Detecting Thread Injection by ETW & One Simple Technique
In this article I want to talk about ETW and thread injection, in this case "Remote Thread Injection".
I made a simple C# code, "ETWMonThread.cs", for monitoring Meterpreter payload/thread injection in 2018.
This code was simple, and my goal was to show how we can use ETW in a very simple and useful way.
In this code we have something like this:
With this code you can get all newly created thread IDs (TIDs) with ETW. Then you only need the injected threads, meaning a thread created by process A inside process B, and with this simple code you can get that:
It seems everything is OK, and I tested this code with some techniques like these:
ETW test with Process Hollowing technique:
As you can see in this picture we have a shell, but this Meterpreter session and its thread ID were detected by ETW.
Thread injection detected, and you can see the session closed.
ETW test with APC Queue technique:
Again, as you can see in this picture, we have a shell, but this Meterpreter session and its thread ID were detected by ETW.
Thread injection detected, and you can see the session closed.
After these tests you can see that this code, "ETWMonThread.cs", worked well.
But something in these tests was the same: all of them have OpenProcess, CreateRemoteThread, WriteProcessMemory, etc. in one code/exe, which means the malware/injector code will be detected by the ETW events, at least by its PID.
In Picture 3 the malware/injector code PID was "Process Exited:1048".
In Picture 4 the malware/injector code PID was "Process Exited:3964".
Chunking Codes:
In this simple technique I want to use the thread injection method in two steps; that is, I want to run this injection technique with two code/exe files.
As you can see, I made "NativePayload_TId2.exe", and this is step 1 of the thread injection method/code.
In this step 1 we have only the (OpenProcess, VirtualAllocEx, WriteProcessMemory) API functions and no CreateRemoteThread function.
Important Point:
As you can see in "Picture 5", we "don't have any detection" for payload injection, i.e. writing the payload via the WriteProcessMemory API function into the target process (Notepad.exe:3796), by the ETW code, because in this [step 1] with "NativePayload_TId2.exe" we did not have the CreateRemoteThread function.
So with this "NativePayload_TId2.exe" we don't have a new thread, but the target process is infected by this code very simply, and the malware payload was injected into Notepad (in-memory).
In the next picture you can see I used "NativePayload_TId3.exe", which is part 2 of the attack/code.
In this step 2 of the code the target process, in this case "Notepad", is opened with the OpenProcess API function, and a remote thread is created at the "IntPtr pointer address" from step 1, which in this case is "002B0000".
Now in this step 2 the code is detected by ETW, and you can see "NativePayload_TId3.exe" as the thread injector detected by ETW, but this is only part 2 of the code; this is not all of it.
Part 1 of the code, which was (OpenProcess, VirtualAllocEx, WriteProcessMemory) executed by "NativePayload_TId2.exe", was not detected by the ETW code and is still undetectable for this C# ETW code.
In the next "Picture 7" you can see this session detected/closed.
Another important thing about this technique is that after [step 1] your payload is in the memory of the Notepad process, and you can execute it any time you want, with or without delay, and more than once. So in the next pictures you can see I used this technique for bypassing AVIRA anti-virus, and these codes [step 1 & step 2] worked very well; in this case I used [step 2] two times and I had two sessions too, very simple.
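The following is an added example, not code from the original post or from ETWMonThread.cs. It models the rule the post relies on ("a thread created by process A inside process B is an injected thread") and runs it over constructed thread-start records for both situations described above: the single-exe injector from the first tests, and the chunked two-exe variant. The record shape (creator PID, owning PID, TID, creator image), the image names and the PIDs 2000 and 3000 are assumptions made for the example; 3796 and 1048 are the Notepad and injector PIDs the post reports.

```python
# Added example (not the post's code): a model of the cross-process
# thread-creation rule, exercised on constructed ETW-style thread-start records.
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class ThreadStart:
    """One thread-start event reduced to the fields the rule needs.

    The real kernel Thread start event identifies both the process that
    created the thread and the process the thread belongs to; here the two
    are supplied directly (constructed record shape, not the ETW layout).
    """
    creator_pid: int    # process that called CreateThread / CreateRemoteThread
    creator_image: str  # image name of that process (constructed label)
    owner_pid: int      # process the new thread runs in
    tid: int            # new thread ID


@dataclass(frozen=True)
class Alert:
    injector_pid: int
    injector_image: str
    target_pid: int
    tid: int


def detect_remote_threads(events: Iterable[ThreadStart]) -> List[Alert]:
    """Flag every thread whose creator is not the process it was created in."""
    return [
        Alert(e.creator_pid, e.creator_image, e.owner_pid, e.tid)
        for e in events
        if e.creator_pid != e.owner_pid
    ]


def injector_pids(events: Iterable[ThreadStart]) -> Set[int]:
    """PIDs that thread-start telemetry alone would name as injectors."""
    return {a.injector_pid for a in detect_remote_threads(events)}


NOTEPAD_PID = 3796  # target process PID from Picture 5 of the post


def classic_injection_events() -> List[ThreadStart]:
    """Constructed scenario 1: one exe does OpenProcess, WriteProcessMemory
    and CreateRemoteThread itself (PID 1048, as in Picture 3)."""
    return [
        ThreadStart(NOTEPAD_PID, "notepad.exe", NOTEPAD_PID, 4100),  # notepad's own worker thread
        ThreadStart(1048, "injector.exe", 1048, 4104),               # injector's own thread
        ThreadStart(1048, "injector.exe", NOTEPAD_PID, 4108),        # CreateRemoteThread into notepad
    ]


STEP1_PID = 2000  # constructed PID for NativePayload_TId2.exe
STEP2_PID = 3000  # constructed PID for NativePayload_TId3.exe


def chunked_injection_events() -> List[ThreadStart]:
    """Constructed scenario 2: step 1 only allocates and writes memory, which
    produces no thread-start event; step 2 creates the remote thread, run
    twice as in the post's AVIRA test."""
    return [
        ThreadStart(NOTEPAD_PID, "notepad.exe", NOTEPAD_PID, 4100),
        ThreadStart(STEP1_PID, "NativePayload_TId2.exe", STEP1_PID, 4120),   # step 1's own thread only
        ThreadStart(STEP2_PID, "NativePayload_TId3.exe", STEP2_PID, 4130),
        ThreadStart(STEP2_PID, "NativePayload_TId3.exe", NOTEPAD_PID, 4134), # first remote thread
        ThreadStart(STEP2_PID, "NativePayload_TId3.exe", NOTEPAD_PID, 4140), # second remote thread
    ]


if __name__ == "__main__":
    for name, events in (("classic", classic_injection_events()),
                         ("chunked", chunked_injection_events())):
        print(f"== {name} ==")
        for a in detect_remote_threads(events):
            print(f"Thread Injection Detected: {a.injector_image}:{a.injector_pid} "
                  f"-> PID {a.target_pid}, TID {a.tid}")
        print("step-1 PID named as injector:", STEP1_PID in injector_pids(events))
```

In the chunked scenario the rule still fires, twice, and correctly names NativePayload_TId3.exe, but the process that wrote the payload (NativePayload_TId2.exe) never appears in the thread-start stream, which is exactly the blind spot the post describes. A real consumer of this rule also has to account for the fact that a process's initial thread is created from its parent's context, so the rule is normally paired with process-start events rather than applied to every thread-start event in isolation.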
ETWMonThread.cs: https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection/tree/master/MPD/ETWMonThread/
Video ETWMonThread.cs [step by step]: https://www.youtube.com/watch?v=nIoDrqeQ2es
As you can see, ETW is a very useful thing for thread monitoring; it is also useful for showing injected threads and (sometimes) injector processes. I think some anti-viruses need to use ETW or something like it, but attackers always have some methods for bypassing your things.
Last Update: 8 Jun 2020