Disabling Windows Event Logs by Suspending EventLog Service Threads
This lab was inspired by an old post Phant0m: Killing Windows Event Log by @hlldz where he introduced a powershell tool Invoke-Phant0m, which disables Windows EventLog service by killing its threads hosted by the svchost.exe.
The purpose of this quick lab is to understand some of the inner workings of Invoke-Phant0m. In particular, I wanted to play around with Windows APIs related to retrieving a process ID that hosts a given service, thread enumeration, mapping threads to a particular service (Windows Eventlog in this case) hosted in the svchost.exe and so on. This would give me a better understanding of how I can target specific threads when I need to, I thought.
Although this lab was inspired by @hlldz' post, you will notice that we implemented the same technique in a slightly different way by levarging different Windows APIs.
Overview
Windows event logs are handled by EventLog
service that is hosted by svchost.exe.
If we list svchost processes, we see a number of those:
From the above screenshot, it's not clear which process actually hosts the EventLog
service, but if we keep inspecting svchost.exe
processes one by one in Process Hacker, we will eventually find the process hosting the EventLog
service, which in my case it is svchost.exe
with pid 2196:
Note that we can find out the PID of the process that is hosting EventLog
:
If we look into svchost.exe threads for EventLog
, we see there are a couple of threads of interest as highlighted in blue:
Below shows that indeed, suspending the threas is enough to disable the EventLog service from registering any new events:
Based on the above, the main goal of this lab is to hack some code to find these threads and simply suspend them and disable windows event logging this way.
Resuming threads will write out the events to the events log as if the threads had not been suspended in the first place.
Code
Below is the code for the technique that at a high level works like this:
Open a handle to Service Control Manager with
OpenSCManagerA
Open a handle to EventLog service with
OpenServiceA
Retrieve svchost.exe (hosting EventLog) process ID with
QueryServiceStatusEx
Open a handle to the svchost.exe process (from step 3)
Get a list of loaded modules loaded by svchost.exe
EnumProcessModules
Loop through the list of
svchost
loaded modules, retrieved in step 5, find their names withGetModuleBaseName
and find the base address of the modulewevtsvc.dll
- this is the module containingEventLog
service inner-workingsGet
wevtsvc.dll
module info withGetModuleInformation
. It will return a structure with module's start address and its image size - we will need these details later, when determiing ifEventLog
service thread's fall into wevtsvc.dll module's memory spaceEnumerate all the threads inside svchost.exe with
Thread32First
andThread32Next
For each thread from step 8, retrieve the thread's start address with
NtQueryInformationThread
For each thread from step 8, check if the thread's start address belongs to the
wevtsvc.dll
memory space inside svchost.exeIf thread's start address is inside the
wevtsvc.dll
memory space, this is our victim thread and we suspend it withSuspendThread
EventLog
service is now disabled
Demo
Below GIF illustrates:
net user ola ola
is executed and user's ola password is changed and an event4724
logged at 6:55:30 PM4 EventLog threads are suspended in svchost.exe (PID 2196)
net user ola ola
is executed again at 6:55:38 PM, but no new event4724
is captured
References
Last updated