Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
Windows API Hashing in Malware
Detecting Hooked Syscalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
Retrieving ntdll Syscall Stubs from Disk at Run-time
Full DLL Unhooking with C++
Enumerating RWX Protected Memory Regions for Code Injection
Disabling Windows Event Logs by Suspending EventLog Service Threads
T1027: Obfuscated Powershell Invocations
Masquerading Processes in Userland via _PEB
Commandline Obfusaction
File Smuggling with HTML and JavaScript
T1099: Timestomping
T1096: Alternate Data Streams
T1158: Hidden Files
T1140: Encode/Decode Data with Certutil
Downloading Files with Certutil
T1045: Packed Binaries
Unloading Sysmon Driver
Bypassing IDS Signatures with Simple Reverse Shells
Preventing 3rd Party DLLs from Injecting into your Malware
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Parent Process ID (PPID) Spoofing
Executing C# Assemblies from Jscript and wscript with DotNetToJscript
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows / OS Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Preventing 3rd Party DLLs from Injecting into your Malware

It is possible to launch a new process in such a way that Windows will prevent non Microsoft signed binaries from being injected into that process. This may be useful for evading some AVs/EDRs that perform userland hooking by injecting their DLLs into running process.

UpdateProcThreadAttribute

First method of achieving the objective is brought to us by UpdateProcThreadAttribute and one of the attributes it allows us set -PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY

Below code shows how to create a new notepad process with a mitigation policy that will not allow any non MS Signed binaries to be injected to it:

#include "pch.h"
#include <iostream>
#include <Windows.h>
​
int main()
{
	PROCESS_INFORMATION pi = {};
	STARTUPINFOEXA si = {};
	SIZE_T attributeSize = 0;
	
	InitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);
	PPROC_THREAD_ATTRIBUTE_LIST attributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, attributeSize);
	InitializeProcThreadAttributeList(attributes, 1, 0, &attributeSize);
​
	DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
	UpdateProcThreadAttribute(attributes, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &policy, sizeof(DWORD64), NULL, NULL);
	si.lpAttributeList = attributes;
​
	CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);
	HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, attributes);
​
	return 0;
}

Compiling and executing the above code will execute notepad.exe with a process mitigation policy that prevents non Microsoft binaries from getting injected into it. This can be confirmed with process hacker:

Below GIF shows the mitigation policy in action - non MS signed binaries are blocked, but a Microsoft binaries are let through:

Non Microsoft DLL being prevented from loading

It is worth mentioning that this is exactly what the blockdlls does under the hood in Cobalt Strike.

SetProcessMitigationPolicy

While playing with the first method, I stumbled upon a SetProcessMitigationPolicy API that allows us to set the mitigation policy for the calling process itself ratther than for child processes as with the first technique:

mitigationpolicy.cpp
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sp = {};
sp.MicrosoftSignedOnly = 1;
SetProcessMitigationPolicy(ProcessSignaturePolicy, &sp, sizeof(sp));

In my limited testing, using SetProcessMitigationPolicy did not prevent a well known EDR solution from injecting its DLL into my process on process creation. A quick debugging session confirmed why - the mitigation policy gets applied after the DLL has already been injected. Once the process has been initialized and is running, however, any further attempts to inject non Microsoft signed binaries will be prevented:

If you've successfully abused SetProcessMitigationPolicy, I would like to hear from you.

Detection

I am sure there are better ways (if you know, I would like to hear), but here's the idea - use a powershell's Get-ProcessMitigation cmdlet to enumerate the processes that run with MicrosoftSignedOnly mitigation set, investigate, baseline, repeat:

get-process | select -exp processname -Unique | % { Get-ProcessMitigation -ErrorAction SilentlyContinue -RunningProcesses $_ | select processname, Id, @{l="Block non-MS Binaries"; e={$_.BinarySignature|select -exp MicrosoftSignedOnly} } }

Below shows how the notepad.exe only allows MS Signed binaries to be injected into its process:

References

Previous
Bypassing IDS Signatures with Simple Reverse Shells
Next
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Last updated 1 year ago
Contents
UpdateProcThreadAttribute
SetProcessMitigationPolicy
Detection
References