Is PEB based Masquerading effective for defenders?

morimolymoly
2 min read · Jan 28, 2025


Hi! I am morimolymoly.

Many sophisticated malware families manipulate the PEB (typically the ImagePathName and CommandLine fields of its RTL_USER_PROCESS_PARAMETERS) to masquerade as a legitimate process.

Red teamers use the same trick.

I wondered whether EDR/AV is blinded by this or not.

EPROCESS is the kernel's process management structure. It holds a pointer to the PEB and manages the access token, the handle table, scheduling state and so on.

In addition, it is a kernel object, so it lives in kernel memory that user-mode code can neither read nor write.

We are going to do some kernel debugging to see what the EPROCESS structure is and where it is located.

I opened notepad.exe, broke into the debugger and took a look.

EPROCESS of notepad.exe

WinDbg says the EPROCESS is located at 0xffffe508136c50c0.

It holds a pointer to the PEB (0xfa33b5f000). Note that the PEB address is in the lower, user-mode half of the address space, while the EPROCESS address is in the upper, kernel half.

Let's take a look at the page tables.

PTE of EPROCESS and PEB

We should look at the pde line and its -GLDA--KW-V LARGE PAGE flag string.

G means Global: the translation is not flushed from the TLB when CR3 is reloaded.

L means Large Page: the PDE maps a 2 MB page directly, so the PTE level is not used for this address.

D means Dirty: the page has been written to.

A means Accessed: the page has been read or written since the bit was last cleared.

K means Kernel mode: the user/supervisor bit is clear, so user-mode code cannot touch the page.

W means Writable.

V means Valid: the entry is present and mapped in physical memory.

The !pte output shows that EPROCESS is located in kernel space.
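As an added example (my code, not from the original post), here is a small decoder that turns a raw x64 PDE/PTE value into the 11-column flag string that !pte prints, plus a helper that tells the user half of the address space from the kernel half. The bit positions are the architectural x64 paging layout; column 1 (C, copy-on-write) is a Windows software bit and is left as '-' here. The post's screenshot shows only the flag string, so the entry values below are constructed to reproduce it; the two virtual addresses are the ones quoted above.

```python
"""Decode an x64 PDE/PTE into the flag string WinDbg's !pte prints.

Added example, not from the original post.  Bit positions are the
architectural x64 paging-structure layout; the 11-column order is the one
!pte uses.  Column 1 (C, copy-on-write) is a Windows software bit and is
left as '-' here.  Entry values in the demo are constructed.
"""

PTE_VALID     = 1 << 0    # P:  present / valid
PTE_WRITE     = 1 << 1    # R/W
PTE_USER      = 1 << 2    # U/S: set = user-accessible, clear = kernel only
PTE_WRITETHRU = 1 << 3    # PWT
PTE_CACHE_DIS = 1 << 4    # PCD
PTE_ACCESSED  = 1 << 5    # A
PTE_DIRTY     = 1 << 6    # D
PTE_LARGE     = 1 << 7    # PS in a PDE: maps a 2 MB page, no PTE level below it
PTE_GLOBAL    = 1 << 8    # G:  translation survives a CR3 reload
PTE_NX        = 1 << 63   # XD: not executable

USER_LIMIT  = 0x0000_8000_0000_0000   # lower canonical half ends here (exclusive)
KERNEL_BASE = 0xFFFF_8000_0000_0000   # upper canonical half starts here


def decode_pte(entry):
    """Return the !pte-style string, e.g. '-GLDA--KW-V' for the post's PDE.
    A clear P bit means the rest is a Windows software PTE, not hardware bits."""
    if not entry & PTE_VALID:
        return "(not valid: software PTE)"

    def flag(bit, ch):
        return ch if entry & bit else "-"

    return "".join([
        "-",                               # C: copy-on-write (software bit, not decoded)
        flag(PTE_GLOBAL, "G"),
        flag(PTE_LARGE, "L"),
        flag(PTE_DIRTY, "D"),
        flag(PTE_ACCESSED, "A"),
        flag(PTE_CACHE_DIS, "N"),          # N: cache disabled
        flag(PTE_WRITETHRU, "T"),          # T: write-through
        "U" if entry & PTE_USER else "K",  # owner: user or kernel
        "W" if entry & PTE_WRITE else "R",
        "-" if entry & PTE_NX else "E",    # E only when XD is clear
        "V",
    ])


def pfn(entry):
    """Page frame number, bits 12..51.  For a large-page PDE the low 9 bits
    of this are reserved/PAT and the 2 MB frame base is pfn & ~0x1FF."""
    return (entry >> 12) & ((1 << 40) - 1)


def address_space(va):
    """Which half of the x64 canonical address space a virtual address is in."""
    if va < USER_LIMIT:
        return "user"
    if va >= KERNEL_BASE:
        return "kernel"
    return "non-canonical"


if __name__ == "__main__":
    # constructed: kernel-only, writable, NX, global, large, dirty, accessed, valid
    pde = 0x8000_0001_36C0_01E3
    print(hex(pde), decode_pte(pde), "pfn", hex(pfn(pde)))      # -GLDA--KW-V
    # constructed: a typical user-mode read/write/execute page
    pte = 0x0000_0000_04A8_B067
    print(hex(pte), decode_pte(pte))                             # ---DA--UWEV
    for va in (0xFFFFE508136C50C0, 0xFA33B5F000):                # EPROCESS and PEB from the post
        print(hex(va), address_space(va))
```

The decoder only trusts the hardware bits when P is set; a non-present entry in Windows is a software PTE (transition, prototype, pagefile) whose bits mean something else entirely, which is why !pte prints those differently.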

Let's take a quick look at what EPROCESS contains.

What does EPROCESS have?

As you can see, many objects are managed through it.

In conclusion, PEB-based masquerading fools anything that trusts the PEB, but it cannot deceive the kernel: the PEB sits in the process's own user-mode address space and is writable by the process, while EPROCESS is a kernel object in kernel space that the process cannot modify.

For defenders, this means relying on EPROCESS-derived information instead of the PEB.

Although it is undocumented, the PsGetProcessImageFileName function retrieves the process's ImageFileName from EPROCESS. Note that EPROCESS.ImageFileName holds only the first 15 characters of the executable's base name; for the full path, use SeLocateProcessImageName in a driver, or query ProcessImageFileName via NtQueryInformationProcess (or call QueryFullProcessImageName) from user mode. All of these are answered from the kernel's own record rather than from the PEB.

Defenders should use these rather than anything read from the PEB.

LPSTR NTAPI PsGetProcessImageFileName(PEPROCESS Process)
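To make the conclusion concrete, here is an added example (my code, not the author's) that does both halves: it rewrites its own PEB ImagePathName the way masquerading malware does, then reads the PEB view and the kernel view of the same process and flags the disagreement. PsGetProcessImageFileName is kernel-only, so the kernel-side answer here comes from QueryFullProcessImageNameW, which the kernel serves from the process's section/file object, not from the PEB. Assumptions, also marked in the code: 64-bit Python on x64 Windows, and the x64 offsets PEB.ProcessParameters = 0x20 and RTL_USER_PROCESS_PARAMETERS.ImagePathName = 0x60 hard-coded instead of being pulled from symbols. The fake path is made up. Given a PID on the command line, it inspects that process instead of itself.

```python
"""PEB view versus kernel view of a process image path (Windows x64).

Added example, not the original post's code.  Assumes 64-bit Python on x64
Windows and the stable x64 offsets PEB.ProcessParameters = 0x20 and
RTL_USER_PROCESS_PARAMETERS.ImagePathName = 0x60.
"""
import ctypes
import struct
import sys

PEB_PROCESS_PARAMETERS = 0x20     # x64: PEB.ProcessParameters (assumed layout)
RUPP_IMAGE_PATH_NAME = 0x60       # x64: RTL_USER_PROCESS_PARAMETERS.ImagePathName
PROCESS_BASIC_INFORMATION = 0     # PROCESSINFOCLASS value
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
_keepalive = []                   # fake-name buffers must outlive the PEB write


def parse_unicode_string(raw):
    """Decode a 16-byte x64 UNICODE_STRING: USHORT Length (bytes), USHORT
    MaximumLength, 4 bytes of padding, PWSTR Buffer."""
    length, maxlen, _pad, buf = struct.unpack_from("<HHIQ", raw, 0)
    return length, maxlen, buf


def views_disagree(peb_path, kernel_path):
    """Defender's check: a PEB name that differs from the kernel's record means
    the PEB was rewritten.  Win32 paths are case-insensitive, so casefold."""
    return peb_path.casefold() != kernel_path.casefold()


def _win():
    """Bind the Win32/NT calls with explicit 64-bit-safe argument types."""
    k32, nt = ctypes.windll.kernel32, ctypes.windll.ntdll
    vp, ul = ctypes.c_void_p, ctypes.c_ulong
    k32.GetCurrentProcess.restype = vp
    k32.OpenProcess.argtypes, k32.OpenProcess.restype = [ul, ctypes.c_int, ul], vp
    k32.ReadProcessMemory.argtypes = [vp, vp, vp, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.QueryFullProcessImageNameW.argtypes = [vp, ul, ctypes.c_wchar_p, ctypes.POINTER(ul)]
    nt.NtQueryInformationProcess.argtypes = [vp, ul, vp, ul, ctypes.POINTER(ul)]
    return k32, nt


def _read(k32, hproc, addr, size):
    buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t()
    if not k32.ReadProcessMemory(hproc, addr, buf, size, ctypes.byref(got)):
        raise ctypes.WinError()
    return buf.raw[:got.value]


def _peb_base(nt, hproc):
    pbi, ret = ctypes.create_string_buffer(48), ctypes.c_ulong()  # PROCESS_BASIC_INFORMATION, x64
    status = nt.NtQueryInformationProcess(hproc, PROCESS_BASIC_INFORMATION, pbi, 48, ctypes.byref(ret))
    if status != 0:
        raise OSError("NtQueryInformationProcess: 0x%08x" % (status & 0xFFFFFFFF))
    return struct.unpack_from("<Q", pbi, 8)[0]  # PebBaseAddress


def peb_image_path(k32, nt, hproc):
    """User-mode view: PEB -> ProcessParameters -> ImagePathName."""
    params = struct.unpack("<Q", _read(k32, hproc, _peb_base(nt, hproc) + PEB_PROCESS_PARAMETERS, 8))[0]
    length, _max, buf = parse_unicode_string(_read(k32, hproc, params + RUPP_IMAGE_PATH_NAME, 16))
    return _read(k32, hproc, buf, length).decode("utf-16-le")


def kernel_image_path(k32, hproc):
    """Kernel view: served from the process's section/file object (EPROCESS side),
    which user mode cannot rewrite."""
    size = ctypes.c_ulong(32767)
    out = ctypes.create_unicode_buffer(size.value)
    if not k32.QueryFullProcessImageNameW(hproc, 0, out, ctypes.byref(size)):
        raise ctypes.WinError()
    return out.value


def masquerade_self(k32, nt, fake_path):
    """What the malware does: point our own ImagePathName at a benign-looking
    string.  Only the PEB changes; EPROCESS is untouched."""
    peb = _peb_base(nt, k32.GetCurrentProcess())
    params = ctypes.c_uint64.from_address(peb + PEB_PROCESS_PARAMETERS).value
    buf = ctypes.create_unicode_buffer(fake_path)
    _keepalive.append(buf)
    nbytes = len(fake_path) * 2
    ustr = (ctypes.c_char * 16).from_buffer_copy(struct.pack("<HHIQ", nbytes, nbytes + 2, 0, ctypes.addressof(buf)))
    ctypes.memmove(params + RUPP_IMAGE_PATH_NAME, ustr, 16)


def main():
    if sys.platform != "win32" or ctypes.sizeof(ctypes.c_void_p) != 8:
        print("needs 64-bit Python on x64 Windows"); return
    k32, nt = _win()
    if len(sys.argv) > 1:                      # inspect another process by PID
        hproc = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, int(sys.argv[1]))
        if not hproc:
            raise ctypes.WinError()
    else:                                      # demo on ourselves: masquerade, then detect
        hproc = k32.GetCurrentProcess()
        masquerade_self(k32, nt, r"C:\Windows\System32\svchost.exe")  # made-up target
    peb, kern = peb_image_path(k32, nt, hproc), kernel_image_path(k32, hproc)
    print("PEB says    :", peb)
    print("kernel says :", kern)
    print("masqueraded :", views_disagree(peb, kern))


if __name__ == "__main__":
    main()
```

Run with no arguments on Windows and the PEB line reports svchost.exe while the kernel line still names python.exe, which is exactly the EPROCESS-versus-PEB gap the post describes; pointed at another PID, the same comparison is a cheap triage check for this family of masquerading. A process can also swap the ProcessParameters pointer or the CommandLine string, so a production check should compare every PEB-sourced field it consumes, not just ImagePathName.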




Written by morimolymoly

I am a Security Researcher. Feel free to reach me! Webpage: https://morimolymoly.com/
