Conference:  Black Hat Asia 2023

Authors: John Uhlmann

2023-05-12

Memory scanning is a defensive necessity on Windows systems. Microsoft has not provided executable memory manager kernel callbacks and user-mode hooks are fragile, so defenders have deployed periodic memory scanning to compensate. Attackers have responded by obfuscating their code during periods of inactivity to avoid these scanners. Gargoyle was the first public example, but many toolkits have implemented variations since.In this talk, we describe three approaches to uncovering such hidden shellcode.Firstly we explore using the Control Flow Guard (CFG) bitmap to detect executable memory hidden by memory region protection fluctuations. We will then demonstrate using memory manager kernel ETW for runtime detection of violations of the immutable code page principle. Finally, we will show how to use kernel telemetry to construct normalised process behaviour profiles. These syscall summaries are roughly the runtime equivalent of the Import Table and can be used for highly scalable detection of outlier process behaviour. Both tools, the CFG bitmap guided memory scanner and the runtime behaviour monitor and profiler, will be released.