Malware, viruses, what are they?

Discussion in 'Tutorials & Guides' started by frogboy, Jun 4, 2015.

  1. Duotone

    Duotone Level 9

    Mar 17, 2016
    Windows 7
    This kind of information/thread should be pinned...
  2. DJ Panda

    DJ Panda Level 29

    Aug 30, 2015
    Madison, Wisconsin
    Windows 10
    Looks like this topic is pinned! Congratz :) Very helpful information. I was curious about the severity of viruses and other harmful applications.
    Yash Khan, Svoll, DardiM and 2 others like this.
  3. DZ42

    DZ42 New Member

    Oct 16, 2016
    Thank you so much for the information.
    Yash Khan and Svoll like this.
  4. Svoll

    Svoll Level 12

    Nov 17, 2016
    Student/Engineering Failure
    macOS Sierra
    This is an awesome read! I even took notes; I'm sure it would show up on one of my tests. Never knew this term before reading your post: Drive-by-download: This is the term used when speaking of malvertising, malicious web code, fake “required” plugins. It can be installed after you open an email attachment. They are installed sometimes without the user knowing it.

    Is it still used today or has it been renamed to exploits or spoofing?
    tim one, XhenEd, JM Security and 3 others like this.
  5. Anker_by

    Anker_by Level 4

    Jun 23, 2015
    Windows 8.1
    It is 2017 and I'm still using this useful post. Thank you.
  6. frogboy

    frogboy Level 61

    Jun 9, 2013
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Thanks, and yes, I agree: still very relevant today and into the future, I think. :):eek:
    Rengar, bribon77, Transhumana and 9 others like this.
  7. tim one

    tim one Level 19
    Trusted AV Tester

    Jul 31, 2014
    Windows 10
    Awesome post @frogboy, my friend :)
    And yes, it is still very relevant today because malware will never die, sadly!
  8. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    Windows 10
    Just to elaborate... There are many more ways in which a process can be targeted for termination, aside from NtOpenProcess.

    NtOpenProcess (NTDLL) is called when OpenProcess (KERNEL32) is called. It is used to open a handle to a process and then this handle can be used to suspend the process, inject code into the process, or terminate the process - code injection could also be used for termination if NtTerminateProcess is hooked.

    1. Process threads. These can be targeted as well. You can use OpenThread (KERNEL32) which will call NtOpenThread (NTDLL) to open a handle to the threads within the process and then call TerminateThread (KERNEL32) which will call NtTerminateThread (NTDLL). If you can get a handle to one of the threads, you can also use it to attempt APC injection (however due to not having a handle to the process, you could just use shell-code for the APC injection instead of performing virtual memory operations to place code in its address space beforehand).

    2. Handle hijacking. Some system processes will automatically have an open handle to the running processes on the system. On earlier versions of Windows, csrss.exe will have an open handle. On newer versions of Windows, lsass.exe and svchost.exe will have an open handle. You can inject code into such processes to hijack the handles they already have for usage.

    3. User-Mode API hooks are usually set for specific processes, not all of them. A common example would be Task Manager (taskmgr.exe). You could try injecting into another process which is likely not to be targeted, and then attempt to terminate the process from within the unsuspected process.

    I am certain creative security researchers can come up with more interesting examples.

    There is one very easy solution though.
    You can bypass the user-mode hooks by using a system call. A system call is when you call the same instructions NTDLL would have executed to make code execution pass to the kernel to perform an operation, such as opening a handle to a process or terminating a process via the handle. In some scenarios, this can be blocked (e.g. WOW64 interception for a 32-bit process running on a 64-bit OS environment) but it is unlikely.

    Kernel-Mode rootkits are no longer prevalent due to the Extended Validation Code Signing Certificate requirement on Windows 10 by PatchGuard (Driver Signature Enforcement) and Kernel Patch Protection (KPP - also part of PatchGuard). Most people use 64-bit systems where this security feature is present, and malware authors tend to want compatibility for both 32-bit and 64-bit systems... PatchGuard has been around since Windows Vista and improves a lot for every new Windows version. Even prior to Windows 10, a normal code signing certificate was still required. Bypasses do exist via exploitation of the VirtualBox driver, but I do not recall ever seeing a real malware attack take place doing something like this.

    XhenEd, frogboy, bribon77 and 2 others like this.
  9. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    Windows 10
    Recently I came across a sample which hijacked the value of Userinit (REG_SZ) under the Winlogon key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon).

    You can append to the string present as the value to make another application start-up at boot. For example, changing it to "C:\Windows\system32\userinit.exe, C:\hello.exe" would cause both userinit.exe and hello.exe to start-up at boot. The method has been known for a long time though, it is nothing new - you would also require elevation to do this due to where the registry key is located (HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER).

    There are many alike tricks to gain persistence at boot without touching scheduled tasks, the start-up folder or the Run/RunOnce key. Another example would be hijacking of a DLL used by vulnerable software.
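One way a defender can check for the Userinit hijack described in the post above, as an added example that is not part of the original thread: it splits the comma-separated Userinit string and reports any entry other than the default userinit.exe. The function names, the sample strings and the Python structure are my own; the live read through `winreg` is an assumption that only applies on Windows.

```python
# Added example (not from the thread): audit the Winlogon "Userinit" value
# and flag every entry that is not the stock userinit.exe.
import sys
from typing import List, Optional

# Key path quoted in the post (relative to HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Expected value on a clean install; Windows stores it with a trailing comma.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split the REG_SZ string into entries, dropping blanks from the trailing comma."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_userinit(value: str) -> List[str]:
    """Return the entries that are not the expected userinit.exe path.

    The comparison is case-insensitive because Windows paths are; anything
    appended to the value (e.g. the hello.exe from the post) is reported.
    """
    expected = EXPECTED_USERINIT.lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def read_live_userinit() -> Optional[str]:
    """Read the real value on Windows; returns None elsewhere (no winreg module)."""
    if sys.platform != "win32":
        return None
    import winreg  # assumption: standard library module, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return str(value)


if __name__ == "__main__":
    # Constructed samples: the clean default and the hijacked form from the post.
    samples = [
        r"C:\Windows\system32\userinit.exe,",
        r"C:\Windows\system32\userinit.exe, C:\hello.exe",
    ]
    live = read_live_userinit()
    if live is not None:
        samples.append(live)
    for sample in samples:
        extra = audit_userinit(sample)
        verdict = "OK" if not extra else "SUSPICIOUS extra entries: " + ", ".join(extra)
        print(f"{sample!r}: {verdict}")
```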