In-Memory Injection, also known as PE Injection, is a popular technique used to bypass antivirus products on Windows machines. Instead of obfuscating a malicious binary, creating new sections, or changing existing permissions, this technique focuses on manipulating volatile memory. One of the main advantages of this technique is that it does not write any files to disk, which is the area most antivirus products focus on.
There are several evasion techniques that do not write files to disk. We will briefly explain some of them, but will only cover in-memory injection using PowerShell in detail, since the other techniques require experience in low-level programming languages such as C/C++, which is beyond the scope of this Module.
The first technique we will look at is Remote Process Memory Injection, which attempts to inject a payload into another valid, non-malicious PE. The most common way to do this is by using a set of Windows APIs. First, we use the OpenProcess function to obtain a valid HANDLE to a target process we have permission to access. After obtaining the HANDLE, we allocate memory in the context of that process by calling a Windows API such as VirtualAllocEx. Once memory has been allocated in the remote process, we copy the malicious payload into the newly allocated memory using WriteProcessMemory. After the payload has been copied successfully, it is usually executed in memory in a separate thread using the CreateRemoteThread API.
This may sound complicated, but in the next example we will use a similar technique in which PowerShell does the heavy lifting, performing a similar but simplified attack that targets the local powershell.exe instance.
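From the defender's side, the OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain described above is exactly what endpoint detection rules look for. The following is an added example, not code from this Module: it runs that ordered-sequence check over constructed, hypothetical API-call telemetry (timestamp, source PID, image, API, target PID) and flags a source process that completes the whole chain against a different process within a time window.

```python
"""Detect the remote process injection API chain in constructed telemetry."""
from collections import defaultdict
from datetime import datetime

# The ordered chain described in the text; each call must follow the previous one.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Constructed sample telemetry (hypothetical format): ts, source pid, image, api, target pid.
# Lines 1-4 are a full chain; svchost only reads memory; debugger.exe is far too slow.
SAMPLE_EVENTS = """\
2019-05-01T10:00:00 4120 powershell.exe OpenProcess 2288
2019-05-01T10:00:00 4120 powershell.exe VirtualAllocEx 2288
2019-05-01T10:00:01 4120 powershell.exe WriteProcessMemory 2288
2019-05-01T10:00:01 4120 powershell.exe CreateRemoteThread 2288
2019-05-01T10:05:00 900 svchost.exe OpenProcess 1200
2019-05-01T10:05:00 900 svchost.exe ReadProcessMemory 1200
2019-05-01T10:07:00 3300 debugger.exe OpenProcess 3500
2019-05-01T10:07:00 3300 debugger.exe VirtualAllocEx 3500
2019-05-01T11:30:00 3300 debugger.exe WriteProcessMemory 3500
2019-05-01T11:30:00 3300 debugger.exe CreateRemoteThread 3500
"""

def parse_events(text):
    """Parse one event per line into (datetime, source_pid, image, api, target_pid)."""
    events = []
    for line in text.splitlines():
        ts, pid, image, api, target = line.split()
        events.append((datetime.fromisoformat(ts), int(pid), image, api, int(target)))
    return events

def find_injection_chains(events, window_seconds=60):
    """Return (source_pid, image, target_pid) for each cross-process chain completed
    in order within window_seconds of its OpenProcess call."""
    progress = defaultdict(lambda: [0, None])  # (pid, target) -> [next step, chain start]
    hits = []
    # Stable sort by timestamp keeps the logged order for calls in the same second.
    for ts, pid, image, api, target in sorted(events, key=lambda e: e[0]):
        if pid == target:
            continue  # self-injection (the PowerShell case) needs a separate rule
        state = progress[(pid, target)]
        if api == INJECTION_CHAIN[0]:
            state[:] = [1, ts]  # a new handle (re)starts the chain
        elif state[0] and api == INJECTION_CHAIN[state[0]]:
            if (ts - state[1]).total_seconds() > window_seconds:
                state[:] = [0, None]  # too slow to be one injection: discard
                continue
            state[0] += 1
            if state[0] == len(INJECTION_CHAIN):
                hits.append((pid, image, target))
                state[:] = [0, None]
    return hits
```

Real telemetry (Sysmon, ETW or an EDR) also exposes the allocation protection and the thread start address, which are the next fields to add to this rule; legitimate debuggers and some installers will still match, so treat the output as a lead to triage rather than a verdict.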
Unlike regular DLL injection, which involves loading a malicious DLL from disk using the LoadLibrary API, the Reflective DLL Injection technique attempts to load a DLL that the attacker has stored in process memory.
The main challenge in implementing this technique is that LoadLibrary does not support loading a DLL from memory. Furthermore, the Windows operating system does not provide any API that can do this. Attackers who choose this technique must write their own version of the API that does not rely on a disk-based DLL.
The third technique we want to mention is Process Hollowing. When using process hollowing to bypass antivirus software, attackers first launch a non-malicious process in a suspended state. Once launched, the process's image is removed from memory and replaced with a malicious executable image. Finally, the process is resumed and the malicious code is executed instead of the legitimate process.
Finally, Inline hooking, as the name suggests, involves modifying memory and introducing a hook (an instruction that redirects code execution) into a function so that it points to our malicious code. Once our malicious code has executed, flow returns to the modified function and execution continues as if only the original code had run.
Hooking is a technique commonly used by rootkits, a more covert type of malware. Rootkits aim to give the malware author dedicated and persistent access to the target system by modifying system components in user space, the kernel, or even the lower protection rings of the OS (such as boot or hypervisor). Since rootkits require administrative privileges to implant their hooks, they are often installed from an elevated shell or by exploiting a privilege-escalation vulnerability.