Doppelgänging and Digital Forensic Analysis

Read Time: 10 Minutes

 Recently, Catalin Cimpanu released a article about a new Process Hollowing Technique named Doppelgänging.  The highlights of the article include undocumented features of the Microsoft Windows operating system, antivirus inability to scan NTFS transactions, and  "...cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows".  The article further discloses that BlackHat EU would be releasing the presentation.
So I found the powerpoint of the presentation, titled Lost in Transaction: Process Doppelgänging, which reveals the API Calls and some interesting assertions by the researchers.  You can find additional information about NTFS Transactions on Microsoft Developer Network (MSDN) shows some basic information regarding the API Calls referenced in the presentation.  The sequence of API calls according to the presentation is as follows: 

  1. Create a transaction
  2. Open a "clean" file transacted
  3. Overwrite the file with malicious code
  4. Roll back the changes to the file on disk



Applying what is known about NTFS, and the associated API Calls, the way Windows handles caching is called lazy write caching.  Effectively, the changes are stored in memory for a period of time before being committed to disk and the transactions are stored in the $LogFile.  This allows for analyst to discovery the aforementioned behavior, the malicious code in play, and timing of events.

 Another assertion made by the authors of the presentation during the Detection/Prevention section is that Forensics can check for "...WriteAccess == TRUE for the FILE_OBJECT associated with process".  This was paired with a statement that "Even advanced forensics tools such as Volatility will not detect it".  The first assertion can be found using Volatility making the second assertion wrong.  There is a module called filescan that reveals the permissions of the executive object type called "FILE_OBJECT":

Also, the module called "volshell" you can also query on FILE_OBJECTS of interest to see their full meta data:

Based on the information available it would seem that a careful analyst can find this technique in play using a blend of Memory Forensics and possibly Disk Forensics.  

 Please leave comments below and I look forward to sharing more experiences that I have on the daily with my readership.


References


  1. Catalin Cimpanu Author of "Process Doppelganging attacks works on all windows versions"  https://www.bleepingcomputer.com/author/catalin-cimpanu/
  2. "Process Doppelganging attacks works on all windows versions" Article https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/
  3. enSilo "Lost In Transaction Process Doppelganging"  https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
  4. MSDN "Transactional NTFS" https://msdn.microsoft.com/en-us/library/windows/desktop/aa964931(v=vs.85).aspx
  5. MSDN "File Caching" https://msdn.microsoft.com/en-us/library/windows/desktop/aa364218(v=vs.85).aspx
  6. Brain Carrier "File System Forensic Analysis" https://www.pearson.com/us/higher-education/program/Carrier-File-System-Forensic-Analysis/PGM270599.html
  7. Volatility Framework Wiki https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#filescan

Comments

Post a Comment

Popular posts from this blog

Digital Forensics Applied to Kubernetes - Enhancing Intruder Dilemma Part III

Image
   Read Time: 5 Minutes Continuing sharing my research that started last year I am releasing my slide deck for " Digital Forensics Applied to K8S " and the presentations of this can be found here . I plan to continue to release content that addresses forensic analysis of containerization related technology and eventually relating that back to full CI/CD forensic analysis.  The release list as of now looks like this: Docker Forensics* Malicious Container Analysis* K8S Forensics* SAAS Containerization Forensics CI/CD Forensics Stay tuned for more content and leave your suggestions below!
Read more

Digital Forensics Applied to Containers - Enhancing Intruder Dilemma Part 1

Image
  Read Time: 5 Minutes In 2020, I worked on several efforts that ranged from Malware targeting Mac OS X to Cloud Forensics.  For the remainder of 2021 I will be releasing the results of my research and I am leading with the release of my efforts on containerization forensics which is imbodied in my talk "Digital Forensics Applied to Containers: Enhancing Intruder Dilemma".  See a video of the original presentation at dc706 , most recent presentation at issacolga , the latest presentation slides , and a docker forensic cheatsheet .   Stay tuned for more content and leave your suggestions below!
Read more

Reverse Engineering Methodology Applied to Containers - Enhancing Intruder Dilemma Part II

Image
  Read Time: 5 Minutes Continuing sharing my research that started last year I am releasing my slide deck for " REM(Containers) - The real Xanthe ".  I just presented on this and plan to continue to release content that addresses forensic analysis of containerization related technology and eventually relating that back to full CI/CD analysis.  The release list as of now looks like this: Docker Forensics* Malicious Container Analysis* K8S Forensics SAAS Containerization Forensics CI/CD Forensics Stay tuned for more content and leave your suggestions below!
Read more