
Running programs via Proxy & jumping on a EDR-bypass trampoline

May 1, 2017 in Anti-*, EDR, Incident Response

The parent-child process relationship is very helpful when it comes to defining detection rules and watchlists. For instance, any time winword.exe spawns cmd.exe, powershell.exe, cscript.exe, wscript.exe or mshta.exe, it is an obvious anomaly that may be a sign of an Office macro-based infection.

However, insert an unexpected process in between and the rule/watchlist fails. Perhaps for this reason it would be nice to have EDR rulesets that can refer not only to the parent, but also to the ancestors of a process.

Since this relationship is prone to manipulation, let’s have a look at a couple of possible examples:

  • rundll32 url.dll, OpenURL file://c:\windows\system32\calc.exe
  • rundll32 url.dll, OpenURLA file://c:\windows\system32\calc.exe
  • rundll32 url.dll, FileProtocolHandler calc.exe
  • rundll32 zipfldr.dll, RouteTheCall calc.exe

Running any of these commands will launch calc.exe with the rundll32.exe as a parent.

Obviously, rundll32.exe is a well-known bad guy too. What if we copy it first?

copy c:\windows\system32\rundll32.exe %appdata%\Adobe\adobe.exe

Now, we can launch:

  • %appdata%\adobe\adobe.exe url.dll, OpenURL file://c:\windows\system32\calc.exe
  • %appdata%\adobe\adobe.exe url.dll, OpenURLA file://c:\windows\system32\calc.exe
  • %appdata%\adobe\adobe.exe url.dll, FileProtocolHandler calc.exe
  • %appdata%\adobe\adobe.exe zipfldr.dll, RouteTheCall calc.exe

And get the very same result, this time with the parent process being adobe.exe.
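As an added example (not the post’s own code), here is what an ancestor-aware rule looks like next to the classic parent-only one. It runs over a constructed set of Sysmon-style process-creation records and applies three checks: Office anywhere up the chain rather than only as the direct parent, the rundll32 proxy DLL/export pairs listed above regardless of what the executable is called, and a binary whose name on disk disagrees with the OriginalFileName in its version resource (the renamed-copy trick). The event fields, paths and pids are all made up for the example; the sample chain launches cmd.exe through the proxy so that it lands on the watchlist.

```python
"""Ancestor-aware checks for the parent/child evasion described in the post.

Added example, not the blog's own code. The events below are constructed and
only mimic the fields of a Sysmon-style process-creation record (pid, ppid,
image path, command line, OriginalFileName from the PE version resource).
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
# The DLL/export pairs from the post that make rundll32 (or a copy of it) act as a proxy.
PROXY_EXPORTS = {
    ("url.dll", "openurl"), ("url.dll", "openurla"),
    ("url.dll", "fileprotocolhandler"), ("zipfldr.dll", "routethecall"),
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str           # full path of the executable
    cmdline: str
    original_name: str   # OriginalFileName from the version resource


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def proxy_export(cmdline: str) -> Optional[str]:
    """Return 'dll!export' when the command line is one of the proxy invocations.

    rundll32 accepts both 'dll,Export args' and 'dll, Export args', so the
    DLL/export split is done on the first comma after the executable token.
    (Assumes the executable token itself contains no spaces.)
    """
    tokens = cmdline.split()
    if len(tokens) < 2:
        return None
    dll, sep, tail = " ".join(tokens[1:]).partition(",")
    if not sep or not tail.split():
        return None
    key = (basename(dll.strip()), tail.split()[0].lower())
    return f"{key[0]}!{key[1]}" if key in PROXY_EXPORTS else None


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
              max_depth: int = 16) -> Iterator[Tuple[int, ProcEvent]]:
    """Yield (distance, ancestor): parent at 1, grandparent at 2, ...

    Bounded and cycle-checked because pid reuse can make a naive walk loop.
    """
    seen = {ev.pid}
    cur, depth = ev, 0
    while cur.ppid in by_pid and cur.ppid not in seen and depth < max_depth:
        cur = by_pid[cur.ppid]
        depth += 1
        seen.add(cur.pid)
        yield depth, cur


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every event that trips one of the three checks."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}

    def flag(pid: int, reason: str) -> None:
        findings.setdefault(pid, []).append(reason)

    for ev in events:
        name = basename(ev.image)
        # 1. Renamed copy: the name on disk disagrees with what the PE says it is.
        if ev.original_name.lower() == "rundll32.exe" and name != "rundll32.exe":
            flag(ev.pid, f"renamed rundll32 running as {name}")
        # 2. Proxy invocation, whatever the binary is called.
        px = proxy_export(ev.cmdline)
        if px:
            flag(ev.pid, f"proxy execution via {px}")
        # 3. Office anywhere up the chain, not only as the direct parent.
        if name in SCRIPT_HOSTS:
            for depth, anc in ancestors(ev, by_pid):
                if basename(anc.image) in OFFICE_APPS:
                    flag(ev.pid, f"office ancestor {basename(anc.image)} at distance {depth}")
                    break
    return findings


# Constructed sample: Office -> rundll32 proxy -> cmd, and Office -> renamed rundll32 -> cmd.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe", "EXPLORER.EXE"),
    ProcEvent(10, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n', "WinWord.exe"),
    ProcEvent(20, 10, r"C:\Windows\System32\rundll32.exe",
              r"rundll32 url.dll, OpenURL file://c:\windows\system32\cmd.exe", "RUNDLL32.EXE"),
    ProcEvent(30, 20, r"C:\Windows\System32\cmd.exe", "cmd.exe", "Cmd.Exe"),
    ProcEvent(40, 10, r"C:\Users\user\AppData\Roaming\Adobe\adobe.exe",
              r"adobe.exe zipfldr.dll, RouteTheCall cmd.exe", "RUNDLL32.EXE"),
    ProcEvent(50, 40, r"C:\Windows\System32\cmd.exe", "cmd.exe", "Cmd.Exe"),
    ProcEvent(60, 1, r"C:\Windows\System32\notepad.exe", "notepad.exe", "NOTEPAD.EXE"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, "; ".join(reasons))
```

A parent-only rule sees cmd.exe under rundll32.exe (or adobe.exe) and stays quiet; the ancestor walk reports winword.exe at distance 2 for both chains, and the OriginalFileName comparison catches the copied rundll32 even though nothing in its name or path says so.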

If you know any other EXE/DLL combo that can act as a proxy, I’d be grateful if you could let me know. Thanks!

Shellcode. I’ll Call you back.

December 17, 2016 in Anti-*, Malware Analysis, Reversing

Many malicious wrappers and position-independent payloads (especially those based on AutoIT and VB) use various techniques to execute the main payload while evading the curious eyes of security solutions and malware analysts. One of the most popular ways to execute code more stealthily relies on a mechanism known as a ‘call back’. A typical call back is just a function address that is passed to a legitimate, most often well-documented and innocent API function; the call back function is then executed internally when the API encounters the specific event the call back is set up to intercept.

Some call backs are set up asynchronously and are called in response to specific events: for example, Windows hooks execute a call back function when a key is pressed, the mouse is moved, or a window is maximized, and timer callbacks are called after a specific time interval passes. Others are executed synchronously by a given API that relies on the call back mechanism to let the callback function intercept some data while enumerating certain properties of the system (for example the recently popular EnumDateFormats). The latter are the call back functions most commonly used by the wrappers.

Since this trick is popular, kinda stealthy, and makes things a bit harder to analyze, every once in a while a ‘new’ type of malware pops up using a previously unknown, or barely known, call back function which – in turn – obviously triggers the interest of malware analysts all over the place.

It crossed my mind that it would be cool to list all possible (or, more precisely, all documented) call back functions, giving us at least a theoretical knowledge of what is out there. And this is what this post is about. While the list doesn’t cover everything, it certainly covers a lot – it includes 500+ call back functions documented in MSDN, on the Microsoft web site, or elsewhere. Hopefully a good start for including these in sandboxing solutions and API monitors of any sort.
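As an added example of how a sandbox or API monitor could put such an inventory to use (this is not the post’s own code), the snippet below resolves every callback pointer passed to an inventoried API against the process’s loaded modules: a legitimate callback lives inside an image, while a pointer into an executable private allocation is the shape described above, where an innocent API is the one that transfers control to the payload. The API-to-callback-type table is a small subset of the list keyed by the API that takes it (the pairing follows the MSDN prototypes, but the table itself is constructed here), and the module map, memory regions and call trace are made up for the example; a real monitor would read them from the instrumented process.

```python
"""Using a callback inventory in an API monitor: flag callback pointers that do
not point into any loaded image.

Added example, not the post's own code. The API-to-callback-type table, the
module map, the memory regions and the call trace are all constructed for the
example; a real monitor would obtain them from the instrumented process.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the post's list, keyed by the API that takes the callback.
CALLBACK_APIS: Dict[str, str] = {
    "EnumDateFormatsA": "EnumDateFormatsProc",
    "EnumWindows": "EnumWindowsProc",
    "EnumChildWindows": "EnumChildProc",
    "EnumSystemLocalesA": "EnumLocalesProc",
    "EnumResourceTypesA": "EnumResTypeProc",
    "SetTimer": "TimerProc",
    "QueueUserAPC": "APCProc",
    "CreateThread": "ThreadProc",
    "CopyFileExA": "CopyProgressRoutine",
    "AddVectoredExceptionHandler": "VectoredHandler",
}
EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Module:
    name: str
    base: int
    size: int


@dataclass
class Region:
    base: int
    size: int
    protect: str   # PAGE_* constant name
    kind: str      # "image", "mapped" or "private" (MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE)


def _contains(base: int, size: int, addr: int) -> bool:
    return base <= addr < base + size


def module_for(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if _contains(m.base, m.size, addr)), None)


def region_for(addr: int, regions: List[Region]) -> Optional[Region]:
    return next((r for r in regions if _contains(r.base, r.size, addr)), None)


def classify(addr: int, modules: List[Module], regions: List[Region]) -> str:
    """Describe where a callback pointer lands: an image, a private executable
    allocation, some other region, or nothing mapped at all."""
    mod = module_for(addr, modules)
    if mod is not None:
        return f"image:{mod.name}"
    reg = region_for(addr, regions)
    if reg is None:
        return "unmapped"
    if reg.kind == "private" and reg.protect in EXEC_PROTECTIONS:
        return "private-exec"
    return f"{reg.kind}:{reg.protect}"


def suspicious_callbacks(trace: List[Tuple[str, int]], modules: List[Module],
                         regions: List[Region]) -> List[Tuple[str, str, str, str]]:
    """Return (api, callback type, pointer, verdict) for every callback that does
    not point into a loaded image. APIs outside the inventory are ignored."""
    out = []
    for api, ptr in trace:
        cb_type = CALLBACK_APIS.get(api)
        if cb_type is None:
            continue
        verdict = classify(ptr, modules, regions)
        if not verdict.startswith("image:"):
            out.append((api, cb_type, hex(ptr), verdict))
    return out


# Constructed process snapshot: a 32-bit sample plus one RWX private allocation.
MODULES = [Module("sample.exe", 0x00400000, 0x00020000),
           Module("kernel32.dll", 0x75A00000, 0x000F0000)]
REGIONS = [Region(0x00400000, 0x00020000, "PAGE_EXECUTE_READ", "image"),
           Region(0x75A00000, 0x000F0000, "PAGE_EXECUTE_READ", "image"),
           Region(0x001A0000, 0x00001000, "PAGE_EXECUTE_READWRITE", "private"),
           Region(0x00300000, 0x00010000, "PAGE_READWRITE", "private")]
TRACE = [
    ("GetTickCount", 0),                 # takes no callback, ignored
    ("EnumWindows", 0x00401230),         # callback inside sample.exe: fine
    ("EnumDateFormatsA", 0x001A0040),    # callback inside the RWX allocation
    ("CreateThread", 0x001A0100),        # same allocation, via a thread start routine
    ("SetTimer", 0x00300010),            # non-executable private memory: still not an image
]

if __name__ == "__main__":
    for row in suspicious_callbacks(TRACE, MODULES, REGIONS):
        print(*row)
```

The point of keying on the API rather than on the callback type is that a monitor only ever sees the API call; the inventory tells it which argument is a code pointer worth resolving. Whatever the callback is named, the same location check applies, which is why an exhaustive list matters more than memorising the handful of Enum* functions that happen to be fashionable.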

As usual, if you spot any mistake in the list, please let me know and I’ll fix it. Thanks!

Here’s the list:

  • acmDriverEnumCallback
  • acmDriverProc
  • acmFilterChooseHookProc
  • acmFilterEnumCallback
  • acmFilterTagEnumCallback
  • acmFormatChooseHookProc
  • acmFormatEnumCallback
  • acmFormatTagEnumCallback
  • acmStreamConvertCallback
  • AddInterface
  • AddPropSheetPageProc
  • AddSecureMemoryCacheCallback
  • PagePaintHook
  • PageSetupHook
  • AllocateMemory
  • APCProc
  • ApplicationRecoveryCallback
  • ApplyCallbackFunction
  • PasswordChangeNotify
  • PasswordFilter
  • AuthzAccessCheckCallback
  • AuthzComputeGroupsCallback
  • AuthzFreeGroupsCallback
  • BindIoCompletionCallback
  • BlockConvertServicesToStatic
  • BlockDeleteStaticServices
  • BrowseCallbackProc
  • BufferCallback
  • CallWndProc
  • CallWndRetProc
  • capControlCallback
  • capErrorCallback
  • capStatusCallback
  • capVideoStreamCallback
  • capWaveStreamCallback
  • capYieldCallback
  • CBTProc
  • CCHookProc
  • CertChainFindByIssuerCallback
  • CertDllOpenStoreProv
  • CertEnumPhysicalStoreCallback
  • CertEnumSystemStoreCallback
  • CertEnumSystemStoreLocationCallback
  • CertStoreProvCloseCallback
  • CertStoreProvDeleteCertCallback
  • CertStoreProvDeleteCRLCallback
  • CertStoreProvDeleteCTL
  • CertStoreProvFindCert
  • CertStoreProvFindCRL
  • CertStoreProvFindCTL
  • CertStoreProvFreeFindCert
  • CertStoreProvFreeFindCRL
  • CertStoreProvFreeFindCTL
  • CertStoreProvGetCertProperty
  • CertStoreProvGetCRLProperty
  • CertStoreProvGetCTLProperty
  • CertStoreProvReadCertCallback
  • CertStoreProvReadCRLCallback
  • CertStoreProvReadCTL
  • CertStoreProvSetCertPropertyCallback
  • CertStoreProvSetCRLPropertyCallback
  • CertStoreProvSetCTLProperty
  • CertStoreProvWriteCertCallback
  • CertStoreProvWriteCRLCallback
  • CertStoreProvWriteCTL
  • CFHookProc
  • ClaimMediaLabel
  • CleanupGroupCancelCallback
  • ClientCallback
  • ClientCallback_Function
  • CloseServiceEnumerationHandle
  • CollectPerformanceData
  • CompletionProc
  • ConnectClient
  • ControlCallback
  • CopyProgressRoutine
  • CounterPathCallBack
  • CQPageProc
  • CreateServiceEnumerationHandle
  • CreateStaticService
  • CryptGetSignerCertificateCallback
  • CRYPT_ENUM_KEYID_PROP
  • CRYPT_ENUM_OID_FUNCTION
  • CRYPT_ENUM_OID_INFO
  • CRYPT_RETURN_HWND
  • CRYPT_VERIFY_IMAGE
  • CspGetDHAgreement
  • DavAuthCallback
  • DavFreeCredCallback
  • DavRegisterAuthCallback
  • DavUnregisterAuthCallback
  • DdeCallback
  • DdeEnableCallback
  • DeleteInterface
  • DeleteStaticService
  • DemandDialRequest
  • DhcpAddressDelHook
  • DhcpAddressOfferHook
  • DhcpControlHook
  • DhcpDeleteClientHook
  • DhcpHandleOptionsHook
  • DhcpNewPktHook
  • DhcpPktDropHook
  • DhcpPktSendHook
  • DhcpServerCalloutEntry
  • DialogProc
  • DigestFunction
  • DisassociateCurrentThreadFromCallback
  • DisconnectClient
  • DllCallbackProc
  • DllGetClassObject
  • DoUpdateRoutes
  • DoUpdateServices
  • DPA_DestroyCallback
  • DPA_EnumCallback
  • DrawStateProc
  • DriverCallback
  • DSA_DestroyCallback
  • DSA_EnumCallback
  • DSEnumAttributesCallback
  • EditStreamCallback
  • EditWordBreakProc
  • EditWordBreakProcEx
  • EmbeddedUIHandler
  • EnableCallback
  • EnhMetaFileProc
  • EnumCalendarInfoProc
  • EnumCalendarInfoProcEx
  • EnumCalendarInfoProcExEx
  • EnumChildProc
  • EnumCodePagesProc
  • EnumDateFormatsProc
  • EnumDateFormatsProcEx
  • EnumDateFormatsProcExEx
  • EnumDesktopProc
  • EnumDirTreeProc
  • EnumerateGetNextService
  • EnumerateLoadedModulesProc64
  • EnumFontFamExProc
  • EnumFontFamProc
  • EnumFontsProc
  • EnumGeoInfoProc
  • EnumICMProfilesProcCallback
  • EnumInputContext
  • EnumLanguageGroupLocalesProc
  • EnumLanguageGroupsProc
  • EnumLocalesProc
  • EnumLocalesProcEx
  • EnumMetaFileProc
  • EnumObjectsProc
  • EnumPageFilesProc
  • EnumRegisterWordProc
  • EnumResLangProc
  • EnumResNameProc
  • EnumResTypeProc
  • EnumThreadWndProc
  • EnumTimeFormatsProc
  • EnumTimeFormatsProcEx
  • EnumUILanguagesProc
  • EnumWindowsProc
  • EnumWindowStationProc
  • EventCallback
  • EventClassCallback
  • EventRecordCallback
  • Event_Handler_Function_Name
  • EVT_SUBSCRIBE_CALLBACK
  • ExportCallback
  • FaxLineCallback
  • FaxRouteAddFile
  • FaxRouteDeleteFile
  • FaxRouteEnumFile
  • FaxRouteEnumFiles
  • FaxRouteGetFile
  • FaxRouteModifyRoutingData
  • FaxRoutingInstallationCallback
  • FaxSendCallback
  • FAX_RECIPIENT_CALLBACK
  • FExecuteInAppDomainCallback
  • FiberProc
  • FileIOCompletionRoutine
  • FILE_RESTORE_CALLBACK
  • FindDebugInfoFileProc
  • FindExecutableImageProc
  • FLockClrVersionCallback
  • FlsCallback
  • FNCCERTDISPLAYPROC
  • FNCFILTERPROC
  • FNCMFILTERPROC
  • FNCMHOOKPROC
  • FNDAENUMCALLBACK
  • FNDPAENUMCALLBACK
  • FNDSAENUMCALLBACK
  • FNPEER_FREE_SECURITY_DATA
  • FNPEER_SECURE_RECORD
  • FNPEER_VALIDATE_RECORD
  • FN_AUTHENTICATION_CALLBACK
  • FN_AUTHENTICATION_CALLBACK_EX
  • FN_BLUETOOTH_ENUM_ATTRIBUTES_CALLBACK
  • FN_CDF_PARSE_ERROR_CALLBACK
  • FN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK
  • FN_CERT_DLL_OPEN_STORE_PROV_FUNC
  • FN_CERT_ENUM_PHYSICAL_STORE
  • FN_CERT_ENUM_SYSTEM_STORE
  • FN_CERT_STORE_PROV_CLOSE
  • FN_CERT_STORE_PROV_DELETE_CERT
  • FN_CERT_STORE_PROV_DELETE_CRL
  • FN_CERT_STORE_PROV_READ_CERT
  • FN_CERT_STORE_PROV_READ_CRL
  • FN_CERT_STORE_PROV_SET_CERT_PROPERTY
  • FN_CERT_STORE_PROV_SET_CRL_PROPERTY
  • FN_CERT_STORE_PROV_SET_CTL_PROPERTY
  • FN_CERT_STORE_PROV_WRITE_CERT
  • FN_CERT_STORE_PROV_WRITE_CRL
  • FN_CERT_STORE_PROV_WRITE_CTL
  • FN_CRYPT_XML_CREATE_TRANSFORM
  • FN_CRYPT_XML_DATA_PROVIDER_CLOSE
  • FN_CRYPT_XML_DATA_PROVIDER_READ
  • FN_CRYPT_XML_ENUM_ALG_INFO
  • FN_CRYPT_XML_WRITE_CALLBACK
  • FN_DEVICE_CALLBACK
  • FN_WdsCliCallback
  • FN_WdsCliTraceFunction
  • FN_WdsTransportClientReceiveContents
  • FN_WdsTransportClientReceiveMetadata
  • FN_WdsTransportClientSessionComplete
  • FN_WdsTransportClientSessionStart
  • FN_WdsTransportClientSessionStartEx
  • ForegroundIdleProc
  • FreeMemory
  • FRHookProc
  • FuncReturnhWnd
  • FunctionTableAccessProc64
  • FuncVerifyImage
  • GenerateGroupPolicy
  • GetApplicationRecoveryCallback
  • GetEventMessage
  • GetFirstOrderedService
  • GetGlobalInfo
  • GetInterfaceInfo
  • GetMfeStatus
  • GetModuleBaseProc64
  • GetMsgProc
  • GetNeighbors
  • GetNextOrderedService
  • GetRequest
  • GetResponse
  • GetServiceCount
  • GetSize
  • GetTSAudioEndpointEnumeratorForSession
  • gluNurbsCallback
  • gluQuadricCallback
  • gluTessCallback
  • GopherAttributeEnumerator
  • HandlerEx
  • HandlerRoutine
  • phoneCallbackFunc
  • Phone_Event
  • HyphenateProc
  • ICMProgressProcCallback
  • ImportCallback
  • InitHelperDll
  • InitializeChangeNotify
  • InitializeEmbeddedUI
  • InitOnceCallback
  • InsertAt
  • InstalluiHandler
  • InstalluiHandlerRecord
  • INSTALLUI_HANDLER
  • InterfaceStatus
  • InternetSetStatusCallback
  • InternetStatusCallback
  • INTERNET_STATUS_CALLBACK
  • IoCompletionCallback
  • IOProc
  • IsService
  • JournalPlaybackProc
  • JournalRecordProc
  • KeyboardProc
  • lineCallbackFunc
  • LineDDAProc
  • Line_Event
  • LOG_FULL_HANDLER_CALLBACK
  • LOG_TAIL_ADVANCE_CALLBACK
  • LOG_UNPINNED_CALLBACK
  • LowLevelKeyboardProc
  • LowLevelMouseProc
  • LPCQADDFORMSPROC
  • LPCQADDPAGESPROC
  • LPCQPAGEPROC
  • LPDISPLAYVAL
  • LPDSENUMATTRIBUTES
  • LPEVALCOMCALLBACK
  • LPFNDFMCALLBACK
  • LPFNVIEWCALLBACK
  • MagGetImageScalingCallback
  • MagImageScalingCallback
  • MagSetImageScalingCallback
  • MappingCallbackProc
  • MaxMediaLabel
  • MessageProc
  • MFAddPeriodicCallback
  • MFInvokeCallback
  • MFPERIODICCALLBACK
  • MFRemovePeriodicCallback
  • MgmCreationAlertCallback
  • MgmDisableIgmpCallback
  • MgmJoinAlertCallback
  • MgmLocalJoinCallback
  • MgmLocalLeaveCallback
  • MgmPruneAlertCallback
  • MgmRpfCallback
  • MgmWrongIfCallback
  • MGM_ENABLE_IGMP_CALLBACK
  • MibCreate
  • MibDelete
  • MIBEntryCreate
  • MIBEntryDelete
  • MIBEntryGet
  • MIBEntryGetFirst
  • MIBEntryGetNext
  • MIBEntrySet
  • MibGet
  • MibGetFirst
  • MibGetNext
  • MibGetTrapInfo
  • MibSet
  • MibSetTrapInfo
  • MidiInProc
  • MidiOutProc
  • MiniDumpCallback
  • MMCFreeNotifyHandle
  • MMCPropertyChangeNotify
  • MMCPropertyHelp
  • MMCPropPageCallback
  • MMIOProc
  • MonitorEnumProc
  • MouseProc
  • MRUCMPPROC
  • MyStatusProc
  • OFNHookProc
  • OFNHookProcOldStyle
  • OpenPerformanceData
  • ORASADFunc
  • OutOfProcessExceptionEventCallback
  • OutOfProcessExceptionEventDebuggerLaunchCallback
  • OutOfProcessExceptionEventSignatureCallback
  • OutputProc
  • PIO_APC_ROUTINE
  • QueryPower
  • RadiusExtensionFreeAttributes
  • RadiusExtensionInit
  • RadiusExtensionProcess
  • RadiusExtensionProcess2
  • RadiusExtensionProcessEx
  • RadiusExtensionTerm
  • RASADFunc
  • RasAdminAcceptNewConnection
  • RasAdminConnectionHangupNotification
  • RasAdminGetIpAddressForUser
  • RasAdminReleaseIpAddress
  • RasCustomDeleteEntryNotify
  • RasCustomDial
  • RasCustomDialDlg
  • RasCustomEntryDlg
  • RasCustomHangUp
  • RasCustomScriptExecute
  • RasDialFunc
  • RasDialFunc1
  • RasDialFunc2
  • RasEapBegin
  • RasEapEnd
  • RasEapFreeMemory
  • RasEapGetIdentity
  • RasEapGetInfo
  • RasEapInitialize
  • RasEapInvokeConfigUI
  • RasEapInvokeInteractiveUI
  • RasEapMakeMessage
  • RasFreeBuffer
  • RasGetBuffer
  • RasPBDlgFunc
  • RasReceiveBuffer
  • RasRetrieveBuffer
  • RasSecurityDialogBegin
  • RasSecurityDialogEnd
  • RasSendBuffer
  • RasSetCommSettings
  • ReaderScroll
  • ReadProcessMemoryProc64
  • RegisterApplicationRecoveryCallback
  • RegisterCallback
  • RegisterProtocol
  • RegisterWaitChainCOMCallback
  • RemoveAt
  • RemoveSecureMemoryCacheCallback
  • RemoveTraceCallback
  • PrintHookProc
  • RM_WRITE_STATUS_CALLBACK
  • ProcessGroupPolicy
  • ProcessGroupPolicyEx
  • ProgressNotificationCallback
  • PropEnumProc
  • PropEnumProcEx
  • PropSheetPageProc
  • PropSheetProc
  • RpcAuthKeyRetrievalFn
  • RpcMgmtAuthorizationFn
  • RpcnotificationRoutine
  • RpcObjectInqFn
  • RPC_IF_CALLBACK_FN
  • RtlInstallFunctionTableCallback
  • RTM_ENTITY_EXPORT_METHOD
  • RTM_EVENT_CALLBACK
  • SampleCommand
  • SampleCommit
  • SampleConnect
  • SampleDump
  • SampleOsVersionCheck
  • SampleStartHelper
  • SampleStop
  • SampleStopHelper
  • SceSvcAttachmentAnalyze
  • SceSvcAttachmentConfig
  • SceSvcAttachmentUpdate
  • SecureMemoryCacheCallback
  • SendAsyncProc
  • SendMessageCallback
  • ServiceMain
  • SetAt
  • SetGlobalInfo
  • SetInterfaceInfo
  • SetInterfaceReceiveType
  • SetLineRecoCallback
  • SetPower
  • SetProviderStatusFunc
  • SetProviderStatusInfoFreeFunc
  • SetResponseType
  • SetTraceCallback
  • SetupDefaultQueueCallback
  • SetupHookProc
  • SetupInitDefaultQueueCallback
  • SetupTermDefaultQueueCallback
  • ShellProc
  • ShutdownEmbeddedUI
  • SimpleCallback
  • SNMPAPI_CALLBACK
  • SnmpExtensionClose
  • SnmpExtensionInit
  • SnmpExtensionInitEx
  • SnmpExtensionMonitor
  • SnmpExtensionQuery
  • SnmpExtensionQueryEx
  • SnmpExtensionTrap
  • SoundSentryProc
  • SP_FILE_CALLBACK
  • StackSnapshotCallback
  • StartComplete
  • StartProtocol
  • StatusCallback
  • StatusMessageCallback
  • StatusRoutine
  • StopProtocol
  • SymEnumerateModulesProc64
  • SymEnumerateSymbolsProc64
  • SymEnumLinesProc
  • SymEnumProcessesProc
  • SymEnumSourceFilesProc
  • SymEnumSourceFileTokensProc
  • SymEnumSymbolsProc
  • SymFindFileInPathProc
  • SymRegisterCallback
  • SymRegisterCallbackProc64
  • SymRegisterFunctionEntryCallback
  • SymRegisterFunctionEntryCallbackProc64
  • SyncUpdateProc
  • SysMsgProc
  • TaskDialogCallbackProc
  • ThreadProc
  • TimeProc
  • TimeProvClose
  • TimeProvCommand
  • TimeProvOpen
  • TimerAPCProc
  • TimerCallback
  • TimerProc
  • TranslateAddressProc64
  • TranslateDispatch
  • TrySubmitThreadpoolCallback
  • UiaEventCallback
  • UiaProviderCallback
  • UiaRegisterProviderCallback
  • UmsSchedulerProc
  • UnbindInterface
  • UndeleteFile
  • UnregisterApplicationRecoveryCallback
  • ValidateRoute
  • VectoredHandler
  • VERIFYSERVERCERT
  • WaitCallback
  • WaitChainCallback
  • WaitOrTimerCallback
  • waveInProc
  • waveOutProc
  • WdsTransportClientRegisterCallback
  • WdsTransportProviderCloseContent
  • WdsTransportProviderCloseInstance
  • WdsTransportProviderCompareContent
  • WdsTransportProviderCreateInstance
  • WdsTransportProviderDumpState
  • WdsTransportProviderGetContentMetadata
  • WdsTransportProviderGetContentSize
  • WdsTransportProviderInitialize
  • WdsTransportProviderOpenContent
  • WdsTransportProviderReadContent
  • WdsTransportProviderRefreshSettings
  • WdsTransportProviderShutdown
  • WdsTransportProviderUserAccessCheck
  • WdsTransportServerRegisterCallback
  • WinBioCaptureSampleWithCallback
  • WinBioEnrollCaptureWithCallback
  • WinBioIdentifyWithCallback
  • WinBioLocateSensorWithCallback
  • WinBioVerifyWithCallback
  • WindowProc
  • WinEventProc
  • WinHttpSetStatusCallback
  • WINHTTP_STATUS_CALLBACK
  • WLAN_NOTIFICATION_CALLBACK
  • WorkCallback
  • WPUQueryBlockingCallback
  • PxeProviderInitialize
  • PxeProviderRecvRequest
  • PxeProviderServiceControl
  • PxeProviderShutdown
  • PxeRegisterCallback