...under their cover
• Examples of the techniques:
  • Process Hollowing (RunPE)
  • Reflective DLL injection
  • Manual PE loading (various variants)
  • Process Doppelgänging
  • Combinations of multiple techniques (e.g. Transacted Hollowing)
...to evade it by finding uncommon APIs that can be used to perform the injection. Some newer examples:
• AtomBombing technique
• Process Doppelgänging
• What if some unknown API was used for the injection?
...that allow detecting some indicators, e.g. GMER (rootkits/hooking), RunPE detector
• They don't help in collecting material for analysis
• Some of them detect only the most popular variants of the implants, so they are not robust enough to analyze new types of malware
• Focus: speed and simplicity of use
• Passive scan, not hooking any APIs
• Can be used post-infection
• Generates material ready to be analyzed: not only detection, but precise details
• Free & open source:
  • https://github.com/hasherezade/pe-sieve
  • https://github.com/hasherezade/hollows_hunter
...PE files
• Replaced processes: e.g. Process Hollowing, Process Doppelgänging
• Manually loaded PE files (Reflective DLL Injection and others)
• Shellcodes
...code overwritten in memory, by comparing it with the executable on disk
• No impersonation technique is perfect: they all leave some suspicious artefacts
...the PE from the disk that corresponds to the module within the process
• Detect all the sections containing code
• Transform both sections into the same format (relocate to the same base, remove the IAT, etc.)
• Compare
...from the disk that corresponds to the module within the process
• Are their headers matching?
• When does it work?
  • For all the techniques that rely on connecting the implanted PE to the PEB, in order to have imports automatically resolved
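The section comparison described in the two slides above, as an added example that is not PE-sieve's own code: the disk copy of a code section is relocated to the base the module actually got in memory, the IAT cells (which hold name RVAs on disk but resolved addresses in memory) are blanked on both sides, and only then are the two buffers diffed. Everything here is constructed: the section layout, the relocation RVAs, the base addresses and the assumption that the IAT lives inside the compared section are illustrative, and only 32-bit HIGHLOW relocations are modelled.

```python
import struct

# Constructed layout: a single code section at RVA 0x1000, 36 bytes long.
SECTION_RVA = 0x1000
PREFERRED_BASE = 0x00400000   # ImageBase from the optional header (constructed)
ACTUAL_BASE = 0x7FF00000      # where the loader actually mapped it (constructed)
DELTA = ACTUAL_BASE - PREFERRED_BASE

# Offsets of 32-bit absolute addresses patched by the loader (HIGHLOW relocations)
RELOCS = [SECTION_RVA + 0x1, SECTION_RVA + 0x7]
# The IAT cell is assumed to sit at RVA 0x1020 (4 bytes) inside this section
IAT_RANGES = [(SECTION_RVA + 0x20, 4)]

# Disk bytes: mov eax,[0x00403010] ; call [0x00401020] ; ret ; padding ; IAT cell (name RVA)
DISK_SECTION = (
    bytes([0xA1, 0x10, 0x30, 0x40, 0x00,
           0xFF, 0x15, 0x20, 0x10, 0x40, 0x00,
           0xC3])
    + b"\x00" * (0x20 - 12)
    + struct.pack("<I", 0x3080)
)


def apply_relocations(section, section_rva, relocs, delta):
    """Do what the loader does: add delta to every relocated dword in the section."""
    buf = bytearray(section)
    for rva in relocs:
        off = rva - section_rva
        if 0 <= off <= len(buf) - 4:
            val = struct.unpack_from("<I", buf, off)[0]
            struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)


def blank_ranges(data, section_rva, ranges):
    """Zero the byte ranges (given as (rva, size)) that legitimately differ, e.g. IAT cells."""
    buf = bytearray(data)
    for start_rva, size in ranges:
        off = start_rva - section_rva
        lo, hi = max(off, 0), min(off + size, len(buf))
        if lo < hi:
            buf[lo:hi] = b"\x00" * (hi - lo)
    return bytes(buf)


def diff_ranges(a, b):
    """Return [(offset, length)] of contiguous ranges where the two buffers differ."""
    out, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            out.append((start, i - start))
            start = None
    if start is not None:
        out.append((start, len(a) - start))
    return out


def compare_code_section(disk_section, mem_section, section_rva, relocs, iat_ranges, delta):
    """Normalise both copies (same base, IAT removed) and report what was patched in memory."""
    disk_norm = blank_ranges(apply_relocations(disk_section, section_rva, relocs, delta),
                             section_rva, iat_ranges)
    mem_norm = blank_ranges(mem_section, section_rva, iat_ranges)
    return diff_ranges(disk_norm, mem_norm)


def clean_memory_image():
    """Constructed in-memory copy of a legitimately loaded section: relocated, IAT resolved."""
    mem = bytearray(apply_relocations(DISK_SECTION, SECTION_RVA, RELOCS, DELTA))
    struct.pack_into("<I", mem, 0x20, 0x77AA1234)  # resolved import address (constructed)
    return bytes(mem)


def hooked_memory_image():
    """Same image with an inline 5-byte jmp written over the function entry (constructed)."""
    mem = bytearray(clean_memory_image())
    mem[0:5] = b"\xE9\x11\x22\x33\x44"
    return bytes(mem)


def scan_clean():
    return compare_code_section(DISK_SECTION, clean_memory_image(), SECTION_RVA, RELOCS, IAT_RANGES, DELTA)


def scan_hooked():
    return compare_code_section(DISK_SECTION, hooked_memory_image(), SECTION_RVA, RELOCS, IAT_RANGES, DELTA)


if __name__ == "__main__":
    print("clean module, patches:", scan_clean())
    print("hooked module, patches:", scan_hooked())
```

Without the normalisation step, the clean module would already show three differing ranges (the two relocated operands and the IAT cell), which is exactly the noise a naive disk-versus-memory diff produces; after normalisation only the inline jmp at offset 0 remains.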
• Search executable memory pages that are not a part of any module
• Suspicious mapping type? Other indicators?
• Are they part of a PE file? Detection of PE headers / artefacts
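The memory scan described above, as an added example that is not PE-sieve's own code: walk a list of memory regions (as VirtualQueryEx would report them), keep the executable ones that fall outside every loaded module, note the mapping type, and classify each by whether it carries a PE header, a PE artefact with the DOS header wiped, or no PE structure at all. The protection and memory-type constants are the real Windows values; the regions, module list and page contents are constructed, and the "artefact" heuristic (a `PE\0\0` signature followed by a known machine type somewhere in the first page) is this example's own assumption.

```python
import struct

# Windows memory protection flags (real values)
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PAGE_READWRITE = 0x04
# Windows memory types (real values)
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

KNOWN_MACHINES = {0x014C, 0x8664}  # IMAGE_FILE_MACHINE_I386 / AMD64


def in_any_module(base, modules):
    return any(mbase <= base < mbase + msize for mbase, msize in modules)


def has_pe_header(page):
    """Full header still present: 'MZ', valid e_lfanew, 'PE\\0\\0' at that offset."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    return e_lfanew + 6 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_pe_artefact(page):
    """Heuristic (assumption): DOS header wiped, but an NT signature with a plausible
    machine field survives somewhere in the first page."""
    pos = page.find(b"PE\x00\x00")
    while pos != -1:
        if pos + 6 <= len(page) and struct.unpack_from("<H", page, pos + 4)[0] in KNOWN_MACHINES:
            return True
        pos = page.find(b"PE\x00\x00", pos + 1)
    return False


def classify(page):
    if has_pe_header(page):
        return "pe_header"
    if has_pe_artefact(page):
        return "pe_artefact"
    return "exec_no_pe"


def scan_regions(regions, modules):
    """Return (base, mem_type, verdict) for every executable region outside all modules."""
    findings = []
    for r in regions:
        if not (r["protect"] & EXEC_MASK) or in_any_module(r["base"], modules):
            continue
        findings.append((r["base"], r["type"], classify(r["data"])))
    return findings


# --- constructed sample memory map ---------------------------------------
def minimal_pe_header():
    # 'MZ', e_lfanew = 0x80 at offset 0x3C, NT signature + machine at 0x80
    return (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x80)
            + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + struct.pack("<H", 0x8664))


MODULES = [(0x77000000, 0x100000)]  # one loaded module, as listed in the PEB (constructed)

REGIONS = [
    # inside a module: legitimately executable, skipped
    {"base": 0x77001000, "size": 0x1000, "protect": PAGE_EXECUTE_READ, "type": MEM_IMAGE,
     "data": b"\x00" * 0x1000},
    # private RWX memory holding a manually loaded PE (full header present)
    {"base": 0x00200000, "size": 0x1000, "protect": PAGE_EXECUTE_READWRITE, "type": MEM_PRIVATE,
     "data": minimal_pe_header().ljust(0x1000, b"\x00")},
    # private RX memory with no PE structure at all
    {"base": 0x00300000, "size": 0x1000, "protect": PAGE_EXECUTE_READ, "type": MEM_PRIVATE,
     "data": b"\xCC" * 0x1000},
    # writable but not executable: not in scope of this scan
    {"base": 0x00400000, "size": 0x1000, "protect": PAGE_READWRITE, "type": MEM_PRIVATE,
     "data": b"\x00" * 0x1000},
    # mapped executable memory, DOS header wiped but NT signature still there
    {"base": 0x00500000, "size": 0x1000, "protect": PAGE_EXECUTE_READ, "type": MEM_MAPPED,
     "data": (b"\x00" * 0x80 + b"PE\x00\x00" + struct.pack("<H", 0x014C)).ljust(0x1000, b"\x00")},
]


def sample_scan():
    return scan_regions(REGIONS, MODULES)


if __name__ == "__main__":
    for base, mem_type, verdict in sample_scan():
        print(f"{base:#010x} type={mem_type:#x} -> {verdict}")
```

The mapping type is part of the output on purpose: executable memory that is MEM_PRIVATE or MEM_MAPPED rather than MEM_IMAGE, and is not covered by any PEB-listed module, is itself an indicator, and the PE-header check then tells the analyst whether there is a whole image worth dumping or a bare code blob.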