Comodo antivirus advanced
11/28/2023

Upon execution, HijackLoader starts by executing a modified (hooked) function of the Windows C Runtime (CRT), which points to the entry point of the first stage.

During its initialization phase, the loader determines if the final payload has been embedded in the binary or if it needs to download it from an external server. To achieve this, HijackLoader includes an encrypted configuration, which stores information such as:

- A DWORD hash value to detect the next stage (e.g., the ti module described later in the text) from the modules table.
- Windows API hashes for dynamic loading.
- An array of DWORDs, which are used to determine if the loader has to download the final payload. The offsets for these fields might differ from sample to sample.
- Parameters for several Windows API functions. For example, the constant PAGE_EXECUTE_READWRITE (0x40) for VirtualProtect.
- A DWORD seed value, which is used for deriving a string based on the compromised host's username.
- A DWORD value, which is used for validating the payload, when loaded from disk, by searching for it in the payload's data.
- A DWORD value, which is used for detecting all blobs of the encrypted payload.
- An offset for the payload URL (if any) along with an XOR key to decrypt it.
- A blocklist of process name hashes (described later in Table 1).

The above configuration block is located using hardcoded offsets and then decrypted either with a bitwise XOR or an ADD operation. The offsets used to locate the configuration block (including the offset of the encryption key) might differ from sample to sample.

The first stage includes a limited set of evasion techniques:

- Dynamic loading of Windows API functions by leveraging a custom API hashing technique.
- Performing an HTTP connectivity test to a legitimate website (e.g. ...). If a connection cannot be made, then HijackLoader does not proceed with the execution and enters an infinite loop until a connection is made.
- Delaying of code execution at different stages.
- Checking for the presence of a set of running processes. Depending on which ones are present, the first stager executes different functionality. In Table 1, we summarize the corresponding functionality for each process.

Table 1 - HijackLoader blocklist of processes (column: PROCESS NAME; the table rows are not preserved on this page)

HijackLoader locates the payload of the second stage (i.e., the ti module) by following the steps below:

1. Parses the decrypted configuration block, which was obtained from the initialization phase.
2. Locates the encrypted payload URL and decrypts it using a bitwise XOR operation.
3. Downloads the payload and validates it by checking for the presence of the signature (included in the configuration block) in its data. If the validation passes, it writes the payload to disk.
4. Searches for encrypted blobs using the second marker. Each marker represents the start of an encrypted blob along with the size of the blob (which is stored before each occurrence). Moreover, the XOR key is located after the offset of the first encrypted blob.
5. Once all encrypted blobs have been extracted, they are concatenated together and decrypted with the XOR key.
6. Finally, the decrypted payload is decompressed using the LZNT1 algorithm.

Pseudocode for this process is shown in Figure 1.

Figure 1: HijackLoader second stage code to download and execute payloads

The same procedure is followed when the payload is loaded from disk. The only difference is that HijackLoader uses an additional pattern (from the configuration block) for finding the start offset of the embedded payload (Figure 2).

Figure 2: HijackLoader second stage payload execution from a local file

The decrypted payload includes two components:

- A modules table - This includes the HijackLoader modules along with their settings and the final payload (e.g. main shellcode and settings, or a list of optional files to use for DLL hijacking).

Next, the first stager needs to load and execute the next stage. This is accomplished by obtaining the file path of the DLL to patch (e.g. mshtml.dll) and the table of HijackLoader modules that is included in the decrypted payload. Then, HijackLoader loads the specified DLL and locates the next stager (the ti module) after searching for its hash (included in the configuration block) in the modules table.
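The six payload-extraction steps above (marker-delimited blobs, concatenation, XOR decryption, LZNT1 decompression), as an added worked example that is not code from the original post and not HijackLoader's own code: a small static extractor of the kind an analyst writes to recover the second stage from a sample offline. The marker value, the 4-byte little-endian size prefix before each marker, the repeating XOR key and the sample container are all constructed assumptions for this example; with a real sample the marker, key and exact layout are read from its decrypted configuration block.

```python
import struct


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream: a sequence of chunks, each with a 2-byte header."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if hdr == 0:                      # end-of-stream marker
            break
        chunk_end = min(pos + (hdr & 0x0FFF) + 1, len(data))
        if not hdr & 0x8000:              # raw (stored) chunk: copy through
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]             # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])  # literal byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # The offset/length bit split shifts as the chunk output grows.
                p = len(out) - chunk_start - 1
                len_mask, off_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                for _ in range(length):    # byte-wise copy so overlapping runs work
                    out.append(out[-offset])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumption: the key cycles over the concatenated blobs)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_blobs(data: bytes, marker: bytes) -> list:
    """Return every blob; a little-endian DWORD size sits immediately before each marker."""
    blobs = []
    idx = data.find(marker)
    while idx != -1:
        if idx < 4:
            raise ValueError("marker found without a size prefix")
        size = struct.unpack_from("<I", data, idx - 4)[0]
        start = idx + len(marker)
        blobs.append(data[start:start + size])
        idx = data.find(marker, start + size)
    return blobs


def recover_payload(data: bytes, marker: bytes, xor_key: bytes) -> bytes:
    """Steps 4-6 of the text: find blobs, concatenate, XOR-decrypt, LZNT1-decompress."""
    blobs = extract_blobs(data, marker)
    if not blobs:
        raise ValueError("no encrypted blobs found")
    return lznt1_decompress(xor_bytes(b"".join(blobs), xor_key))


# Constructed stand-in for the DWORD marker carried in the configuration block.
MARKER = b"\xde\xad\xbe\xef"


def build_sample_container() -> tuple:
    """Constructed sample: one hand-assembled LZNT1 chunk (b'ABCABCABCABC'),
    XOR-encrypted, split into two size-prefixed, marker-tagged blobs."""
    compressed = bytes.fromhex("05b0" "08" "414243" "0620")  # 'ABC' + back-reference
    key = b"\x5a\xa5\x13"
    enc = xor_bytes(compressed, key)
    container = bytearray(b"\x00" * 16)          # padding standing in for other data
    for part in (enc[:5], enc[5:]):
        container += struct.pack("<I", len(part)) + MARKER + part + b"\x90" * 3
    return bytes(container), key


if __name__ == "__main__":
    blob, key = build_sample_container()
    print(recover_payload(blob, MARKER, key))
```

Running the module builds the sample container and prints the recovered plaintext. The same three functions, pointed at a real sample's on-disk payload with the marker and key taken from its configuration block, give an offline extractor for triage without executing the loader.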