There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products: they like to inject plenty of code that, combined with API hooking, implements security checks. Injected DLLs can be detected, and doing so is a common anti-debugging or evasion technique implemented by many malware samples. If you're interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call, GetModuleFileName()[2]. The function expects the following parameters: a handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on each of them, and search for interesting DLL names. To get the handle, the OpenProcess()[3] API call must use the following access flag: 0x0410 (PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).
Today, I found a Python script that implemented this technique. Note that the script just borrows and obfuscates a snippet of code that has been available on github.com[4] for a while. The list of DLLs is a bit outdated but remains valid.
import win32api
import win32process

LRazMCgmBIhqNsJ= []   # paths of suspicious DLLs found in running processes
wqeltyA = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"]   # DLL names that betray sandboxes/analysis tools
eDbscqrrt= win32process.EnumProcesses()   # PIDs of all running processes
for mbPLkF in eDbscqrrt:
    try:
        # 0x0410 = PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, enough to enumerate modules
        mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF)
        try:
            JoKxLLHnpg= win32process.EnumProcessModules(mhEIFoBo)
            for qGvSyMSQH in JoKxLLHnpg:
                # full path of each loaded module, lower-cased for the substring match below
                XFUQQonQDUFW= str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower()
                for yeksLrlmxhewfzF in wqeltyA:
                    if yeksLrlmxhewfzF in XFUQQonQDUFW:
                        if XFUQQonQDUFW not in LRazMCgmBIhqNsJ:
                            LRazMCgmBIhqNsJ.append(XFUQQonQDUFW)
        finally:
            # the sample passes the PID (mbPLkF) here by mistake; the process handle is what must be closed
            win32api.CloseHandle(mhEIFoBo)
    except:
        pass   # processes that cannot be opened (e.g. protected/system ones) are silently skipped
if not LRazMCgmBIhqNsJ:
    pass   # continuation not shown on the page
If the array LRazMCgmBIhqNsJ is still empty, no suspicious (from a malware point of view) DLL has been found and the execution continues…
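Since the diary notes that the sample is only a renamed copy of a public snippet, an analyst mostly wants two things from such a file: a structural fingerprint that identifier renaming cannot change, and the concrete indicators (the Win32 API sequence, the 0x0410 access mask, the sandbox DLL list). The standard-library Python triage helper below is an added example, not code from the diary or the CheckPlease project; the embedded sample is the diary's snippet, constructed inline with its truncated final `if` closed by `pass` so that it parses.

```python
import ast

# The diary's obfuscated snippet, embedded (constructed inline) so this runs offline; the truncated final "if" is closed with "pass".
SAMPLE = '''
import win32api
import win32process
LRazMCgmBIhqNsJ= []
wqeltyA = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"]
eDbscqrrt= win32process.EnumProcesses()
for mbPLkF in eDbscqrrt:
    try:
        mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF)
        try:
            JoKxLLHnpg= win32process.EnumProcessModules(mhEIFoBo)
            for qGvSyMSQH in JoKxLLHnpg:
                XFUQQonQDUFW= str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower()
                for yeksLrlmxhewfzF in wqeltyA:
                    if yeksLrlmxhewfzF in XFUQQonQDUFW:
                        if XFUQQonQDUFW not in LRazMCgmBIhqNsJ:
                            LRazMCgmBIhqNsJ.append(XFUQQonQDUFW)
        finally:
            win32api.CloseHandle(mbPLkF)
    except:
        pass
if not LRazMCgmBIhqNsJ:
    pass
'''

SANDBOX_DLLS = {"sbiedll.dll", "api_log.dll", "dir_watch.dll", "pstorec.dll", "vmcheck.dll", "wpespy.dll"}
DLL_CHECK_APIS = {"EnumProcesses", "OpenProcess", "EnumProcessModules", "GetModuleFileNameEx"}

def canonical_form(source):
    """AST dump with every identifier renamed v0, v1, ... in order of first visit: renaming-only obfuscation leaves it unchanged, any change to control flow, API calls or constants does not."""
    names, tree = {}, ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            node.id = names.setdefault(node.id, f"v{len(names)}")
    return ast.dump(tree)   # attribute names (the Win32 calls), strings and numbers are kept

def indicators(source):
    """Win32 API names, sandbox DLL strings and the OpenProcess access mask present in the source."""
    apis, dlls, mask = set(), set(), None
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in DLL_CHECK_APIS:
            apis.add(node.attr)
        elif isinstance(node, ast.Constant) and str(node.value).lower() in SANDBOX_DLLS:
            dlls.add(node.value.lower())
        elif isinstance(node, ast.Call) and getattr(node.func, "attr", None) == "OpenProcess":
            mask = node.args[0].value if node.args and isinstance(node.args[0], ast.Constant) else None
    return {"apis": apis, "dlls": dlls, "access_mask": mask}
```

Comparing canonical_form() of a suspect file against that of the known GitHub snippet tells you whether it is the same code with new variable names; indicators() gives the strings and constants worth putting into a detection rule.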
The sample received a nice VT score of 4/59 (SHA256:b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334)[5]. Another good example of Python integration with the Windows API!
[1] http://for610.com
[2] https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea
[3] https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
[4] https://github.com/Arvanaghi/CheckPlease/blob/master/Python/check_all_DLL_names.py
[5] https://www.virustotal.com/gui/file/b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334/detection
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The post Python DLL Injection Check, (Tue, Jul 6th) appeared first on Malware Devil.