScanBuffer 0x7ffd77873860 Early RET
31 c0 c3 49 89 5b 08 49 89 6b 10 49 89 73 18 57 1..I.[.I.k.I.s.W
41 56 41 57 48 83 ec 70 AVAWH..p
0x7ffd77873860: xor eax, eax
0x7ffd77873862: ret
0x7ffd77873863: mov qword ptr [r11 + 8], rbx
0x7ffd77873867: mov qword ptr [r11 + 0x10], rbp
0x7ffd7787386b: mov qword ptr [r11 + 0x18], rsi
0x7ffd7787386f: push rdi
0x7ffd77873870: push r14
0x7ffd77873872: push r15
0x7ffd77873874: sub rsp, 0x70
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/etw_patch_dump.raw windows.avpatch
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
PID Process DLL Function Hook Address Hook Info Hook Hexdump Disasm
2108 patch-etw-x64. ntdll.dll EtwEventWrite 0x7ff8013bf1f0 Early RET
c3 8b dc 48 83 ec 58 4d 89 4b e8 33 c0 45 89 43 ...H..XM.K.3.E.C
e0 45 33 c9 49 89 43 d8 .E3.I.C.
0x7ff8013bf1f0: ret
0x7ff8013bf1f1: mov ebx, esp
0x7ff8013bf1f3: sub rsp, 0x58
0x7ff8013bf1f7: mov qword ptr [r11 - 0x18], r9
0x7ff8013bf1fb: xor eax, eax
0x7ff8013bf1fd: mov dword ptr [r11 - 0x20], r8d
0x7ff8013bf201: xor r9d, r9d
0x7ff8013bf204: mov qword ptr [r11 - 0x28], rax
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/stealthy_etw_patch_dump.raw windows.avpatch
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
PID Process DLL Function Hook Address Hook Info Hook Hexdump Disasm
180 stealthy_etw_p ntdll.dll EtwpEventWriteFull 0x7ffe3025f278 Early RET
c3 55 53 56 57 41 54 41 55 41 56 41 57 48 8d ac .USVWATAUAVAWH..
24 78 ff ff ff 48 81 ec $x...H..
0x7ffe3025f278: ret
0x7ffe3025f279: push rbp
0x7ffe3025f27a: push rbx
0x7ffe3025f27b: push rsi
0x7ffe3025f27c: push rdi
0x7ffe3025f27d: push r12
0x7ffe3025f27f: push r13
0x7ffe3025f281: push r14
0x7ffe3025f283: push r15
0x7ffe3025f285: lea rbp, [rsp - 0x88]
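To make the "Hook Info" buckets in the output above concrete, here is a small triage helper (an added example, not the plugin's code or the project's API) that classifies the first bytes of an exported function's prologue into the same categories, resolves a JMP target the way the disassembler did for MessageBoxA, and does the byte-level comparison against a known-good copy that the second question asks about. The sample bytes are taken from the hexdumps above; the "clean" EtwEventWrite prologue is constructed and assumed to start with `mov r11, rsp`.

```python
"""Inline-hook prologue triage: classify known patch patterns and diff a
function's in-memory bytes against a known-good copy of the same function.
Added example, not the volatility3 plugin's code."""
import struct
from typing import Optional, Tuple

# Constructed from the first 16 hexdump bytes shown in the plugin output.
SAMPLES = {
    "EtwEventWrite":  (0x7FF8013BF1F0, bytes.fromhex("c38bdc4883ec584d894be833c0458943")),
    "MessageBoxA":    (0x770E1110,     bytes.fromhex("e917045189833d945c107700742264a1")),
    "AmsiScanBuffer": (0x7FFD77873860, bytes.fromhex("31c0c349895b0849896b104989731857")),
}
# Constructed reference: the unpatched EtwEventWrite prologue is assumed to be
# "mov r11, rsp" (4c 8b dc); the trailing "8b dc" in the hooked bytes implies it.
CLEAN_ETW = bytes.fromhex("4c8bdc4883ec584d894be833c0458943")

def classify(addr: int, code: bytes, x64: bool = True) -> Optional[Tuple[str, object]]:
    """Return (hook type, detail) for a known patch pattern, or None when the
    prologue matches none of them (a None still deserves a byte-level diff)."""
    mask = (1 << 64) - 1 if x64 else (1 << 32) - 1
    if code[:3] in (b"\x31\xc0\xc3", b"\x33\xc0\xc3"):          # xor eax, eax ; ret
        return ("Early RET", "xor eax, eax; ret")
    if code[:1] == b"\xc3":                                     # bare ret
        return ("Early RET", "ret")
    if code[:1] == b"\xe9":                                     # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("JMP relative", (addr + 5 + rel) & mask)        # target = next insn + rel
    if code[:2] == b"\xff\x25":                                 # jmp [mem]
        disp = struct.unpack_from("<i", code, 2)[0]
        slot = (addr + 6 + disp) & mask if x64 else disp & 0xFFFFFFFF  # RIP-relative only on x64
        return ("JMP indirect", slot)
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":  # mov rax, imm64 ; jmp rax
        return ("JMP absolute", struct.unpack_from("<Q", code, 2)[0])
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":            # push imm32 ; ret
        return ("PUSH/RET", struct.unpack_from("<I", code, 1)[0])
    return None

def patched_offsets(in_memory: bytes, reference: bytes) -> list:
    """Offsets at which the process's private copy differs from a known-good
    copy of the same function (e.g. the DLL's unmodified shared image)."""
    return [i for i, (a, b) in enumerate(zip(in_memory, reference)) if a != b]

if __name__ == "__main__":
    for name, (addr, code) in SAMPLES.items():
        print(f"{name:15} {addr:#x} {classify(addr, code, x64=(addr > 0xFFFFFFFF))}")
    print("EtwEventWrite bytes changed at offsets:",
          patched_offsets(SAMPLES["EtwEventWrite"][1], CLEAN_ETW))
```

Running the module prints `JMP relative` with target `0x5f152c` for MessageBoxA, matching the `jmp 0x5f152c` in the output above, and reports that only offset 0 of EtwEventWrite was changed.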
I tried running it on a fresh Windows 10 machine now and the false positives are very high; however, they can quickly be examined and reduced with a few statistics using something like Splunk/custom Python. E.g. in this file: inlinehooks.json it can be seen that about 95% of the hooks come from 2 modules related to crypto. In other high-priority functions such as ntdll.dll!LdrLoadDll the Disasm field is the same between all hooks, which can also indicate something that is non-malicious. But yeah, that's far from being foolproof, although the code can be reused in other plugins (e.g. avpatch). Also, the JSON dataset can be used to compare the hooks to another trusted memory image of the same machine (golden image).
Any update on this? I would like to keep working on that if it's relevant; I would like help regarding my questions :x
@atcuno @iMHLv2, any views on this?