Parent process spoofing and how to detect them

 

Malware uses vaious techniques to hide it or evade from antivirus or EDR system.  So I decided to discuss about a very intresting malware hiding technique Parent process spoofing.  This technique is well discussed by many other infosec people and Didier Stevens blogged about this in 2009. I decided to discuss in layman form.

parent process spoofing technique allows a malicious program to spawn a process of its choice. It helps the malicious program to hide itself from the parent-child process analyzing which helps defender to find anomalies.

How Does It work

This is an abuse of windows feature It uses a Windows API CreatProcessA function which use to create a new process. This function has a parameter lpStartupinfo which allows you to choose the parent process.

 

 lpStartupinfo points to STARTUPINFOEX structure

 

 The STARTUPINFOEX structure contains lpAttributeList

lpAttributelist is created by InitializeProcThreadAttributeList function this function will allocate the memory required for the attribute list and then initial it.

Finally, the UpdateProcThreadAttribute function sets the parent process and the process gets execute by CreateProcessA function.

Demo Time

There are lots of open source code for this demo.I chose c_shot for this demo. This will download the malicious file from remote location end execute it straight into memory. This can help us to evade some antivirus. 

Prepare the stageless payload this will contain everything to start a listener so no stager required and a secure communication.


Start the listener 

Host the payload on the attacker machine

Now go to the victim machine and execute the command. This command will download the .bin file and execute the shellcode into the child process with our spoofed parent process. For example, here explorer.exe is my parent process and notepad is the child process.

And I Got the shell 



Investigate the malware

If we look at notepad we can see it's showing the parent  process in explorer.exe

 

 

But looking at the notepad process memory we can see it has PAGE_EXECUTE_READWRITE permission for a private working set and that's a red flag for any malware hunters.

 

By looking at the call stack between two notepad process one is executed by a legit parent and one is executed by a spoofed parent we can see the entry of 0x000000 in the malicious process stack. On the other side, there is an entry of win32.dll USER32.dll then notepad.exe clearly says this process was not created by any malicious process and another one is injected.


Checking the process in hxd I search for some of those functions which the malware used to create spoof parent process

Above we can see this process has CreateProcessA function and below I got search result for
UpdateProcThreadAttribute which set the parent process

 

 I also looked at tcpview and it shows notepad.exe was communicating with our attacking machine

  

For automated hunting, I used detect ppid-spoofing this script used FireEye pywintrace python library for detecting spoofed parent process

 

And it immediately detected that spoofed parent process  

 

Refrence 

https://docs.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-startupinfoexa 

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa 

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-initializeprocthreadattributelist 

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute 

 https://blog.f-secure.com/detecting-parent-pid-spoofing/ 

https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ 


 

Comments

Post a Comment

Popular posts from this blog

USB forensic : Find the history of every connected USB device on your computer

Image
Sometime we need to know what USB devices were connected to our computer in our absence.These information could be very useful for forensic examiner or in general case also where we just want to know what USB devices were used . How do this works We all know about registry on windows, a registry is a database in windows which stores settings of the operating system, hardware devices, software programs and user preferences settings. Whenever we insert a USB drive in a computers a registry key with name "USBSTOR" is created this registry key store information about that USB device and whatever info the OS need to know can be found in this registry key.  Finding the all attached USB history To find the usb  history of your device just do the following step below  STEP 1  Go to run and type "regedit".  STEP 2: In the registry go to  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and there you will find a registry ke...
Read more

Crawling pastebin to find specific pastedump

Image
In this post we will crawl into pastebin.com to find specific pastebin dump. For example if we want to find paste for specific keyword like "password" we can get all the paste containing that keyword. Preparing the Attack Usually some sites don't allow web crawling and by doing so you may get banned from accessing that site, which will also make this method vain.  So before doing this i recommend you to use THIS tool to anonymize all your traffic so that if we get banned we can switch our IP address immediately.  Start the Attack STEP 1 Clone into this URL by typing https://github.com/kahunalu/pwnbin.git STEP 2 Now type python pwnbin.py -k pass -n 10 -m 10 here "-k" is the keyword you want to search for "-n" is the number of paste you want to crawl and "-m" number of keywords matches you want.  As we can see above we have found a match and it's now saved to log.txt file so it's time to see the dump co...
Read more

Hack WinRAR password by using Brute force attack

Image
Winrar have option to password protect your files in it.Some times we got password protected rar files or we forget our password so we go online to search to crack password of these type of rar files.Some website tell about some program who promises to decrypt the password, But unluckily there are lots of spam ,advertisement, on internet who ask you to complete the survey to download the program that can unlock the password and absolutely that's a spam,some websites also provide direct link downloadable  program to crack rar password but when we download them instead of doing that, they install lots of unwanted sponsors software and make your PC slower.But now we have a easiest way to get the password of rar file by using brute force attack. No spam,no survey,no unwanted software and with proof.So lets start the hack and follow some simple  step by step guide given below.  1 > For example i am going to set password in rar file 2> Now when eve...
Read more

Fileless malware Analysis with Cuckoo sandbox

Image
What is cuckoo Sandbox Cuckoo is a dynamic malware analysis sandbox which is open source and completely free. We can submit any malicious binary file and cuckoo will provide a detailed report of the malicious file, including the behaviour of that file during execution.   What is Fileless Malware A fileless malware is a favorite technique for malware authors, what this type of malware does, it doesn’t write anything on the disk to bypass mostly string base detection. The malware executes an obfuscated command usually PowerShell and during run time antivirus could not detect the strings which are being executed and after injecting it in memory the command get deobfuscated. Cuckoo Interface and sample analysis To run cuckoo just type cuckoo from your terminal, this will start cuckoo service. Now to get the web interface type cuckoo run webserver this will start the cuckoo web interface on its defined URL and port address as shown belo...
Read more

Web application penetration testing: Tools and Techniques for web security auditing

Image
Every pentester has it's own tool and technique for web app security auditing, Some time it depend on the type of website  we are pentesting. We are gonna see some common tool and technique that can help us to audit our web application security. Detecting web application firewall and other services You can start with by detecting is there any web application firewall in use? Later we can see if there's any way to bypass it.  Recommend tool :  fofa.so It is a cyberspace search engine launched by White Hat. It can help researchers or enterprises quickly match network assets by performing cyberspace mapping, for example, analyzing the scope of vulnerability.  shodan.io It is most poplar search engine among pentester for finding various online vulnerable IoT devices, online open ports f rom various web servers. wafw00f   This tool allow you to detect and identify what Web Application is in use that is protecting the website.  ...
Read more