Forrest Orr

179 posts

@_ForrestOrr

Red Teamer, low level coding extremist and malware researcher. Windows exploit writer and bug hunter

Joined September 2017
530 Following, 4.9K Followers
Pinned Tweet
Forrest Orr @_ForrestOrr:
I'm proud to release my first Google Chrome RCE derived from the most fascinating and mind bending exploit I have yet analyzed: CVE-2019-13720 Wizard Opium. This is a beautiful bug which I have crafted into an exploit bypassing ASLR, CFG and CET on Win10 github.com/forrest-orr/Wi…
Forrest Orr @_ForrestOrr:
@5mukx Isn't PatchGuard an essential thing to mention in an article like this? Do you plan to make a part 2 for this?
diversenok @diversenok_zero:
@m417z @_ForrestOrr
3. Process freezing: query extended ProcessBasicInformation and check IsFrozen ntdoc.m417z.com/process_extend… (win 8+)
4. Process deep freezing: query ProcessUptimeInformation twice to see if SuspendedTime (a misleading name, see docs) is changing ntdoc.m417z.com/process_uptime… (win 10 RS3+)
Forrest Orr @_ForrestOrr:
Does anyone know what mechanisms can be used to detect suspended (non-UWP) and frozen UWP app processes, and how to programmatically wake them up in a safe and persistent way where they don't just immediately freeze again?
Forrest Orr @_ForrestOrr:
@m417z @diversenok_zero NtPowerInformation worked for me. Of course, the UWP app goes back to being frozen the second the power handle to it is closed, i.e. when your own process dies. Still, a very nice trick.
vx-underground @vxunderground:
In all my years of C programming (19 years), I have never once heard someone say this
Forrest Orr @_ForrestOrr:
@sixtyvividtails I am talking here about a specific technique to obtain such a handle to a specific System process as a non-admin user; normally this is globally impossible. What I wonder though is if this meets Microsoft's criteria for a security boundary/elevation bug
sixtyvividtails @sixtyvividtails:
@_ForrestOrr *Any* System Integrity process or certain specific process? If you can get PROCESS_QUERY_INFORMATION for any System Integrity process as user despite these processes' DACL, it's definitely a boundary violation. But for a particular process such access might be dismissed as by design?
Forrest Orr @_ForrestOrr:
Is the ability of a non admin user to obtain a full query handle to a System integrity process and unravel its ASLR considered a security boundary? I know a PROCESS_QUERY_INFORMATION handle on a PPL is considered a breach of a security boundary even if the owner is local admin. But what about this scenario as a non admin -> System?
Forrest Orr @_ForrestOrr:
A standard user is unable to obtain any process handle even with PROCESS_QUERY_LIMITED_INFO to any System integrity process regardless of which session it is in. It’s also unable to QI limited any process in another session regardless of integrity level. The process DACL in question locks all access (even query limited) to anyone but SYSTEM.
Forrest Orr @_ForrestOrr:
I’m surprised to have recently learned that there does not seem to be a trivial way to receive notifications of suspended process launches in Windows via kernel proc notif callback, kernel ETW or EtwTi. Any ideas on how to do this? @zodiacon
Forrest Orr @_ForrestOrr:
@sixtyvividtails @zodiacon @GabrielLandau Checking the ring3 call stack from a ring0 kernel process creation callback seems like the only reliable way to do this that I can think of. Timing when the main thread is resumed would be messy
sixtyvividtails @sixtyvividtails:
@_ForrestOrr @zodiacon Interesting q! I'd consider 2 ways:
* r3 hook on CreateProcessInternalW, inform kernel about impending args, verify in r0 callback
* no r3 hook, but process callstack in r0 callback till CreateProcessInternalW, check Flags arg (may also alert if sus callstack). cc @GabrielLandau
Forrest Orr @_ForrestOrr:
@sixtyvividtails @zodiacon Brilliant insight thank you. So how is an application like Elastic populating its “created_suspended” bool field for its yara rules then? This field is criteria in various process hollowing rules from what I recall
sixtyvividtails @sixtyvividtails:
@_ForrestOrr @zodiacon When you launch a process via NtCreateUserProcess, you have a choice to launch it suspended or not. But when you launch it via CreateProcess (or a similar win32 api), there's no choice - the process is *always* launched suspended! If you didn't use CREATE_SUSPENDED, it'll just get resumed.
Forrest Orr @_ForrestOrr:
@frodosobon @zodiacon If you NtQueryInformationThread the state of the single/main thread from a create process notification routine in the kernel, it will always return state 0 (initialized). Not running, waiting, suspended etc regardless of CREATE_SUSPENDED
WaaWaa @frodosobon:
@zodiacon @_ForrestOrr Maybe it could be solved directly from CreateProcessNotifyRoutine, which is called from PspCreateProcess: when the process is created, enumerate the thread and query its state, instead of doing it in ThreadNotifyRoutine? In the thread routine you'd have to deal with CreateThread(SUSPENDED)
Forrest Orr @_ForrestOrr:
@peterwintrsmith @shubakki I think the biggest weakness in Moneta though is false positives. A major feature that has always been needed is a JSON whitelist file where an operator or enterprise can design a profile of known false positives.
Peter Winter-Smith @peterwintrsmith:
@shubakki @_ForrestOrr Yeah I think moneta is one of the most useful tools for detecting something sus going on inside a process so it would definitely be a valuable add!
Forrest Orr @_ForrestOrr:
Over the years I’ve been flattered to see that my tool Moneta has picked up a following in the Infosec world and I am considering reviving the project. If you are a user of Moneta, what would you improve? Which features would you add? forrest-orr.net/post/masking-m…
Forrest Orr @_ForrestOrr:
@peterwintrsmith @shubakki I'm very glad to hear this. I've been shocked lately to see people using Moneta in YouTube videos about reverse engineering and forensics (since when does our little underground community have this big a mainstream presence?)
bakki @avx128:
@peterwintrsmith @_ForrestOrr The anomalous CFG whitelisting was an idea I had for NtContinue; I never finished coding it, but I would love to see it in Moneta :)
Forrest Orr @_ForrestOrr:
@peterwintrsmith 2 and 3 are an interesting touch on Gargoyle/SleepMask techniques. The issue is that all I have are the original alloc permissions and the current ones. Malware tends to always alloc RW initially then change it, so it is of limited value to a sleeper shellcode detection
Peter Winter-Smith @peterwintrsmith:
Yes exactly, there are a few valuable detections imo:
1. Detect exports/addresses which have been added to the CFG bitmap that were not specified in the PE headers (for example RtlCaptureContext to detect something like Ekko) and to detect stomped regions where shellcode is copying itself into existing modules and needs to mark all ranges as CFG targets,
2. Detect VirtualAlloc regions which are currently RO/RW which were at some point RX (and hence have CFG entries) as this may indicate active sleep encryption, and
3. Detect executable regions that were allocated RO/RW initially and subsequently changed as that can indicate active shellcode
Forrest Orr @_ForrestOrr:
@peterwintrsmith @ilove2pwn_ This change is already present, as I take it you're referring to the ability to clone a process and nuke its working set to make its new image memory contents look unmodified?
Peter Winter-Smith @peterwintrsmith:
@_ForrestOrr And 4. Check the SharedOriginal bit as well as the Shared bit of the MEMORY_WORKING_SET_EX_BLOCK as @ilove2pwn_ spotted it is possible to bypass checks only against the latter! (Nice work Austin!)
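The working-set checks in the two Peter Winter-Smith posts above (detections 2-4, and in particular the Shared versus SharedOriginal point) operate on the flag bits of one PSAPI_WORKING_SET_EX_BLOCK per page. The following is an added example, not code from Moneta or from any author in the thread: it decodes the relevant bits from constructed 64-bit block values for one image region and contrasts a Shared-only check with the hardened check that also requires SharedOriginal. The bit positions are assumed from the public psapi.h layout and the sample block values are constructed, not captured from a live process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Field positions of PSAPI_WORKING_SET_EX_BLOCK (64-bit psapi.h layout).
 * Assumed here: Shared is bit 15 and SharedOriginal is bit 30 in both the
 * Valid and the Invalid view of the union. */
#define WS_WIN32PROTECTION(f) (((f) >> 4)  & 0x7FFu)
#define WS_SHARED(f)          (((f) >> 15) & 1u)
#define WS_SHAREDORIGINAL(f)  (((f) >> 30) & 1u)

typedef enum { WS_PRISTINE = 0, WS_MODIFIED = 1 } ws_verdict_t;

/* Shared-only check: an image page passes as untouched whenever Shared is set. */
ws_verdict_t ws_check_shared_only(uint64_t flags)
{
    return WS_SHARED(flags) ? WS_PRISTINE : WS_MODIFIED;
}

/* Hardened check: untouched only if the page is shared now AND was shared
 * originally; a page that is shared but was not originally shared no longer
 * corresponds to what the loader mapped from the image on disk. */
ws_verdict_t ws_check_shared_and_original(uint64_t flags)
{
    return (WS_SHARED(flags) && WS_SHAREDORIGINAL(flags)) ? WS_PRISTINE : WS_MODIFIED;
}

/* Number of pages in one image region that the chosen check would flag. */
size_t ws_count_flagged(const uint64_t *blocks, size_t n, bool hardened)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        flagged += hardened ? ws_check_shared_and_original(blocks[i])
                            : ws_check_shared_only(blocks[i]);
    return flagged;
}

/* Constructed sample blocks for one image region (not captured from a real
 * process). 0x20 = PAGE_EXECUTE_READ, 0x40 = PAGE_EXECUTE_READWRITE. */
static const uint64_t sample_blocks[] = {
    1ull | (2ull << 1) | (0x20ull << 4) | (1ull << 15) | (1ull << 30), /* untouched .text page    */
    1ull | (1ull << 1) | (0x40ull << 4) | (1ull << 30),                /* written to, now private */
    1ull | (1ull << 1) | (0x20ull << 4) | (1ull << 15),                /* shared, not originally  */
};
#define SAMPLE_COUNT (sizeof sample_blocks / sizeof sample_blocks[0])
```

In a real scanner the block values come from QueryWorkingSetEx over each page of a region that VirtualQuery reports as MEM_IMAGE; the third sample is the case the Shared-only check misses and the hardened check catches.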
Forrest Orr @_ForrestOrr:
@peterwintrsmith You’re referring to addresses that have been whitelisted by CFG? For example a hollowed part of a .text section where malware wrote itself and then marked its entry point as whitelisted for CFG before launching a new thread there? Or something else?
Peter Winter-Smith @peterwintrsmith:
@_ForrestOrr And of course non-module virtual memory regions with CFGBitmap entries (showing they were once marked executable)