Similar to Dridex, DoppelPaymer uses DLL search order hijacking to exploit the DLL loading behavior for Windows processes. As the operating system PE loader loads a binary, it also needs to load the DLL files required for the PE to function. By default, MS Windows has a specific path it takes when looking for the DLL files to load. Windows checks for Windows system DLLs in the same directory as the target binary before it checks the Windows system directories. A malicious process, in this case DoppelPaymer, can drop a malicious version of a DLL in that directory and it will be loaded by the target application.
DoppelPaymer passes two arguments to the ProcessHacker process: The first is the name of the KProcessHacker.sys driver, and the second is an integer that will be used for inter-process communication (IPC) between the DoppelPaymer and ProcessHacker processes.
Process Hacker 2 Mac
Download File: https://vittuv.com/2vEJdD
Event handlers and section objects are used to communicate between the two processes. These objects allow DoppelPaymer to communicate directly with the stager DLL that is loaded inside the ProcessHacker process. The example handle values in Table 2 are used throughout the rest of this post when referencing these objects. These values vary with different executions of DoppelPaymer.
For each section object, a view is mapped into process memory, so that DoppelPaymer is able to write data to the objects. The 0x124 object is the queue where the process information of the processes to terminate will be written. The other object, 0x128, will contain the handle values of the other three objects: 0x120, 0x11C and 0x124. For the stager DLL to access those three handles, DoppelPaymer needs to provide the 0x128 handle value to ProcessHacker.
After these IPC objects are created, and the second argument to ProcessHacker has been generated, CreateProcessW is called to launch ProcessHacker. Now DoppelPaymer has to wait for the stager DLL to initialize inside of the ProcessHacker process prior to establishing inter process communication. NtWaitForSingleObject is called for event handle 0x120, and DoppelPaymer waits for that event to be signaled.
This code is copied from the .rdata section of the stager DLL and is modified to represent the current process environment. Placeholders exist for the event handle and for the two Windows API functions used for the notification routines. The event used to signal that the entry point has been reached is created and copied to the 8FF4B5ACh placeholder. The addresses for NtSetHandle and NtWaitForSingleObject are resolved and written to 94A351BBh and 1DCB264Eh, respectively.
Now that the entry point is overwritten, the stager DLL spawns a new thread that initializes the KProcessHacker driver and sets the stage for killing AV processes. First, the thread calls NtWaitForSingleObject and waits for the entry point to be reached.
The KProcessHacker service has been created and started and is ready to receive requests from the client ProcessHacker process. Before a client can make a request to the service, it needs to be verified.
This KphDispatchCreate function allocates kernel memory to store this data structure. Due to it being kernel memory, the stager DLL is unable to manipulate the data structure from user mode, even from inside the ProcessHacker process. Instead, the stager DLL can send a KPH_VERIFYCLIENT IOCTL request to the driver. The handler function, KphVerifyClient, for this IOCTL will set the necessary fields once the client is verified.
From Figure 2, the second argument, 161604546, is decoded, yielding the handle ID of 0x128. The section object that this handle references is duplicated in the ProcessHacker process. The section object is duplicated with the same access rights as the original. Duplicating objects generate new handle values, but to keep it simple, this post reuses the original values.
DoppelPaymer is now in a state where it is waiting for an event to be signaled that notifies it that the stager DLL has completed initialization and is ready to process requests in the queue. This notification is sent by calling NtSetEvent with the 0x120 event handle, and the stager DLL waits for requests.
Process termination occurs in two steps: a process is opened, then it is killed. The first command sent, 1, will tell the stager DLL to open a handle to the process. Table 4 contains a list of valid commands.
The command is written to the queue, along with the process ID, and DoppelPaymer signals the event to notify the stager DLL that data is in the queue. Once that event is signaled, it waits for a response.
As noted earlier, the APC routine receives a function pointer that will be used to execute a specific action (kill process, open process, etc.). To restrict which requests can be made via this APC routine, it makes sure that only the following functions can be called from the APC:
The StagerAPCRoutine (Figure 8) shortcuts the entire process and jumps directly to a procedure, CallFunctionPointerRoutine, that calls the DLL stager versions of KphpOpenProcessContinuation and KphpTerminateProcessContinuation procedures and passes the client copy of the request key as a parameter.
As outlined in the previous section, to open a process handle, a KPH_RETRIEVEKEY request is sent to the KProcessHacker service. Along with this request, the StagerAPCRoutine address and the address of the function called by the APC open a process, StagerOpenProcess. A new request key is generated, saved to KPH_CLIENT and passed to StagerAPCRoutine. Once everything has been validated, the StagerAPCRoutine calls StagerOpenProcess where a KPH_OPENPROCESS request is sent to the KProcessHacker service. Both the client copy of the request key and the process ID of the target are sent with the request.
PsLookupProcessByProcessId is called to get a pointer to the process object in kernel memory. That pointer is used to open a handle to the object by calling ObOpenObjectByPointer. This handle can now be referenced by the stager DLL.
DoppelPaymer verifies that the process was successfully opened, and then takes the appropriate action. If an error occurred, it continues checking for blocklisted applications; otherwise, another notification is sent, this time with the command 2 to terminate the process.
Terminating a process follows the same procedure as opening a process with one difference: The StagerKillProcess function pointer is passed to the StagerAPCRoutine. The StagerKillProcess function sends a KPH_TERMINATEPROCESS request to the KProcessHacker service. This is handled by the KpiTerminateProcess kernel-mode function. The request key is validated before process termination can occur. The target process is reopened to get a kernel handle, and ZwTerminateProcess is called to kill the process. Note that using this procedure ignores PPL, so even protected processes will be killed.
Perhaps the most interesting change that the DoppelPaymer author made is to terminate processes and services that may interfere with file encryption. DoppelPaymer contains several lists of CRC32 checksums of process and service names that are blacklisted. The malware author included CRC32 checksums rather than strings to hinder reverse engineering efforts. However, it is possible to brute-force all of the checksums and recover the respective strings, as shown in Tables 7-11 found in the Appendix.
Thick client pentesting involves both local and server-side processing and often uses proprietary protocols for communication.Simple automated assessment scanning is not sufficient and testing thick client applications requires a lot of patience and a methodical approach. Moreover, the process often requires specialized tools and custom testing setup.
In addition to Burp Suite, there is an alternative proxy tool named Echo Mirage. Echo Mirage enables intercepting non-HTTP traffic between the tested thick client and the local or remote server.Echo Mirage can hook into the tested thick client application process so that communication between the tested thick client application and the local or remote server can be intercepted and edited. This can provide us insight into what kind of data was transmitted from the tested thick client application to the local or remote server.
The Process Monitor tool will identify if the application is trying to load any DLLs and the actual path that the application uses when looking for the missing DLLs.In Figure 11, we can see that the DVTA.exe process is missing several DLLs files that can be used for privilege escalation.
NOTE: The most popular development languages we faced was .NET or Java. Thick clients that were developed in those languages can be decompiled simply using open-source decompilers, provided the application has not undergone an obfuscation process.
In addition to being used as ransomware, Phobos is a support system for Advanced Persistent Threats (APTs). In this scenario, hackers gain access to a network and spend time exploring resources, extending control, and assessing the value of data held within. So, Phobos is both an avenue for ransomware and data theft. Both of these threats can cause severe financial and reputational damage to businesses.
Just as Rapid7 did a sweep of the Internet with a crawler, cycling through IP addresses and probing RDP ports, any hacker can perform the same sweep. Some hacker teams just perform this type of research and then package their findings of vulnerable targets for sale. A second hacker group, such as the Crysis team, buys a list, uploads it into their attack system, and then lets it run.
The controlling software for the ransomware is called Exec.exe. Unfortunately, the Crysis team does not produce these, and it calls a series of other programs in sequence to perform its attack. The first two of these are Process Hacker 2 and IObit Unlocker. The first of these identifies processes that have control of files, and the second kills them. This makes files available for alteration by encryption. 2ff7e9595c
Comments