
You Can Run, but You Can't Hide - Finding the Footprints of Hidden Shellcode

Conference:  Black Hat Asia 2023

2023-05-12

Authors:   John Uhlmann


Abstract

Memory scanning is a defensive necessity on Windows systems. Microsoft has not provided kernel callbacks for executable memory manager operations, and user-mode hooks are fragile, so defenders have deployed periodic memory scanning to compensate. Attackers have responded by obfuscating their code during periods of inactivity to avoid these scanners. Gargoyle was the first public example, but many toolkits have implemented variations since.

In this talk, we describe three approaches to uncovering such hidden shellcode. First, we explore using the Control Flow Guard (CFG) bitmap to detect executable memory hidden by memory region protection fluctuations. We then demonstrate using memory manager kernel ETW for runtime detection of violations of the immutable code page principle. Finally, we show how to use kernel telemetry to construct normalised process behaviour profiles. These syscall summaries are roughly the runtime equivalent of the Import Table and can be used for highly scalable detection of outlier process behaviour.

Both tools, the CFG bitmap guided memory scanner and the runtime behaviour monitor and profiler, will be released.
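The first two approaches in the abstract both hinge on one observation: shellcode that hides by flipping its region's protection leaves a trace, either as a protection-change event (the ETW approach) or as state that survives the flip (the CFG bitmap, which is populated when memory becomes executable). The following is an added example, not code from the talk or its released tools, that models that detection logic over a constructed stream of protection-change events. The event schema (`alloc`/`protect`/`free` with a base address and a `PAGE_*` value) is hypothetical and is not the real memory manager ETW schema; the `ever_exec` flag stands in for a set CFG bitmap bit as an assumption about what such a bit records, and the rule names are the example's own.

```python
"""Model detector for Gargoyle-style protection fluctuation (added example).

Feeds a constructed stream of memory protection events through two rules
from the abstract: the immutable-code-page principle (an executable page
should not later lose or regain execute) and a sticky 'was executable'
flag that plays the role of a CFG bitmap bit for a later guided scan.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows PAGE_* protection constants from winnt.h.
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80


def is_exec(protect: int) -> bool:
    # All four executable protections live in the high nibble.
    return bool(protect & 0xF0)


def is_writable(protect: int) -> bool:
    return protect in (PAGE_READWRITE, PAGE_WRITECOPY,
                       PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    protect: int
    ever_exec: bool = False   # sticky: stands in for a set CFG bitmap bit (assumption)


@dataclass
class Event:
    seq: int
    pid: int
    op: str        # "alloc", "protect" or "free" (hypothetical schema, not ETW's)
    base: int
    protect: int


@dataclass
class Alert:
    seq: int
    pid: int
    base: int
    rule: str


class FluctuationDetector:
    def __init__(self) -> None:
        self.regions: Dict[Tuple[int, int], Region] = {}
        self.alerts: List[Alert] = []

    def _alert(self, ev: Event, rule: str) -> None:
        self.alerts.append(Alert(ev.seq, ev.pid, ev.base, rule))

    def feed(self, ev: Event) -> None:
        key = (ev.pid, ev.base)
        if ev.op == "free":
            self.regions.pop(key, None)
            return
        if ev.op == "alloc":
            region = Region(protect=ev.protect, ever_exec=is_exec(ev.protect))
            self.regions[key] = region
            if ev.protect == PAGE_EXECUTE_READWRITE:
                self._alert(ev, "rwx")
            return
        region = self.regions.setdefault(key, Region(protect=0))  # unknown prior state
        old, new = region.protect, ev.protect
        if new == PAGE_EXECUTE_READWRITE:
            self._alert(ev, "rwx")
        if is_exec(old) and not is_exec(new):
            # Code page losing execute: the 'hide' step, and a violation of
            # the immutable code page principle.
            self._alert(ev, "exec_to_nonexec")
        if not is_exec(old) and is_exec(new):
            if region.ever_exec:
                self._alert(ev, "reexec")             # the 'unhide' step
            elif is_writable(old):
                self._alert(ev, "writable_to_exec")   # one-off staging, lower severity
            region.ever_exec = True
        region.protect = new

    def hidden_candidates(self) -> List[Tuple[int, int]]:
        """Regions that are non-executable now but were executable before.
        A scanner that only walks currently executable memory skips these;
        a CFG-bitmap-guided scan would revisit them."""
        return sorted(k for k, r in self.regions.items()
                      if r.ever_exec and not is_exec(r.protect))


def run_demo() -> Tuple[List[Alert], List[Tuple[int, int]]]:
    # Constructed events: pid 100 stages once (JIT-like), pid 200 is
    # Gargoyle-style (stage, run, hide, run again), pid 300 allocates RWX.
    events = [
        Event(1, 100, "alloc",   0x1A0000, PAGE_READWRITE),
        Event(2, 100, "protect", 0x1A0000, PAGE_EXECUTE_READ),
        Event(3, 200, "alloc",   0x2B0000, PAGE_READWRITE),
        Event(4, 200, "protect", 0x2B0000, PAGE_EXECUTE_READ),
        Event(5, 200, "protect", 0x2B0000, PAGE_READWRITE),     # hide
        Event(6, 200, "protect", 0x2B0000, PAGE_EXECUTE_READ),  # unhide
        Event(7, 300, "alloc",   0x3C0000, PAGE_EXECUTE_READWRITE),
    ]
    det = FluctuationDetector()
    for ev in events[:5]:
        det.feed(ev)
    hidden_while_dormant = det.hidden_candidates()  # pid 200's region while hidden
    for ev in events[5:]:
        det.feed(ev)
    return det.alerts, hidden_while_dormant


if __name__ == "__main__":
    alerts, hidden = run_demo()
    for a in alerts:
        print(f"seq={a.seq} pid={a.pid} base={a.base:#x} {a.rule}")
    print("hidden candidates while dormant:", [(p, hex(b)) for p, b in hidden])
```

The `exec_to_nonexec` and `reexec` rules fire on the hide and unhide transitions themselves, which is the runtime (ETW-style) detection; `hidden_candidates()` is the scan-time view, where the sticky flag points a scanner at a region that a naive "scan executable memory" pass would not visit. In a real deployment the `writable_to_exec` rule is noisy for JIT engines and loaders, which is why the example reports it separately instead of dropping it.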
