Discuss "illegal modules" and "third-party detection" (1)

The man who casts the spear shall be able to use the power of SHIELD.
The man who creates the shield will be able to interpret the spear.

This article is a little longer. Starting from (1), I will talk a little bit about the inexplicable detection technologies that have been deeply remembered in those years.

 

(1) Main Content: methods and countermeasures for detecting illegal modules at the beginning

First, you must know the definition of an invalid module. Generally,
Module definition: DLL file, PE file, executable code block
Illegal module definition: a module that does not comply with certain positive rules or a module that complies with certain negative rules.

Illegal module detection,
The primary check uses the enumeration first and then the detection method, so the first step is the enumeration!
Common enumeration: API enumeration and PEB enumeration.
API enumeration common APIs:
1. createconlhelp32snapshot Module32First Module32Next
2. EnumProcessModules GetModuleFileNameEx
3. RtlQueryProcessDebugInformation RtlCreateQueryDebugBuffer
Most of the PEB enumeration types are based on the PEB structure,
Because API enumeration is basically implemented by PEB, you only need to break the PEB chain.
So we have a new enumeration method, unconventional enumeration and brute force enumeration!
Brute-force enumeration is usually implemented using Api: ZwQueryVirtualMemory.
Of course, there is also a structure of the violent search PE Header,
There are two Processing Methods for ZwQuery api enumeration.
Hook api
Modify the VAD structure in the kernel (For details, refer to the article of the, which will not be repeated here)
For PE Structure profiteering search, you can erase the PE Header (very simple, modify the Memory attribute, and then RtlZeroMemory can be implemented ).

Non-conventional enumeration can be enumerated through various hashlists, such as _ LdrpHashTable used by GetModuleHandle
In fact, this enumeration is the same as PEB, and can be easily erased if it is discovered.
However, HandleTable can also be used to enumerate all open file paths in a process and then determine the file type enumeration.

As for the module detection, there are usually several models
Check the path name, filter out the modules that belong to the system, and then process the modules that are not the system.
Module hash check, read the file content of the module, and then calculate the hash comparison.
Module Feature Detection: scans the module's memory for features.
First, you can modify the module display path to bypass the detection (if hidden, you don't have to worry about it ).
Second, you can use the driver to modify the file path to bypass (if hidden, Do not worry ).
The third type of detection can only rely on dynamic deformation or other means to avoid signatures (hiding is invalid ).

Okay (1) It's over here. Please look forward to (2 ~