Process Hollowing Meets Cuckoo Sandbox
Wednesday, February 4, 2015
Growing up I loved to watch horror movies. In hindsight, they scared the crap out of me probably because I was too young to watch them. One such movie was the 1986 movie Night of the Creeps. Alien slugs enter through peoples' mouths and eventually take over their bodies. A classic body snatchers style movie that had me worried for few days when talking to close to people. Process hollowing (aka process replacement) is a technique malware uses to overwrite a running process with a malicious code. To me it's the technical equivalent of those alien body snatchers. This post explores process hollowing techniques using the Cuckoo Sandbox.
In my post Prefetch File Meet Process Hollowing I walked through what process hollowing was but for completeness I’ll copied what I wrote below:
Malware uses various techniques to covertly execute code on systems. One such technique is process hollowing, which is also known as process replacement.
The book Practical Malware Analysis states the following in regards to this technique:
"Process replacement is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.
Key to process replacement is creating a process in a suspended state. This means that the process will be loaded into memory, but the primary thread of the process is suspended. The program will not do anything until an external program resumes the primary thread, causing the program to start running"
In addition, the book The Art of Memory Forensics states the following:
"A malicious process starts a new instance of a legitimate process (such as lsass.exe) in suspended mode. Before resuming it, the executable section( s) are freed and reallocated with malicious code."
In essence, process hollowing is when a process is started in the suspended state, code is injected into the process to overwrite the original data, and when the process is resumed the injected code is executed. Everything about the process initial appears to reflect the original process. Similar to how everything about the person initially appears to be the original person. Upon closer inspection it reveals that everything is not what it seems. The process behaves differently (such as network communications) and the code inside the process is not the original code. This is very similar to the person behaving differently (such as trying to eat you) and the biological material inside the person is not the original biological material.
Through observation, the characters in the In the Night of the Creeps figured out how people’s bodies were snatched. Slugs went from one person’s mouth to another person’s mouth. After observing this method the characters put tape over their mouths and were able to fight the zombies without becoming one themselves. By knowing what technique was used to snatch a body enabled the characters to defend themselves. The same can be said about process hollowing and knowing how the technique looks enables you to spot the zombified processes. One of the more publicize techniques was described in the Practical Malware Analysis book (lab 12-2 solution on page 590) as well as Trustwave SpiderLabs’s article Analyzing Malware Hollow Processes. The sequence of Windows functions, their descriptions, and how they appear during dynamic analysis of the Profoma Invoice.exe sample (md5 ab30c5c81a9b3509d77d83a5d18091de) with the Cuckoo sandbox is as follows:
- CreateProcessA: creates a new process and the process creation flag 0x00000004 is used to create the process in the suspended state
- GetThreadContext: retrieves the context of the specified thread for the suspended process
- ReadProcessMemory: reads the image base of the suspended process
- GetProcAddress: according to Practical Malware Analysis this function “manually resolves the import UnMapViewofSection using GetProcAddress, the ImageBaseAddress is a parameter of UnMapViewofSection”. This removes the suspended process from memory.
- VirtualAllocEx: allocates memory within the suspended process’s address space
- WriteProcessMemory: writes data of the PE file into the memory just allocated within the suspended process
- SetThreadContext: according to Practical Malware Analysis this function sets the EAX register to the entry point of the executable just written into the suspended process’s memory space. This means the thread of the suspended process is pointing to the injected code so it will execute when the process is resumed
- ResumeThread: resumes the thread of the suspended process executing the injected code
Cuckoo Sandbox is an open source automated malware analysis system. In their own words "it simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment." Malwr is a free online malware analysis service that leverages the Cuckoo Sandbox. The Behavioral Analysis section outlines the function calls made during execution. The pictures below show the Profoma Invoice.exe sample’s (md5 ab30c5c81a9b3509d77d83a5d18091de) function calls that perform process hollowing.
The image below shows Profoma Invoice.exe creating a process in the suspended state. The suspended process’ handle is 0x00000088 and thread handle is 0x0000008c.
The next image shows Profoma Invoice.exe retrieving the context of the suspended process since it references the thread handle 0x0000008c.
The image below shows Profoma Invoice.exe reading the image base of the suspended process since it references the process handle 0x00000088.
The image below shows Profoma Invoice.exe getting the addresses of the UnMapViewofSection and VirtualAllocEx function calls.
The images below show Profoma Invoice.exe writing a PE file into the address space of the suspended process since it references the process handle 0x00000088. It takes multiple WriteProcessMemory function calls to write the entire PE file.
The image below shows Profoma Invoice.exe setting the thread context for the suspended process since it references the thread handle 0x0000008c.
The image below shows Profoma Invoice.exe resuming the suspended thread to execute the injected code.
Cuckoo Sandbox detects malware functionality using signatures. The image below shows Malwr detecting the common process hollowing technique used by Profoma Invoice.exe (md5 ab30c5c81a9b3509d77d83a5d18091de).
The signature detecting process hollowing reports it as “executed a process and injected code into it, probably while unpacking.” The signature detecting the technique is named injection_runpe.py and is available in the Community Signatures. The signature is open allowing anyone to read it to see how it detects this behavior. However, the image below shows a portion of the signature that detects the sequence of function calls outlined earlier to perform process hollowing.
The process hollowing technique outlined above is well publicized and is the technique I normally expected to see. It was as if I had tape on my mouth waiting for a zombified friend to come strolling down the street. There are more than one ways to perform an action similar to there being more than one way to snatch a body. In the 1998 movie The Faculty an unknown creature snatched bodies by entering the body through the ear. Now imagine what would had happened to the characters from the Night of the Creeps movie encountering these body snatchers. The zombified bodies are harder to spot since they don’t look like zombies. Trying to defend themselves with tape on their mouths and baseball bats in hand would be short lived. The tape offers no protection since the creatures enter through the ear. It’s a different technique with the same result. Process hollowing is similar with different techniques ending with the same result.
I was a bit surprised back in December when I saw the behavior in the image below after I ran the sample Kroger_OrderID.exe (md5 1de7834ba959e734ad701dc18ef0edfc) through a sandbox.
The behavior clearly shows that Kroger_OrderID.exe is going to perform process hollowing since it started the svchost.exe process in a suspended state (creation flag 0x00000004.) However, the function calls afterwards are not the typical well publicized ones; this was a different technique. After a bit of searching I found the Lexsi article Overview of the Kronos banking malware rootkit, which breaks down how this technique works. (the article also shows how to use Volatility to analyze this as well.) I summarized below the Windows function sequence and their descriptions as outlined in the article:
- CreateProcessA: creates a new process and the process creation flag 0x00000004 is used to create the process in the suspended state
- ReadProcessMemory: reads image base of the suspended process
- NtCreateSection: creates two read/write/execute sections
- ZwMapViewOfSection: maps the read/write/execute sections into the malware’s address space
- ZwMapViewOfSection: maps the second section into the suspended process’s address space (this section is therefore shared between both processes).
- ReadProcessMemory: reads image base of the suspended process’s image into section 1
- ReadProcessMemory: reads image base of the malware’s image into section 2
- NtMapViewOfSection: overwrites the suspended process's entry point code by mapping section 1 to the new process base address
- ResumeThread: resumes the thread of the suspended process executing the injected code
The Behavioral Analysis section outlines the function calls made during execution. The pictures below show the sample Kroger_OrderID.exe (md5 1de7834ba959e734ad701dc18ef0edfc) function calls performing the different process hollowing technique.
The image below shows the first three function calls. The sample Kroger_OrderID.exe creates a suspended process with the thread handle 0x00000608 and process handle 0x00000604. Next the ReadProcessMemory function reads the image base of the suspended process due to the reference to process handle 0x00000604. The NtCreateSection function then creates the second read/write/execute section with the section handle 0x000005f8.
The image below shows the next three function calls. The ZwMapViewOfSection function maps the read/write/execute sections into the malware’s address space due to the section handle 0x000005f8 being referenced. The next ZwMapViewOfSection maps the second section into the suspended process’s address space due to both the section handle 0x000005f8 and process handle 0x00000604 both being referenced. Then the ReadProcessMemory function reads malware’s image into the section. Not shown in the image is the ReadProcessMemory function referencing the process handle 0x00000604.
The image below shows the remaining four functions. The NtCreateSection function then creates the first read/write/execute section with the section handle 0x000005f4. The ZwMapViewOfSection functions maps the read/write/execute sections between the malware and suspended process due to section handle 0x000005f4 and process handle 0x00000604 both being referenced. This mapping overwrites the entry point code in the suspended process. Finally, the ResumeThread function resumes the thread of the suspended process executing the injected code.
**** Updated on 02/04/15 *****
This section of the blog has been edited since it was published earlier today. In the original blog post I highlighted how the injection_run.py signature did not detect this injection technique and I shared a signature I put together to detect it.
Brad Spengler sent me an email about what I was seeing. He mentioned that a change did not make it into the updated injection_run.py signature. Specifically, he mentioned the plugin is looking for NtMapViewOfSection which he uses in his Cuckoo Sandbox instead of looking for the older ZwMapViewOfSection. I modified the injection_run.py signature by renaming NtMapViewOfSection to ZwMapViewOfSection (on lines 45 and 51) and afterwards it did detect this technique. As a result, I updated this section of the blog to reflect this since this post’s purpose was to explore different injection techniques and how Cuckoo can help explore them.
**** Updated on 02/04/15 *****
Cuckoo Sandbox is able to detect this different process hollowing technique (see update about change made to the injection_runpe.py signature.) Executing the sample Kroger_OrderID.exe (md5 1de7834ba959e734ad701dc18ef0edfc) in Cuckoo results in the following behavior detection.
We don’t need to sit at our computers wearing headphones and tape on our mouths to hunt down zombified processes within our environments. Process hollowing is an interesting technique and it constantly reminds me about the various body snatcher horror movies I’ve seen. Leveraging the Cuckoo Sandbox makes exploring the various process hollowing techniques even more interesting since it allows for following the sequence of Windows function calls.
Happy hunting and if you come across any zombies in your travels don’t take any chances and just follow the rule from the movie Zombieland. Rule 2 Double Tap: when in doubt, don't get stingy with your bullets.
Process Hollowing (aka Process Replacement)
In my post Prefetch File Meet Process Hollowing I walked through what process hollowing was but for completeness I’ll copied what I wrote below:
Malware uses various techniques to covertly execute code on systems. One such technique is process hollowing, which is also known as process replacement.
The book Practical Malware Analysis states the following in regards to this technique:
"Process replacement is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.
Key to process replacement is creating a process in a suspended state. This means that the process will be loaded into memory, but the primary thread of the process is suspended. The program will not do anything until an external program resumes the primary thread, causing the program to start running"
In addition, the book The Art of Memory Forensics states the following:
"A malicious process starts a new instance of a legitimate process (such as lsass.exe) in suspended mode. Before resuming it, the executable section( s) are freed and reallocated with malicious code."
In essence, process hollowing is when a process is started in the suspended state, code is injected into the process to overwrite the original data, and when the process is resumed the injected code is executed. Everything about the process initial appears to reflect the original process. Similar to how everything about the person initially appears to be the original person. Upon closer inspection it reveals that everything is not what it seems. The process behaves differently (such as network communications) and the code inside the process is not the original code. This is very similar to the person behaving differently (such as trying to eat you) and the biological material inside the person is not the original biological material.
A Common Process Hollowing Technique
Through observation, the characters in the In the Night of the Creeps figured out how people’s bodies were snatched. Slugs went from one person’s mouth to another person’s mouth. After observing this method the characters put tape over their mouths and were able to fight the zombies without becoming one themselves. By knowing what technique was used to snatch a body enabled the characters to defend themselves. The same can be said about process hollowing and knowing how the technique looks enables you to spot the zombified processes. One of the more publicize techniques was described in the Practical Malware Analysis book (lab 12-2 solution on page 590) as well as Trustwave SpiderLabs’s article Analyzing Malware Hollow Processes. The sequence of Windows functions, their descriptions, and how they appear during dynamic analysis of the Profoma Invoice.exe sample (md5 ab30c5c81a9b3509d77d83a5d18091de) with the Cuckoo sandbox is as follows:
- CreateProcessA: creates a new process and the process creation flag 0x00000004 is used to create the process in the suspended state
- GetThreadContext: retrieves the context of the specified thread for the suspended process
- ReadProcessMemory: reads the image base of the suspended process
- GetProcAddress: according to Practical Malware Analysis this function “manually resolves the import UnMapViewofSection using GetProcAddress, the ImageBaseAddress is a parameter of UnMapViewofSection”. This removes the suspended process from memory.
- VirtualAllocEx: allocates memory within the suspended process’s address space
- WriteProcessMemory: writes data of the PE file into the memory just allocated within the suspended process
- SetThreadContext: according to Practical Malware Analysis this function sets the EAX register to the entry point of the executable just written into the suspended process’s memory space. This means the thread of the suspended process is pointing to the injected code so it will execute when the process is resumed
- ResumeThread: resumes the thread of the suspended process executing the injected code
Cuckoo Sandbox Showing the Common Process Hollowing Technique
Cuckoo Sandbox is an open source automated malware analysis system. In their own words "it simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment." Malwr is a free online malware analysis service that leverages the Cuckoo Sandbox. The Behavioral Analysis section outlines the function calls made during execution. The pictures below show the Profoma Invoice.exe sample’s (md5 ab30c5c81a9b3509d77d83a5d18091de) function calls that perform process hollowing.
The image below shows Profoma Invoice.exe creating a process in the suspended state. The suspended process’ handle is 0x00000088 and thread handle is 0x0000008c.
The next image shows Profoma Invoice.exe retrieving the context of the suspended process since it references the thread handle 0x0000008c.
The image below shows Profoma Invoice.exe reading the image base of the suspended process since it references the process handle 0x00000088.
The image below shows Profoma Invoice.exe getting the addresses of the UnMapViewofSection and VirtualAllocEx function calls.
The images below show Profoma Invoice.exe writing a PE file into the address space of the suspended process since it references the process handle 0x00000088. It takes multiple WriteProcessMemory function calls to write the entire PE file.
The image below shows Profoma Invoice.exe setting the thread context for the suspended process since it references the thread handle 0x0000008c.
The image below shows Profoma Invoice.exe resuming the suspended thread to execute the injected code.
Cuckoo Sandbox Detecting the Common Process Hollowing Technique
Cuckoo Sandbox detects malware functionality using signatures. The image below shows Malwr detecting the common process hollowing technique used by Profoma Invoice.exe (md5 ab30c5c81a9b3509d77d83a5d18091de).
The signature detecting process hollowing reports it as “executed a process and injected code into it, probably while unpacking.” The signature detecting the technique is named injection_runpe.py and is available in the Community Signatures. The signature is open allowing anyone to read it to see how it detects this behavior. However, the image below shows a portion of the signature that detects the sequence of function calls outlined earlier to perform process hollowing.
A Different Process Hollowing Technique
The process hollowing technique outlined above is well publicized and is the technique I normally expected to see. It was as if I had tape on my mouth waiting for a zombified friend to come strolling down the street. There are more than one ways to perform an action similar to there being more than one way to snatch a body. In the 1998 movie The Faculty an unknown creature snatched bodies by entering the body through the ear. Now imagine what would had happened to the characters from the Night of the Creeps movie encountering these body snatchers. The zombified bodies are harder to spot since they don’t look like zombies. Trying to defend themselves with tape on their mouths and baseball bats in hand would be short lived. The tape offers no protection since the creatures enter through the ear. It’s a different technique with the same result. Process hollowing is similar with different techniques ending with the same result.
I was a bit surprised back in December when I saw the behavior in the image below after I ran the sample Kroger_OrderID.exe (md5 1de7834ba959e734ad701dc18ef0edfc) through a sandbox.
The behavior clearly shows that Kroger_OrderID.exe is going to perform process hollowing since it started the svchost.exe process in a suspended state (creation flag 0x00000004.) However, the function calls afterwards are not the typical well publicized ones; this was a different technique. After a bit of searching I found the Lexsi article Overview of the Kronos banking malware rootkit, which breaks down how this technique works. (the article also shows how to use Volatility to analyze this as well.) I summarized below the Windows function sequence and their descriptions as outlined in the article:
- CreateProcessA: creates a new process and the process creation flag 0x00000004 is used to create the process in the suspended state
- ReadProcessMemory: reads image base of the suspended process
- NtCreateSection: creates two read/write/execute sections
- ZwMapViewOfSection: maps the read/write/execute sections into the malware’s address space
- ZwMapViewOfSection: maps the second section into the suspended process’s address space (this section is therefore shared between both processes).
- ReadProcessMemory: reads image base of the suspended process’s image into section 1
- ReadProcessMemory: reads image base of the malware’s image into section 2
- NtMapViewOfSection: overwrites the suspended process's entry point code by mapping section 1 to the new process base address
- ResumeThread: resumes the thread of the suspended process executing the injected code
Cuckoo Sandbox Showing the Different Process Hollowing Technique
The Behavioral Analysis section outlines the function calls made during execution. The pictures below show the sample Kroger_OrderID.exe (md5 1de7834ba959e734ad701dc18ef0edfc) function calls performing the different process hollowing technique.
The image below shows the first three function calls. The sample Kroger_OrderID.exe creates a suspended process with the thread handle 0x00000608 and process handle 0x00000604. Next the ReadProcessMemory function reads the image base of the suspended process due to the reference to process handle 0x00000604. The NtCreateSection function then creates the second read/write/execute section with the section handle 0x000005f8.
The image below shows the next three function calls. The ZwMapViewOfSection function maps the read/write/execute sections into the malware’s address space due to the section handle 0x000005f8 being referenced. The next ZwMapViewOfSection maps the second section into the suspended process’s address space due to both the section handle 0x000005f8 and process handle 0x00000604 both being referenced. Then the ReadProcessMemory function reads malware’s image into the section. Not shown in the image is the ReadProcessMemory function referencing the process handle 0x00000604.
The image below shows the remaining four functions. The NtCreateSection function then creates the first read/write/execute section with the section handle 0x000005f4. The ZwMapViewOfSection functions maps the read/write/execute sections between the malware and suspended process due to section handle 0x000005f4 and process handle 0x00000604 both being referenced. This mapping overwrites the entry point code in the suspended process. Finally, the ResumeThread function resumes the thread of the suspended process executing the injected code.
Cuckoo Sandbox Detecting the Different Process Hollowing Technique
**** Updated on 02/04/15 *****
This section of the blog has been edited since it was published earlier today. In the original blog post I highlighted how the injection_run.py signature did not detect this injection technique and I shared a signature I put together to detect it.
Brad Spengler sent me an email about what I was seeing. He mentioned that a change did not make it into the updated injection_run.py signature. Specifically, he mentioned the plugin is looking for NtMapViewOfSection which he uses in his Cuckoo Sandbox instead of looking for the older ZwMapViewOfSection. I modified the injection_run.py signature by renaming NtMapViewOfSection to ZwMapViewOfSection (on lines 45 and 51) and afterwards it did detect this technique. As a result, I updated this section of the blog to reflect this since this post’s purpose was to explore different injection techniques and how Cuckoo can help explore them.
**** Updated on 02/04/15 *****
Cuckoo Sandbox is able to detect this different process hollowing technique (see update about change made to the injection_runpe.py signature.) Executing the sample Kroger_OrderID.exe (md5 1de7834ba959e734ad701dc18ef0edfc) in Cuckoo results in the following behavior detection.
Wrapping Things Up
We don’t need to sit at our computers wearing headphones and tape on our mouths to hunt down zombified processes within our environments. Process hollowing is an interesting technique and it constantly reminds me about the various body snatcher horror movies I’ve seen. Leveraging the Cuckoo Sandbox makes exploring the various process hollowing techniques even more interesting since it allows for following the sequence of Windows function calls.
Happy hunting and if you come across any zombies in your travels don’t take any chances and just follow the rule from the movie Zombieland. Rule 2 Double Tap: when in doubt, don't get stingy with your bullets.
Labels:
Cuckoo,
malware,
malware analysis,
process hollowing
Very interesting. thank you.
You had me at 'Night of the Creeps'.
Another great post. Thanks!