[plugin] Add dirty state IoC detection to malfind#1300

Merged
ikelos merged 2 commits into
volatilityfoundation:developfrom
Abyss-W4tcher:dirty_ioc_windows_malfind
Nov 7, 2024

Conversation

@Abyss-W4tcher
Contributor

Hi,

The current windows.malfind implementation does not leverage the dirty state indicator to identify potential threats, and filters out non-writable VADs. However, some evasion techniques use an elevated WriteProcessMemory call to inject data inside remote processes' PAGE_EXECUTE_READ regions:

As expected, we invoked WriteProcessMemory, specifying 0x00007FF7519B0EC0 as
target address (address of entry point in our example), and successfully changed the
read-only region.

When using WriteProcessMemory to write to Read-only memory addresses we have
observed that associated errors and exceptions are not raised within the OS if we have
sufficient privileges on the target process. The question is, why?

If the page is read-only, WriteProcessMemory temporarily changes the permission to read-write, updates the memory, and then restores the original permission.

To identify this behaviour, I edited the malfind code to scan each VAD page with (R)-X protection for any dirty state marker.

If necessary, I can develop a PoC + sample (which might come in handy for unit tests).

Inspired by Linux #995.
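The check described in this PR, as an added stand-alone example that is not code from the Volatility project or from the PR itself: walk the pages of every executable, non-writable VAD and report those whose x86-64 hardware PTE carries the dirty bit. It assumes VADs carry Win32 PAGE_* constants (the real VAD stores an index into a protection table), 64-bit x86-64 PTEs with 4 KiB pages and no large pages; the Vad and Hit types, make_pte() and the sample VAD/PTE data are constructed for the example. It goes slightly beyond the PR text by also keeping PAGE_EXECUTE_WRITECOPY in scope, since image sections are mapped that way and a dirty private copy of such a page is exactly the in-place patch case.

```python
# Added example (not Volatility project code): dirty-bit scan of executable,
# non-writable VAD pages. Vad, Hit, make_pte and the sample data are constructed.
from dataclasses import dataclass
from typing import Dict, Iterator, List

PAGE_SIZE = 0x1000

# Win32 memory protection constants (winnt.h)
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

# x86-64 hardware PTE bits
PTE_PRESENT = 1 << 0
PTE_ACCESSED = 1 << 5
PTE_DIRTY = 1 << 6
PTE_NX = 1 << 63
PTE_PFN_MASK = 0x000F_FFFF_FFFF_F000


@dataclass(frozen=True)
class Vad:
    start: int        # first byte of the region
    end: int          # last byte of the region (inclusive, like the VAD's EndingVpn)
    protection: int   # Win32 PAGE_* constant (assumption: real VADs store a table index)


@dataclass(frozen=True)
class Hit:
    vad_start: int
    page: int
    pte: int


def in_scope(vad: Vad) -> bool:
    """Executable VADs that malfind's writable filter would drop.

    PAGE_EXECUTE_READWRITE is excluded: the existing malfind check already reports it.
    PAGE_EXECUTE_WRITECOPY is kept: image sections are mapped that way, and a dirty
    private copy of such a page is exactly the in-place patch this check looks for.
    """
    return vad.protection in (PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_WRITECOPY)


def vad_pages(vad: Vad) -> Iterator[int]:
    """Yield every page-aligned address covered by the VAD."""
    page = vad.start & ~(PAGE_SIZE - 1)
    while page <= vad.end:
        yield page
        page += PAGE_SIZE


def dirty_executable_pages(vads: List[Vad], ptes: Dict[int, int]) -> List[Hit]:
    """Return one Hit per present, dirty page inside an in-scope VAD."""
    hits: List[Hit] = []
    for vad in vads:
        if not in_scope(vad):
            continue
        for page in vad_pages(vad):
            pte = ptes.get(page, 0)
            if not pte & PTE_PRESENT:
                # Paged out or never touched: the hardware dirty bit carries no information.
                continue
            if pte & PTE_DIRTY:
                hits.append(Hit(vad.start, page, pte))
    return hits


def make_pte(pfn: int, dirty: bool = False, nx: bool = False) -> int:
    """Build a present, accessed x86-64 PTE for the given page frame number."""
    value = ((pfn << 12) & PTE_PFN_MASK) | PTE_PRESENT | PTE_ACCESSED
    if dirty:
        value |= PTE_DIRTY
    if nx:
        value |= PTE_NX
    return value


# Constructed sample: one process's VADs and the PTEs of the pages that are resident.
SAMPLE_VADS = [
    Vad(0x7FF7519B0000, 0x7FF7519B3FFF, PAGE_EXECUTE_WRITECOPY),  # image .text
    Vad(0x7FF7519C0000, 0x7FF7519C0FFF, PAGE_READWRITE),           # image .data
    Vad(0x01F00000, 0x01F01FFF, PAGE_EXECUTE_READ),                # private region flipped to RX
    Vad(0x02A00000, 0x02A00FFF, PAGE_EXECUTE_READWRITE),           # RWX: existing malfind case
]
SAMPLE_PTES = {
    0x7FF7519B0000: make_pte(0x3A100, dirty=True),  # entry point page patched via WriteProcessMemory
    0x7FF7519B1000: make_pte(0x3A101),
    0x7FF7519B2000: make_pte(0x3A102),
    # 0x7FF7519B3000 absent: paged out, skipped by the scan
    0x7FF7519C0000: make_pte(0x3A200, dirty=True),  # data page legitimately written
    0x01F00000: make_pte(0x4B000),
    0x01F01000: make_pte(0x4B001, dirty=True),      # shellcode written while RW, then VirtualProtect to RX
    0x02A00000: make_pte(0x5C000, dirty=True),
}

if __name__ == "__main__":
    for hit in dirty_executable_pages(SAMPLE_VADS, SAMPLE_PTES):
        print(f"VAD {hit.vad_start:#x}: dirty executable page {hit.page:#x} (PTE {hit.pte:#018x})")
```

A dirty bit on an executable, non-writable page is an indicator, not proof: the loader's relocation fix-ups and hooks placed by security products (the reason the thread asks about Defender-enabled samples) also leave such pages dirty, so results should be compared against a clean baseline of the same OS build before being treated as an injection.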

@atcuno
Contributor

atcuno commented Oct 8, 2024

Do you have some Windows 10 samples with the default Defender enabled state to test this? If not, we can run it over some of them soon.

@Abyss-W4tcher
Contributor Author

I don't possess any sample infected by this technique, or by malware performing an RWX allocation, shellcode injection and then changing protection back to RX.

Sure, it'd be great to have this feature run over many samples!

@atcuno
Contributor

atcuno commented Oct 8, 2024

Ok we will run it across our sample set (a couple hundred Windows samples) and report back before/after this patch.

@Abyss-W4tcher
Contributor Author

Hi @atcuno, any news on the testing of this feature?

@ikelos
Member

ikelos commented Nov 7, 2024

I'm not sure why this is still failing on the black test. Could you try pushing a trivial commit to it please? I thought they'd resolved the black issues, but this one still seems to be failing the tests...

@ikelos
Member

ikelos commented Nov 7, 2024

Awesome, thanks! 5:)

Member

@ikelos ikelos left a comment

Looks good.

@ikelos ikelos merged commit efa4959 into volatilityfoundation:develop Nov 7, 2024
@Abyss-W4tcher Abyss-W4tcher deleted the dirty_ioc_windows_malfind branch November 7, 2024 14:08
3 participants