• Change the Badge Year to 2024 (when it is available: https://github.com/toolswatch/badges/tree/master/arsenal/asia) => NOTE for me :P
• If required, create MD file in this format: https://github.com/toolswatch/blackhat-arsenal-tools/blob/master/tool_name.md => NOTE for me :P

This is a Dropper/PostExploitation Tool (or can be used in both situations) targeting Windows.

1. Indirect Dynamic Syscall. (MITRE ATT&CK TTP: T1106)
2. SSN + Syscall address sorting via Modified TartarusGate approach
3. Remote Process Injection via APC Early Bird to CUT OFF telemetry Catching by EDR. (MITRE ATT&CK TTP: T1055.004)
4. Spawns a sacrificial Process as the target process, not disrupting already open processes in the environment.
5. ACG(Arbitrary Code Guard)/BlockDll mitigation policy on spawned sacrificial process.
6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
7. Api and Dll resolving from TIB (Directly via offset (from TIB) -> TEB -> PEB -> resolve Nt Api) (MITRE ATT&CK TTP: T1106)
8. Cursed Nt API hashing (MITRE ATT&CK ID: S0574)

1. Disables Event Log via killing EventLog Service Threads (MITRE ATT&CK TTP: T1562.002)

Disadv: If threads are resumed, all events that occurred during the suspension of Event Logger, get logged Again!

So, thought of killing them instead!

"It's more Invasive than suspension, but the decision is always up to the operator. Besides, killing threads get logged on the kernel level" - @SEKTOR7net

Directly via VS compiler:

2. Also via compile.bat (prefer option 1.)

./compile.bat

PS C:> .\x64\Release\indirect.exe
[!] Wrong!
[->] Syntax: .\x64\Release\indirect.exe <PPID to spoof>

1. PPID spoofing (Emotet method)
2. Much Stealthier Use Case of EventLog Disabling!

1. BlackHat Asia, 2024 - Call For Tools

• Thanks a lot to Soumyadeep Da aka @SoumyadeepBas12 for encouraging me to apply for this opportunity, else I wouldn't have done it :)
• Thanks a lot to Faran aka @Chrollo_l33t for helping me to create the Slides and PPT for the presentation for this tool :)

1. TIB:

   • https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
   • https://www.wikiwand.com/en/Win32_Thread_Information_Block

2. GS and FS register:

   • https://stackoverflow.com/questions/39137043/what-is-the-gs-register-used-for-on-windows
   • https://stackoverflow.com/questions/10810203/what-is-the-fs-gs-register-intended-for#:~:text=The%20registers%20FS%20and%20GS,to%20access%20thread%2Dspecific%20memory.

3. PEB LDR structure:

   • BlackHat - What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection by @monnappa22

   • A pic of process Memory from the Above link:
     

   • From labs.cognisys.group, a blog by @D1rkMtr :
     

4. TIB -> TEB -> PEB -> Resolve Nt API and API hashing

   • https://stackoverflow.com/questions/41277888/iterating-over-peb-dllname-shows-only-exe-name

   • https://doxygen.reactos.org/d7/d55/ldrapi_8c_source.html#l01124

   • labs.cognisys.group, a blog by @D1rkMtr

   • A pic of the snippet from the above link, which I used here to resolve API dynamically without HardCoding Offsets:
     

   • The Api hashing code that I applied:

#include <stdint.h>
#include <stdio.h>
#include <Windows.h>

DWORD64 djb2(const char* str)
{
	DWORD64 dwHash = 0x7734773477347734;
	int c;

	while (c = *str++)
		dwHash = ((dwHash << 0x5) + dwHash) + c;


	return dwHash;
}

int main(int argc, char** argv)
{
	if (argc < 2)
	{
		printf("[!] Wrong!\n");
		printf("[->] Syntax: .\\%s <NTFuncName>\n\n", argv[0]);
		return 1;
	}

	const char* string = argv[1];

	DWORD64 hashvalue = djb2(string);

	printf("Hash Value: 0x%llX\n", hashvalue);

	return 0;
}

5. ACG(Arbitrary Code Guard)/BlockDll mitigation policy:

   • links:
   • Protecting Your Malware by @xpn
   • Wraith by @winterknife
   • spawn and HOLLOW by @0xBoku

6. PPID Spoofing Detection:

   • PPID Spoofing Detect by @spotheplanet
   • If got time, I will be adding a detection Portion to this portion! -> [Remaining..............................................!]

7. Moneta Detection and PESieve Detection:\

   • Moneta:
     

   • PESieve:
     

8. Capa Scan:
   

9. How Thread Stack Looks of the Implant Process:

Implant Process	Legit Cmd process

It follows that by executing the return instruction in the memory of the ntdll.dll in the indirect syscall POC, the return address can be successfully spoofed, the ntdll.dll can be placed at the top of the call stack and the EDR will interpret a higher legitimacy. - @VirtualAllocEx from DirectSyscall Vs Indirect Syscall
Also thanks to, @peterwintrsmith!

10. Instrumentation CallBack Evasion: Used this POC - syscall-detect by winternl_t

11. EventLogger Config, I used:

13. Setting SeDebugPrivilege:
    From Here: To Here:

14. Killing Event Log Threads:

    • rto-win-evasion by @SEKTOR7net
    • Phant0m by @hlldz
    • Goblin by @winterknife
    • disabling-windows-event-logs-by-suspending-eventlog-service-threads by @spotheplanet
      From here:
      
      To here:
      
    • This Method, Ended up causing errors in indirect syscall implementation. So, I ended up killing all those threads present within responsible svchost.exe (reason: Go up).

1. Case 1: When Darkwidow executed under normal privilege

No Critical Alerts gets created except One Low Severity Log!

2. Case 2: When Darkwidow executed under Admin privilege

One Low Severity Log => APC Injection (Like Before)

Another one which is a Medium Severity Log occured for setting SeDebugPrivilege.

This is how stack looks after applying synthetic frame thread stack spoofing.

This is the NT api Thread Stack

This is the shellcode (btw, this is not custom made, this is Havoc Shellcode :)) thread stack.

For shellcode development, I have used havoc and this below configuration:

Newly Created Thread Start Address Spoofing was not really required in this project cause within APC Injection technique, APC hijacks the execution of an already and legit running thread. Thanks to @C5pider!

Now Status On Event Logs ?

No logs got generated. I also have removed the Event Logger Killing part from the DarkWidow V2, which decreases down the Event generation too!

1. Porting this version to C++ Clang Compiler, which would help us to perform LLVM obfuscation.
2. Upgrading to NtCreateUserProcess() to perform indirect syscall and stack spoofing.
3. Applying Manual Load Library capability for bypassing Image Load Kernel Callbacks.
4. Applying Module Stomping capability.
5. Encrypted shellcode Injection to avoid Kernel triggered memory scans (Caro-Kann).

1. @SEKTOR7net
2. @peterwintrsmith
3. @Jean_Maes_1994
4. @D1rkMtr
5. @spotheplanet
6. @0xBoku
7. @Sh0ckFR
8. @winterknife
9. @monnappa22
10. @xpn
11. @hlldz
12. @d_tranman�
13. @SoumyadeepBas12
14. @jack_halon
15. @KlezVirus
16. @C5pider

I hope I didn't miss someone!