Exploiting a vulnerable Minifilter Driver to create a process killer – Source: securityaffairs.com

Exploiting a vulnerable Minifilter Driver to create a process killer

A researcher demonstrated how to exploit a signed Minifilter Driver in a BYOVD attack to terminate a specific process from the kernel.

Exploiting a signed Minifilter Driver that can be used with the BYOVD attack technique to build a program able to terminate a specific process from the kernel.

Bring Your Own Vulnerable Driver (BYOVD) is a technique that uses a vulnerable driver in order to achieve a specific goal. BYOVD is often used by malware to terminate processes associated with security solutions such as an EDR. There are many examples of open-source software that (ab)use a vulnerable driver for this purpose. One of the most used drivers is the Process Explorer driver. In this case we cannot talk about a vulnerability, since it is a feature of the application to allow process termination from its UI.

BYOVD is gaining more and more attention since attackers understood that it is a better way to terminate the EDR process rather than relying on obfuscation techniques in order to evade EDR detection.

In this blog post I'll analyze a signed driver that can be used to create a program able to terminate a specific process from the kernel. The driver is quite old but nevertheless still usable. The driver hash is 023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb (probmon.sys).

Exploiting a Signed Minifilter Driver

The mentioned driver is a signed minifilter driver, part of a security solution. One of the imported functions is ZwTerminateProcess, so my goal is to check whether it is possible to call this function on an arbitrary process.

The driver starts by calling the FltRegisterFilter function in order to register the filter. Next, a communication port is created by calling FltCreateCommunicationPort. The call specifies the parameter MessageNotifyCallback, implying that a user mode application can communicate with the minifilter by using the FilterSendMessage function. This callback doesn't expose access to the ZwTerminateProcess function, but it is necessary in order to satisfy the needed preconditions.

After the creation of the communication port, the driver sets a process creation notification function by calling the function PsSetCreateProcessNotifyRoutine. The specified callback checks that the third argument of the callback, named Create, is false; if not, the function returns immediately. This implies that only process terminations are monitored by the driver. Under specific conditions, the notification callback function will call the ZwTerminateProcess function.

In order to terminate a process with the vulnerable driver, there are two preconditions that must be satisfied:

  1. The handle of the process to terminate is read from a global variable. We have to set this variable, otherwise when the driver tries to terminate a process KeBugCheckEx will be called, producing a BSOD.
  2. ZwTerminateProcess is called only if the value of the process ID calling into the minifilter is the same as the one associated with a global variable.

Set the target process handle

This requirement is satisfied by sending a message to the communication port by using the struct from Figure 1.

In this case the command_type parameter must assume value 3. This will cause ZwOpenProcess to be called by using the pid_to_kill parameter, and the result assigned to the above mentioned global variable (let's call it process_handle_to_terminate).

Enable process termination

The second precondition involves a check on a global variable (let's call it it_s_a_me; you'll understand why I chose this name in a second). The value of this variable must be the same as the process ID that is exiting (remember that the callback is monitoring for process termination). This check is performed in the PsSetCreateProcessNotifyRoutine notification callback function. As before, this can be achieved by using the struct from Figure 2.

In this case the command_type parameter must assume value 1. The data_count is used to copy the data that follows this parameter. In our case it's okay to set 1 as value (1 DWORD is copied) and to set our PID as the value of the field my_pid. In this way, our PID is written to the it_s_a_me global variable, satisfying our second precondition.

Triggering process termination

At this point we have set the handle of the process to terminate (variable process_handle_to_terminate) and we can reach the ZwTerminateProcess function thanks to the variable it_s_a_me.

When our process exits, the PsSetCreateProcessNotifyRoutine notification callback will be called, the PID check will be satisfied by verifying that the variable it_s_a_me is equal to the process ID that is exiting, triggering ZwTerminateProcess on the process_handle_to_terminate process. All this means that when our process killer program exits, the target process will be killed 🙂

Source Code

Considering the plethora of such programs available on Github, releasing yet another one shouldn't be a big problem. You can find the source code using the analyzed driver in my Github account:

https://github.com/enkomio/s4killer

Be conscious that the driver is registered by using the flag FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP, implying that the minifilter is not unloaded in response to service stop requests. In addition, the code STATUS_FLT_DO_NOT_DETACH is returned when you try to unload the driver with fltmc. In order to unload the driver you have to reboot your machine.
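Because the termination is issued from the kernel by the driver's own callback and the driver stays loaded until reboot, the most reliable defensive signal is the driver load itself. The following is an added example, not code from the post or from the s4killer project: a Python hunt over constructed Sysmon Event ID 6 (DriverLoad) records keyed on the probmon.sys SHA256 given above; the flattened key=value record layout and the sample paths and placeholder digests are assumptions.

```python
from typing import Dict, List, Optional

# SHA256 of probmon.sys as stated in the post; indicator table keyed by lower-case file name.
PROBMON_SHA256 = "023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb"
VULNERABLE_DRIVERS = {"probmon.sys": PROBMON_SHA256}

# Constructed Sysmon Event ID 6 (DriverLoad) records flattened to '|'-separated key=value
# pairs (assumed export layout, not Sysmon's native XML); 'a'/'b'/'c' digests are placeholders.
SAMPLE_EVENTS = [
    "EventID=6|UtcTime=2024-02-10 04:40:01|ImageLoaded=C:\\Windows\\System32\\drivers\\fltmgr.sys"
    "|Hashes=SHA256=" + "a" * 64 + "|Signed=true",
    "EventID=6|UtcTime=2024-02-10 04:41:12|ImageLoaded=C:\\Users\\Public\\probmon.sys"
    "|Hashes=MD5=" + "c" * 32 + ",SHA256=" + PROBMON_SHA256.upper() + "|Signed=true",
    "EventID=6|UtcTime=2024-02-10 04:42:30|ImageLoaded=C:\\Temp\\probmon.sys"
    "|Hashes=SHA256=" + "b" * 64 + "|Signed=true",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into fields; only the first '=' of each pair splits."""
    fields = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields

def sha256_of(event: Dict[str, str]) -> Optional[str]:
    """Extract the SHA256 from Sysmon's 'Hashes' field (comma-separated ALG=digest pairs)."""
    for item in event.get("Hashes", "").split(","):
        alg, _, digest = item.partition("=")
        if alg.upper() == "SHA256":
            return digest.lower()
    return None

def classify(event: Dict[str, str]) -> Optional[str]:
    """'hash-match', 'name-match-only' (known name but another hash: verify), or None."""
    if event.get("EventID") != "6":
        return None
    name = event.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    expected = VULNERABLE_DRIVERS.get(name)
    if expected is None:
        return None
    return "hash-match" if sha256_of(event) == expected else "name-match-only"

def find_vulnerable_driver_loads(lines: List[str]) -> List[Dict[str, str]]:
    """Return every DriverLoad record that hits the indicator table, with its verdict."""
    return [{"time": e["UtcTime"], "path": e["ImageLoaded"], "verdict": v}
            for e in map(parse_event, lines) if (v := classify(e))]
```

A name-match-only hit is worth a manual check rather than an automatic alert, since the same file name may belong to a patched build of the driver.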

Conclusion

The goal of this blog post was to demonstrate how malware uses the BYOVD technique in order to kill EDR processes. I analyzed a previously unknown vulnerable driver (to the best of my knowledge, of course), demonstrating how a minifilter can also be abused for such a purpose.

Bonus

I'm currently focused on the BYOVD technique used by malware to kill processes, so I haven't looked for more vulnerabilities in the driver. However, there is a nice buffer overflow in it, but I'm unsure whether it is exploitable or not 🙂

This analysis and other interesting posts are available here:

https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html

About the author:

Antonio Parata, Principal Security Researcher at CrowdStrike

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs hacking, BYOVD)



Original Post URL: https://securityaffairs.com/158926/hacking/process-killer-with-minifilter-driver.html

Category & Tags: Breaking News, Hacking, BYOVD, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News


Author: CISO2CISO Editor 2
Date: 2024-02-10 04:46:14
