Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing

c0de-sin/DarkWidow
DarkWidow

Black Hat Arsenal

Change the badge year!

This is a dropper / post-exploitation tool (it can be used in either role, or both) targeting Windows.

Capabilities:

  1. Indirect dynamic syscalls
  2. SSN resolution and syscall address sorting via a modified TartarusGate approach
  3. Remote process injection via Early Bird APC (MITRE ATT&CK TTP: T1055.004)
  4. Spawns a sacrificial process as the injection target
  5. ACG (Arbitrary Code Guard) and BlockDll mitigation policies set on the spawned process
  6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
  7. API resolving from the TIB (directly via offset: TIB -> TEB -> PEB -> Ldr module list -> ntdll export table -> Nt API), no GetProcAddress/GetModuleHandle (MITRE ATT&CK TTP: T1106)
  8. Nt API hashing (the djb2 variant shown below), so no plaintext API names live in the binary

Bonus: If blessed with Admin privilege =>

  1. Disables Event Log via killing EventLog Service Threads (MITRE ATT&CK TTP: T1562.002)

Disadvantage of merely suspending the threads: once they are resumed, every event that occurred while the Event Log was suspended gets logged after all!

So I thought of killing them instead!

"It's more invasive than suspension, but the decision is always up to the operator. Besides, killing threads gets logged at the kernel level." - @SEKTOR7net

While killing only those threads from the indirect syscall implant, I was facing an error: I was unable to get the "eventlog" SubProcessTag value. So I thought of killing all the threads, i.e. the whole process (the responsible svchost.exe). Yeah, creating an IOC!

Indirect Dynamic Syscall =>

1. EDR / ring-3 / userland hook bypass: the hooked ntdll stub is never executed.

2. The syscall and the return instruction are executed from the memory of ntdll.dll, not from the implant's own memory.

3. EDR detection based on checking the return address in the call stack can be bypassed, because the frame above the kernel transition belongs to ntdll.dll.

Compile:

  1. Directly via the VS compiler (preferred):

Also add the /MT compiler flag, which statically links the CRT into the binary (yes, you guessed it, it bloats the implant).

  2. Or via compile.bat:
./compile.bat

Usage:

PS C:> .\x64\Release\indirect.exe
[!] Wrong!
[->] Syntax: .\x64\Release\indirect.exe <PPID to spoof>

In Action:

DarkWidow.mp4

Successful execution without raising an alert on a Sophos XDR endpoint:

SofosXDREvade


Further Improvements:

  1. PPID spoofing (Emotet method)
  2. A stealthier way of disabling the Event Log than killing the svchost.exe process


Honourable Mentions:

  1. BlackHat Asia, 2024 - Call For Tools
  • Thanks a lot to Soumyadeep Da aka @SoumyadeepBas12 for encouraging me to apply for this opportunity, else I wouldn't have done it :)
  • Thanks a lot to Faran aka @Chrollo_l33t for helping me create the slides and PPT for the presentation of this tool :)

Portions of the code, and links that helped:

  1. TIB:

  2. GS and FS register:

  3. PEB LDR structure:

  4. TIB -> TEB -> PEB -> Resolve Nt API and API hashing

#include <stdint.h>
#include <stdio.h>
#include <Windows.h>

// djb2 variant used to hash Nt API names: the classic h * 33 + c, but with a
// 64-bit state and a non-standard seed, so precomputed public djb2 tables do
// not match. The implant must use exactly this routine and seed.
DWORD64 djb2(const char* str)
{
	DWORD64 dwHash = 0x7734773477347734;
	int c;

	while ((c = *str++) != 0)
		dwHash = ((dwHash << 0x5) + dwHash) + c;

	return dwHash;
}

// Helper tool: prints the hash of one Nt API name so the constant can be
// pasted into the implant in place of the plaintext name.
int main(int argc, char** argv)
{
	if (argc < 2)
	{
		printf("[!] Wrong!\n");
		printf("[->] Syntax: .\\%s <NTFuncName>\n\n", argv[0]);
		return 1;
	}

	const char* string = argv[1];

	DWORD64 hashvalue = djb2(string);

	printf("Hash Value: 0x%llX\n", hashvalue);

	return 0;
}
  5. ACG (Arbitrary Code Guard) / BlockDll mitigation policy:

  6. PPID spoofing detection:

    • PPID Spoofing Detect by @spotheplanet
    • If I get time, I will be adding a detection portion to this section! -> [Remaining..............................................!]

  7. Moneta detection and PE-sieve detection:

    • Moneta: (scan screenshot)

    • PE-sieve: (scan screenshot)

  8. Capa scan: (scan screenshot)

  9. How the thread stack of the implant process looks (screenshots: implant process next to a legitimate cmd process):

"It follows that by executing the return instruction in the memory of the ntdll.dll in the indirect syscall POC, the return address can be successfully spoofed, the ntdll.dll can be placed at the top of the call stack and the EDR will interpret a higher legitimacy." - @VirtualAllocEx, from Direct Syscall vs Indirect Syscall
Also thanks to @peterwintrsmith!

  10. Instrumentation callback evasion: used this POC - syscall-detect by winternl_t (screenshot)

  11. Event Logger config I used: (screenshots)

  12. Setting SeDebugPrivilege: from here / to here (screenshots)

  13. Killing Event Log threads:

Major thanks for helping me out, directly or indirectly (pun NOT intended :)):

  1. @SEKTOR7net
  2. @peterwintrsmith
  3. @Jean_Maes_1994
  4. @D1rkMtr
  5. @spotheplanet
  6. @0xBoku
  7. @Sh0ckFR
  8. @winterknife
  9. @monnappa22
  10. @xpn
  11. @hlldz

I hope I didn't miss someone!

This project is a part of my journey to learn about EDR World! => Learning-EDR-and-EDR_Evasion
