Sunday, August 21, 2022

Tools And Technical Write-Ups Describing Attacking Techniques That Rely On Concealing Code Execution On Windows




Hunt & Hackett presents a set of tools and technical write-ups describing attacking techniques that rely on concealing code execution on Windows. Here you will find explanations of how these techniques work, receive advice on detection, and get sample source code for testing your detection coverage.

Content

This repository covers two classes of attacking techniques that extensively use internal Windows mechanisms plus provides suggestions and tools for detecting them:

  • Process Tampering – a set of techniques that conceal the code on the scale of an entire process.
  • Code Injection – a set of techniques that allow executing code as part of other processes without interfering with their functionality.
  • Detection – a compilation of recommendations for defending against various techniques for concealing code execution.

The core values of the project:

  • The systematic approach. This repository consists of more than just a collection of tools or links to external resources. Each subject receives a detailed explanation of the underlying concepts; each specific case gets classified into generic categories.
  • Proof-of-concept tooling. The write-ups are accompanied by example projects in C that demonstrate the use of the described facilities in practice.
  • Beginner to expert. You don't need to be a cybersecurity expert to understand the concepts we describe. Yet, even professionals in the corresponding field should find the content valuable and educational because of the attention to detail and pitfalls.

Implementation

One final distinctive feature of this project is the extensive use of the Native API throughout the samples. Here is the motivation for this choice:

  1. Functionality. Some operations required for the most advanced techniques (such as Process Tampering) are not exposed via other APIs.
  2. Control. Being the lowest level of interaction with the operating system, it provides the most control over its behavior. The Win32 API is implemented on top of the Native API, so whatever is possible to achieve with the former is also possible with the latter.
  3. Availability. Being exposed by ntdll.dll, the Native API is available in all processes, including the system ones.
  4. Consistency. The interfaces exposed by this API are remarkably consistent. After learning the fundamental design choices, it becomes possible to correctly predict the majority of function prototypes just from the API's name.
  5. Resistance to hooking. It is significantly easier to remove or bypass user-mode hooks when using the Native API, partially blinding security software. There are no lower-level libraries that can be patched, so unhooking becomes as simple as loading a second instance of ntdll.dll and redirecting the calls there.

Compiling Remarks

The sample code uses the Native API headers provided by the PHNT project. Make sure to clone the repository using the git clone --recurse-submodules command to fetch this dependency. Alternatively, you can use git submodule update --init after cloning the repository.

To build the projects included with the repository, you will need a recent version of the Windows SDK. If you use Visual Studio, please refer to the built-in SDK installation. Alternatively, you can also use the standalone build environment of the EWDK. To compile all tools at once, use MSBuild AllTools.sln /t:build /p:configuration=Release /p:platform=x64.


