
Shellcode. I’ll Call you back.

December 17, 2016 in Anti-*, Malware Analysis, Reversing

Many malicious wrappers and position-independent payloads (especially those based on AutoIt and VB) use various techniques to execute the main payload while evading the curious eyes of security solutions and malware analysts. One of the most popular ways to run code more stealthily relies on a mechanism known as a ‘call back’. A typical call back is just a function address passed to a legitimate, most often well-documented and innocent API function; the API then invokes that function internally when it encounters the specific event the call back was set up to handle.

Some call backs are set up asynchronously and are invoked in response to specific events, f.ex. Windows hooks execute a call back function when a key is pressed, the mouse moves, or a window is maximized, and timer callbacks fire after a specific time interval passes. Others are executed synchronously by an API that relies on the call back mechanism to let the callback function receive data while the API enumerates certain properties of the system (f.ex. the lately popular EnumDateFormats). The latter are the call back functions most commonly used by the wrappers.

Since this trick is popular, kinda stealthy and makes things a bit harder to analyze, every once in a while a ‘new’ type of malware pops up using a previously unknown, or barely known, call back function which – in return – obviously triggers the interest of malware analysts all over the place.

It crossed my mind that it would be cool to list all possible (or, more precisely, all documented) call back functions to give us at least a theoretical picture of what is out there. That is what this post is about. While the list doesn’t cover everything, it certainly covers a lot: it includes 500+ call back functions documented on MSDN, elsewhere on the Microsoft web site, or in other sources. Hopefully it is a good starting point for including these in sandboxing solutions and API monitors of any sort.
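One concrete way an API monitor or sandbox can use such a list is the following added example (it is not code from the original post). The names in the list below are callback prototypes; a monitor hooks the APIs that accept them, so the example maps a handful of those APIs to the parameter that carries the function pointer (parameter names follow the documented prototypes), and then flags every call whose callback address is not backed by any loaded module. The module map and the trace lines are constructed for illustration.

```python
"""Flag callback-taking API calls whose callback pointer is not backed by a loaded module.

Added example: the API subset, module map and trace lines are constructed for
illustration; a real API monitor would feed in its own records.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A handful of callback-accepting APIs, mapped to the name of the parameter that
# carries the function pointer (names as in the documented prototypes).
CALLBACK_APIS = {
    "EnumDateFormatsW": "lpDateFmtEnumProc",
    "EnumWindows": "lpEnumFunc",
    "CreateTimerQueueTimer": "Callback",
    "SetWindowsHookExW": "lpfn",
    "CryptEnumOIDInfo": "pfnEnumOIDInfo",
}


@dataclass(frozen=True)
class Module:
    """One loaded image as recorded by the monitor (constructed values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map of the monitored process.
MODULES = [
    Module("sample.exe", 0x0000000000400000, 0x0002A000),
    Module("kernel32.dll", 0x00007FF800000000, 0x000B0000),
    Module("user32.dll", 0x00007FF800100000, 0x00190000),
]

# Constructed API trace, one call per line: Name(param=0xhex, param=0xhex, ...)
SAMPLE_TRACE = [
    "GetTickCount()",
    "EnumDateFormatsW(lpDateFmtEnumProc=0x0000000000401230, Locale=0x400, dwFlags=0x1)",
    "EnumWindows(lpEnumFunc=0x0000020000001000, lParam=0x0)",
    "CreateTimerQueueTimer(phNewTimer=0x7FF8001F2A00, TimerQueue=0x0, Callback=0x000001F3C0A10000, "
    "Parameter=0x0, DueTime=0x3E8, Period=0x0, Flags=0x0)",
]

CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")


def parse_args(arg_text: str) -> dict:
    """Turn 'a=0x1, b=0x2' into {'a': '0x1', 'b': '0x2'}."""
    args = {}
    for part in filter(None, (p.strip() for p in arg_text.split(","))):
        key, _, value = part.partition("=")
        args[key.strip()] = value.strip()
    return args


def module_for(addr: int, modules) -> Optional[Module]:
    """The loaded image containing addr, or None if no image covers it."""
    return next((m for m in modules if m.contains(addr)), None)


def analyze_trace(lines, modules=MODULES, apis=CALLBACK_APIS):
    """Return (api, callback_addr, backing_module_or_None, suspicious) per callback-taking call.

    A callback pointing outside every loaded image (heap or freshly allocated
    executable memory) is the pattern the post describes and is marked suspicious.
    """
    findings = []
    for line in lines:
        m = CALL_RE.match(line.strip())
        if not m or m.group("api") not in apis:
            continue
        api = m.group("api")
        args = parse_args(m.group("args"))
        param = apis[api]
        if param not in args:
            continue
        target = int(args[param], 16)
        mod = module_for(target, modules)
        findings.append((api, target, mod.name if mod else None, mod is None))
    return findings


def suspicious_calls(lines, modules=MODULES, apis=CALLBACK_APIS):
    """Only the calls whose callback is not backed by any loaded module."""
    return [f for f in analyze_trace(lines, modules, apis) if f[3]]


if __name__ == "__main__":
    for api, target, mod, bad in analyze_trace(SAMPLE_TRACE):
        flag = "SUSPICIOUS" if bad else "ok        "
        print(f"{flag} {api:<24} callback=0x{target:016X} module={mod}")
```

The check deliberately keys on where the callback points rather than on which API is used: a legitimate program passes callbacks that live in its own image or a loaded DLL, while a wrapper that wants a payload executed hands over an address in memory it allocated itself. Extending the `CALLBACK_APIS` table with the rest of the list above is what turns this into a monitor-wide rule.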

As usual, if you spot any mistake in the list, please let me know and I’ll fix it. Thanks!

Here’s the list:

  • acmDriverEnumCallback
  • acmDriverProc
  • acmFilterChooseHookProc
  • acmFilterEnumCallback
  • acmFilterTagEnumCallback
  • acmFormatChooseHookProc
  • acmFormatEnumCallback
  • acmFormatTagEnumCallback
  • acmStreamConvertCallback
  • AddInterface
  • AddPropSheetPageProc
  • AddSecureMemoryCacheCallback
  • PagePaintHook
  • PageSetupHook
  • AllocateMemory
  • APCProc
  • ApplicationRecoveryCallback
  • ApplyCallbackFunction
  • PasswordChangeNotify
  • PasswordFilter
  • AuthzAccessCheckCallback
  • AuthzComputeGroupsCallback
  • AuthzFreeGroupsCallback
  • BindIoCompletionCallback
  • BlockConvertServicesToStatic
  • BlockDeleteStaticServices
  • BrowseCallbackProc
  • BufferCallback
  • CallWndProc
  • CallWndRetProc
  • capControlCallback
  • capErrorCallback
  • capStatusCallback
  • capVideoStreamCallback
  • capWaveStreamCallback
  • capYieldCallback
  • CBTProc
  • CCHookProc
  • CertChainFindByIssuerCallback
  • CertDllOpenStoreProv
  • CertEnumPhysicalStoreCallback
  • CertEnumSystemStoreCallback
  • CertEnumSystemStoreLocationCallback
  • CertStoreProvCloseCallback
  • CertStoreProvDeleteCertCallback
  • CertStoreProvDeleteCRLCallback
  • CertStoreProvDeleteCTL
  • CertStoreProvFindCert
  • CertStoreProvFindCRL
  • CertStoreProvFindCTL
  • CertStoreProvFreeFindCert
  • CertStoreProvFreeFindCRL
  • CertStoreProvFreeFindCTL
  • CertStoreProvGetCertProperty
  • CertStoreProvGetCRLProperty
  • CertStoreProvGetCTLProperty
  • CertStoreProvReadCertCallback
  • CertStoreProvReadCRLCallback
  • CertStoreProvReadCTL
  • CertStoreProvSetCertPropertyCallback
  • CertStoreProvSetCRLPropertyCallback
  • CertStoreProvSetCTLProperty
  • CertStoreProvWriteCertCallback
  • CertStoreProvWriteCRLCallback
  • CertStoreProvWriteCTL
  • CFHookProc
  • ClaimMediaLabel
  • CleanupGroupCancelCallback
  • ClientCallback
  • ClientCallback_Function
  • CloseServiceEnumerationHandle
  • CollectPerformanceData
  • CompletionProc
  • ConnectClient
  • ControlCallback
  • CopyProgressRoutine
  • CounterPathCallBack
  • CQPageProc
  • CreateServiceEnumerationHandle
  • CreateStaticService
  • CryptGetSignerCertificateCallback
  • CRYPT_ENUM_KEYID_PROP
  • CRYPT_ENUM_OID_FUNCTION
  • CRYPT_ENUM_OID_INFO
  • CRYPT_RETURN_HWND
  • CRYPT_VERIFY_IMAGE
  • CspGetDHAgreement
  • DavAuthCallback
  • DavFreeCredCallback
  • DavRegisterAuthCallback
  • DavUnregisterAuthCallback
  • DdeCallback
  • DdeEnableCallback
  • DeleteInterface
  • DeleteStaticService
  • DemandDialRequest
  • DhcpAddressDelHook
  • DhcpAddressOfferHook
  • DhcpControlHook
  • DhcpDeleteClientHook
  • DhcpHandleOptionsHook
  • DhcpNewPktHook
  • DhcpPktDropHook
  • DhcpPktSendHook
  • DhcpServerCalloutEntry
  • DialogProc
  • DigestFunction
  • DisassociateCurrentThreadFromCallback
  • DisconnectClient
  • DllCallbackProc
  • DllGetClassObject
  • DoUpdateRoutes
  • DoUpdateServices
  • DPA_DestroyCallback
  • DPA_EnumCallback
  • DrawStateProc
  • DriverCallback
  • DSA_DestroyCallback
  • DSA_EnumCallback
  • DSEnumAttributesCallback
  • EditStreamCallback
  • EditWordBreakProc
  • EditWordBreakProcEx
  • EmbeddedUIHandler
  • EnableCallback
  • EnhMetaFileProc
  • EnumCalendarInfoProc
  • EnumCalendarInfoProcEx
  • EnumCalendarInfoProcExEx
  • EnumChildProc
  • EnumCodePagesProc
  • EnumDateFormatsProc
  • EnumDateFormatsProcEx
  • EnumDateFormatsProcExEx
  • EnumDesktopProc
  • EnumDirTreeProc
  • EnumerateGetNextService
  • EnumerateLoadedModulesProc64
  • EnumFontFamExProc
  • EnumFontFamProc
  • EnumFontsProc
  • EnumGeoInfoProc
  • EnumICMProfilesProcCallback
  • EnumInputContext
  • EnumLanguageGroupLocalesProc
  • EnumLanguageGroupsProc
  • EnumLocalesProc
  • EnumLocalesProcEx
  • EnumMetaFileProc
  • EnumObjectsProc
  • EnumPageFilesProc
  • EnumRegisterWordProc
  • EnumResLangProc
  • EnumResNameProc
  • EnumResTypeProc
  • EnumThreadWndProc
  • EnumTimeFormatsProc
  • EnumTimeFormatsProcEx
  • EnumUILanguagesProc
  • EnumWindowsProc
  • EnumWindowStationProc
  • EventCallback
  • EventClassCallback
  • EventRecordCallback
  • Event_Handler_Function_Name
  • EVT_SUBSCRIBE_CALLBACK
  • ExportCallback
  • FaxLineCallback
  • FaxRouteAddFile
  • FaxRouteDeleteFile
  • FaxRouteEnumFile
  • FaxRouteEnumFiles
  • FaxRouteGetFile
  • FaxRouteModifyRoutingData
  • FaxRoutingInstallationCallback
  • FaxSendCallback
  • FAX_RECIPIENT_CALLBACK
  • FExecuteInAppDomainCallback
  • FiberProc
  • FileIOCompletionRoutine
  • FILE_RESTORE_CALLBACK
  • FindDebugInfoFileProc
  • FindExecutableImageProc
  • FLockClrVersionCallback
  • FlsCallback
  • FNCCERTDISPLAYPROC
  • FNCFILTERPROC
  • FNCMFILTERPROC
  • FNCMHOOKPROC
  • FNDAENUMCALLBACK
  • FNDPAENUMCALLBACK
  • FNDSAENUMCALLBACK
  • FNPEER_FREE_SECURITY_DATA
  • FNPEER_SECURE_RECORD
  • FNPEER_VALIDATE_RECORD
  • FN_AUTHENTICATION_CALLBACK
  • FN_AUTHENTICATION_CALLBACK_EX
  • FN_BLUETOOTH_ENUM_ATTRIBUTES_CALLBACK
  • FN_CDF_PARSE_ERROR_CALLBACK
  • FN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK
  • FN_CERT_DLL_OPEN_STORE_PROV_FUNC
  • FN_CERT_ENUM_PHYSICAL_STORE
  • FN_CERT_ENUM_SYSTEM_STORE
  • FN_CERT_STORE_PROV_CLOSE
  • FN_CERT_STORE_PROV_DELETE_CERT
  • FN_CERT_STORE_PROV_DELETE_CRL
  • FN_CERT_STORE_PROV_READ_CERT
  • FN_CERT_STORE_PROV_READ_CRL
  • FN_CERT_STORE_PROV_SET_CERT_PROPERTY
  • FN_CERT_STORE_PROV_SET_CRL_PROPERTY
  • FN_CERT_STORE_PROV_SET_CTL_PROPERTY
  • FN_CERT_STORE_PROV_WRITE_CERT
  • FN_CERT_STORE_PROV_WRITE_CRL
  • FN_CERT_STORE_PROV_WRITE_CTL
  • FN_CRYPT_XML_CREATE_TRANSFORM
  • FN_CRYPT_XML_DATA_PROVIDER_CLOSE
  • FN_CRYPT_XML_DATA_PROVIDER_READ
  • FN_CRYPT_XML_ENUM_ALG_INFO
  • FN_CRYPT_XML_WRITE_CALLBACK
  • FN_DEVICE_CALLBACK
  • FN_WdsCliCallback
  • FN_WdsCliTraceFunction
  • FN_WdsTransportClientReceiveContents
  • FN_WdsTransportClientReceiveMetadata
  • FN_WdsTransportClientSessionComplete
  • FN_WdsTransportClientSessionStart
  • FN_WdsTransportClientSessionStartEx
  • ForegroundIdleProc
  • FreeMemory
  • FRHookProc
  • FuncReturnhWnd
  • FunctionTableAccessProc64
  • FuncVerifyImage
  • GenerateGroupPolicy
  • GetApplicationRecoveryCallback
  • GetEventMessage
  • GetFirstOrderedService
  • GetGlobalInfo
  • GetInterfaceInfo
  • GetMfeStatus
  • GetModuleBaseProc64
  • GetMsgProc
  • GetNeighbors
  • GetNextOrderedService
  • GetRequest
  • GetResponse
  • GetServiceCount
  • GetSize
  • GetTSAudioEndpointEnumeratorForSession
  • gluNurbsCallback
  • gluQuadricCallback
  • gluTessCallback
  • GopherAttributeEnumerator
  • HandlerEx
  • HandlerRoutine
  • PhoneCallbackFunc
  • Phone_Event
  • HyphenateProc
  • ICMProgressProcCallback
  • ImportCallback
  • InitHelperDll
  • InitializeChangeNotify
  • InitializeEmbeddedUI
  • InitOnceCallback
  • InsertAt
  • InstalluiHandler
  • InstalluiHandlerRecord
  • INSTALLUI_HANDLER
  • InterfaceStatus
  • InternetSetStatusCallback
  • InternetStatusCallback
  • INTERNET_STATUS_CALLBACK
  • IoCompletionCallback
  • IOProc
  • IsService
  • JournalPlaybackProc
  • JournalRecordProc
  • KeyboardProc
  • lineCallbackFunc
  • LineDDAProc
  • Line_Event
  • LOG_FULL_HANDLER_CALLBACK
  • LOG_TAIL_ADVANCE_CALLBACK
  • LOG_UNPINNED_CALLBACK
  • LowLevelKeyboardProc
  • LowLevelMouseProc
  • LPCQADDFORMSPROC
  • LPCQADDPAGESPROC
  • LPCQPAGEPROC
  • LPDISPLAYVAL
  • LPDSENUMATTRIBUTES
  • LPEVALCOMCALLBACK
  • LPFNDFMCALLBACK
  • LPFNVIEWCALLBACK
  • MagGetImageScalingCallback
  • MagImageScalingCallback
  • MagSetImageScalingCallback
  • MappingCallbackProc
  • MaxMediaLabel
  • MessageProc
  • MFAddPeriodicCallback
  • MFInvokeCallback
  • MFPERIODICCALLBACK
  • MFRemovePeriodicCallback
  • MgmCreationAlertCallback
  • MgmDisableIgmpCallback
  • MgmJoinAlertCallback
  • MgmLocalJoinCallback
  • MgmLocalLeaveCallback
  • MgmPruneAlertCallback
  • MgmRpfCallback
  • MgmWrongIfCallback
  • MGM_ENABLE_IGMP_CALLBACK
  • MibCreate
  • MibDelete
  • MIBEntryCreate
  • MIBEntryDelete
  • MIBEntryGet
  • MIBEntryGetFirst
  • MIBEntryGetNext
  • MIBEntrySet
  • MibGet
  • MibGetFirst
  • MibGetNext
  • MibGetTrapInfo
  • MibSet
  • MibSetTrapInfo
  • MidiInProc
  • MidiOutProc
  • MiniDumpCallback
  • MMCFreeNotifyHandle
  • MMCPropertyChangeNotify
  • MMCPropertyHelp
  • MMCPropPageCallback
  • MMIOProc
  • MonitorEnumProc
  • MouseProc
  • MRUCMPPROC
  • MyStatusProc
  • OFNHookProc
  • OFNHookProcOldStyle
  • OpenPerformanceData
  • ORASADFunc
  • OutOfProcessExceptionEventCallback
  • OutOfProcessExceptionEventDebuggerLaunchCallback
  • OutOfProcessExceptionEventSignatureCallback
  • OutputProc
  • PIO_APC_ROUTINE
  • QueryPower
  • RadiusExtensionFreeAttributes
  • RadiusExtensionInit
  • RadiusExtensionProcess
  • RadiusExtensionProcess2
  • RadiusExtensionProcessEx
  • RadiusExtensionTerm
  • RASADFunc
  • RasAdminAcceptNewConnection
  • RasAdminConnectionHangupNotification
  • RasAdminGetIpAddressForUser
  • RasAdminReleaseIpAddress
  • RasCustomDeleteEntryNotify
  • RasCustomDial
  • RasCustomDialDlg
  • RasCustomEntryDlg
  • RasCustomHangUp
  • RasCustomScriptExecute
  • RasDialFunc
  • RasDialFunc1
  • RasDialFunc2
  • RasEapBegin
  • RasEapEnd
  • RasEapFreeMemory
  • RasEapGetIdentity
  • RasEapGetInfo
  • RasEapInitialize
  • RasEapInvokeConfigUI
  • RasEapInvokeInteractiveUI
  • RasEapMakeMessage
  • RasFreeBuffer
  • RasGetBuffer
  • RasPBDlgFunc
  • RasReceiveBuffer
  • RasRetrieveBuffer
  • RasSecurityDialogBegin
  • RasSecurityDialogEnd
  • RasSendBuffer
  • RasSetCommSettings
  • ReaderScroll
  • ReadProcessMemoryProc64
  • RegisterApplicationRecoveryCallback
  • RegisterCallback
  • RegisterProtocol
  • RegisterWaitChainCOMCallback
  • RemoveAt
  • RemoveSecureMemoryCacheCallback
  • RemoveTraceCallback
  • PrintHookProc
  • RM_WRITE_STATUS_CALLBACK
  • ProcessGroupPolicy
  • ProcessGroupPolicyEx
  • ProgressNotificationCallback
  • PropEnumProc
  • PropEnumProcEx
  • PropSheetPageProc
  • PropSheetProc
  • RpcAuthKeyRetrievalFn
  • RpcMgmtAuthorizationFn
  • RpcnotificationRoutine
  • RpcObjectInqFn
  • RPC_IF_CALLBACK_FN
  • RtlInstallFunctionTableCallback
  • RTM_ENTITY_EXPORT_METHOD
  • RTM_EVENT_CALLBACK
  • SampleCommand
  • SampleCommit
  • SampleConnect
  • SampleDump
  • SampleOsVersionCheck
  • SampleStartHelper
  • SampleStop
  • SampleStopHelper
  • SceSvcAttachmentAnalyze
  • SceSvcAttachmentConfig
  • SceSvcAttachmentUpdate
  • SecureMemoryCacheCallback
  • SendAsyncProc
  • SendMessageCallback
  • ServiceMain
  • SetAt
  • SetGlobalInfo
  • SetInterfaceInfo
  • SetInterfaceReceiveType
  • SetLineRecoCallback
  • SetPower
  • SetProviderStatusFunc
  • SetProviderStatusInfoFreeFunc
  • SetResponseType
  • SetTraceCallback
  • SetupDefaultQueueCallback
  • SetupHookProc
  • SetupInitDefaultQueueCallback
  • SetupTermDefaultQueueCallback
  • ShellProc
  • ShutdownEmbeddedUI
  • SimpleCallback
  • SNMPAPI_CALLBACK
  • SnmpExtensionClose
  • SnmpExtensionInit
  • SnmpExtensionInitEx
  • SnmpExtensionMonitor
  • SnmpExtensionQuery
  • SnmpExtensionQueryEx
  • SnmpExtensionTrap
  • SoundSentryProc
  • SP_FILE_CALLBACK
  • StackSnapshotCallback
  • StartComplete
  • StartProtocol
  • StatusCallback
  • StatusMessageCallback
  • StatusRoutine
  • StopProtocol
  • SymEnumerateModulesProc64
  • SymEnumerateSymbolsProc64
  • SymEnumLinesProc
  • SymEnumProcessesProc
  • SymEnumSourceFilesProc
  • SymEnumSourceFileTokensProc
  • SymEnumSymbolsProc
  • SymFindFileInPathProc
  • SymRegisterCallback
  • SymRegisterCallbackProc64
  • SymRegisterFunctionEntryCallback
  • SymRegisterFunctionEntryCallbackProc64
  • SyncUpdateProc
  • SysMsgProc
  • TaskDialogCallbackProc
  • ThreadProc
  • TimeProc
  • TimeProvClose
  • TimeProvCommand
  • TimeProvOpen
  • TimerAPCProc
  • TimerCallback
  • TimerProc
  • TranslateAddressProc64
  • TranslateDispatch
  • TrySubmitThreadpoolCallback
  • UiaEventCallback
  • UiaProviderCallback
  • UiaRegisterProviderCallback
  • UmsSchedulerProc
  • UnbindInterface
  • UndeleteFile
  • UnregisterApplicationRecoveryCallback
  • ValidateRoute
  • VectoredHandler
  • VERIFYSERVERCERT
  • WaitCallback
  • WaitChainCallback
  • WaitOrTimerCallback
  • waveInProc
  • waveOutProc
  • WdsTransportClientRegisterCallback
  • WdsTransportProviderCloseContent
  • WdsTransportProviderCloseInstance
  • WdsTransportProviderCompareContent
  • WdsTransportProviderCreateInstance
  • WdsTransportProviderDumpState
  • WdsTransportProviderGetContentMetadata
  • WdsTransportProviderGetContentSize
  • WdsTransportProviderInitialize
  • WdsTransportProviderOpenContent
  • WdsTransportProviderReadContent
  • WdsTransportProviderRefreshSettings
  • WdsTransportProviderShutdown
  • WdsTransportProviderUserAccessCheck
  • WdsTransportServerRegisterCallback
  • WinBioCaptureSampleWithCallback
  • WinBioEnrollCaptureWithCallback
  • WinBioIdentifyWithCallback
  • WinBioLocateSensorWithCallback
  • WinBioVerifyWithCallback
  • WindowProc
  • WinEventProc
  • WinHttpSetStatusCallback
  • WINHTTP_STATUS_CALLBACK
  • WLAN_NOTIFICATION_CALLBACK
  • WorkCallback
  • WPUQueryBlockingCallback
  • PxeProviderInitialize
  • PxeProviderRecvRequest
  • PxeProviderServiceControl
  • PxeProviderShutdown
  • PxeRegisterCallback

A few ideas to mess around with threat hunting, and EDR software (anti-threat hunting/anti-edr)

December 12, 2016 in Anti-*, Anti-Forensics, EDR, Incident Response

I just came back from holidays and since time off is usually a great time to let your brain run idle, it often turns it into a bit more creative device than usual. As a result I came up with a number of ideas that I will post about in the coming days. I’ll kick it off by discussing anti-threat hunting/anti-EDR techniques.

I do threat hunting for a living, so this is not just a post playing devil’s advocate, but an invitation to discuss ways of detecting the techniques I am going to present below (and potentially others).

To stay focused, I’ll mainly talk about the process creation events that can typically be analyzed inside Splunk (or another log aggregator) that collects Windows Event logs (f.ex. Security events with Event ID 4688) and data from typical EDR software (this includes Sysmon). The discussion can be extended to other events quite easily.

Okay, so let’s assume that we have a nice collection of events showing us all the process names (and possibly command line options) from our systems, we have already created rules for detecting some anomalies, and we regularly review the alerts and new event logs to see if there is any new anomaly we can spot by just eyeballing the data and codify into a new alert/watchlist. A clever attacker could attempt to modify our logs in a way that affects these automated detections and analysis, by hiding the execution of some processes or, if lucky (I have not tested it), perhaps even hiding some of the logs from the analyst.

Here’s how it could work:

  • Many watchlists focus on process names; changing a process name renders the watchlist useless (f.ex. a macro could copy ‘powershell.exe’ to ‘harmless.exe’ before executing the PowerShell snippet, or ‘cscript.exe’ to ‘goodprogram.exe’); try it, it actually works, and since the copy operation can be done via API, it may be hard to spot by just looking at process logs; to detect it we would need to look at the flow of both the process creation events and the file system operations preceding them
  • Lots of analysis happens at the Web UI level; if the EDR or Event Viewer doesn’t process HTML entities correctly, there is a possibility of injecting tags that modify the flow of the generated HTML; I have not tested it, but it’s a possibility
  • Possibly a silly idea, but the EDR has to store data somewhere and probably uses some database; would a carefully crafted path or file name cause an SQL command to fail? [similar to SQL injection; could we delete all records by performing SQL injection through a specially crafted event?]
  • There are potential bugs in EDR software that can be exploited
  • Homoglyph object names, f.ex. paths and file names (using two identically looking Unicode characters, with a non-Latin code point replacing a Latin one) may make the analyst ‘blind’; if the attacker creates ‘c:\Windоws\system32\calc.exe’ where the ‘o’ in ‘Windows’ is a Cyrillic ‘о’, the paths will look identical and casual eyeballing of the data will miss this entry, classifying it as the legitimate ‘c:\Windows\system32\calc.exe’; this can be detected using data stacking, and by showing non-ASCII characters (especially those that can be used for homoglyph paths) as their escaped Unicode code points (or at least in a different color).
  • Delays are a trouble for sandboxes. The very same is true for EDR; if the events are generated slowly, it may be hard to correlate them and they will be interleaved with a large number of other, legitimate events; unfortunately, even basic event logs are quite noisy (load module, create/open file/registry, etc. – lots of it comes from legitimate OS libraries; perhaps filtering of white-listed events is required)
  • A direct attack on the EDR could prevent event interception; these are not bugs per se, but understanding how the software operates may help to bypass it:
    • If the EDR doesn’t work at kernel/hypervisor level, one could modify access rights on the malicious files so they can’t be accessed; the same goes for directories and the registry
    • If the EDR doesn’t protect its services, processes, registry keys and files from tampering, this could help to kill its functionality (same techniques as for AV)
    • Evasions could be built in for a specific EDR that the bad guys don’t know how to bypass (EDR detection working the same way as sandbox/VM detection)
    • Finally, knowing the network protocol, one could potentially install a filter (or simply patch the code in memory) that disables the event reporting related to malicious activity (EDR events going via a malicious proxy!)
  • Using new hacking tricks may help to bypass EDR as well (it’s good to follow the trends in the pentesting world)
  • If the system is a web server, it may be hard to spot activities on the system if they are delivered via a web shell that talks directly to the API
  • Also, lots can be done from ntdll alone, and it’s resident in every process; while using NT calls, or even syscalls directly, is trickier, it could bypass some user-mode EDR engines as well; in other words, spawning new processes is the lazy way malware does it today, but it may change in the future
  • and so on, and so forth…
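Two of the ideas above, the renamed binary and the look-alike path, can be checked mechanically before an analyst starts eyeballing the data. The following added example (not code from the original post) runs both checks over constructed Sysmon Event ID 1-like records: it compares the on-disk image name with the OriginalFileName that newer Sysmon versions log from the PE version resource (assumed present in the records), lists every non-ASCII character in the image path with its code point and Unicode name, renders such paths in escaped form, and stacks the escaped paths so a one-off look-alike stands out. All event values are constructed.

```python
"""Two sanity checks over process-creation events before stacking or eyeballing them.

Added example with constructed Sysmon Event ID 1-like records. 'OriginalFileName'
is the PE version-resource name that newer Sysmon versions log; assumed present.
"""
import unicodedata
from collections import Counter

# Constructed events: a genuine powershell.exe, a copy of it renamed to harmless.exe
# launched from Word, a calc.exe path with a Cyrillic 'о' (U+043E) in 'Windows',
# and the genuine calc.exe.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\harmless.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": "C:\\Wind\u043ews\\System32\\calc.exe",
     "OriginalFileName": "CALC.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "OriginalFileName": "CALC.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Last component of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_renamed(event: dict):
    """Return (image_name, original_name) when the on-disk name differs from the
    name compiled into the PE, i.e. the 'copy powershell.exe to harmless.exe' case."""
    original = event.get("OriginalFileName")
    if not original:
        return None
    name = basename(event["Image"])
    return None if name.lower() == original.lower() else (name, original)


def find_non_ascii(text: str):
    """List (index, U+XXXX, unicode name) for each non-ASCII character in a path."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(text) if ord(c) > 127]


def escape_non_ascii(text: str) -> str:
    """Render non-ASCII characters as \\uXXXX so look-alikes stop looking alike."""
    return "".join(c if ord(c) < 128 else f"\\u{ord(c):04x}" for c in text)


def stack_images(events):
    """Data stacking: count events per lower-cased, escaped image path; a look-alike
    path shows up as its own low-count line instead of merging with the real one."""
    return Counter(escape_non_ascii(e["Image"].lower()) for e in events)


def triage(events):
    """Run both checks; return (check, escaped_image, detail) tuples."""
    findings = []
    for e in events:
        renamed = check_renamed(e)
        if renamed:
            findings.append(("renamed-binary", escape_non_ascii(e["Image"]),
                             f"on-disk name {renamed[0]!r} but OriginalFileName {renamed[1]!r}"))
        odd = find_non_ascii(e["Image"])
        if odd:
            detail = "; ".join(f"{cp} {name} at offset {i}" for i, cp, name in odd)
            findings.append(("non-ascii-path", escape_non_ascii(e["Image"]), detail))
    return findings


if __name__ == "__main__":
    for check, image, detail in triage(EVENTS):
        print(f"[{check}] {image}: {detail}")
    for image, count in stack_images(EVENTS).most_common():
        print(f"{count:>4}  {image}")
```

The name comparison is case-insensitive because version resources often carry the name in different case (PowerShell.EXE, CALC.EXE) than the file on disk; a mismatch is a lead, not a verdict, since legitimately renamed tools and installers exist. The escaped rendering is what you would put in the Splunk field instead of (or next to) the raw path.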